Standard: Event Monitoring



Similar documents
Standard: Network Security

USM IT Security Council Guide for Security Event Logging. Version 1.1

Guideline on Auditing and Log Management

The Importance of Organizing Your SJSU Information Assets

Information Privacy and Security Program Title:

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING

Log Management Standard 1.0 INTRODUCTION 2.0 SYSTEM AND APPLICATION MONITORING STANDARD. 2.1 Required Logging

PCI DSS Best Practices with Snare Enterprise Agents PCI DSS Best Practices with Snare Enterprise Agents

Approved 12/14/11. FIREWALL POLICY INTERNAL USE ONLY Page 2

Payment Card Industry Data Security Standard Payment Card Industry Data Security Standard (PCI / DSS)

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed)

ADM:49 DPS POLICY MANUAL Page 1 of 5

CHIS, Inc. Privacy General Guidelines

LogRhythm and PCI Compliance

Standard: Application Service Provider Security Requirements

Central Agency for Information Technology

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

Automate PCI Compliance Monitoring, Investigation & Reporting

Standard: Data Center Security

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

The Comprehensive Guide to PCI Security Standards Compliance

White Paper: Meeting and Exceeding GSI/GCSx Information Security Monitoring Requirements

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE

CorreLog Alignment to PCI Security Standards Compliance

GE Measurement & Control. Cyber Security for NEI 08-09

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN)

Achieving PCI-Compliance through Cyberoam

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite.

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

Account Management Standards

Standard: Information Security Incident Management

Information Security Office. Logging Standard

FileCloud Security FAQ

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Security Architecture Whitepaper

STANDARD ON LOGGING AND MONITORING

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING

Adopt and implement privacy procedures, train employees on requirements, and designate a responsible party for adopting and following procedures

Level 3 Public Use. Information Technology. Log/Event Management Guidelines

Retention & Destruction

c) Password Management The assignment/use of passwords is controlled in accordance with the defined Password Policy.

Security Controls for the Autodesk 360 Managed Services

2: Do not use vendor-supplied defaults for system passwords and other security parameters

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

SANS Top 20 Critical Controls for Effective Cyber Defense

Cybersecurity Health Check At A Glance

SB 1386 / AB 1298 California State Senate Bill 1386 / Assembly Bill 1298

Supplier Information Security Addendum for GE Restricted Data

User Guide. Version R91. English

IIS, FTP Server and Windows

The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements:

How To Control Vcloud Air From A Microsoft Vcloud (Vcloud)

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Log Management for the University of California: Issues and Recommendations

Solution Brief for ISO 27002: 2013 Audit Standard ISO Publication Date: Feb 6, EventTracker 8815 Centre Park Drive, Columbia MD 21045

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

Data Management Policies. Sage ERP Online

Standard: and Campus Communication


Information Technology Branch Access Control Technical Standard

<COMPANY> PR11 - Log Review Procedure. Document Reference Date 30th September 2014 Document Status. Final Version 3.

The University of Information Technology Management System

ADMINISTRATIVE POLICY # (2014) Remote Access. Policy Number: ADMINISTRATIVE POLICY # (2014) Remote Access

Network & Information Security Policy

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

PCI Compliance Can Make Your Organization Stronger and Fitter. Brent Harman Manager, Systems Consultant Team West NetPro Computing, Inc.

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

SolarWinds Security Information Management in the Payment Card Industry: Using SolarWinds Log & Event Manager (LEM) to Meet PCI Requirements

Technical Standards for Information Security Measures for the Central Government Computer Systems

Comprehensive List of XenDesktop Event Log Entries

Electronic Prescribing of Controlled Substances Technical Framework Panel. Mark Gingrich, RxHub LLC July 11, 2006

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Access Control BUSINESS REQUIREMENTS FOR ACCESS CONTROL

Meeting and Exceeding GSI/GCSx Information Security Monitoring Requirements with Enterasys SIEM

PCI DSS Requirements - Security Controls and Processes

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date:

Standard: Web Application Development

Implementing CitectSCADA to meet the requirements of FDA 21 CFR Part 11

PCI and PA DSS Compliance Assurance with LogRhythm

Additional Security Considerations and Controls for Virtual Private Networks

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

PCI Requirements Coverage Summary Table

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE

Integrating Juniper Netscreen (ScreenOS)

GFI White Paper PCI-DSS compliance and GFI Software products

SonicWALL PCI 1.1 Implementation Guide

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

ICT USER ACCOUNT MANAGEMENT POLICY

NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9

Telemedicine HIPAA/HITECH Privacy and Security

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

Network Security Guidelines. e-governance

6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING

Transcription:

