Technology Standard



Threat Management - IT Security Monitoring and Logging

Version: 1.0
Status: Approved 02/21/07
Contact: Director, Technology Services


PURPOSE

To provide guidelines necessary to implement IT Security Monitoring and Logging procedures to protect System Office and College IT systems and data.


SCOPE

In accordance with COV ITRM 501-01, IT Security Monitoring and Logging policies and procedures must be implemented to ensure that the System Office and Colleges take appropriate measures to monitor and record IT system activity.


APPLICABILITY

The IT Security Monitoring and Logging Standard is applicable to the System Office and all Colleges.


STANDARD

Logging of security and other system-related events supports the investigation of security-related incidents. Logging may be implemented at the application level, at the system level, or both.

Requirement:

The System Office and Colleges must designate individuals who are responsible for the development and implementation of logging capabilities and the supporting policies where applicable. This includes developing procedures for reviewing and administering the logs.

Recommendation:

The individual(s) responsible for the development and implementation of logging policies and procedures should have this responsibility identified in their Employee Work Profile (EWP) to ensure compliance with this requirement.

Requirement:

The System Office and Colleges must enable logging on IT systems and applications wherever practicable, provided that doing so does not impede the performance of the IT system or otherwise impact System Office or College business practices. Where logging cannot be enabled on a system, alternate security procedures (for example, monitoring and logging at the firewall or IDS) must be documented to ensure that IT security monitoring and logging is maintained at a level appropriate to protect against threats.

Recommendation:

The System Office and Colleges may consider adjusting event log settings to fit the environment. For example, a system administrator may want to change a log file's default overwrite mode so that older data, which may be needed to investigate a threat, is not overwritten. Increasing the maximum log file size also helps keep log files from filling up and losing (through overwriting or purging of older entries) information that may be required during a subsequent investigation. System administrators should review the default settings of all event log monitors.

Requirement:

Event logs must be monitored so that an attack can be reacted to quickly. Where other automated tools (such as an IDS or firewall) are in place, the event must be compared against their records to provide a clear picture of what has occurred. Once suspicious activity has been identified, alert notifications must be sent to the appropriate staff.

Requirement:

The System Office and Colleges must specify, based on the possible security implications, the type of actions a particular program is permitted to take when suspicious or malicious traffic is detected. For example, a passive IDS may detect the activity and alert a system administrator, who then decides what action to take in response. A reactive IDS may detect, alert, and take a pre-defined action to respond to the threat. In either scenario, the permitted actions must be specified in advance. These may include blocking traffic after a defined interval has elapsed, shutting down the system, and alerting appropriate staff.
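The two requirements above (monitoring event logs, comparing an event against other automated tools, and responding only with pre-specified actions) can be illustrated in code. The following is an added example and is not part of the standard or any System Office tool; the log lines, IP addresses, threshold, time window, and the "passive"/"reactive" policy table are all constructed for illustration. It counts failed logons per source address in a host authentication log, checks whether the IDS independently flagged the same address in the same period, assigns a severity accordingly, and then looks up the permitted response in a policy table rather than deciding ad hoc.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input (not taken from the standard): a host authentication
# log and a network IDS alert log, both with ISO 8601 timestamps.
AUTH_LOG = """\
2007-02-21T10:00:01 sshd: Failed password for root from 203.0.113.5
2007-02-21T10:00:03 sshd: Failed password for admin from 203.0.113.5
2007-02-21T10:00:05 sshd: Failed password for root from 203.0.113.5
2007-02-21T10:00:07 sshd: Failed password for oracle from 203.0.113.5
2007-02-21T10:00:09 sshd: Failed password for root from 203.0.113.5
2007-02-21T10:02:30 sshd: Failed password for jsmith from 198.51.100.7
2007-02-21T10:02:41 sshd: Accepted password for jsmith from 198.51.100.7
""".splitlines()

IDS_ALERTS = """\
2007-02-21T10:00:06 IDS: SSH brute-force attempt src=203.0.113.5 dst=10.1.1.20
""".splitlines()

AUTH_RE = re.compile(r"^(\S+) sshd: Failed password for (\S+) from (\S+)$")
IDS_RE = re.compile(r"^(\S+) IDS: (.+?) src=(\S+)")

# Hypothetical response policy, fixed in advance as the standard requires.
# A passive deployment only alerts; a reactive one also blocks on high severity.
RESPONSE_POLICY = {
    "passive":  {"high": ["alert"],          "medium": ["alert"]},
    "reactive": {"high": ["alert", "block"], "medium": ["alert"]},
}


def parse_failures(lines):
    """Yield (timestamp, username, source_ip) for each failed logon line."""
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def parse_ids(lines):
    """Yield (timestamp, signature, source_ip) for each IDS alert line."""
    for line in lines:
        m = IDS_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def correlate(auth_lines, ids_lines, threshold=5, window=timedelta(seconds=60)):
    """Return one finding per source IP that reaches `threshold` failed logons
    inside `window`, noting whether the IDS saw the same source in that period."""
    failures = {}
    for ts, _user, ip in parse_failures(auth_lines):
        failures.setdefault(ip, []).append(ts)
    ids_hits = {}
    for ts, sig, ip in parse_ids(ids_lines):
        ids_hits.setdefault(ip, []).append((ts, sig))

    findings = []
    for ip, stamps in failures.items():
        stamps.sort()
        # Sliding window anchored at each failure; report the first run that qualifies.
        for i, start in enumerate(stamps):
            run = [t for t in stamps[i:] if t - start <= window]
            if len(run) < threshold:
                continue
            first, last = run[0], run[-1]
            # Comparison against the second automated tool: any IDS alert for the
            # same source within one window of the failure run corroborates it.
            corroborated = any(first - window <= t <= last + window
                               for t, _sig in ids_hits.get(ip, []))
            findings.append({
                "source_ip": ip,
                "failures": len(run),
                "first": first,
                "last": last,
                "ids_corroborated": corroborated,
                "severity": "high" if corroborated else "medium",
            })
            break
    return findings


def decide(finding, mode):
    """Look up the pre-specified actions for a finding under the given IDS mode."""
    return list(RESPONSE_POLICY[mode][finding["severity"]])


def monitor(auth_lines, ids_lines, mode):
    """Full pass: correlate, then attach the permitted actions to each finding."""
    results = []
    for f in correlate(auth_lines, ids_lines):
        results.append({**f, "actions": decide(f, mode)})
    return results


if __name__ == "__main__":
    for mode in ("passive", "reactive"):
        for r in monitor(AUTH_LOG, IDS_ALERTS, mode):
            print(mode, r["source_ip"], r["failures"], r["severity"], r["actions"])
```

In the sample data the single source that exceeds the threshold is also named in an IDS alert, so it is rated high and a reactive deployment both alerts and blocks; with the IDS log empty the same run is rated medium and only an alert is issued. The point of the policy table is that the program can never take an action that was not written down beforehand, which is what the requirement asks for.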


RELATED LINKS

Threat Management, Threat Detection

Threat Management, Incident Handling

