IT Resource Logging (VII.B.5)
Volume VII; Information Technology
Chapter B; Security
Responsible Executive: Vice President for Information Technology
Responsible Office: Office of the Vice President for Information Technology
Date Issued: May 26, 2005
Date Last Revised: November 18, 2011
TABLE OF CONTENTS
Statement of Policy
Reason for This Policy
Individuals and Entities Affected by This Policy
Who Should Know This Policy
Web Site Address for This Policy
Related Documents, Forms, and Tools
History and Updates
Logging activity within Purdue University IT Resources, and reviewing such activity, is an information security control that is necessary in order to identify, respond, and prevent operational problems, security incidents, policy violations, and fraudulent activity; optimize system and application performance; assist in business recovery activities; and, in many cases, comply with federal, state, and local laws and regulations.
Logging must be enabled and Log review must take place on IT Resources. The information captured in Logs depends upon the type of information processed by IT Resources and federal, state, and local laws and regulations.
Logging activity within Purdue University IT Resources is necessary to reduce risk to such IT Resources and data contained therein. This policy sets Logging requirements for Purdue University IT Resources.
This policy is guided by the following objectives:
- Preserve Purdue University’s ability to operate and maintain its IT Resources;
- Protect the security and functionality of university IT Resources and the data stored on those resources;
- Safeguard the privacy, property, rights, and data of users of university IT Resources;
- Preserve the integrity and reputation of the University;
- Comply with applicable federal, state, and local laws; and
- Comply with applicable university policies, standards, guidelines, and procedures.
This policy covers students, faculty, staff, and all individuals or entities using any university IT Resource and all uses of such IT Resources.
IT Resource owners and any individual who may handle university Log data.
Purdue University information security policies institute controls that are used to protect Purdue University data and IT Resources. While every exception to a policy or standard weakens protection for IT Resources and underlying data, occasionally exceptions will exist. The Security Policy Exception Procedure must be used when requesting an exception to Purdue University information security policies. The Chief Information Security Officer, or his or her designee, will approve or deny any request for an exception.
|Policy Clarification||ITaP Networks and Securityfirstname.lastname@example.org|
A record of (or the act of recording) events describing activity within a computing system, network, or application.
All tangible and intangible computing and network assets provided by or for the University to further its mission of discovery, learning, and engagement. Examples of such assets include, but are not limited to, hardware, software, wireless access, network bandwidth, mobile devices, electronic information resources, printers, and paper.
IT Resource Owners and Their Designees
Collect and review Log data on IT Resources within their areas of responsibility in accordance with the standards developed by the University in support of this policy.
ITaP Networks and Security will facilitate the establishment and maintenance of standards and technical reference materials to support this policy and post such information online.
Departmental IT units must follow standards issued by ITaP Networks and Security in support of this policy. Departmental IT units may also issue additional guidelines, procedures, or other requirements as necessary to support this policy. Specific reference materials for implementing Logging on IT Resources may vary from campus to campus or department to department.
Inadvertent or improper disclosure of Log data may be harmful to the security and privacy of university data and IT Resources and must be reported and handled in a manner consistent with the University’s Information Technology Incident Response policy (VII.B.3).
In the event that an IT unit does not believe it can fulfill the requirements of this policy or its related standards and guidelines, the unit must request a policy exception using the Security Policy Exception Procedure.
Violations of this policy may result in disciplinary action or sanctions in accordance with university policy and procedures and applicable state and federal laws.
University IT Policies:
Standards supporting the implementation of this and other university IT policies:
Security Incident Reporting Information:
Security Policy Exception Procedure:
November 18, 2011: Policy number changed to VII.B.5 (formerly V.1.7).
March 1, 2010: Significant revisions have been made to update this policy from its original interim version titled HIPAA Covered System and Application Logging (V.1.7, issued May 26, 2005). It also has been formatted in the current policy template.
There are no appendices to this policy.