Information Technology Standard 06.6.0

Security Monitoring & Logging Standard


Date of Current Revision or Creation: November 1, 2021


The purpose of an Information Technology Standard is to specify requirements for compliance with Â鶹´«Ã½ Information Technology policies, other University policies, and applicable laws and regulations. Standards may include business principles, best practices, technical standards, and migration and implementation strategies that direct the design, deployment and management of information technology.

Purpose

The purpose of this standard is to identify the responsibilities for security monitoring and logging of IT system activity.

Definitions

Information Security Office is the unit within the Office of Computing and Communications Services responsible for overseeing efforts to protect Â鶹´«Ã½'s computing and information assets and to assist in compliance efforts with information-related laws, regulations, and policies.

Information Security Officer (ISO) is the person responsible for developing, reviewing, evaluating, and managing the University's Information Security Program.

Logging is an essential information security control that is used to identify, respond to, and prevent operational problems, security incidents, policy violations, and fraudulent activity; optimize system and application performance; assist in business recovery activities; and, in many cases, comply with federal, state, and local laws and regulations.

System Owner is the manager responsible for operation and maintenance of a University IT system.

Standards Statement

General Logging Activity

Logging is to be enabled on all IT systems.

Employees or other designated individuals with responsibility for logging have some flexibility in determining the detail contained in logs within their areas of responsibility. The detail of information contained in a log depends on the risks to the relevant IT resource and underlying data. However, all system logs must contain a timestamp, associated with the logged event, that is synchronized to the University's Network Time Server (NTP). Timestamps should be in local time or UTC (Coordinated Universal Time).

System logs should be devoid of any unencrypted sensitive data, passwords, financial data or personally identifiable information before being forwarded to a log management system or any other destination. Local logs that contain sensitive data are generally acceptable as long as the logs are stored appropriately; they should not be sent to a syslog server.
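As an added example (not part of the standard itself), a pre-forwarding gate in Python that enforces the two requirements above on each record before it leaves the host: a record without a zone-qualified RFC 3339 timestamp is rejected, and clear-text passwords, SSN-like values and Luhn-valid card-like numbers are scrubbed. The regex patterns, the marker format and the requirement for an explicit zone designator are this example's assumptions.

```python
import re
from datetime import datetime
from typing import List, Optional, Tuple

# Clear-text values the standard says must not be forwarded. These patterns are
# constructed for the example; extend them per local data classification.
SENSITIVE_PATTERNS = {
    "password": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*\S+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),  # 13-16 digits, optional separators
}

def luhn_valid(candidate: str) -> bool:
    """Luhn checksum, so a 16-digit counter or ID is not mistaken for a card number."""
    total = 0
    for i, ch in enumerate(reversed([c for c in candidate if c.isdigit()])):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def parse_timestamp(line: str) -> Optional[datetime]:
    """Event time if the record starts with an RFC 3339 timestamp carrying 'Z' or a
    local offset, else None (the offset is required here so UTC and local records correlate)."""
    token = line.split(" ", 1)[0]
    try:
        ts = datetime.fromisoformat(token.replace("Z", "+00:00"))
    except ValueError:
        return None
    return ts if ts.tzinfo is not None else None

def redact(line: str) -> Tuple[str, List[str]]:
    """Replace sensitive values with a marker; return the scrubbed line and the kinds hit."""
    kinds: List[str] = []
    for kind, pattern in SENSITIVE_PATTERNS.items():
        def _sub(m, kind=kind):
            if kind == "card" and not luhn_valid(m.group(0)):
                return m.group(0)  # digit runs that fail Luhn are left alone
            kinds.append(kind)
            return f"[REDACTED:{kind}]"
        line = pattern.sub(_sub, line)
    return line, kinds

def prepare_for_forwarding(line: str) -> Optional[Tuple[str, List[str]]]:
    """Gate one local record: None if it lacks a synchronized, zone-qualified timestamp
    (keep it local and fix the source), otherwise the scrubbed record and what was removed."""
    if parse_timestamp(line) is None:
        return None
    return redact(line)
```

Records returned as None are the ones to raise with the System Owner, since a missing or unsynchronized timestamp breaks correlation across the log management system.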

Prohibited Logging

The use of keystroke logging, except when required for security investigations and approved in writing by the University President, or designee, is prohibited.

Responsibilities

System Owners and/or Application Administrators are responsible for the development and implementation of application logging capabilities and the creation and maintenance of detailed procedures for reviewing and administering the logs.

The Information Security Officer is responsible for Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) logging.

System Compliance Owners (formerly called System Owners) are responsible for ensuring their systems have undergone a sufficient risk review and that appropriate logs are being captured for security and compliance purposes. This includes system owners for server operating systems, network devices, desktops, administrative databases and for all BIA Immediate or Class 1 Restricted or Class 2 Confidential, Moderate Sensitivity systems.

Information Security Office staff is responsible for monitoring security event logs, correlating information with other automated tools, identifying suspicious activities, and providing alert notifications.

Data Center Operations staff is responsible for monitoring the production computing environment and providing alert notifications.

The Database Administration staff is responsible for monitoring the availability and performance of the databases and for providing corrective actions and/or alert notifications.

Compliance

ITS and departmental IT application and system administrators, as well as System Compliance Owners, are responsible for ensuring appropriate compliance with this standard for IT resources within their areas of responsibility and are responsible for documenting that compliance.

Procedures, Guidelines & Other Related Information

History

Date            Responsible Party   Action
December 2006   CIO/ITAC            Created
October 2007    CIO/ITAC            Reaffirmed
October 2008    CIO/ITAC            Reaffirmed
October 2009    CIO/ITAC            Reaffirmed
October 2010    CIO/ITAC            Reaffirmed
October 2011    CIO/ITAC            Reaffirmed
September 2012  CIO/ITAC            Reaffirmed
January 2014    IT Policy Office    Added time stamp and sensitive data requirement; added compliance; revised employee titles; added definitions; numbering revised.
May 2018        IT Policy Office    Reviewed; minor wording changes, links updated
November 2021   IT Policy Office    Reviewed; definitions and links checked