Audit Logging and Monitoring Procedure Document Number: OIL-IS-PRO-ALM

Transcription

1 Audit Logging and Monitoring Procedure Document Number: OIL-IS-PRO-ALM

2 Document Détails Title Description Version 1.0 Author Classification Review Date 25/02/2015 Audit Logging and Monitoring Procedures Procedure for Audit Logging and Monitoring Information Security Manager Internal Reviewer & Custodian CISO Approved By Release Date 23/03/2015 Information Security Council (ISC) Owner CISO Distribution List Name Internal Distribution Only Version History Version Number Version Date /03/2015 Internal Page 2 of 6

3 Table of Contents 1. Audit Logging and Monitoring Audit trail rules Monitoring system use Monitoring of firewall logs Use of Intrusion detection system Deployment of a central syslog server Security Audits... 6 Internal Page 3 of 6

4 1. Audit Logging and Monitoring All computing resources not limited to server, desktops, laptops, network devices should be monitored to ensure conformity to logical access policies and procedures. This is necessary to determine the effectiveness of measures adopted and to ensure conformity to logical access policies and procedures. 2. Audit trail rules Audit trails recording exceptions and other security-related events should be logged for all computing resources available within the OIL network not limited to user and admin accounts. The logs generated would be kept for a quarter to assist in future investigations and access control monitoring. All logs stored should be protected from unauthorized access. All logs should be in Read only format and un-editable even by the system administrator. A record of successful system access, in addition to rejected attempts, should be created. At a minimum, audit trails must include the following: User ID s Dates and times for logon and logoff Terminal identity or location if possible All logs would be reviewed periodically by the Network/System Administrator and report submitted to IT Head. 3. Monitoring system use The systems use must be monitored to ensure that users are only performing processes that have been explicitly authorized. The level of monitoring required for individual systems should be determined by a separate risk assessment. Areas that must be monitored are: Access failures Review of logon patterns for indications of abnormal use or revived user Ids Internal Page 4 of 6

5 Allocation and use of user accounts including users with admin rights Tracking of selected transactions The use of sensitive resources Dial-up activity Firewall activity O/S and application access attempts 3.1. Monitoring of firewall logs The Systems Engineers must review the Internet connection audit reports created on the firewall for any unusual/suspicious activities. The period between reviews should not exceed two days. This shall be a part of the daily activities performed by the system engineer and will be recorded in the Daily Checklist. Alarms must be configured to alert the Systems Engineers of Systems Operations Group about any suspected activities, security breaches or violations and any other related events generated by the firewall. The events to be monitored include, but not limited to: A session being initiated from the external world Spoofing activities Suspicious activities taking place internally and from external sources A new server/host attaching to the network locally and remotely Well known hacker signatures Password guessing attempts Attempts to use privileges that have not been authorized Modification to system software Use of Intrusion detection system Network Intrusion Detection Systems (NIDS) should be deployed to monitor network traffic to and from the network segments hosting sensitive information resources viz. critical applications. Host based Intrusion Detection Systems (HIDS) should be considered for deployment on critical or high value information assets/systems. Internal Page 5 of 6

6 The intrusion detection systems should be configured to send critical alerts to the concerned system and security administrators on a real-time basis. Further, the IDS logs should be reviewed and documented on a weekly basis by the concerned system and security administrators. 4. Deployment of a central Syslog server A centralized logging server (viz. syslog server) should be deployed for gathering logs from various systems, firewalls and IDS in a centralized location. Log analysis tools should be used for analyzing the logs collected in the logging server. The capacity of the syslog server should be planned accordingly. 5. Security Audits Internal security compliance audits not limited to Software compliance audit, Network security audit, internal audits shall be conducted on an annual basis. Internal Page 6 of 6