Standard: Event Monitoring Page 1

Executive Summary The Event Monitoring Standard defines the requirements for Information Security event monitoring within SJSU computing resources to ensure that information security policies, procedures and controls are being followed and are effective in securing information resources with the goal in of safeguarding the confidentiality, integrity, and availability of information stored, processed, and transmitted. The campus systems should comply with all relevant legal requirements applicable to its monitoring and logging activities. Page 2

Information Security Standards Event Monitoring Standard IS-EM Effective Date 11/10/2015 Email security@sjsu.edu # Version 3.0 Contact Mike Cook Phone 408-924-1705 Revision History Date Action 4/24/2014 Draft sent to Mike 5/15/2014 Accepted many changes, made comments, added content 12/8/2014 Reviewed. Content suggestions. Added comments. Hien Huynh 11/10/2015 Incorporated changes from campus constituents Distributed to Campus. Page 3

Table of Contents Executive Summary... 2 Introduction and Purpose... 5 Scope... 5 Standard... 5 Audit Log Standard: Nature of Information and Retention Period... 5 Sensitive Application Systems Logs... 7 Separation of Duties... 7 Production Application System Log Contents... 7 Logging Security-Relevant Events... 7 Logging Logon Attempts... 7 Systems Architecture for Logging Activities... 7 Computer System Audit Logs... 7 Monitoring System Use... 7 Privileged User ID Activity Logging... 7 Privileged System Command Accountability and Traceability... 7 Password Logging... 7 System Log Review... 7 Honeypots and Intrusion Detection Systems... 8 Monitoring and Recording Activity... 8 Electronic Mail Message Monitoring... 8 SPAM/Fraud Detection... 8 Protection of Log Information... 8 System Log Modification Controls... 8 Log Deactivation, Modification, or Deletion... 8 System Log Protection... 8 Access to Logs... 8 Centralized Log Host Required... 8 Restricted Disclosure of Fields Recorded In System Logs... 8 Administrator and Operator Logs... 9 Computer Operator Logs... 9 Clock Synchronization... 9 Clock Synchronization... 9 Page 4

Introduction and Purpose This standard defines the requirements for Information Security event monitoring within SJSU computing resources. It is intended to ensure that SJSU s information security policies, procedures and controls are being followed and are effective in ensuring the confidentiality, integrity and availability of SJSU s information resources. Scope This standard applies to all SJSU State, Self-Fund, and Auxiliary ( campus ) public (internet and campus facing) firewalls, VPNs, network authentication points and servers. Standard Sensitive systems should be monitored and information security events should be recorded. Operator logs and fault logging should be used to ensure information system problems are proactively identified. The campus systems should comply with all relevant legal requirements applicable to its monitoring and logging activities. System monitoring should be used to check the effectiveness of security controls implemented and to verify adherence to the access control standard. Audit Log Standard: Nature of Information and Retention Period The following table delineates the nature of audit log information and retention period, for each type of application or system. All audit logs must include a date, timestamp, source address, and destination address (where applicable). All audit logs should record logs in a standardized format such as syslog. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into this standard format. System Type Audit Log Information Retention Period Mirror or Backup Firewalls, Inbound/Outbound User log on (successful or failed attempts) 60 days Mirrored in realtime to central Proxy, Network IPS/IDS User log off logging server All Privileged commands (configuration changes) Activation and Deactivation Network Infrastructure (Routers, Switches, WLAN Controllers) Wireless Network Clients User log on User log off All Privileged commands (configuration changes) User WLAN association, including source IP address, username, dates, times, and duration of access. 60 days Mirrored in realtime to central logging server 60 days Backup Required Page 5

VPN User log on and log off Authenticated username VPN client source IP address Source IP address of remote connection Dates, times, and duration of access. Endpoints (Workstations, Laptops, Tablets, Mobile Computing devices) User log on and log off Business applications accessing L1 or L2 information audit events Active Directory servers User log on and log off Creation/edit/deletion of all accounts Servers with L1 Data/ Web App Internet Facing Where possible, read and write of sensitive level 1 or 2 information, including application, username, source IP address User log on and log off Creation/edit/deletion of all accounts Any exceptions when authorization is denied due to improper permissions Changes to system configuration and access control SIEM All information security events User log on and log off Creation/edit/deletion of all accounts Activation and Deactivation All Privileged commands (configuration changes) Physical Security Information (S2 Logs, Key Boxes) All checkin/checkout events, including user, date and time. 60 days Mirrored in realtime to central logging server 30 days Stored locally on endpoint 60 days Backup Required 60 days Stored locally and mirrored to central logging server 60 days Stored locally and mirrored to central logging server 90 days Stored on appropriate device or server. System administrators are responsible for the initial, correct audit log configuration on each managed device. After the device is setup with correct logging, security personnel and/or system administrators should run biweekly reports that identify anomalies in logs. Logs should be actively reviewed, documenting the findings by authorized personnel. Page 6

