Standard: Event Monitoring

Similar documents
TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

State of Colorado Cyber Security Policies

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

The University of Texas at El Paso. Information Security Office Minimum Security Standards for Systems

ISO27001 Preparing your business with Snare

7.16 INFORMATION TECHNOLOGY SECURITY

Standard: Vulnerability Management & Standard

UCOP ITS Systemwide CISO Office Systemwide IT Policy. UC Event Logging Standard. Revision History. Date: By: Contact Information: Description:

Best practices with Snare Enterprise Agents

NIST Revision 2: Guide to Industrial Control Systems (ICS) Security

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

EXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

CIS Controls Measures and Metrics for Version 7

Understand & Prepare for EU GDPR Requirements

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

Standard: Electronic Data Disposition

Total Security Management PCI DSS Compliance Guide

GDPR Controls and Netwrix Auditor Mapping

Institute of Technology, Sligo. Information Security Policy. Version 0.2

LOGmanager and PCI Data Security Standard v3.2 compliance

WHITE PAPER. PCI and PA DSS Compliance with LogRhythm

CIS Controls Measures and Metrics for Version 7

Information Security Policy

Audit Logging and Monitoring Procedure Document Number: OIL-IS-PRO-ALM

IT Services IT LOGGING POLICY

GREATER ESSEX COUNTY DISTRICT SCHOOL BOARD

Carbon Black PCI Compliance Mapping Checklist

Information Technology Standard for PCI systems Syracuse University Information Technology and Services PCI Network Security Standard (Appendix 1)

Google Cloud Platform: Customer Responsibility Matrix. December 2018

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

FairWarning Mapping to PCI DSS 3.0, Requirement 10

INFORMATION RESOURCE SECURITY CONFIGURATION AND MANAGEMENT

SECURITY PRACTICES OVERVIEW

Information Technology General Control Review

Aligning with the Critical Security Controls to Achieve Quick Security Wins

Apex Information Security Policy

HIPAA Regulatory Compliance

SECURITY & PRIVACY DOCUMENTATION

WHO AM I? Been working in IT Security since 1992

Subject: University Information Technology Resource Security Policy: OUTDATED

Policy Document. PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy

DFARS Requirements for Defense Contractors Must Be Satisfied by DECEMBER 31, 2017

GDPR Draft: Data Access Control and Password Policy

Rev.1 Solution Brief

The Common Controls Framework BY ADOBE

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

2.4. Target Audience This document is intended to be read by technical staff involved in the procurement of externally hosted solutions for Diageo.

ISSUE N 1 MAJOR MODIFICATIONS. Version Changes Related Release No. PREVIOUS VERSIONS HISTORY. Version Date History Related Release No.

ISC2. Exam Questions CISSP. Certified Information Systems Security Professional (CISSP) Version:Demo

Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC

POLICY 8200 NETWORK SECURITY

PCI DSS v3.2 Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD PCI DSS

FISMA-NIST SP Rev.4 Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD FISMA NIST SP

Secure Access & SWIFT Customer Security Controls Framework

Education Network Security

Completing your AWS Cloud SECURING YOUR AMAZON WEB SERVICES ENVIRONMENT

Juniper Vendor Security Requirements

the SWIFT Customer Security

HIPAA Security and Privacy Policies & Procedures

SECURITY POLICY FOR USER. 1.Purpose: The policy aims at providing secure and acceptable use of client systems.

Security Policies and Procedures Principles and Practices

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017

Afilias DNSSEC Practice Statement (DPS) Version

HIPAA Compliance Checklist

Baseline Information Security and Privacy Requirements for Suppliers

ChromQuest 5.0. Tools to Aid in 21 CFR Part 11 Compliance. Introduction. General Overview. General Considerations

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Internal Audit Report DATA CENTER LOGICAL SECURITY

ISO 27002: 2013 Audit Standard Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD ISO 27002

Wireless Security Access Policy and Agreement

MEETING ISO STANDARDS

Agilent ICP-MS ChemStation Complying with 21 CFR Part 11. Application Note. Overview

National Cyber Security Operations Center (N-CSOC) Stakeholders' Conference

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Sample Security Risk Analysis ASP Meaningful Use Core Set Measure 15

Google Cloud Platform: Customer Responsibility Matrix. April 2017

Checklist: Credit Union Information Security and Privacy Policies

INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.1 SUCCESS AKAMAI SOLUTIONS BRIEF INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

Page 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES

INTERNATIONAL STANDARD

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Computerized Central Records System

Network Security Policy

How AlienVault ICS SIEM Supports Compliance with CFATS

HIPAA Controls. Powered by Auditor Mapping.

