IT Resource Logging (S-11)

Standard: S-11
Responsible Executive: Vice President for Information Technology and System Chief Information Officer
Responsible Office: Office of the Vice President for Information Technology
Date Issued: May 1, 2018
Date Last Revised: N/A

Contacts
Individuals and Entities Affected by This Standard
Statement of Standard
Responsibilities
Definitions (defined terms are capitalized throughout the document)
Related Documents, Forms and Tools
History and Updates
Appendix

CONTACTS

**Clarification of Standard**
Title/Office	Telephone	Email/Webpage
ITaP Security and Policy		itap-securityhelp@purdue.edu

INDIVIDUALS AND ENTITIES AFFECTED BY THIS STANDARD

All Purdue University centralized and departmental IT units and the associated IT Resources under their control or support, including IT Resources that may be hosted or managed by a third party on behalf of the University. This standard also covers individually-managed IT Resources if Sensitive or Restricted Data is stored, processed or transmitted by the system.

STATEMENT OF STANDARD

Operating system and application Logging is an essential information security control that is used to 1) identify, monitor, respond to, and prevent operational problems, security incidents, policy violations, and fraudulent activity; 2) optimize system and application performance; 3) assist in business recovery activities; and 4) comply with federal, state, and local laws and regulations and industry-specific requirements. This standard identifies minimum Logging requirements to generate appropriate Logs and integrate with the University’s Log management functions.

All IT units must follow this standard in accordance with the policy on Information Security and Privacy (VII.B.8) and may issue additional guidelines, procedures, or other requirements as necessary to support this standard. Compliance with this standard may be verified through various methods, including but not limited to, system configuration review, Log management system review, internal and external audits, and automated reporting mechanisms.

Implementation of the requirements in this standard applies to any system that handles Sensitive or Restricted Data and new deployments of all systems as of one year from the issuance of this standard.

Requests for any exception to this standard must follow the Security Policy Exception Procedures.

Log Content Requirements

Where technically possible and when not in conflict with regulatory or contractual requirements, systems must record and retain audit Log records of the following events:

Successful/failed user login attempts;
Successful/failed file or database access attempts;
Successful/failed use of privileged accounts with administrative access (e.g., root, admin, SYS, domain);
Use of privileged access or operations such as grant, modify or revoke access rights, including adding a new user or group, changing user privilege levels, changing file permissions, changing database object permissions, changing firewall rules, and user password changes;
Act of switching to or acting as a different user account (e.g., substitute user [su] command in Linux, action of a proxy in SAP SuccessFactors, act of impersonation in SAP);
Accept an incoming network service request;
System, network or services configuration changes, including installation of software patches and updates, or other installed software changes;
Server-based application process startup, shutdown, restart or abnormal end;
Activation and deactivation of protection systems such as anti-virus, intrusion detection and file integrity systems; and
Alarms and/or detection of suspicious/malicious activity provided by an information security system, such as an Intrusion Detection or Prevention System (IDS/IPS), file integrity monitor, anti-virus system or anti-malware system.

When Logging the above events, sufficient information must be captured to answer the following questions:

What activity was performed?
Who or what performed the activity (user ID/username), including where or on what system the activity was performed from (source address) and the target system (destination address)?
What object was the activity performed against?
When was the activity performed (date and time stamp)?
What was the status (e.g., success vs. failure), outcome or result of the activity?

The following information must NEVER be included in Logs:

Unencrypted Sensitive or Restricted Data
Session identification values (consider replacing with a hashed value if needed to track session specific events)
Access tokens (except nonce URLs that grant limited, specific purpose access)
Clear text authentication credentials (e.g., passwords)
Database connection strings
Encryption keys
Information it is illegal to collect in the relevant jurisdiction

Log Configuration Requirements

The appropriate security benchmark (if available) from the Center for Internet Security (CIS) must be used as a guide to configure Logging and auditing systems. In the event that security benchmarks are not available, suitable alternatives include vendor or government-provided best practice security guides, such as the National Institute of Standards and Technology (NIST).
Any regulatory-specific requirements must be implemented. This may require collaboration with an officer/coordinator of the applicable regulation. Consult the Information Owner and/or the Data Steward to ensure agreement of requirements.
The system clock must be synchronized from a trusted network time source through the Network Time Protocol (NTP) or similar time synchronization service.

Log Formatting, Storage and Retention

The system must support the formatting and storage of audit Logs in such a way as to ensure the integrity of the Logs and to support analysis and reporting.

Log data must be retained for a minimum period of three (3) months immediately available for analysis (e.g., online, archived or restorable from backup). Refer to the section on Additional Requirements for Systems with Sensitive/Restricted Data for retention periods pertaining to those systems.

Mechanisms to support these goals include but are not limited to the following:

Microsoft Windows Event Logs collected by a Log management system;
Logs in a well-documented format sent via the syslog protocol to a Centralized Log Management System;
Logs stored in a database that itself generates audit Logs in compliance with the requirements of this document; and
Other open Logging mechanisms supporting the above requirements including those based on Common Log Format System (CLFS), Common Event Format (CEF), Common Event Expression (CEE), or Intrusion Detection Message Exchange Format (IDMEF).

Log Review

Audit Logs are subject to regular periodic review as required by the criticality of the IT Resource and the underlying Information Assets. Factors influencing frequency of Log review include:

University classification of the data being stored, processed or transmitted by the IT Resource and any associated risk, including data subject to regulatory or industry-specific standards, including but not limited to HIPAA, FERPA, GLBA, Controlled Unclassified Information (CUI), PCI, etc.
Criticality of the IT Resource or Information Assets supporting (1) University scholarship, research and instructional activities; (2) business or administrative operations of the University; (3) access to University services or (4) support student and campus life activities.

