Issue 7 - July 2010
New and Improved - EPC publishes updated guidelines on the use of audit trails in security systems
19.07.10 BY Björn Flismark
In June 2010, the EPC approved an updated version of the document "The Use of Audit Trails in Security Systems: Guidelines for European Banks" (a link is included at the end of this article). These guidelines support payment service providers (PSPs) in complying with requirements established to ensure information security, i.e. protecting the confidentiality, integrity and availability of the data underlying a payment transaction. Specifically, the revised guidelines now include recommendations regarding the maintenance of so-called audit trails (or audit logs) of payment systems. Audit trails form part of any information security management system: they consist of a chronological sequence of audit records, where each record pertains to the execution of a specific business process or system function. Audit records typically result from activities such as transactions or communications triggered by individual people, systems, accounts or other entities. Such records, as documented in the audit trail, are ultimately relied upon to validate whether the system controls designed to ensure information security are adequate. Björn Flismark details the guidelines approved by the EPC on the use of audit trails in security systems.
The extended scope of the guidelines on the use of audit trails now also covers payment processes
The guidelines for the use of audit trails in security systems were first created in 2001 [1] to provide good practice recommendations on how computer and system audit trails should be captured, stored and used to support the management and operation of security in banking computer systems. The previous edition of these guidelines, however, did not consider the audit trails of payment systems. The scope of the updated edition now approved by the EPC has been extended to include payments-related data, taking into consideration the implementation of the harmonised SEPA Payment Schemes.
The secure capture and storage of the audit trails of payment records, along with the relevant security audits, may, amongst others, serve as evidence in any related dispute resolution process. Such dispute resolution could take place between PSPs or between PSPs and their customers. The revised document is the basis from which specific guidance might be developed over time applicable to SEPA Payment Schemes and PSPs participating in these Schemes.
The updated guidelines also take into account that internationally agreed security requirements are placing ever-greater emphasis on the need to capture transactional audit trails. The guidelines focus on IT security and audit trails for security-related purposes, as well as on the audit trails of the business processes of banks, namely the processing of payments. The changes compared to the previous edition include an updated bibliography and an extensive review of the principles (called recommendations in the previous version) with a view to improving clarity and ensuring that these principles are aligned with present requirements regarding information security. Last but not least, the document could serve as a reference in service level agreements when certain processing activities are outsourced to third parties.
The EPC guidelines on the use of audit trails are fit for purpose and applicable to any business unit
PSPs must regularly conduct audits to validate whether appropriate controls ensuring information security are in place. Such security audits consist of an independent review and examination of a system's records and activities to determine the adequacy of system controls and to ensure compliance with the established security policy and procedures. The validation of system controls will usually rely on a so-called audit trail, i.e. a chronological record of system activities which allows the environment and processes impacting a security-relevant transaction to be reconstructed and examined. Such activities are documented in an audit log consisting of a chronological sequence of audit records. An audit record is a single entry that describes a single auditable event. The systematic review of business processes or system functions as reflected in the audit log thus allows possible breaches of security policies to be detected and, in the event that such breaches are identified, recommendations on how to improve system controls to be developed.
The updated guidelines approved by the EPC offer practical, easy-to-use principles allowing PSPs to implement a secure audit trail strategy. These principles are applicable to any part of an organisation, such as a business unit, corporate headquarters or data centres.
The document specifies audit principles in the following areas:
- Audit system design including events to be recorded, format and fields of records, audit tools
- Management of audit logs including ownership, access and classification of audit data, generation, storage and back-up of audit trails
- Retention periods
- Application and use of audit logs (e.g., internal investigations, presentation to court)
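The following is an added illustration, not code from the EPC guidelines or from this article: a minimal audit trail in the sense defined above, in which each record describes one auditable event triggered by a person, system or account, records form a chronological sequence, and a review routine reconstructs that sequence and flags modified, missing or reordered records. The hash chain, the field names and the sample events are assumptions of this example (the sample data is constructed), not requirements of the guidelines.

```python
import hashlib
import json
GENESIS = "0" * 64  # prev_hash of the first record in a trail

def _digest(record):
    # SHA-256 over every field except the record's own hash (sorted keys)
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditTrail:
    def __init__(self):
        self.records = []  # append-only, chronological, hash-chained

    def append(self, timestamp, actor, actor_type, event, outcome, details=None):
        # One record = one auditable event, triggered by a person, system or account
        record = {
            "seq": len(self.records) + 1,
            "timestamp": timestamp,  # ISO 8601 UTC, e.g. 2010-06-14T09:00:00Z
            "actor": actor, "actor_type": actor_type,
            "event": event, "outcome": outcome, "details": details or {},
            "prev_hash": self.records[-1]["hash"] if self.records else GENESIS,
        }
        record["hash"] = _digest(record)
        self.records.append(record)
        return record

def verify(records):
    # Systematic review of a trail; empty list = intact and chronological
    findings, prev_hash, prev_ts = [], GENESIS, ""
    for i, r in enumerate(records, 1):
        if r["seq"] != i:
            findings.append(f"record {i}: sequence gap or reordering")
        if r["prev_hash"] != prev_hash:
            findings.append(f"record {i}: chain broken")
        if _digest(r) != r["hash"]:
            findings.append(f"record {i}: content modified")
        if r["timestamp"] < prev_ts:
            findings.append(f"record {i}: out of chronological order")
        prev_hash, prev_ts = r["hash"], r["timestamp"]
    return findings

def build_sample_trail():
    # Constructed sample: three events around one credit transfer (not real data)
    t = AuditTrail()
    t.append("2010-06-14T09:00:00Z", "operator17", "person", "login", "success")
    t.append("2010-06-14T09:01:30Z", "operator17", "person", "payment.submit",
             "success", {"amount": "250.00", "currency": "EUR"})
    t.append("2010-06-14T09:02:05Z", "sct-engine", "system", "payment.execute",
             "success", {"batch": "B-0001"})
    return t.records
```

Because each record commits to its predecessor, `verify` detects an altered amount in one record as well as a deleted record, which is the property that makes a stored trail usable as evidence in a dispute.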
The EPC guidelines on the use of audit trails in security systems are available for download on the EPC web site (see link below).
Björn Flismark served as the Chair of the EPC Information Security Support Group (ISSG) until June 2010. He has been succeeded as Chair of the ISSG by Ruth Wandhöfer.
[1] The document was first published by the ECBS (European Committee for Banking Standards); the EPC has taken over the ECBS tasks and maintains a portfolio of documents originally created by the ECBS.