Log Management Standard

Purpose

  • Instruct systems, applications, and services administrators on the logging management requirement for all University of Oregon ("University") computing and information resources, as required by the Information Asset Classification and Management Policy (IV.06.02).

  • Requirements identified herein reduce risks to the confidentiality, integrity and availability of university data and systems (“information assets”).

Application

This Standard applies to all information systems or resources used by the University to process, handle or store university information; accept or control network connections; or make access control (authentication and authorization) decisions.


Definitions 

See ISO Standards - Glossary and Iconography for details.


Standards 

All University-owned information system devices and applications that have the capability shall be configured to produce audit and log records. The audit/log records to be produced shall be determined, documented, implemented, and reviewed. Logs shall be retained in accordance with the UO Records Retention Schedule.

  • Log events in an audit logging program should at minimum include:

    • Operating System (OS) Events: start up and shut down of the system; start up and shut down of a service; network connection changes or failures; changes to, or attempts to change, system security settings and controls.
    • OS Audit Records: log on attempts (successful or unsuccessful); the function(s) performed after logging on (e.g., reading or updating a critical file, software installation); account changes (e.g., account creation and deletion, account privilege assignment); successful/failed use of privileged accounts.

      • Note for HIPAA covered entities: HIPAA requires ALL access events for ePHI to be logged.

    • Application Account Information: successful and failed application authentication attempts; application account changes (e.g., account creation and deletion, account privilege assignment); use of application privileges.

    • Application Operations: application startup and shutdown; application failures; major application configuration changes; application transactions (e.g., e-mail servers recording the sender, recipients, subject name, and attachment names for each e-mail; web servers recording each URL requested and the type of response provided by the server; business applications recording which financial records were accessed by each user).

    • The details logged for each event may vary widely, but at minimum each event should capture:

      • timestamp

      • event, status, and/or error codes

      • service/command/application name

      • user or system account associated with an event

      • device used (e.g., source and destination IPs, terminal session ID, web browser, etc.)

    • Clock Synchronization

      • Synchronize the clock to the University’s time servers (ntp.uoregon.edu, ad.uoregon.edu) or a trusted external time source

    • Network Infrastructure (such as Firewalls, VPNs etc.)
      • Firewalls SHALL be configured to send ALL logs to the aggregation system
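The minimum per-event fields above (timestamp, event/status/error code, service name, account, device) are easiest to enforce if something checks the records a system actually emits before they are forwarded. The following is an added example, not code from the standard or from the Information Security Office: it reads newline-delimited JSON events and reports which of the required fields are absent. The field names it looks for (`timestamp`, `event`, `status`, `service`, `user`, `src_ip`, and so on) are assumptions for this example, since the standard prescribes the information to capture, not a schema; the sample log is constructed. It also checks that the timestamp carries a timezone offset, since events from clock-synchronized hosts are only correlatable in the aggregation system if their timestamps are unambiguous.

```python
"""Check log events against the minimum per-event fields required by the
Log Management Standard. Example code added for illustration; the field
names below are assumptions, not a schema defined by the standard."""
import json
from datetime import datetime

# Each required item maps to the JSON keys (assumed names) that satisfy it.
REQUIRED_FIELDS = {
    "timestamp": ("timestamp",),
    "event/status/error code": ("event", "status", "error_code"),
    "service/command/application": ("service", "command", "application"),
    "account": ("user", "account"),
    "device": ("src_ip", "dst_ip", "session_id", "user_agent"),
}


def has_tz_timestamp(value):
    """True if value parses as ISO 8601 and carries a UTC offset; events from
    different hosts cannot be ordered reliably without one."""
    try:
        dt = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    except ValueError:
        return False
    return dt.tzinfo is not None


def check_event(event):
    """Return a list of deficiencies for one event (empty means compliant)."""
    problems = []
    for label, keys in REQUIRED_FIELDS.items():
        if not any(event.get(k) not in (None, "") for k in keys):
            problems.append(f"missing {label} (one of {', '.join(keys)})")
    if "timestamp" in event and not has_tz_timestamp(event["timestamp"]):
        problems.append("timestamp is not ISO 8601 with timezone offset")
    return problems


def audit_log(lines):
    """Parse one JSON event per line; return {line_no: [problems]} for every
    non-compliant line. Unparseable lines are reported rather than skipped,
    because a line the SIEM cannot parse is as unusable as a missing one."""
    report = {}
    for line_no, line in enumerate(lines, start=1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            report[line_no] = ["not valid JSON"]
            continue
        problems = check_event(event)
        if problems:
            report[line_no] = problems
    return report


# Constructed sample log (not real data). Line 1 is compliant; lines 2-4 each
# lack something the standard requires.
SAMPLE_LOG = """\
{"timestamp": "2024-05-10T14:02:11-07:00", "event": "logon", "status": "success", "service": "sshd", "user": "alice", "src_ip": "10.0.0.5"}
{"timestamp": "2024-05-10T14:02:30-07:00", "event": "sudo", "status": "failure", "service": "sudo", "user": "bob"}
{"timestamp": "2024-05-10 14:03:00", "event": "service_stop", "service": "httpd", "src_ip": "10.0.0.7"}
{"event": "config_change", "service": "firewalld", "user": "root", "src_ip": "10.0.0.9"}
"""

if __name__ == "__main__":
    for line_no, problems in audit_log(SAMPLE_LOG.splitlines()).items():
        print(f"line {line_no}: " + "; ".join(problems))
```

Run against a real export, the report shows which event sources need their logging configuration adjusted before they are pointed at the aggregation system; the key lists in `REQUIRED_FIELDS` are the place to adapt the check to a particular application's field names.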

Approved Processes and Systems

  • Devices SHALL be configured to use an aggregation system that ultimately forwards logs to the ISO-managed SIEM.

REQUESTING EXEMPTIONS

  • In the event the standard cannot be achieved by reasonable means, you can request an exemption by completing the Information Security Standard Exemption Request form. Be ready to provide details as to why the standard cannot be followed, the duration of the exemption request and mitigating controls being put in place to meet the requirement. 

REPORTING INAPPROPRIATE USE OF ACCESS

Any user who suspects a violation of the standard should report the suspected violation to University Audit using the EthicsPoint System. EthicsPoint is available here.

Violations of this standard could include failing to configure a university owned device or application to send the logs to the approved log aggregation system.

Implementation Guidelines

Guidelines related to the implementation of this standard can be found on the Information Security Office website.

Additional Information

If you have any questions or comments related to this Standard, please send an email to the University Information Security Office at isrc@uoregon.edu.

Additional information can also be found using the following resources:


Revision History

Version   Published    Author                              Description
1.0       05/10/2024   Information Security Office (ISO)   Original publication

APPROVAL HISTORY

Description                                                             Date Discussed   Date Approved
INFORMATION SECURITY AND PRIVACY - GOVERNANCE SUB-COMMITTEE (ISP-GC)
CHIEF INFORMATION SECURITY OFFICER