Security Information and Event Management (SIEM) or other solutions incorporating event thresholds and providing alerts may be used to facilitate monitoring and review processes.

Detection of suspicious activity or discovery of prohibited Sensitive or Restricted Data recorded in Logs must be reported and handled in a manner consistent with the University’s policy on Incident Response (VII.B.3).

Protection, Access and Disclosure

Logging facilities and Log information must be protected against tampering, modification, destruction and unauthorized access. Controls must be in place to prevent alteration or to detect and alert on alteration to Log information. Ensure processes are in place to detect whether Logging has stopped. Logs transmitted over open, public or untrusted networks must use a secure transmission protocol.

Access to Log information is subject to the policy on Acceptable Use of IT Resources and Information Assets (VII.A.4) and the Data Classification and Handling Procedures. Inadvertent or improper disclosure of Log data may be harmful to the security and privacy of University Information Assets and IT Resources and must be reported and handled in a manner consistent with the policy on Incident Response (VII.B.3).

Additional Requirements for Systems with Sensitive/Restricted Data

All systems that store, process, transform and transmit Sensitive and Restricted Data have a higher level of criticality and a greater need for additional security controls for audit Log data. Where technically possible, audit Logs from information systems with Sensitive or Restricted Data may be forwarded to a Centralized Log Management System that includes Log retention, parsing and alerting capabilities. Log review must occur daily through either manual or automated means.

Logs from systems with Sensitive and/or Restricted Data must be retained for at least one year, with a minimum of three months immediately available for analysis. Additionally, audit Logs must be retained for the period as required by any applicable law, regulation, contractual obligation, or as required by internally-imposed retention periods that may be extended beyond what regulations require or beyond the minimum of one year as required by this standard.

RESPONSIBILITIES

Centralized and Departmental IT Units, IT Resource Owners and Their Designees

Assess systems under their control in collaboration with Information Owners and/or Data Stewards for criticality and risks to confidentiality, integrity and availability of Information Assets or IT Resources.
Configure Logging on individual systems under their responsibility.
Collaborate with Information Owners and Data Stewards to define and implement procedures for Log monitoring and review.
Collect, review and monitor Log data on IT Resources within their areas of responsibility in accordance with this standard. IT Resource Owners will also implement or coordinate the implementation of alerts and reports as well as respond to issues uncovered in the Log data.
Collaborate with IT Security and Policy for interpretation and implementation of requirements with this standard.

Data Stewards

Collaborate with Information Owners to identify criticality and risks to confidentiality, integrity and availability of Information Assets or IT Resources.
Collaborate with IT Resource Owners in implementing procedures for reviewing and monitoring audit Logs according to regulatory or industry-specific requirements and this standard.
Collaborate with IT Security and Policy for interpretation and implementation of requirements with this standard.

Information Owners and Their Designees

Collaborate with Data Stewards, IT Resource Owners and application administrators to assess their systems for criticality and risks to confidentiality, integrity and availability of Information Assets or IT Resources and identify Logging and auditing controls commensurate with the associated risk to the Information Assets or IT Resource.
In collaboration with Data Stewards, IT Resource Owners and application administrators, define procedures for reviewing and monitoring audit Logs. Information Owners will also define any alerts, reports, correlation rules and response procedures needed to address security and/or compliance requirements.
Collaborate with IT Security and Policy for interpretation and implementation of requirements with this standard.

IT Security and Policy

Assist IT units with interpretation and implementation of requirements with this standard.
Where required or needed, provide Centralized Log Management and SIEM services to IT Resource owners in accordance with this standard.

DEFINITIONS

All defined terms are capitalized throughout the document. Additional defined terms may be found in the central Policy Glossary.

Centralized Log Management System
A Logging solution that collects Log data from multiple systems, often from multiple locations, to one central storage location to ease enforcement of retention policies and facilitate Log review, security event correlation, alerting and response.

Controlled Unclassified Information (CUI)
As established by Executive Order 13556, unclassified information that requires safeguarding or dissemination controls pursuant to federal law, regulation or government-wide policy.

Data Steward
See definition in the policy on Information Security and Privacy (VII.B.8).

Information Asset
See definition in the policy on Information Security and Privacy (VII.B.8).

Information Owner
See definition in the policy on Information Security and Privacy (VII.B.8).

IT Resource
See definition in the policy on Information Security and Privacy (VII.B.8).

IT Resource Owner
Any person, IT unit or department assigned to or otherwise providing the administrative and physical control and technical support of IT Resources, either on campus or otherwise using University resources, or providing the oversight of third-party hosted or managed IT Resources.

Log (Logging)
A record of (or the act of recording) events describing activity within a computing system, network or application.

Restricted Data
Information protected because of protective statutes, policies or regulations; or information for which the Information Owner has exercised their right to restrict access. Examples include, but are not limited to, student education records, non-directory information, Social Security numbers, protected health information, bank account information, credit card numbers, and Controlled Unclassified Information (CUI).

Sensitive Data
Information whose access must be guarded due to proprietary, ethical or privacy considerations even though there may not be a civil statute requiring this protection. Examples: fixed asset details, PUID, electronic or paper admissions applications.

Security Information and Event Management (SIEM)
Security information and event management software providing centralized Logging for different types of Log sources and may perform Log normalization, analysis and event filtering.

HISTORY AND UPDATES

May 1, 2018: This standard supersedes the policy on IT Resource Logging (VII.B.5) dated November 18, 2011, and the Basic Logging Standard issued March 1, 2010.

See policy VII.B.5 in the policy e-archive for further history.

APPENDIX

There are no appendices to this standard.