Appendix
Sidebar
Table of Contents
Governing Policy
Questions?
Please use the contact section in the governing policy.
Objective
Event logs recording user and administrative activities, exceptions, faults, and information security events must be configured, securely stored, monitored, and reviewed to help detect unauthorized activities on the University network or unauthorized access to University IT resources. Timely action must be taken in response to the identification of a potential security event in the logs. To protect the integrity of the logs, maintain the separation of duties for monitoring logs from those who have access to delete or modify the logs, or change the configuration of the logs.
University Information Security determines the logs they need access to for on-going incident response activities and those needed for forensic, or ad-hoc security incident investigation.
Security Controls
Event Logging
The following table defines the baseline security controls for activities to include in log collection.
| Control | Security Level | |||
|---|---|---|---|---|
| ID | Description | High | Medium | Low |
| LM.A.01 | For systems: Access attempts: successful and unsuccessful, changes to system configuration, or security protection system | Required Effective July 2019 | Required Effective July 2019 | Required Effective July 2019 |
| LM.A.02 | For applications: Access attempts: successful and unsuccessful, or changes to application configuration | Required Effective July 2019 | Recommended | Recommended |
| LM.A.03 | Use of privilege escalation on system or application (e.g. sudo, Microsoft UAC, RunAs) | Required Effective July 2019 | Required Effective July 2019 | Required Effective July 2019 |
| LM.A.04 | Direct use of system administrator account | Required Effective July 2019 | Required Effective July 2019 | Required Effective July 2019 |
| LM.A.05 | Files and database records accessed and type of access for private-highly restricted data (e.g., create, read, update, delete) | Recommended1 | Recommended | Recommended |
| LM.A.06 | Security alerts raised by the application, systems, or account management | Required Effective July 2019 | Required Effective July 2019 | Recommended |
| LM.A.07 | For systems: Account creation, modification, deletion, or change of privileges | Required Effective July 2019 | Required Effective July 2019 | Recommended |
| LM.A.08 | For applications: Account creation, modification, deletion, or change of privileges | Required Effective July 2019 | Recommended | Recommended |
1 Required for:
- Health information, HIPAA or ePHI compliance on in-scope systems and applications;
- PCI DSS on all systems or applications that store, process, or transmit cardholder data, or support the credit card processing environment.
Clock Synchronization
The following table defines the baseline security controls to synchronize the system/device clock to ensure the accurate timestamp in the audit logs.
| Control | Security Level | |||
|---|---|---|---|---|
| ID | Description | High | Medium | Low |
| LM.B.01 | Synchronize the clock to the University’s time servers (ntp.umn.edu) or a trusted external time source | Required Effective July 2019 | Required Effective July 2019 | Required Effective July 2019 |
Protection of Log Information
The following table defines the baseline security controls to protect the log information from unauthorized access, tampering, and operational problems with logging.
| Control | Security Level | |||
|---|---|---|---|---|
| ID | Description | High | Medium | Low |
| LM.C.01 | For multi- user system (servers): Use a logging service that maintains the confidentiality, integrity, and non-repudiation of the logs1 | Required | Required | Recommended |
| LM.C.01 | For single-user systems or network infrastructure: Use a logging service that maintains the confidentiality, integrity, and non-repudiation of the logs1 | Required Effective July 2019 | Required Effective July 2019 | Recommended |
| LM.C.02 | For multi-user systems (servers): Control access to the log files to a limited group of authorized personnel. Type of access include write, delete, truncate, or modify | Required | Required | Recommended |
| LM.C.02 | For single user systems and network infrastructure: Control access to the log files to a limited group of authorized personnel. Type of access include write, delete, truncate, or modify | Required Effective July 2019 | Required Effective July 2019 | Recommended |
| LM.C.03 | Monitor for modifications to the log files | Required Effective July 2019 | Required Effective July 2019 | Recommended |
| LM.C.04 | Monitor for alterations to the log configuration (e.g., events recorded, remote logging) | Required Effective July 2019 | Required Effective July 2019 | Recommended |
| LM.C.05 | Manage storage capacity of the log files to avoid exceeding capacity and meet retention requirements | Required Effective July 2019 | Required Effective July 2019 | Recommended |
| LM.C.06 | Monitor event logging for continued operation | Required Effective July 2019 | Required Effective July 2019 | Recommended |
| LM.C.07 | Redact non-essential sensitive information, including private data from the logs prior to sharing with vendor or others for troubleshooting, unless contractually protected | Required Effective July 2019 | Required Effective July 2019 | Required Effective July 2019 |
| LM.C.08 | Obtain approval from the CISO to share logs beyond the scope of troubleshooting | Required Effective July 2019 | Required Effective July 2019 | Recommended |
1 Required by PCI DSS for all systems that store, process or transmit cardholder data, or support the credit card processing environment.
