University of Minnesota  Appendix

Log Management Standard

Sidebar

Expand all

Sidebar

Table of Contents

TOC placeholder

Governing Policy

Questions?

Please use the contact section in the governing policy.

Objective

Event logs recording user and administrative activities, exceptions, faults, and information security events must be configured, securely stored, monitored, and reviewed to help detect unauthorized activities on the University network or unauthorized access to University IT resources. Timely action must be taken in response to the identification of a potential security event in the logs. To protect the integrity of the logs, maintain the separation of duties for monitoring logs from those who have access to delete or modify the logs, or change the configuration of the logs.

University Information Security determines the logs they need access to for on-going incident response activities and those needed for forensic, or ad-hoc security incident investigation.

Security Controls

Event Logging

The following table defines the baseline security controls for activities to include in log collection.

Control Security Level
ID Description High Medium Low
LM.A.01 For systems: Access attempts: successful and unsuccessful, changes to system configuration, or security protection system Required
Effective July 2019
Required
Effective July 2019
Required
Effective July 2019
LM.A.02 For applications: Access attempts: successful and unsuccessful, or changes to application configuration Required
Effective July 2019
Recommended Recommended
LM.A.03 Use of privilege escalation on system or application (e.g. sudo, Microsoft UAC, RunAs) Required
Effective July 2019
Required
Effective July 2019
Required
Effective July 2019
LM.A.04 Direct use of system administrator account Required
Effective July 2019
Required
Effective July 2019
Required
Effective July 2019
LM.A.05 Files and database records accessed and type of access for private-highly restricted data (e.g., create, read, update, delete) Recommended1 Recommended Recommended
LM.A.06 Security alerts raised by the application, systems, or account management Required
Effective July 2019
Required
Effective July 2019
Recommended
LM.A.07 For systems: Account creation, modification, deletion, or change of privileges Required
Effective July 2019
Required
Effective July 2019
Recommended
LM.A.08 For applications: Account creation, modification, deletion, or change of privileges Required
Effective July 2019
Recommended Recommended

1 Required for:

  • Health information, HIPAA or ePHI compliance on in-scope systems and applications;
  • PCI DSS on all systems or applications that store, process, or transmit cardholder data, or support the credit card processing environment.

Clock Synchronization

The following table defines the baseline security controls to synchronize the system/device clock to ensure the accurate timestamp in the audit logs.

Control Security Level
ID Description High Medium Low
LM.B.01 Synchronize the clock to the University’s time servers (ntp.umn.edu) or a trusted external time source Required
Effective July 2019
Required
Effective July 2019
Required
Effective July 2019

Protection of Log Information

The following table defines the baseline security controls to protect the log information from unauthorized access, tampering, and operational problems with logging.

Control Security Level
ID Description High Medium Low
LM.C.01 For multi- user system (servers): Use a logging service that maintains the confidentiality, integrity, and non-repudiation of the logs1 Required Required Recommended
LM.C.01 For single-user systems or network infrastructure: Use a logging service that maintains the confidentiality, integrity, and non-repudiation of the logs1 Required
Effective July 2019
Required
Effective July 2019
Recommended
LM.C.02 For multi-user systems (servers): Control access to the log files to a limited group of authorized personnel. Type of access include write, delete, truncate, or modify Required Required Recommended
LM.C.02 For single user systems and network infrastructure: Control access to the log files to a limited group of authorized personnel. Type of access include write, delete, truncate, or modify Required
Effective July 2019
Required
Effective July 2019
Recommended
LM.C.03 Monitor for modifications to the log files Required
Effective July 2019
Required
Effective July 2019
Recommended
LM.C.04 Monitor for alterations to the log configuration (e.g., events recorded, remote logging) Required
Effective July 2019
Required
Effective July 2019
Recommended
LM.C.05 Manage storage capacity of the log files to avoid exceeding capacity and meet retention requirements Required
Effective July 2019
Required
Effective July 2019
Recommended
LM.C.06 Monitor event logging for continued operation Required
Effective July 2019
Required
Effective July 2019
Recommended
LM.C.07 Redact non-essential sensitive information, including private data from the logs prior to sharing with vendor or others for troubleshooting, unless contractually protected Required
Effective July 2019
Required
Effective July 2019
Required
Effective July 2019
LM.C.08 Obtain approval from the CISO to share logs beyond the scope of troubleshooting Required
Effective July 2019
Required
Effective July 2019
Recommended

1 Required by PCI DSS for all systems that store, process or transmit cardholder data, or support the credit card processing environment.

Log Retention

The following table defines the baseline security controls for log retention.

Control Security Level
ID Description High Medium Low
LM.D.01 For multi-user systems (servers): Retain and readily available for minimum duration Required - 90 days Required - 30 days Required - 30 days
Effective July 2019
LM.D.02 For multi-user systems (servers): Retain logs in off-line storage Required - 1 year Required - 90 days Optional
LM.D.03 For single-user systems: Retain and readily available for minimum duration Required - 14 days1
Effective July 2019
Required - 14 days Required - 14 days
LM.D.04 For single-user systems: Retain logs in off-line storage Recommended - 90 days2 Recommended - 90 days Optional
LM.D.05 For network infrastructure: Retain and readily available for minimum duration Required - 30 days1
Effective July 2019
Required - 10 days Required - 10 days
LM.D.06 For network infrastructure: Retain logs in off-line storage Required – 90 days2
Effective July 2019
Required - 90 days
Effective July 2019
Optional

1 PCI DSS requires 90 days for all systems or applications that store, process, or transmit cardholder data, or support the credit card processing environment.

2 PCI DSS requires 1 year for all systems or applications that store, process, or transmit cardholder data, or support the credit card processing environment.

Log Analysis

The following table defines the baseline security controls for security log analysis for multi-user systems.

Control Security Level
ID Description High Medium Low
LM.E.01 Periodically review the severity level assigned to anomalies included in log analysis. See security threat map for anomaly guidance (suggest: annual) See Security Threat Map Required
Effective July 2019
Required
Effective July 2019
Recommended
LM.E.02 Monitor and assess high severity anomalies Required - within 72 hours1
Effective July 2019
Required – Weekly
Effective July 2019
Recommended - Weekly
LM.E.03 Review and prioritize other anomalies for remediation Recommended – within 72 hours2 Recommended Optional
LM.E.04 For multi-user systems (servers): Document actions taken (including remediation) for high severity anomalies Required Required Recommended
LM.E.04 For single-user systems and network infrastructure: Document actions taken (including remediation) for high severity anomalies Required
Effective July 2019
Required
Effective July 2019
Recommended
LM.E.05 For multi-user systems (servers): Document actions taken (including remediation for other anomalies) Required Recommended Recommended
LM.E.05 For single-user systems and network infrastructure: Document actions taken (including remediation for other anomalies) Required
Effective July 2019
Recommended Recommended

1 PCI DSS requires within 24 hours for all systems or applications that store, process, or transmit cardholder data, or support the credit card processing environment.

2 Required for health information, HIPAA or ePHI, or where specified in a contractual agreement. For PCI DSS required within 24 hours, this includes systems/devices that store, process, transmit, or have the ability to impact the security of credit cardholder data.

Resources Covered

This applies to IT resources owned or contracted by the University.

Individuals Covered

This applies to University community members who use or manage University IT resources.

Related Information

Published Date

November 2014

Last Reviewed

April 2019