Security Logging

Division: 

Administration & Finance

Department: 

Information Technology Services

Contact Information: 

Nish Malik / Senior Associate Vice President (AVP) and Chief Information Officer (CIO) / (415) 405-4105 / nish@sfsu.edu

Effective Date: 

Wednesday, November 30, 2011

Revised Date: 

Tuesday, July 22, 2025

Authority: 

CSU Information Security Policy and Standards 

CSU Operations Security Policy, Information Asset Monitoring 

CSU Operations Security Standard, Information Asset Monitoring (Logging Elements)

Objective: 

This Policy defines requirements for security logging.

Definitions:

Level 1 Information: Data whose unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could result in severe risk to the CSU, its students, employees, or customers. Severe risk includes but is not limited to: financial loss, damage to the CSU’s reputation, and legal action.

Critical Data: Includes protected Level 1 information in such quantities as to require notification of a government entity in the event of a breach (i.e., over 500 records under HIPAA or CA 1798.29). Critical data also includes information classified as protected Level 1 due to severe risk, regardless of the record count. Examples of critical data include patient health information, student financial information, and payment card information. The Information Security Office is responsible for determining the classification of data when questions arise.

Statement: 

Purpose and Scope 

This Policy is applicable to all SFSU campus units that manage network devices, communications infrastructure, servers, cloud services, and endpoints.  It outlines:

  • The extent to which security logging must be implemented
  • The types of events that must be logged
  • Log retention period
  • Intervals and/or conditions for automated monitoring, as well as the intervals and/or conditions for monitoring performed by personnel.

Policy:

Logging

All network devices, communications infrastructure, servers, cloud services, and endpoints that process critical data must log the events listed below and retain such logs for no less than 30 days in accordance with related business record retention requirements. 

Incident investigations, CSU records retention requirements, subpoenas, litigation holds, departmental guidelines or other directives may dictate longer retention periods. 

Servers that process Level 1 data must, at a minimum, store a copy of their log data on another device, and access to these copies should be authorized strictly on a need-to-know basis.

Technology purchases which involve the storage or maintenance of Level 1 data should be assessed to ensure they are capturing the logging elements defined in this policy, at a minimum, and may be required by the ISO to transmit logging elements to the campus SIEM system.

Events

At a minimum and as appropriate, considering the capabilities of the device or application creating the log entries, in-scope devices must track and log the following events:

  • Actions taken by any individual with administrative (root) privileges
  • Changes to system configuration
  • Access to audit trails
  • Invalid access attempts (failed login)
  • Use of identification and authentication mechanisms (logins)
  • Activation and de-activation of controls, such as anti-virus software or intrusion detection system
  • Changes to, or attempts to change, system security settings or controls.

Event Metadata

For each of the above events, the following must be recorded, as appropriate:

  • User identification
  • Type of event
  • Date and time
  • Success or failure indication
  • Data accessed
  • Program or utility used
  • Origination of event (e.g., network address)
  • Protocol
  • Identity or name of affected data, information system or network resource.
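As an added illustration (not part of the SFSU policy or any campus tooling), a small Python check that applies the Events, Event Metadata and 30-day retention requirements above to constructed JSON log lines; the policy names the elements but prescribes no schema, so the field and event-type names below are assumptions.

```python
import json
from datetime import datetime, timedelta

# Event categories taken from the policy's "Events" list (the names are assumptions).
POLICY_EVENT_TYPES = {
    "admin_action", "config_change", "audit_trail_access", "failed_login",
    "login", "control_toggle", "security_setting_change",
}
# One field per element of the policy's "Event Metadata" list (field names assumed).
REQUIRED_FIELDS = ("user", "event_type", "timestamp", "outcome", "data_accessed",
                   "program", "origin", "protocol", "resource")
MIN_RETENTION = timedelta(days=30)  # "no less than 30 days" from the Logging section

def check_record(record: dict) -> list[str]:
    """Return the policy elements a single log record fails to satisfy."""
    problems = [f"missing:{f}" for f in REQUIRED_FIELDS if not record.get(f)]
    if record.get("event_type") not in POLICY_EVENT_TYPES:
        problems.append("unknown_event_type")
    if record.get("outcome") not in ("success", "failure"):
        problems.append("bad_outcome")
    return problems

def audit(lines: list[str]) -> dict[int, list[str]]:
    """Map 1-based line numbers to their problems; compliant lines are omitted."""
    findings = {}
    for n, line in enumerate(lines, 1):
        try:
            problems = check_record(json.loads(line))
        except json.JSONDecodeError:
            problems = ["unparseable"]
        if problems:
            findings[n] = problems
    return findings

def retention_covered(timestamps: list[str], now_iso: str) -> bool:
    """True when the oldest record still held is at least 30 days old, i.e. the
    store has not purged anything inside the required retention window."""
    now = datetime.fromisoformat(now_iso)
    oldest = min(datetime.fromisoformat(t) for t in timestamps)
    return now - oldest >= MIN_RETENTION

SAMPLE_LINES = [  # constructed sample records, not real campus logs
    '{"user":"jdoe","event_type":"login","timestamp":"2025-07-01T08:00:00+00:00",'
    '"outcome":"success","data_accessed":"none","program":"sshd",'
    '"origin":"10.0.0.5","protocol":"ssh","resource":"srv-hr-01"}',
    '{"user":"root","event_type":"config_change","timestamp":"2025-07-01T08:05:00+00:00",'
    '"outcome":"success","program":"sudo","origin":"10.0.0.5","resource":"srv-hr-01"}',
    "not json at all",
]
```

Running `audit(SAMPLE_LINES)` flags line 2 for the missing "Data accessed" and "Protocol" elements and line 3 as unparseable; line 1 carries every element and is reported clean.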


Monitoring and Escalation

CSU policy mandates that “records created by monitoring controls (e.g. logging) must be protected from unauthorized access and reviewed regularly.” This includes security logs. Data custodians, application administrators, and system administrators should establish mechanisms for conveying relevant data (e.g. alert triggers, daily reports) when activity is detected that potentially puts critical data at risk. 

Log data and associated system information must be made available to the campus ISO upon request. Suspected attacks and malicious or unauthorized activity should be reported as a security incident using the campus service request ticketing system, or to campus police as indicated in the SFSU Incident Management Policy.

The ISO is responsible for monitoring and managing the SIEM and related services, and for investigating and coordinating analyses of SIEM alerts.