Administrative Regulation: Monitoring and Logging
Regulation Number: 7.1.5
_____________________________________________________________________________________
Purpose:
This Monitoring and Logging Administrative Regulation (the “Admin Reg”) outlines College practices and procedures regarding the monitoring and logging of events related to Institutional Resources. Standardized monitoring and logging procedures ensure the College is able to readily identify suspicious incidents and effectively protect the confidentiality, integrity, and availability of Institutional Resources.
Definitions:
Capitalized terms not defined in this Admin Reg have the meaning set forth in the Information Security Policy.
Scope:
This Admin Reg applies to all Institutional Resources. Responsibilities identified in this Admin Reg apply to IT or other Personnel tasked with monitoring system events.
Log Content:
Where technically possible, and not in conflict with regulatory or contractual requirements, systems will record and retain log records of the following events. Log records will be made regardless of whether attempted activities are failed or successful.
- User login attempts;
- File or database access attempts;
- Use of privileged accounts with administrative access;
- Use of privileged access or operations (e.g., adding a new user or group, changing user privilege levels, changing file permissions, changing database object permissions, changing firewall rules, user password changes, etc.);
- Act of switching to or acting as a different user account
- Accept an incoming network service request;
- System, network, or services configuration changes, including installation of software patches and updates, or other installed software changes;
- Server-based application process startup, shutdown, restart, or abnormal end;
- Activation and deactivation of protection systems such as anti-virus, intrusion detection, and file integrity systems; and
- Alarms and/or detection of suspicious or malicious activity provided by an information security system, such as an Intrusion Detection or Prevention System (IDS/IPS), file integrity monitor, anti-virus system, or anti-malware system.
Log records will capture sufficient information to provide the following:
- Identification of the activity performed;
- Identification of the person or entity that performed the activity (e.g., username or other ID, source address, destination address);
- Object the activity was performed against;
- Date and time stamp of the activity; and
- Status, outcome, and/or result of the activity.
Log Storage and Retention:
IT Resources will be configured to support formatting and storage of logs that ensure the integrity and availability of log information. Log information will be retained for a minimum of three (3) months for immediately available analysis. Logs will be subject to the College’s Data Backup Administrative Reg.
Log Monitoring and Review:
Logs will be reviewed regularly by authorized IT personnel to ensure College resources remain secure. Frequency of log reviews will be determined based on the criticality of the Institutional Resources related to the logs, based on the College’s Information Classification Administrative Reg.
Alerts based on thresholds and triggering events will be incorporated into logging practices to facilitate monitoring of logs and flagging of suspicious activity. Detection of suspicious activity will be reported and handled in accordance with the College’s Incident Response Administrative Reg.
Controls will be in place to ensure logs are not improperly accessed or modified and logging is not improperly halted.
References:
Data Backup Administrative Regulation
Incident Response Administrative Regulation
Information Classification Administrative Regulation
Information Security Policy
Revision History:
Original Adoption Date: 1/29/24
Revision Date(s):
Date Reviewed, no change: