WIXLIB

Standard: Event MonitoringStandard: Event MonitoringOctober 24, 2016Page 1

Standard: Event MonitoringContentsRevision History . 4Executive Summary . 4Introduction and Purpose . 5Scope. 5Standard . 5Audit Log Standard: Nature of Information and Retention Period . 5Sensitive Application Systems Logs . 8Separation of Duties . 8Production Application System Log Contents . 8Logging Security-Relevant Events . 8Logging Logon Attempts . 8Systems Architecture for Logging Activities . 8Computer System Audit Logs . 8Monitoring System Use . 8Privileged User ID Activity Logging . 9Privileged System Command Accountability and Traceability . 9Password Logging . 9System Log Review . 9Honeypots and Intrusion Detection Systems. 9Monitoring and Recording Activity . 9Electronic Mail Message Monitoring. 9SPAM/Fraud Detection . 9Protection of Log Information . 9System Log Modification Controls . 10October 24, 2016Page 2

Standard: Event MonitoringLog Deactivation, Modification, or Deletion . 10System Log Protection . 10Access to Logs. 10Centralized Log Host Required . 10Restricted Disclosure of Fields Recorded In System Logs. 10Administrator and Operator Logs . 10Computer Operator Logs . 10Clock Synchronization . 10Clock Synchronization . 11October 24, 2016Page 3

Standard: Event MonitoringEvent MonitoringRevision HistoryStandardEffective n.edu1.0Stan Trevena209.667.3137Executive SummaryThe Event Monitoring Standard defines the requirements for Information Security event monitoring withinStanislaus State computing resources to ensure that information security policies, procedures and controlsare being followed and are effective in securing information resources with the goal in of safeguarding theconfidentiality, integrity, and availability of information stored, processed, and transmitted. The campussystems should comply with all relevant legal requirements applicable to its monitoring and loggingactivities.October 24, 2016Page 4

Standard: Event MonitoringIntroduction and PurposeThis standard defines the requirements for Information Security event monitoring within Stanislaus Statecomputing resources. It is intended to ensure that Stanislaus State‘s information security policies, proceduresand controls are being followed and are effective in ensuring the confidentiality, integrity and availability ofStanislaus State‘s information resources.ScopeThis standard applies to all Stanislaus State, Self-Funded, and Auxiliary (“campus”) public (internet andcampus facing) firewalls, VPNs, network authentication points and servers.StandardSensitive systems should be monitored and information security events should be recorded. Operator logsand fault logging should be used to ensure information system problems are proactively identified. Thecampus systems should comply with all relevant legal requirements applicable to its monitoring and loggingactivities. System monitoring should be used to check the effectiveness of security controls implemented andto verify adherence to the access control standard.Audit Log Standard: Nature of Information and Retention PeriodThe following table delineates the nature of audit log information and retention period, for each type ofapplication or system. All audit logs must include a date, timestamp, source address, and destination address(where applicable). All audit logs should record logs in a standardized format such as syslog. If systemscannot generate logs in a standardized format, log normalization tools can be deployed to convert logs intothis standard format.System TypeAudit Log InformationRetention PeriodMirror or BackupFirewalls,Inbound/OutboundUser log on (successful or failedattempts)60 daysMirrored in real-timeto central loggingserverProxy, Network IPS/IDSUser log offAll Privileged commands(configuration changes)Activation and De-activationOctober 24, 2016Page 5

Standard: Event MonitoringSystem TypeAudit Log InformationRetention PeriodMirror or BackupNetwork InfrastructureUser log on60 daysMirrored in real-timeto central loggingserver(Routers, Switches,WLAN Controllers)User log offAll Privileged commands(configuration changes)Wireless NetworkClientsUser WLAN association, includingsource IP address, username,dates, times, and duration ofaccess.60 daysBackup RequiredVPNUser log on and log off60 daysMirrored in real-timeto central loggingserverAuthenticated usernameVPN client source IP addressSource IP address of remoteconnectionDates, times, and duration ofaccess.Endpoints(Workstations, Laptops,Tablets, MobileComputing devices)User logon and logoff30 daysStored locally onendpointActive DirectoryserversUser log on and log off60 daysBackup RequiredOctober 24, 2016Creation/edit/deletion of allaccountsPage 6

