Open for Comments - 8.2.2.7 System Logging Standard

Tags: logging

Introduction

System logs are essential for identifying, monitoring for, responding to, and preventing operational problems, security incidents, policy violations, and fraudulent activity.  The System Logging Standard defines the technical requirements that ensure compliance with OU's System Logging Policy.

This standard applies to all information technology resources or assets operated and/or managed by staff or faculty at OU.  Where practical, third-party systems and services should be logged to the same standard as OU systems.  

Supporting Policy

System Logging Policy

Standard

  1. Audit logs must contain at least the following information: date and time of activity (synchronized via Network Time Protocol [NTP]), origin (e.g., IP address), user or process performing activity, description of activity, and success or failure.
  2. Log Retention Requirements (by data classification):
    1. Authentication, network device, endpoint, and server logs: 30 days active / 1 year archive
    2. Healthcare Information: 30 days active / 6 years archive
    3. PCI Data: 30 days active / 1 year archive
    4. Student Information: 30 days active / 3 years archive
    5. Confidential Research: 1 year active / 3 years archive
    6. Administrative and Financial Information: 30 days active / 1 year archive
    7. Public Information: 30 days active / 90 days archive
  3. Logs must be secured against tampering.  Only authorized OU IT, DIT, and SECOPS staff may access logs.  Access to logs must be reviewed annually.
  4. Monitoring Requirements:
    1. PCI logs: Daily
    2. Other regulated or mission-critical categories: Annually or as defined in the internal Log Management (LM9) procedures maintained by SECOPS.
    3. Logs should be transferred in real-time or near real-time to the OU SIEM where feasible.
    4. Monitoring and reconciliation must follow the internal Log Management (LM9) procedures.
  5. Logging Requirements by Category:
    1. Authentication Systems: log logins, failures, password changes, account changes, lockouts
    2. Network Devices: log privileged actions, login attempts, packet screening denials, system changes 
    3. Endpoints: log startup/shutdown, service changes, network failures, login activity, privileged actions, configuration changes 
    4. Storage Systems: log file creation, modification, deletion, failed access attempts, privileged actions 
    5. Databases: log access attempts, privileged use, permission changes, user/group changes, administrative actions, encryption key usage, transactions 
    6. Servers: log startup/shutdown, service changes, login activity, privileged actions, configuration changes, application startup/shutdown/failures 
  6. Criticality-Based Logging Obligations: Tier 0-1 systems must be onboarded to the OU SIEM and validated periodically.  Tiers 2-4 must maintain local logging and review where available. 
  7. Governance & Exception Handling: Exceptions must be approved by CISO/GRC with mitigation documented.  SECOPS will perform monthly reconciliation of SIEM sources versus the authoritative asset inventory (ITAM) and report to CISO/GRC. 
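Items 1 and 3 above set two checkable properties for every log store: each record carries the five required fields, and the store resists tampering.  The script below is an added example, not part of OU's standard or of the LM9 procedures, that tests both over a few constructed records.  The JSON field names (`time`, `origin`, `actor`, `action`, `outcome`), the HMAC-chained storage format and the key handling are assumptions chosen for illustration; OU's SIEM may use different mechanisms.

```python
"""Check audit records against the standard's minimum content (item 1) and keep
them in a tamper-evident HMAC chain (one way to satisfy item 3).
Added example; field names and chain layout are assumptions, not OU's format."""
from __future__ import annotations

import hashlib
import hmac
import json
from datetime import datetime
from typing import Optional

# Assumed JSON keys, mapped to the content item 1 requires.
REQUIRED = {
    "time":    "date and time of activity",
    "origin":  "origin (e.g., IP address)",
    "actor":   "user or process performing activity",
    "action":  "description of activity",
    "outcome": "success or failure",
}
GENESIS = "0" * 64  # previous-MAC value for the first entry in a chain

# Constructed sample records; the third is deliberately non-compliant.
SAMPLE = [
    {"time": "2025-10-01T14:03:22Z", "origin": "10.20.30.40", "actor": "jdoe",
     "action": "ssh login", "outcome": "success"},
    {"time": "2025-10-01T14:03:50Z", "origin": "10.20.30.40", "actor": "jdoe",
     "action": "sudo /usr/bin/systemctl restart sshd", "outcome": "success"},
    {"time": "2025-10-01 14:04", "origin": "10.20.30.41",
     "action": "ssh login", "outcome": "failed"},
]


def validate_record(rec: dict) -> list[str]:
    """Return the list of problems with a record; empty means it meets item 1."""
    problems = [f"missing {REQUIRED[k]}" for k in REQUIRED if k not in rec]
    if "time" in rec:
        try:
            # Accept RFC 3339 'Z' on older Pythons by normalising to an offset.
            ts = datetime.fromisoformat(str(rec["time"]).replace("Z", "+00:00"))
            if ts.tzinfo is None:
                # A timestamp without an offset cannot be correlated across hosts,
                # even if the clocks behind it are NTP-synchronised.
                problems.append("time has no timezone offset")
        except ValueError:
            problems.append("time is not ISO 8601")
    if rec.get("outcome") not in (None, "success", "failure"):
        problems.append("outcome must be 'success' or 'failure'")
    return problems


def _canonical(rec: dict) -> str:
    """Stable serialisation so the MAC does not depend on key order."""
    return json.dumps(rec, sort_keys=True, separators=(",", ":"))


def append_entry(chain: list[dict], rec: dict, key: bytes) -> dict:
    """Append rec, binding it to the previous entry's MAC."""
    prev = chain[-1]["mac"] if chain else GENESIS
    mac = hmac.new(key, (prev + _canonical(rec)).encode(), hashlib.sha256).hexdigest()
    entry = {"prev": prev, "record": dict(rec), "mac": mac}
    chain.append(entry)
    return entry


def build_chain(records: list[dict], key: bytes) -> list[dict]:
    chain: list[dict] = []
    for rec in records:
        append_entry(chain, rec, key)
    return chain


def verify_chain(chain: list[dict], key: bytes) -> Optional[int]:
    """Return the index of the first entry that fails, or None if intact.
    Editing, reordering or deleting any entry breaks every later link."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        expect = hmac.new(key, (prev + _canonical(entry["record"])).encode(),
                          hashlib.sha256).hexdigest()
        if entry["prev"] != prev or not hmac.compare_digest(entry["mac"], expect):
            return i
        prev = entry["mac"]
    return None


def demo() -> tuple[list[list[str]], Optional[int], Optional[int]]:
    """Validate the samples, chain the compliant ones, then simulate tampering."""
    key = b"example-hmac-key"  # assumption: a real key lives off the logging host
    results = [validate_record(r) for r in SAMPLE]
    chain = build_chain([r for r in SAMPLE if not validate_record(r)], key)
    before = verify_chain(chain, key)
    chain[0]["record"]["actor"] = "root"  # an attacker rewriting history
    return results, before, verify_chain(chain, key)


if __name__ == "__main__":
    problems, before, after = demo()
    for i, p in enumerate(problems):
        print(f"record {i}: {'ok' if not p else '; '.join(p)}")
    print("chain before tampering:", before, "/ after:", after)
```

The MAC key must be held by a party other than the host producing the logs (the SIEM or a dedicated log collector), otherwise an attacker with root on that host can simply re-chain the edited log.  Forwarding to the SIEM in near real time, as item 4.3 requires, limits the window in which a local copy can be rewritten before it has been received.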

References

  1. National Institute of Standards and Technology Cybersecurity Framework (CSF), ID.SC-4, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-1, PR.PT-4, DE.AE-2, DE.CM-1
  2. National Institute of Standards and Technology Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: 3.3.1, 3.3.5, 3.13.1, 3.13.2, 3.13.5, 3.13.6
  3. Health Insurance Portability and Accountability Act of 1996 (HIPAA), Security Rule §164.308(a)(1)(ii)(D), §164.308(a)(6)(i), §164.308(a)(5)(ii)(B), §164.308(a)(5)(ii)(C), §164.308(a)(8), §164.312(b), §164.312(e)(2)(i)
  4. National Institute of Standards and Technology Special Publication 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations, AU-2, AU-6, AU-12, AU-16, SA-9, SA-12
  5. Payment Card Industry Data Security Standard (PCI DSS), 10.6, 11.4, 12.5.2, 12.8
  6. Gramm-Leach-Bliley Act (GLBA), 16 CFR 314.4(c), 314.4(f)
  7. NIST SP 800-92, Guide to Computer Security Log Management
  8. OU Criticality Definitions (LM1)
  9. OU IT SECOPS Log Management Procedures (LM9)

Revision, Review, and Approval History

  • August 2023: OU IT Governance, Risk, and Compliance: Initial draft, opened for comments
  • September 2023: College of Medicine Cell Biology: Standard reviewed, comments submitted
  • September 2023: OU IT Classified Research: Standard reviewed, comments submitted
  • October 2023: OU IT Digital Innovation Group: Standard reviewed, comments submitted
  • December 2023: OU IT Governance, Risk, and Compliance: Comment period closed
  • March 2023: OU IT Governance, Risk, and Compliance: See PSP Comment Summary for details.
  • October 2025: Added SIEM requirements based on criticality tiers.  Revised format of log requirement details.