Log Retention
The following table defines the baseline security controls for log retention.
| Control | Security Level | |||
|---|---|---|---|---|
| ID | Description | High | Medium | Low |
| LM.D.01 | For multi-user systems (servers): Retain and readily available for minimum duration | Required - 90 days | Required - 30 days | Required - 30 days Effective July 2019 |
| LM.D.02 | For multi-user systems (servers): Retain logs in off-line storage | Required - 1 year | Required - 90 days | Optional |
| LM.D.03 | For single-user systems: Retain and readily available for minimum duration | Required - 14 days1 Effective July 2019 | Required - 14 days | Required - 14 days |
| LM.D.04 | For single-user systems: Retain logs in off-line storage | Recommended - 90 days2 | Recommended - 90 days | Optional |
| LM.D.05 | For network infrastructure: Retain and readily available for minimum duration | Required - 30 days1 Effective July 2019 | Required - 10 days | Required - 10 days |
| LM.D.06 | For network infrastructure: Retain logs in off-line storage | Required – 90 days2 Effective July 2019 | Required - 90 days Effective July 2019 | Optional |
1 PCI DSS requires 90 days for all systems or applications that store, process, or transmit cardholder data, or support the credit card processing environment.
2 PCI DSS requires 1 year for all systems or applications that store, process, or transmit cardholder data, or support the credit card processing environment.
Log Analysis
The following table defines the baseline security controls for security log analysis for multi-user systems.
| Control | Security Level | |||
|---|---|---|---|---|
| ID | Description | High | Medium | Low |
| LM.E.01 | Periodically review the severity level assigned to anomalies included in log analysis. See security threat map for anomaly guidance (suggest: annual) See Security Threat Map (google doc) | Required Effective July 2019 | Required Effective July 2019 | Recommended |
| LM.E.02 | Monitor and assess high severity anomalies | Required - within 72 hours1 Effective July 2019 | Required – Weekly Effective July 2019 | Recommended - Weekly |
| LM.E.03 | Review and prioritize other anomalies for remediation | Recommended – within 72 hours2 | Recommended | Optional |
| LM.E.04 | For multi-user systems (servers): Document actions taken (including remediation) for high severity anomalies | Required | Required | Recommended |
| LM.E.04 | For single-user systems and network infrastructure: Document actions taken (including remediation) for high severity anomalies | Required Effective July 2019 | Required Effective July 2019 | Recommended |
| LM.E.05 | For multi-user systems (servers): Document actions taken (including remediation for other anomalies) | Required | Recommended | Recommended |
| LM.E.05 | For single-user systems and network infrastructure: Document actions taken (including remediation for other anomalies) | Required Effective July 2019 | Recommended | Recommended |
1 PCI DSS requires within 24 hours for all systems or applications that store, process, or transmit cardholder data, or support the credit card processing environment.
2 Required for health information, HIPAA or ePHI, or where specified in a contractual agreement. For PCI DSS required within 24 hours, this includes systems/devices that store, process, transmit, or have the ability to impact the security of credit cardholder data.
Resources Covered
This applies to IT resources owned or contracted by the University.
Individuals Covered
This applies to University community members who use or manage University IT resources.
Related Information
- More information on Log Management
- How to use the information security standards
- See the Information Security policy appendices for additional information security standards that also apply to log management.
Published Date
November 2014
Last Reviewed
April 2019