Printed on: 07/23/2018. Please go to http://policy.umn.edu for the most current version of the Policy or related document.

APPENDIX TO POLICY

Log Management Standard

Objective

System logs must be configured, securely stored and reviewed to help detect unauthorized activities on the University network or unauthorized access to University IT resources. Timely action must be taken in response to the identification of a potential security event in the logs.

Security Controls

Multi-user systems (e.g., server)

Log Storage and Retention

The following table defines the baseline security controls for log storage and retention for multi-user systems.

         Security Level
ID       High          Medium        Low           Description
LM.A.01  90 days       30 days       14 days       Retain security logs for immediate availability
LM.A.02  Required      Required      Recommended   Store logs on separate server or media that cannot be changed by those being monitored
LM.A.03  1 year        90 days       Optional      Retain logs in off-line storage

Log Analysis

The following table defines the baseline security controls for security log analysis for multi-user systems.

         Security Level
ID       High          Medium        Low           Description
LM.B.01  Required      Recommended   Optional      Periodically review security logs for anomalies
LM.B.02  Daily         Weekly        Optional      Frequency of review for security logs for anomalies
LM.B.03  Required      Required      Required      Remediate high risk anomalies
LM.B.04  Required      Recommended   Recommended   Remediate medium risk anomalies
LM.B.05  Required      Recommended   Optional      Remediate low risk anomalies
LM.B.06  Required      Required      Recommended   Document actions taken for high risk anomalies

Single-user systems (e.g., desktop, laptop)

Log Storage and Retention

The following table defines the baseline security controls for log storage and retention for single-user systems.

         Security Level
ID       High          Medium        Low           Description
LM.C.01  30 days       14 days       14 days       Retain security logs for immediate availability
LM.C.02  Optional¹     Optional      Optional      Store logs on separate server or media that cannot be changed by those being monitored
LM.C.03  Recommended¹  Recommended   Optional      Retain logs in off-line storage

Log Analysis

The following table defines the baseline security controls for security log analysis for single-user systems.

         Security Level
ID       High          Medium        Low           Description
LM.D.01  Optional¹     Optional      Optional      Periodically review security logs for anomalies
LM.D.02  Required      Recommended   Recommended   Remediate high risk anomalies
LM.D.03  Recommended¹  Recommended   Recommended   Remediate medium risk anomalies
LM.D.04  Recommended¹  Recommended   Optional      Remediate low risk anomalies
LM.D.05  Optional¹     Optional      Optional      Document actions taken for high risk anomalies

¹ Required for systems in scope for the credit card processing environment under PCI DSS. This includes systems that support, store, process or transmit cardholder data.

Network devices (e.g., firewall, switch, router, core node)

Log Storage and Retention

The following table defines the baseline security controls for log storage and retention for network devices.

         Security Level
ID       High          Medium        Low           Description
LM.E.01  10 days       10 days       10 days       Retain security logs for immediate availability
LM.E.02  Optional¹     Optional      Optional      Store logs on separate server or media that cannot be changed by those being monitored
LM.E.03  Recommended¹  Recommended   Optional      Retain logs in off-line storage

Log Analysis

The following table defines the baseline security controls for security log analysis for network devices.

         Security Level
ID       High          Medium        Low           Description
LM.F.01  Optional¹     Optional      Optional      Periodically review security logs for anomalies
LM.F.02  Required      Recommended   Recommended   Remediate high risk anomalies
LM.F.03  Recommended¹  Recommended   Recommended   Remediate medium risk anomalies
LM.F.04  Recommended¹  Recommended   Recommended   Remediate low risk anomalies
LM.F.05  Optional¹     Optional      Optional      Document actions taken for high risk anomalies

¹ Required for systems in scope for the credit card processing environment under PCI DSS. This includes systems that support, store, process or transmit cardholder data.

Resources Covered

This applies to IT resources owned or contracted by the University.

Individuals Covered

This applies to University community members who use or manage University IT resources.

Related Information

More information on Log Management

Published Date

  • November 2014
