Technology Audit Logging Guidelines

Technology audit logging, monitoring, and analysis are implemented to help detect events that can interfere with, degrade, or prohibit the operation of University information systems; and to help protect the integrity and availability of information systems by ensuring that pertinent data is collected and retained in accordance with the security policies governing the maintenance of University technology systems.

Audit Logging Requirements

1.1. Audit Events

A technology system audit event is any observable occurrence in a University information system. UIS identifies audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate. Audit events can include password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, abnormal system activity, and similar occurrences. Also included are auditable events that are required by applicable security frameworks, laws, University policies, regulations, and standards.

UIS implements and manages the program for continuous monitoring and auditing of University systems for the purposes of ensuring the confidentiality, availability, and integrity of those systems by detecting abnormal events, monitoring system access and usage, and responding to incidents that may impact the security of those systems.
All servers, network devices, computer systems, and end-user workstations used for University operations must have the audit mechanism enabled and shall include logs to record specified audit events as defined in Technical Implementation by UIS.
Audit logs for information systems containing restricted and otherwise protected data as defined in Information Classification Policy must be audited at the operating system, software, and database levels.

1.2. Content of Audit Records

Information systems shall be configured to generate detailed audit records containing sufficient information to establish what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event. 

1.3. Audit Storage Capacity

UIS allocates audit record storage capacity to retain audit records for the required audit retention period of 1 year. UIS will have active audit records for 180 days and then audit records will be maintained for an additional 180 days in cold storage. This is to provide support to the investigations of security incidents and to meet University and regulatory information retention schedule requirements in accordance with Georgetown University Records Retention Policy.

1.4. Audit Processing Failures

In the event of an audit processing failure (such as software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded), UIS will define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors).

UISOmonitors for such failures and enables alerting for immediate notificationsof system operational status
Logsshall be able to identify where system process failures have taken place and provide information relative to corrective actions to be taken by the system administrator.

1.5. Audit Review, Analysis, and Reporting

Audit review, analysis, and reporting cover information security-related auditing performed by UIS for the purposes of preventing, detecting, and correcting events that may impact the confidentiality, integrity, and availability of University technology systems and data.  Findings can be reported to organizational entities that include incident response teams, technology management and support teams, and other stakeholders.

  • UISO regularly reviews operational audit logs, including system, application and user event logs, for abnormalities. Any abnormalities and/or discrepancies between the logs and the baseline that are discovered are reported to UIS management and stakeholders as applicable.  Access to audit logs is restricted to only those authorized to view them and the logs are protected from unauthorized modifications, and if possible, through the use of file-integrity monitoring or change-detection software.
  • UISO reviews and analyzes information system audit records regularly for indications of unusual activity related to potential unauthorized access or system abnormalities; the log analytic tool is regularly tuned to better identify actionable events and decrease event noise.
1.6. Audit Log Time Stamps

UIS uses Google NTP serverstime sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent. Timestamps for audit records are mapped to either Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) or local time with an offset from UTC.

1.7. Protection of Audit Information

Audit data is classified as restricted and will be maintained in accordance with Information Classification policy, Georgetown University Records Retention policy and other applicable university policies. 

UIS protects audit information and audit tools from unauthorized access, modification, and deletion. Protection controls may include backing up audit records onto a physically different system or system component than the system or component being audited and/or writing audit files to a log server on the internal network and subsequently backing them up to a secure location.

1.8. Audit Record Retention

UIS retains audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational and investigational purposes. UIS disposes of audit records when the retention period has expired in accordance with standard record retention schedule of 1 year and/or after an incident or investigation has closed.

1.9. Audit Generation

UIS ensures that University-funded or University-owned technology systems generate audit records and make them available to UISO in accordance with the Georgetown Technology Audit Logging policy.

Information systems are configured to provide audit record generation capability for the list of auditable events defined in UIS Technical Implementation guidelines.