IndigoVision. Control Center. Security Hardening Guide

DATA BACKUP AND RECOVERY POLICY

NEN The Education Network

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY September 20, 2017

DoD Guidance for Reviewing System Security Plans and the NIST SP Security Requirements Not Yet Implemented This guidance was developed to

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

RIPE RIPE-17. Table of Contents. The Langner Group. Washington Hamburg Munich

efolder White Paper: HIPAA Compliance

SANS Top 20 CIS. Critical Security Control Solution Brief Version 6. SANS Top 20 CIS. EventTracker 8815 Centre Park Drive, Columbia MD 21045

Virginia Commonwealth University School of Medicine Information Security Standard

Security Standards for Electric Market Participants

Security Logging and Monitoring Standard

Transcription:

October 24, 2016 Page 1

Contents Revision History... 4 Executive Summary... 4 Introduction and Purpose... 5 Scope... 5 Standard... 5 Audit Log Standard: Nature of Information and Retention Period... 5 Sensitive Application Systems Logs... 8 Separation of Duties... 8 Production Application System Log Contents... 8 Logging Security-Relevant Events... 8 Logging Logon Attempts... 8 Systems Architecture for Logging Activities... 8 Computer System Audit Logs... 8 Monitoring System Use... 8 Privileged User ID Activity Logging... 9 Privileged System Command Accountability and Traceability... 9 Password Logging... 9 System Log Review... 9 Honeypots and Intrusion Detection Systems... 9 Monitoring and Recording Activity... 9 Electronic Mail Message Monitoring... 9 SPAM/Fraud Detection... 9 Protection of Log Information... 9 System Log Modification Controls... 10 October 24, 2016 Page 2

Log Deactivation, Modification, or Deletion... 10 System Log Protection... 10 Access to Logs... 10 Centralized Log Host Required... 10 Restricted Disclosure of Fields Recorded In System Logs... 10 Administrator and Operator Logs... 10 Computer Operator Logs... 10 Clock Synchronization... 10 Clock Synchronization... 11 October 24, 2016 Page 3

Event Monitoring Revision History Standard Effective Date Email Version Contact Phone OIT-EMS strevena@csustan.edu 1.0 Stan Trevena 209.667.3137 Executive Summary The Event Monitoring Standard defines the requirements for Information Security event monitoring within Stanislaus State computing resources to ensure that information security policies, procedures and controls are being followed and are effective in securing information resources with the goal in of safeguarding the confidentiality, integrity, and availability of information stored, processed, and transmitted. The campus systems should comply with all relevant legal requirements applicable to its monitoring and logging activities. October 24, 2016 Page 4

Introduction and Purpose This standard defines the requirements for Information Security event monitoring within Stanislaus State computing resources. It is intended to ensure that Stanislaus State s information security policies, procedures and controls are being followed and are effective in ensuring the confidentiality, integrity and availability of Stanislaus State s information resources. Scope This standard applies to all Stanislaus State, Self-Funded, and Auxiliary ( campus ) public (internet and campus facing) firewalls, VPNs, network authentication points and servers. Standard Sensitive systems should be monitored and information security events should be recorded. Operator logs and fault logging should be used to ensure information system problems are proactively identified. The campus systems should comply with all relevant legal requirements applicable to its monitoring and logging activities. System monitoring should be used to check the effectiveness of security controls implemented and to verify adherence to the access control standard. Audit Log Standard: Nature of Information and Retention Period The following table delineates the nature of audit log information and retention period, for each type of application or system. All audit logs must include a date, timestamp, source address, and destination address (where applicable). All audit logs should record logs in a standardized format such as syslog. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into this standard format. System Type Audit Log Information Retention Period Mirror or Backup Firewalls, Inbound/Outbound Proxy, Network IPS/IDS User log on (successful or failed attempts) User log off All Privileged commands (configuration changes) Activation and De-activation 60 days Mirrored in real-time to central logging server October 24, 2016 Page 5

System Type Audit Log Information Retention Period Mirror or Backup Network Infrastructure (Routers, Switches, WLAN Controllers) User log on User log off All Privileged commands (configuration changes) 60 days Mirrored in real-time to central logging server Wireless Network Clients User WLAN association, including source IP address, username, dates, times, and duration of access. 60 days Backup Required VPN User log on and log off Authenticated username VPN client source IP address Source IP address of remote connection Dates, times, and duration of access. 60 days Mirrored in real-time to central logging server Endpoints (Workstations, Laptops, Tablets, Mobile Computing devices) User logon and logoff 30 days Stored locally on endpoint Active Directory servers User log on and log off Creation/edit/deletion of all accounts 60 days Backup Required October 24, 2016 Page 6

System Type Audit Log Information Retention Period Mirror or Backup Servers with L1 Data/ Web App Internet Facing Where possible, read and write of sensitive level 1 or 2 information, including application, username, source IP address Creation/edit/deletion of all accounts Any exceptions when authorization is denied due to improper permissions Changes to system configuration and access control 60 days Stored locally and mirrored to central logging server SIEM All information security events User logon and logoff Creation/edit/deletion of all accounts Activation and De-activation All Privileged commands (configuration changes) 60 days Stored locally and mirrored to central logging server Physical Security (physical access control, key vault) All entry events All checkout events 90 days Stored on appropriate device or server System administrators are responsible for the initial, correct audit log configuration on each managed device. After the device is setup with correct logging, security personnel and/or system administrators should run biweekly reports that identify anomalies in logs. Logs should be actively reviewed, documenting the findings by authorized personnel. October 24, 2016 Page 7

