UIS.205.1 Information Security Audit Logging Guidelines
In support of UIS.204 Vulnerability Management Policy
Georgetown University has adopted the Security Audit and Accountability principles established in NIST SP 800-171 “Audit and Accountability” control guidelines as the official policy for this security domain. Each system administrator and system owner must adhere to the guidelines and procedures associated with this policy in order to support and be compliant with the University information security framework.
Audit Logging Requirements
A technology system audit event is any observable occurrence in a University information system. UIS identifies audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate. Audit events can include password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, abnormal system activity, and similar occurrences. Also included are auditable events that are required by applicable security frameworks, laws, University policies, regulations, and standards.
All servers, network devices, computer systems, and end-user workstations used for University operations must have the audit mechanism enabled and shall include logs to record specified audit events as defined in Technical Implementation by UIS.
Audit events for information systems containing restricted and otherwise protected data as defined in Information Classification Policy must be collected at the operating system, software, and database levels.
Content of Audit Records
Information systems must be configured to generate detailed audit records containing sufficient information to establish what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.
Audit Storage Capacity
UIS allocates storage capacity to retain audit records for the required retention period of 1 year. UIS will have active audit records for 180 days; subsequently, audit records will be maintained for an additional 180 days in cold storage. This is to provide support to security incident investigations and to meet University and regulatory information retention schedule requirements.
Audit Processing Failures
In the event of an audit processing failure (such as software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded), UIS will define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors).
UISO monitors for such failures and enables alerting for immediate notifications of system operational status
Logs must be able to identify where system process failures have taken place and provide information relative to corrective actions to be taken by the system administrator.
Audit Review, Analysis, and Reporting
Audit review, analysis, and reporting cover information security-related auditing performed by UIS for the purposes of preventing, detecting, and correcting events that may impact the confidentiality, integrity, and availability of University information systems and data. Findings can be reported to organizational entities that include incident response teams, technology management and support teams, and other stakeholders.
UISO designates staff to regularly review operational audit logs, including system, application and user event logs, for abnormalities
Any abnormalities and/or discrepancies between the logs and the baseline that are discovered are reported to UIS management and stakeholders as applicable
Access to audit logs is restricted to only those authorized to view them and the logs are protected from unauthorized modifications, and if possible, through the use of file-integrity monitoring or change-detection software
UISO reviews and analyzes information system audit records regularly for indications of unusual activity related to potential unauthorized access or system abnormalities; the log analytic tool is regularly tuned to better identify actionable events and decrease event noise
Audit Log Time Stamps
UIS uses Google NTP servers as its time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent. Timestamps for audit records are mapped to either Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) or local time with an offset from UTC.
Protection of Audit Information
Audit data is classified as restricted and will be maintained in accordance with the University Information Classification policy, the University Records Retention policy and other applicable policies.
UIS protects audit information and audit tools from unauthorized access, modification, and deletion. Protection controls may include backing up audit records onto a physically different system or system component than the system or component being audited and/or writing audit files to a log server on the internal network and subsequently backing them up to a secure location.
Audit Record Retention
UIS retains audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational and investigational purposes. UIS disposes of audit records when the retention period has expired in accordance with standard record retention schedule of 1 year and/or after an incident or investigation has closed.
UIS ensures that University-funded or University-owned information systems generate audit records and make them available to UISO.
Information systems must be configured to provide audit logging capability to include the auditable events defined in Audit Logging Technical Implementation Guide.