SP 6-10e – Audit Logging and Monitoring
Colorado Community College System / System Procedure
SP 6-10e
APPROVED: January 28, 2021
EFFECTIVE: January 28, 2021
REFERENCES:
Board Policy (BP) 6-10, Cyber Security Policy
System Procedure (SP) 6-10b, Access and Authentication
System Procedure (SP) 6-10r, Physical Security and Access
System Procedure (SP) 6-10q, Network Device Configuration
System Procedure (SP) 6-10c, Anti-Virus and Anti-Malware Management
System Procedure (SP) 6-10f, Backup and Recovery
System Procedure (SP) 6-10n, Information Security Incident Response
APPROVED:
/ Joe Garcia /
Joseph A. Garcia
Chancellor
BASIS
This procedure documents Colorado Community College System and its Colleges’ (CCCS) requirements for activities that are monitored to assure security, integrity, and operational effectiveness of Information Systems and Assets. This procedure also establishes the requirements for capturing audit log information and the requirements for regularly monitoring, recording, and reporting audit log information of CCCS Information Systems and Assets.
APPLICATION
This procedure applies to Information Assets owned, leased, managed, and maintained by the System Information Technology Department (“System IT”) and/or College’s Information Technology Department (“College IT”) or by third parties on behalf of CCCS.
DEFINITION
Audit Log
Audit log is defined as a chronological record of Information System activities including records of system accesses and operations performed in a given period.
PROCEDURE
The System Chancellor delegates to the System Vice Chancellor for Information Technology responsibility for oversight of compliance with and implementation of this procedure. Further, the System Chancellor delegates to the College Presidents the responsibility to implement and compliance with this procedure at their respective institution.
General Information
Automated active monitoring of CCCS Information Systems and Assets as well as manual monitoring of activities, logs and other measures that are intended to communicate information about performance and security is essential for ensuring that CCCS’s Information Technology environment is effectively operating and adequately protected. CCCS shall review Information System activities on a regular basis using the most effective tools available in order to detect and minimize security violations and threats to CCCS Information Systems and Assets.
Network and Server Logging
- Operating system, networking device, and application software audit logging must be enabled on each Information System.
- Network and server systems shall utilize a centralized time source for synchronization of the date and time.
- Access to log data shall be restricted to authorized personnel only.
- Changes to the logging system shall be captured by the logging system.
- Logs of activity must be secured from unauthorized modification or destruction.
- Audit logs for servers and hosts on the internal network will be reviewed as needed based on investigation purposes.
- Audit trail files and logs shall be stored and kept for a specified period of time as determined by System IT and its security teams.
Firewalls and Perimeter Devices
- Audit logging and alerting for firewalls and other network perimeter access control system components must be enabled.
- Firewall and router rulesets shall be reviewed and documented at least annually by the System IT Department or College IT Department.
User Accounts and Backups
- At a minimum, network devices, applications, and production systems shall log the following:
- Logins and attempted logins
- Actions taken by privileged user accounts
- Excessive attempts and suspicious activity shall be investigated in a timely manner by System IT or College IT Department.
- Backup activities shall be monitored on a routine basis and failures corrected as appropriate by System IT or College IT.
Reporting
- Automated alerts shall receive follow-up investigations as deemed necessary by the IT and security teams.
- Ticketing system incident reports are to be reviewed for actions that might indicate system compromise.
- Suspected and/or confirmed instances of successful and/or attempted intrusions must be immediately reported to the CCCS Manager of Information Security.
- Users shall be trained to report any anomalies in system performance and signs of wrongdoing to the System or College IT Help Desk.
REVISING THIS PROCEDURE
CCCS reserves the right to change any provision or requirement of this procedure at any time and the change shall become effective immediately.