Sensitive Application Systems Logs All production application systems that handle sensitive campus information must generate logs that capture every addition, modification, and deletion to such sensitive information. Separation of Duties System administrators shall not have write/delete or disable logs permissions to mirrored logging servers. A golden master must be maintained for the purposes of security forensics. This may be accomplished either through dual logging servers or granular permission lists. Elevated rights will reside with the Information Security Officer for these systems. Production Application System Log Contents All computer systems running campus production application systems must include logs that record, at a minimum, user session activity including user IDs, logon date and time, logoff date and time, as well as applications invoked, changes to critical application system files, changes to the privileges of users, and system start-ups and shut-downs. Logging Security-Relevant Events Computer systems handling sensitive, valuable, or critical information must securely log all significant security relevant events including, but not limited to, password guessing attempts, attempts to use privileges that are not authorized, modifications to production application software, and modifications to system software. Logging Logon Attempts Whether successful or not, all user initiated logon attempts to connect with Stanislaus State production information systems must be logged. Systems Architecture for Logging Activities Application and/or database management system software storing confidential Level 1 or Level 2 data must keep logs of user activities, and statistics related to these activities, that will in turn permit them to detect and issue alarms reflecting suspicious business events. Computer System Audit Logs Logs of computer security-relevant events must provide sufficient data to support comprehensive audits on the effectiveness of, and compliance with security measures. Monitoring System Use Procedures for monitoring use of information processing facilities should be established and the results of the monitoring activities reviewed regularly by authorized personnel October 24, 2016 Page 8

Privileged User ID Activity Logging All user ID creation, deletion, and privilege change activity performed by Systems Administrators and others with privileged user IDs must be securely logged. Privileged System Command Accountability and Traceability All privileged commands issued by computer system operators must be traceable to specific individuals through the use of comprehensive logs. Password Logging Unencrypted passwords, whether correctly typed or not, must never be recorded in system logs. System Log Review Computer operations staff or information security staff must review records reflecting security relevant events on all production multi-user machines in a periodic and timely manner. Honeypots and Intrusion Detection Systems On all internal servers containing Level 1 or Level 2 information, Stanislaus State must establish and operate application system logs, and other unauthorized activity detection mechanisms specified by the Office of Information Technology (OIT). Monitoring and Recording Activity Information about user activities may be collected anonymously, unless the information is being collected for authorized law enforcement or university investigation purposes. Network management systems may log specific user activities, these logs must have restricted access and operate autonomously to secure critical resources and systems from malicious activities. Electronic Mail Message Monitoring Messages sent over Stanislaus State internal electronic mail systems are not protected by law from wiretapping or monitoring, and may therefore be captured, read, and used by campus managers and Systems Administrators as deemed appropriate by ICSUAM 8105. SPAM/Fraud Detection To be able to immediately detect and respond to phishing attacks, Stanislaus State must mount an ongoing real-time analysis of spam messages currently traversing the Internet. This activity may alternatively be performed by a third party service specializing in this type of fraud detection. Protection of Log Information Logging facilities and log information should be protected against tampering and unauthorized access. October 24, 2016 Page 9

System Log Modification Controls Where possible, all Stanislaus State production information systems must employ at a minimum cryptographic MD5 or SHA-1 checksums to verify integrity of system logs. Log Deactivation, Modification, or Deletion Mechanisms to detect and record significant computer security events must be resistant to attempts to deactivate, modify, or delete the logging software and logs. System Log Protection All Stanislaus State production computer system logs must be protected with digital signatures or Active Directory credentials must document log entry sequence numbers, and must also be automatically monitored for sudden decreases in size, failures of digital signatures, and gaps in log entry sequence. Access to Logs All system and application logs must be maintained in a form that cannot be readily viewed by unauthorized persons. Authorized persons have a readily demonstrable need for such access in order to perform their regular duties. All others seeking access to these logs must first obtain approval from the OIT ISO. Centralized Log Host Required Server system logs must be recorded on both the involved servers and also a central or departmental log host separate from production application servers. These logs must be securely maintained for the time periods stated in server configuration guidelines issued by OIT. Restricted Disclosure of Fields Recorded In System Logs The specific nature of the information recorded in Stanislaus State audit trails and system logs is restricted to those who have a demonstrable need for such information in order to carry out their jobs. Administrator and Operator Logs System administrator and system operator activities should be logged. Computer Operator Logs All Stanislaus State multi-user production systems must have computer operator logs that show production application start and stop times, system boot and restart times, system configuration changes, system errors and corrective actions taken, and confirmation that files and output were handled correctly. Clock Synchronization The clocks of all relevant information processing systems within an organization or security domain should be synchronized with the campus central NTP service that is forensically sound and synchronized with GPS. October 24, 2016 Page 10

Clock Synchronization All multi-user computers connected to the Stanislaus State internal network must always have the current time accurately reflected in their internal clocks. October 24, 2016 Page 11

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback