Original Issuance Date: June 9, 2021
Last Revision Date: June 9 , 2021
Effective Date: July 1, 2022
1. Policy Purpose
The purpose of this policy is to establish a consistent expectation of security logging and monitoring practices across the University of Wisconsin (UW) System to aid in the early identification and forensics of security events.
2. Responsible UW System Officer
Associate Vice President (AVP) for Information Security
3. Scope and Institutional Responsibilities
This policy applies to all UW System institutions, including UW System Administration.
This policy applies to all high impact systems or any UW owned or leased IT assets that require special attention to security due to increased risk of harm resulting from loss, misuse, or unauthorized access to or modification of information or configurations therein. Where practical, externally hosted systems and services should be logged to the same standard as local services. Employee workstations may be included within the scope of this policy at the discretion of each institution’s Information Security Officer (ISO).
The President of the University of Wisconsin System is empowered to establish information security polices under Regent Policy Document 25-5, Information Technology: Information Security. The UW System is committed to a secure information technology (IT) environment in support of its mission.
Without appropriate security logging and monitoring, an attacker’s activities may go unnoticed, and logs necessary to investigate such events may not be available. Ensuring system logs are available and monitored consistently will aid in the early identification of security events and may help prevent security incidents or minimize the potential impact of incidents.
Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this policy include:
- High Impact System: A system that is identified as instrumental to continued business operations, including administrative and academic missions. This includes systems that if made unavailable or compromised, would cause a major disruption to daily operations or would be significantly expensive to restore, as well as systems with data that if compromised, would cause significant financial or reputational harm.
- IT Asset: Equipment or software used to manage, process, or store UW System data and is used in the course of accomplishing the UW System mission. This includes but is not limited to all UW owned or leased:
- Desktop, laptop and server computers and associated IT infrastructure;
- Mobile devices and portable computing equipment;
- Network devices such as firewalls, routers, switches, and wireless access points;
- Software; and
- Multi-function devices, printers and scanners.
6. Policy Statement
A. Required Logging Activities
All hosts and networking equipment must perform security log generation for all system components. Institutions shall ensure that each logging host’s clock is synched to a common time source, whenever feasible.
All hosts and networking equipment must issue alerts on security log processing failures, such as software/hardware errors, failures in the log capturing mechanisms, and log storage capacity being reached or exceeded. All alerts must be as close to real time as possible.
B. Centralized Logging Requirements
All security events (Appendix A) for High Impact Systems must be transferred to a managed logging service in real-time or as quickly as technology allows. Systems running workstation operating systems which are used for shared services, such as shared file storage or web services, must also satisfy these requirements. Log integrity for consolidated log infrastructure needs to be preserved, such as storing logs in read-only.
C. Required Monitoring Activities
Processes must be developed and implemented to review logs for all systems to identify anomalies or suspicious activity. Where possible, security baselines should be developed, and automated monitoring tools used, to generate alerts when exceptions are detected. Systems that are monitored for anomalies or suspicious activity through a managed logging service are not required to be further monitored for the same activity locally, however such dual monitoring is encouraged.
D. Authorized Personnel
Logs shall be secured by limiting access to individuals whose access is needed to perform their job and protect files from unauthorized modifications. Access to log management systems must be recorded.
Electronic logs that are created due to the monitoring outlined in this policy should be maintained and readily available for a minimum of 30 days. Systems that collect logs must maintain sufficient storage space to meet the minimum requirements for both readily available and retained logs. Storage planning must account for log bursts or increases in storage requirements that could reasonably be expected to result from system issues, including security.
7. Related Documents
8. Policy History
First approved: June 9, 2021
9. Scheduled Review