IT7810-HSC-C Auditing & Logging Accountability

Responsible Office: Office of Cybersecurity

Last Review: 03/01/2025

Next Review: 03/01/2027

Contact: Chris Madeksho

Phone: 901.448.1579

Email: mmadeksh@uthsc.edu

Purpose

The University of Tennessee Health and Science Center (UTHSC) Information Technology Services (ITS) office and Office of Cybersecurity must establish a comprehensive level of security controls through an audit and accountability policy and standards. This document establishes the UTHSC ‘s Audit and Accountability standard which enables risk management and provides guidelines for security best practices regarding audit record retention.

This standard is also designed to meet compliance requirements for data regulated by federal or state law. This includes, but is not limited to, security requirements and safeguards for the Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), or Gramm-Leach-Bliley Act (GLBA).

Scope

This standard covers the applicable IT Resources, including computer hardware, software, applications, configurations, business data, and data communication systems. External vendors or other defined groups/organizations providing information security or technology services may work with UTHSC to request exceptions to this standard.

UTHSC coordinates with third-party organizations and/or agencies that access applications, systems, and facilities. All organizational entities that interact with UTHSC are subject to the following requirements outlined within this standard.

Compliance

As the official guidance domain for this standard, UTHSC colleges and business departments abide by the security and privacy requirements established in applicable state laws and regulations as well as the principles established in the Center for Internet Security (CIS) Critical Security Controls (CSC). Additionally, applicable agencies follow security and privacy frameworks outlined within federal organizations such as the Department of Health & Human Services (HHS), Centers for Medicare & Medicaid Services (CMS), Internal Revenue Service (IRS), and Social Security Administration (SSA).

Definitions

Audit Log Failure – events defined by federal and state guidelines in which logs being captured show issues or errors. Audit log failures can include but are not limited to software/hardware errors, failures in the audit capturing mechanisms, audit storage capacity being reached or exceeded, location of access, and severity of captured information.

Auditable Events – events defined by federal, state, and UTHSC guidelines, requiring audit and retained for the defined period. Auditable events can include but are not limited to the number of failed system log-on attempts, password changes, system errors, printing, changes, updates, deletions to the system, and application errors.

Level 2 Data – The effect on confidentiality and integrity of the Data is significant and includes compliance requirements. This Data is governed by federal, or state compliance requirements, and unwarranted exposure can lead to compliance issues and/or fines. This includes all Data that contains personally identifiable information (PII), protected health information, student education records, and cardholder Data. This categorization level also includes lower-risk items that, when combined, represent increased risk. per IT0005-HSC-A-Data & System Categorization. Minimum security requirements are explained on the webpage https://uthsc.edu/its/cybersecurity/requirements.php.

Coordinated Universal Time (UTC) – the time standard commonly used across the world, basis for civil time today. Unlike GMT, UTC is the world time standard and is not a time zone. This 24-hour time standard is kept using highly precise atomic clocks combined with Earth’s rotation.

Electronic Protected Health Information (ePHI) – protected health information that is produced, saved, transferred, or received electronically. The HIPAA Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. §1232g.

Third-Party – any contracted or government organization that is not a part of the UTHSC’s organizational structure. This may include state or federal auditing agencies, approved security contract vendors, or other external organizations whose capabilities can be determined sufficient to conduct assessment needs.

Vendor Staff/Personnel – an employee contracted through an approved agreement, or other formal agreement, to provide temporary work for UTHSC.

Responsibilities

Chief Information Security Officer (CISO) is responsible for providing strategy and direction for assessment, planning, and implementation of all security standards, practices, and ensuring compliance to same.

Chief Privacy Officer (CPO) is responsible for overseeing activities related to the development, implementation, maintenance of, and adherence to the University’s information privacy and confidentiality policies and procedures in compliance with federal and state laws. This individual ensures compliance with HIPAA notification and reporting requirements in the event of an identified breach.

HIPAA Security Officer conducts Health Insurance Portability and Accountability Act (HIPAA) risk assessments.

Security/Privacy Lead – Individuals are designated by the campus/business area leadership to coordinate privacy and/or security issues and incidents with all appropriate personnel. This individual(s) is responsible for providing privacy and security guidance for protection of all sensitive information under their assigned control.

UTHSC Contract, State, and Vendor Staff/Personnel All UTHSC contract, state, and vendor staff/personnel must adhere to this procedure. All staff/personnel must comply.

System Data Owner and System Data Administrators Management/lead who works with the application’s development team, to document components that are not included in the base server build and ensures that functionality and backups are conducted in accordance with business needs. This individual(s) is also responsible for working with personnel within the enterprise, application, technical and business areas, for providing full recovery of all application functionality, as well as meeting federal and state regulations for disaster recovery situations.

Standard

Auditable Events UTHSC Office of Cybersecurity or designee will ensure that the information system or components are capable of auditing events defined by federal and state regulations. The office designee will coordinate security functions and controls with other organizational entities to ensure required auditable events or related data are being captured. UTHSC shall follow the UTHSC Audit and Accountability Procedure for additional information on audit logs, events, and more.

Content of Auditable Events The information system will generate audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.

Audit Storage Capacity UTHSC ITS will allocate audit storage capacity in accordance with all federal and state regulations and guidance. Response to Audit Processing Failures. The information system and/or its components will alert designated personnel in the event of an audit log failure where appropriate action is taken.

Audit Review, Analysis, and Reporting UTHSC’s Office of Cybersecurity will work with System and Data Owners, or delegate(s), who receive and analyze audits and reports, per UT Policy, UTHSC standards, or as directed by federal and state regulations. Findings of the reviewed information system audit records, and or issues, are reported to management.

Audit Reduction and Report Generation The information system provides an audit reduction report generation capability that supports functions for on-demand audit review, analysis and reporting requirements, and after-the-fact investigation of security incidents. The information system will not alter the original content or time ordering of any audit records.

Time Stamps Information systems will use internal system clocks that can be mapped to Coordinated Universal Time (UTC) to generate time stamps. UTHSC will meet federal and state-defined granularity of time measurements on audit logs.

Protection of Audit Information Audit information will be protected from unauthorized access, modifications, and deletions. The system will have compensating controls in place to prevent any unauthorized action to be taken on audit information.

Audit Record Retention The system will retain audit records to provide support for after-action reviews, investigations of security incidents, and assisting troubleshooting measures. Retention requirements shall meet all, UT, UTHSC, and state and federal regulatory retention requirements.

Audit Generation Auditable events will be generated by the information system. Security personnel or designees may have the ability to select which events are to be audited.

Policy History