AU-002.01 – Logging and System Activity Review

Responsible Office: Office of Cybersecurity

Last Review: 04/15/2020

Next Review: 04/15/2022

Contact: Chris Madeksho

Phone: 901.448.1579

Email: mmadeksh@uthsc.edu

Purpose

To specify definite practices for logging and information system activity review involving UTHSC IT Resources.

Scope

This practice applies to the UTHSC Community, to all individuals or entities using any UTHSC IT Resources, and to all uses of such UTHSC IT Resources that process, store, access or transmit data or information categorized as C-3 per the Data Classification Standard.

Practice

  1. All servers that store, access, or transmit UTHSC data or information categorized as Confidential or Classified, as covered by AU-002 (Logging and System Activity Review), must forward their logs to the Security Information and Event Management (SIEM) system.
    1. Contact the Information Security Team for details on how and where to forward logs from servers and security monitoring systems.
  2. Required Logs
    1. Server Authentication Logs must include the following:
      1. Date/time
      2. Username
      3. IP address from which the login originated
      4. Whether the login was successful
    2. Logs of any log-based intrusion prevention security application must include the following:
      1. Date/time
      2. Username(s) attempted
      3. IP address from which the attempt originated
    3. Web server access logs (if the server is offering web pages) must include the following:
      1. Date/time
      2. IP address from which the access originated
      3. The complete URL of the page that was accessed
    4. Any logs for applications that handle data or information categorized as Confidential or Classified, or that handle authentication/access information, must include the following:
      1. Date/time
      2. IP address of server on which the application is running
      3. Any critical information on actions performed within the application
    5. Critical information includes any security-related actions:
      1. Failed login attempts
      2. Successful logins
      3. User creation
      4. User deletion
      5. Credential and permission changes
      6. File accesses
      7. File downloads and uploads
      8. Any other critical actions unique to the application
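A checker for the field requirements in Practice 2.1 (authentication logs) and 2.3 (web server access logs), added here as an example and not part of UTHSC's own tooling. It assumes sshd-style syslog lines and Apache/nginx combined-format access lines; the parsers, field names and all sample records are constructed for illustration.

```python
import re
# Required fields per Practice 2.1 (authentication logs) and 2.3 (web access logs).
AUTH_REQUIRED = ("timestamp", "username", "source_ip", "success")
WEB_REQUIRED = ("timestamp", "source_ip", "url")

# sshd-style syslog line; "from <ip>" is optional so a record lacking the source
# address still parses and is then flagged for the missing field.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+)"
    r"(?: from (?P<ip>[\d.]+))?"
)
# Apache/nginx "combined" access-log format.
WEB_RE = re.compile(
    r'^(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<url>\S+) [^"]*"'
)

def parse_auth(line):
    m = AUTH_RE.match(line)
    if not m:
        return {}
    return {"timestamp": m["ts"], "username": m["user"],
            "source_ip": m["ip"], "success": m["result"] == "Accepted"}

def parse_web(line):
    m = WEB_RE.match(line)
    if not m:
        return {}
    return {"timestamp": m["ts"], "source_ip": m["ip"], "url": m["url"]}

def audit(lines, parser, required):
    """Return (compliant_count, [(line, missing_fields), ...]) for a batch."""
    ok, problems = 0, []
    for line in lines:
        rec = parser(line)
        missing = [f for f in required if rec.get(f) is None]
        if missing:
            problems.append((line, missing))
        else:
            ok += 1
    return ok, problems

# Constructed sample records (not real UTHSC data).
AUTH_SAMPLE = [
    "Apr 15 10:22:01 srv1 sshd[1234]: Accepted password for alice from 10.0.0.5 port 5022 ssh2",
    "Apr 15 10:22:07 srv1 sshd[1234]: Failed password for invalid user bob from 203.0.113.7 port 4444 ssh2",
    "Apr 15 10:22:09 srv1 sshd[1234]: Accepted publickey for carol",  # source IP absent
]
WEB_SAMPLE = [
    '10.0.0.5 - - [15/Apr/2020:10:22:01 +0000] "GET /records/view?id=42 HTTP/1.1" 200 512',
    '203.0.113.7 - - [15/Apr/2020:10:22:03 +0000] "POST /login HTTP/1.1" 401 0',
]
```

Running `audit(AUTH_SAMPLE, parse_auth, AUTH_REQUIRED)` reports two compliant records and flags the third for a missing source IP; the same call with `WEB_SAMPLE`, `parse_web` and `WEB_REQUIRED` passes both web lines.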

References

  1. AU-002-Logging and System Activity Review
  2. GP-002-Data Categorization

Version: 1 // Effective: 03/20/2016