Policy Statement
It is the policy of the OU that faculty and staff who manage or operate any OU or third-party systems, information technology resources, or assets must implement processes to ensure that access and activity are recorded and reviewed.
Web Address For This Policy
https://universityok.navexone.com/content/docview/?docid=218&public=true
Scope
This policy applies to all information technology resources or assets operated and/or managed by staff or faculty at OU. Where practical, third-party systems and services should be logged to the same standard as OU systems.
Definitions
- Office of Information Technology (OU IT): The Office of Information Technology is OU’s enterprise IT office, providing systemwide services and support.
- Department Information Technology (DIT): Department IT provides services and support specific to the industry of a college or department to aid in teaching and research.
Procedure
- Office of Information Technology and Department Information Technology Staff (IT staff)
- Audit logs must be produced and retained to assist in future investigations and in access control monitoring.
- Audit logs must record sufficient information for the logs to be reviewed through automated or manual processes in accordance with the System Logging Standard.
- Certain audit logs may be required to be archived as part of the record retention procedures or because of requirements to collect evidence. Audit logs must be retained in accordance with the System Logging Standard.
- Audit logs must be reviewed in accordance with the System Logging Standard to confirm that users are performing only activities that have been authorized.
- Audit logs must be considered confidential and protected data. OU IT and Departmental IT must take active measures to prevent unauthorized access during the retention period in accordance with the System Logging Standard.
- IT staff must record and retain authentication logs (Active Directory, Lightweight Directory Access Protocol (LDAP), RADIUS, Shibboleth, Kerberos, Linux IdAM, etc.) in accordance with the System Logging Standard.
- IT staff who manage or maintain network devices must record and retain network device logs in accordance with the System Logging Standard.
- Where technically possible and when not in conflict with regulatory or contractual requirements, IT staff should record and retain user endpoint audit logs in accordance with the System Logging Standard.
- Storage system logs provide information about data creation, modification, deletion, and access. IT staff must record and retain storage system logs in accordance with the System Logging Standard.
- Database logs contain information about access events and system privileges used in the database. IT staff must record and retain database logs in accordance with the System Logging Standard.
- Application logs have the potential to identify information about a user (e.g., identity, roles, permissions) and the context of a log event (target, action, outcomes), and often this data is not available to either infrastructure devices, or even closely related applications. Where technically possible and when not in conflict with regulatory or contractual requirements, IT staff should record and retain application audit log records in accordance with the System Logging Standard.
- Server logs provide detailed information about user and device activity and are an integral part of system administration. IT staff must record and retain server logs in accordance with the System Logging Standard.
References
- National Institute of Standards and Technology Cybersecurity Framework (CSF), ID.SC-4, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-1, PR.PT-4, DE.AE-2, DE.CM-1
- National Institute of Standards and Technology Special Publication 800-171, Protecting Controlled Unclassified Information: 3.3.1, 3.3.5, 3.13.1, 3.13.2, 3.13.5, 3.13.6
- Health Insurance Portability and Accountability Act of 1996 (HIPAA), Security Rule §164.308(a)(1)(ii)(D), §164.308(a)(6)(i), §164.308(a)(5)(ii)(B), §164.308(a)(5)(ii)(C), §164.308(a)(8), §164.312(b), §164.312(e)(2)(i)
- National Institute of Standards and Technology Special Publication 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations: AU-2, AU-6, AU-12, AU-16, SA-9, SA-12
- Payment Card Industry (PCI) Data Security Standards, 10.6, 11.4, 12.5.2, 12.8
- Gramm-Leach-Bliley Act (GLBA), 314.4(c), 314.4(f)