
Old Dominion University

Information Technology Standard

06.6.0 Security Monitoring & Logging Standard

Date of Current Revision or Creation: November 1, 2021

The purpose of an Information Technology Standard is to specify requirements for compliance with Old Dominion University Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, and migration and implementation strategies that direct the design, deployment and management of information technology.

  1. Purpose

    The purpose of this standard is to identify the responsibilities for security monitoring and logging of IT system activity.

  2. Definitions

    Information Security Office is the unit within the Office of Computing and Communications Services responsible for overseeing efforts to protect ODU's computing and information assets and to assist in compliance efforts with information-related laws, regulations, and policies.

    Information Security Officer (ISO) is the person responsible for developing, reviewing, evaluating, and managing the University's Information Security Program.

    Logging is an essential information security control that is used to identify, respond to, and prevent operational problems, security incidents, policy violations, and fraudulent activity; optimize system and application performance; assist in business recovery activities; and, in many cases, comply with federal, state, and local laws and regulations.

    System Owner is the manager responsible for operation and maintenance of a University IT system.

  3. Standards Statement

    General Logging Activity

    Logging is to be enabled on all IT systems.

    Employees or other designated individuals with responsibility for logging have some flexibility in determining the detail contained in logs within their areas of responsibility. The detail of information contained in a log depends on the risks to the relevant IT resource and underlying data. However, all system logs must contain a timestamp associated with the logged event, synchronized to the University's Network Timeserver (NTP). Timestamps should be in local time or UTC (Coordinated Universal Time).

    System logs should be devoid of any unencrypted sensitive data, passwords, financial data or personally identifiable information prior to being forwarded to a log management system or any other destination. Local logs that contain sensitive data are generally acceptable as long as the logs are stored appropriately, but they should not be sent to a syslog server.

    Prohibited Logging

    The use of keystroke logging, except when required for security investigations and approved in writing by the University President, or designee, is prohibited.

    Responsibilities

    System Owners and/or Application Administrators are responsible for the development and implementation of application logging capabilities and the creation and maintenance of detailed procedures for reviewing and administering the logs.

    The Information Security Officer is responsible for Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) logging.

    System Compliance Owners (formerly called System Owners) are responsible for ensuring their systems have undergone a sufficient risk review and that appropriate logs are being captured for security and compliance purposes. This includes system owners for server operating systems, network devices, desktops, administrative databases and for all BIA Immediate or Class 1 Restricted or Class 2 Confidential, Moderate Sensitivity systems.

    Information Security Office staff is responsible for monitoring security event logs, correlating information with other automated tools, identifying suspicious activities, and providing alert notifications.

    Data Center Operations staff is responsible for monitoring the production computing environment and providing alert notifications.

    The Database Administration staff is responsible for monitoring the availability and performance of the databases and for providing corrective actions and/or alert notifications.

    Compliance

    ITS and departmental IT application and system administrators, as well as System Compliance Owners, are responsible for ensuring appropriate compliance with this standard for IT resources within their areas of responsibility and are responsible for documenting appropriate compliance.

  4. Procedures, Guidelines & Other Related Information

    University Policy 3501 - Information Technology Access Control Security Policy

    University Policy 3505 - Information Technology Security Policy

    Information Security Program

    Internal Procedures

  5. History

    | Date | Responsible Party | Action |
    |---|---|---|
    | December 2006 | CIO/ITAC | Created |
    | October 2007 | CIO/ITAC | Reaffirmed |
    | October 2008 | CIO/ITAC | Reaffirmed |
    | October 2009 | CIO/ITAC | Reaffirmed |
    | October 2010 | CIO/ITAC | Reaffirmed |
    | October 2011 | CIO/ITAC | Reaffirmed |
    | September 2012 | CIO/ITAC | Reaffirmed |
    | January 2014 | IT Policy Office | Added time stamp and sensitive data requirement. Added compliance. Revised employee titles. Added definitions. Numbering revised. |
    | May 2018 | IT Policy Office | Reviewed; minor wording changes, links updated |
    | November 2021 | IT Policy Office | Reviewed; definitions and links checked |