Standard: Event MonitoringSystem TypeAudit Log InformationRetention PeriodMirror or BackupServers with L1 Data/Web App InternetWhere possible, read and write ofsensitive level 1 or 2 information,including application, username,source IP address60 daysStored locally andmirrored to centrallogging server60 daysStored locally andmirrored to centrallogging server90 daysStored onappropriate device orserverFacingCreation/edit/deletion of allaccountsAny exceptions whenauthorization is denied due toimproper permissionsChanges to system configurationand access controlSIEMAll information security eventsUser logon and logoffCreation/edit/deletion of allaccountsActivation and De-activationAll Privileged commands(configuration changes)Physical Security(physical accesscontrol, key vault)All entry eventsAll checkout eventsSystem administrators are responsible for the initial, correct audit log configuration on each managed device.After the device is setup with correct logging, security personnel and/or system administrators should runbiweekly reports that identify anomalies in logs. Logs should be actively reviewed, documenting the findingsby authorized personnel.October 24, 2016Page 7

Standard: Event MonitoringSensitive Application Systems LogsAll production application systems that handle sensitive campus information must generate logs that captureevery addition, modification, and deletion to such sensitive information.Separation of DutiesSystem administrators shall not have write/delete or disable logs permissions to mirrored logging servers. A“golden master” must be maintained for the purposes of security forensics. This may be accomplished eitherthrough dual logging servers or granular permission lists. Elevated rights will reside with the InformationSecurity Officer for these systems.Production Application System Log ContentsAll computer systems running campus production application systems must include logs that record, at aminimum, user session activity including user IDs, logon date and time, logoff date and time, as well asapplications invoked, changes to critical application system files, changes to the privileges of users, andsystem start-ups and shut-downs.Logging Security-Relevant EventsComputer systems handling sensitive, valuable, or critical information must securely log all significantsecurity relevant events including, but not limited to, password guessing attempts, attempts to use privilegesthat are not authorized, modifications to production application software, and modifications to systemsoftware.Logging Logon AttemptsWhether successful or not, all user initiated logon attempts to connect with Stanislaus State productioninformation systems must be logged.Systems Architecture for Logging ActivitiesApplication and/or database management system software storing confidential Level 1 or Level 2 data mustkeep logs of user activities, and statistics related to these activities, that will in turn permit them to detect andissue alarms reflecting suspicious business events.Computer System Audit LogsLogs of computer security-relevant events must provide sufficient data to support comprehensive audits onthe effectiveness of, and compliance with security measures.Monitoring System UseProcedures for monitoring use of information processing facilities should be established and the results of themonitoring activities reviewed regularly by authorized personnelOctober 24, 2016Page 8

Standard: Event MonitoringPrivileged User ID Activity LoggingAll user ID creation, deletion, and privilege change activity performed by Systems Administrators and otherswith privileged user IDs must be securely logged.Privileged System Command Accountability and TraceabilityAll privileged commands issued by computer system operators must be traceable to specific individualsthrough the use of comprehensive logs.Password LoggingUnencrypted passwords, whether correctly typed or not, must never be recorded in system logs.System Log ReviewComputer operations staff or information security staff must review records reflecting security relevantevents on all production multi-user machines in a periodic and timely manner.Honeypots and Intrusion Detection SystemsOn all internal servers containing Level 1 or Level 2 information, Stanislaus State must establish and operateapplication system logs, and other unauthorized activity detection mechanisms specified by the Office ofInformation Technology (OIT).Monitoring and Recording ActivityInformation about user activities may be collected anonymously, unless the information is being collected forauthorized law enforcement or university investigation purposes. Network management systems may logspecific user activities, these logs must have restricted access and operate autonomously to secure criticalresources and systems from malicious activities.Electronic Mail Message MonitoringMessages sent over Stanislaus State internal electronic mail systems are not protected by law fromwiretapping or monitoring, and may therefore be captured, read, and used by campus managers and SystemsAdministrators as deemed appropriate by ICSUAM 8105.SPAM/Fraud DetectionTo be able to immediately detect and respond to phishing attacks, Stanislaus State must mount an ongoingreal-time analysis of spam messages currently traversing the Internet. This activity may alternatively beperformed by a third party service specializing in this type of fraud detection.Protection of Log InformationLogging facilities and log information should be protected against tampering and unauthorized access.October 24, 2016Page 9