Objective:

These procedures have been established to detail the implementation and management of audit controls and records based on UTIA IT0127 – Audit and Accountability Policy for any University of Tennessee Institute of Agriculture (the Institute) IT assets, application, network, or user activity.

Scope:

These procedures apply to all IT assets owned, operated, or provided by the Institute, as well as all students, faculty, staff, and users who access, use, or handle the Institute’s IT assets.

Procedures:

These procedures address the following audit controls:

Audit events
Audit records
Audit storage capacity
Audit review, analysis, and reporting
Audit records retention

Audit events

Audit events include any auditable event required by Institute policies and procedures; University policies; Office of General Counsel; Human Resources; applicable local, state, and federal laws; as well as industry directives, policies, regulations, and standards.

The details logged for each event can vary, but may include:

Time stamps, mapped to either Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT)
Event, status, and/or error codes
Service, command, or application name
Account associated with an event
Device used (source and destination IPs, web browser, etc.)
Password changes
Successful and failed logons
Failed accesses related to the Institute’s IT assets
Third-party credential usage

Audit Policy, in the Windows Local Security Policies, will be configured differently for those IT assets classified as low and those IT assets classified as moderate, high, or business critical.

These will be a part of the baseline configuration.

Audit records

The baseline configuration must include the appropriate content settings to support the centralized management and configuration capability of the Institute’s IT assets.

Audit records should include:

Type of event that occurred
When the event occurred
Where the event occurred
Source of the event
Outcome of the event
Identity of any individuals or subjects associated with the event

Audit storage capacity

Audit records should be maintained for a period as designated by the baseline configuration. When possible, off-loading audit records onto a different IT asset than the one that is being audited (i.e., large capacity external hard drive) will preserve the confidentiality and integrity of audit records.

Audit review, analysis, and reporting

Audit review, analysis, and reporting covers information security-related auditing performed by the Institute and may include monitoring of:

Account usage
Remote access
Wireless connectivity
Mobile device connection
Configuration settings
System component inventory
Use of maintenance tools and non-local maintenance
Physical access
Use of VoIP

Questionable findings must be immediately reported to the Institute’s Chief Information Security Officer (CISO) or to the incident response team for review and analysis. The CISO will also correlate information from audit records with records obtained through physical monitoring and non-technical sources (e.g., human resource records or legal requests).

The CISO will oversee any necessary adjustment of the level, scope, and frequency of audit review, analysis, and reporting when there is a change in risk based on new information received.

Audit records retention

Appropriate retention is necessary for any after-the-fact investigations of security incidents, as well as to meet UT Policy FI0120 – Records Management. Audit records retention will be consistent with the requirements in all Institute IT security policies and procedures; University policies; industry and government standards; and state, local, and federal laws.