Security Monitoring & Logging Standard
Date of Current Revision or Creation: November 1, 2021
The purpose of an Information Technology Standard is to specify requirements for compliance with Old Dominion University Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.
Purpose
The purpose of this standard is to identify the responsibilities for security monitoring and logging of IT system activity.
Definitions
Information Security Office is the unit within the Office of Computing and Communications Services responsible for overseeing efforts to protect ODU's computing and information assets and to assist in compliance efforts with information-related laws, regulations, and policies.
Information Security Officer (ISO) is responsible person for developing, reviewing, evaluating, and managing the University's Information Security Program.
Logging is an essential information security control that is used to identify, respond, and prevent operational problems, security incidents, policy violations, fraudulent activity; optimize system and application performance; assist in business recovery activities; and, in many cases, comply with federal, state, and local laws and regulations.
System Owner is the manager responsible for operation and maintenance of a University IT system.
Standards Statement
General Logging Activity
Logging is to be enabled on all IT systems.
Employees or other designated individuals with responsibility for logging have some flexibility in determining the detail contained in logs within their areas of responsibility. The detail of information contained in a log depends on the risks to the relevant IT resource and underlying data. However, all system logs must contain a timestamp associated to the logged event synchronized to the University's Network Timeserver (NTP.) Time Stamps should be in local time or UTC (coordinated Universal Time)
System logs should be devoid of any unencrypted sensitive data, passwords, financial data or personally identifiable information prior to being forwarded to a log management system or any other destination. Local logs that contain sensitive data are generally acceptable as long as the logs are stored appropriately, they should not be sent to a syslog server.
Prohibited Logging
The use of keystroke logging, except when required for security investigations and approved in writing by the University President, or designee, is prohibited.
Responsibilities
System Owners and/or Application Administrators are responsible for the development and implementation of application logging capabilities and the creation and maintenance of detailed procedures for reviewing and administering the logs.
The Information Security Officer is responsible for Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) logging.
System Compliance Owners (formerly called System Owners) are responsible for ensuring their systems have undergone a sufficient risk review and that appropriate logs are being captured for security and compliance purposes. This includes system owners for server operating systems, network devices, desktops, administrative databases and for all BIA Immediate or Class 1 Restricted or Class 2 Confidential, Moderate Sensitivity systems.
Information Security Office staff is responsible for monitoring security event logs, correlating information with other automated tools, identifying suspicious activities, and providing alert notifications.
Data Center Operations staff is responsible for monitoring the production computing environment and providing alert notifications.
The Database Administration staff is responsible for monitoring the availability and performance of the databases and for providing corrective actions and/or alert notifications.
Compliance
ITS and departmental IT application and system administrators, as well as System Compliance Owners are responsible for ensuring appropriate compliance with this standard for IT resources within their areas of responsibility and are responsible for documenting appropriate compliance.
Procedures, Guidelines & Other Related Information
- University Policy 3501 - Information Technology Access Control Security Policy
- University Policy 3505 - Information Technology Security Policy
- Information Security Program
- Internal Procedures
History
Date |
Responsible Party |
Action |
December 2006 |
CIO/ITAC |
Created |
October 2007 |
CIO/ITAC |
Reaffirmed |
October 2008 |
CIO/ITAC |
Reaffirmed |
October 2009 |
CIO/ITAC |
Reaffirmed |
October 2010 |
CIO/ITAC |
Reaffirmed |
October 2011 |
CIO/ITAC |
Reaffirmed |
September 2012 |
CIO/ITAC |
Reaffirmed |
January 2014 |
IT Policy Office |
Added time stamp and sensitive data requirement. Added compliance. Revised employee titles. Added definitions. Numbering revised. |
May 2018 | IT Policy Office | Reviewed; minor wording changes, links updated |
November 2021 | IT Policy Office | Reviewed; definitions and links checked |