Sensitive Application Systems Logs All production application systems that handle sensitive campus information must generate logs that capture every addition, modification, and deletion to such sensitive information. Separation of Duties System administrators shall not have write/delete or disable logs permissions to mirrored logging servers. A golden master must be maintained for the purposes of security forensics. This may be accomplished either through dual logging servers or granular permission lists. Production Application System Log Contents All computer systems running campus production application systems must include logs that record, at a minimum, user session activity including user IDs, logon date and time, logoff date and time, as well as applications invoked, changes to critical application system files, changes to the privileges of users, and system start-ups and shut-downs. Logging Security-Relevant Events Computer systems handling sensitive, valuable, or critical information must securely log all significant security relevant events including, but not limited to, password guessing attempts, attempts to use privileges that are not authorized, modifications to production application software, and modifications to system software. Logging Logon Attempts Whether successful or not, all user initiated logon attempts to connect with SJSU production information systems must be logged. Systems Architecture for Logging Activities Application and/or database management system software storing confidential Level 1 or Level 2 data must keep logs of user activities, and statistics related to these activities, that will in turn permit them to detect and issue alarms reflecting suspicious business events. Computer System Audit Logs Logs of computer security-relevant events must provide sufficient data to support comprehensive audits on the effectiveness of, and compliance with security measures. Monitoring System Use Procedures for monitoring use of information processing facilities should be established and the results of the monitoring activities reviewed regularly by authorized personnel Privileged User ID Activity Logging All user ID creation, deletion, and privilege change activity performed by Systems Administrators and others with privileged user IDs must be securely logged. Privileged System Command Accountability and Traceability All privileged commands issued by computer system operators must be traceable to specific individuals through the use of comprehensive logs. Password Logging Unencrypted passwords, whether correctly typed or not, must never be recorded in system logs. System Log Review Computer operations staff or information security staff must review records reflecting security relevant events on all production multi-user machines in a periodic and timely manner. Page 7

Honeypots and Intrusion Detection Systems On all internal servers containing Level 1 or Level 2 information, SJSU must establish and operate application system logs, and other unauthorized activity detection mechanisms specified by the Information Security Office. Monitoring and Recording Activity Information about user activities must be collected anonymously, unless the information is being collected for authorized law enforcement or university investigation purposes. Electronic Mail Message Monitoring Messages sent over SJSU internal electronic mail systems are not protected by law from wiretapping or monitoring, and may therefore be captured, read, and used by campus managers and Systems Administrators as deemed appropriate by ICSUAM8105. SPAM/Fraud Detection To be able to immediately detect and respond to phishing attacks, SJSU must mount an ongoing real-time analysis of spam messages currently traversing the Internet. This activity may alternatively be performed by a third party service specializing in this type of fraud detection. Protection of Log Information Logging facilities and log information should be protected against tampering and unauthorized access. System Log Modification Controls Where possible, all SJSU production information systems must employ cryptographic MD5 or SHA-1 checksums to verify integrity of system logs. Log Deactivation, Modification, or Deletion Mechanisms to detect and record significant computer security events must be resistant to attempts to deactivate, modify, or delete the logging software and logs. System Log Protection All SJSU production computer system logs must be protected with digital signatures or Active Directory credentials must document log entry sequence numbers, and must also be automatically monitored for sudden decreases in size, failures of digital signatures, and gaps in log entry sequence. Access to Logs All system and application logs must be maintained in a form that cannot be readily viewed by unauthorized persons. Authorized persons have a readily demonstrable need for such access in order to perform their regular duties. All others seeking access to these logs must first obtain approval from the Information Security Office. Centralized Log Host Required Server system logs must be recorded on both the involved servers and also a central or departmental log host separate from production application servers. These logs must be securely maintained for the time periods stated in server configuration guidelines issued by the Information Security Office. Restricted Disclosure of Fields Recorded In System Logs The specific nature of the information recorded in SJSU audit trails and system logs is restricted to those who have a demonstrable need for such information in order to carry out their jobs. Page 8

Administrator and Operator Logs System administrator and system operator activities should be logged. Computer Operator Logs All SJSU multi-user production systems must have computer operator logs that show production application start and stop times, system boot and restart times, system configuration changes, system errors and corrective actions taken, and confirmation that files and output were handled correctly. Clock Synchronization The clocks of all relevant information processing systems within an organization or security domain should be synchronized with the campus central NTP service. Clock Synchronization All multi-user computers connected to the SJSU internal network must always have the current time accurately reflected in their internal clocks. Page 9

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information