Security Logging

Division: 

Administration & Finance

Department: 

Information Technology Services

Contact Information: 

Nish Malik / Senior Associate Vice President (AVP) and Chief Information Officer (CIO) / (415) 405-4105 / nish@sfsu.edu

Effective Date: 

Wednesday, November 30, 2011

Revised Date: 

Thursday, March 2, 2022

Authority: 

CSU Information Security Policy and Standards

Objective: 

This Policy defines requirements for security logging.

Definitions:

Level 1 Information: Information whose unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could result in severe damage to the CSU, its students, employees, or customers. Severe risk includes but is not limited to:  financial loss, damage to the CSU’s reputation, and legal action.

Critical Data: “Critical data” includes protected Level 1 information in such quantities as to require notification of government officials in the event of a breach (e.g. over 500 records under HIPAA or California Civil Code section et seq.,), or information classified as protected Level 1 due to severe risk, regardless of the record count. Examples of critical data include patient health information, student financial information, and payment information. See the Confidential Data Policy for more information.  SF State’s Information Security Office is responsible for determining the classification of a workstation when questions arise.   

Statement: 

Purpose and Scope 

This Policy is applicable to all SF State departments and operational units operating network devices, communications infrastructure, servers, cloud services, and endpoints.  It outlines:

  • The extent of monitoring and logging that must be in place
  • The event elements that must be logged
  • Retention period
  • Intervals and/or conditions for automated and human involved monitoring and escalation

Policy

Logging

All network devices, communications infrastructure, servers, cloud services, and endpoints that process critical data must activate logging of the elements listed below and retain such logs for no less than 30 days in accordance with related business record retention requirements. Incident investigations, CSU records retention guidelines, subpoenas, departmental guidelines or other directives may dictate longer retention periods. Servers that process Level 1 data, at a minimum, must store a copy of their log data on another device and access to these copies should be limited on a need to know basis. Technology purchases, including cloud services, that involve the storage or maintenance of level 1 data should be assessed to ensure they are capturing the logging elements defined in this policy, at a minimum, and may be required by the ISO to send logs to the SF State SIEM system.  

Log Elements

If available, and storage and processor capacity allows, the following elements should be captured for platforms that processes critical data, and the applications running on them:

  • Threat Identity
  • User/account identification
  • Type of event
  • Date and time
  • Program or utility used
  • Host Origin (e.g., network address)
  • Protocol
  • Host Impacted
  • Actions taken by any individual with root or administrative privileges
  • Changes to system configuration
  • Data Accessed
  • Access to audit trails
  • Invalid access attempts (failed login)
  • Use of identification and authentication mechanisms (logins)
  • Notifications and alerts
  • Activation and de-activation of controls, such as anti-malware software
  • Changes to, or attempts to change system security settings or control.

SF State uses a Security Information and Event Management (SIEM) automated security log monitoring tool for automated log analysis and alerting.  The Information Security Office (ISO) will identify and approve logs that are required for ingestion by the SIEM.

Monitoring and Escalation

CSU policy mandates that “records created by monitoring controls (e.g. logging) must be protected from unauthorized access and reviewed regularly.” This includes security logs. Data custodians, application administrators, and system administrators should establish mechanisms for conveying relevant data (e.g. alert triggers, daily reports) when activity is detected that potentially puts critical data at risk. 

Log data and associated system information must be made available to the campus ISO upon request. Suspected attacks, and malicious or unauthorized activity should be reported as a security incident using the campus service request ticketing system, or campus police as indicated at: SF State Incident Management Policy.

ISO is responsible for monitoring and managing the SIEM and related services, and for investigating and coordinating analyses of SIEM alerts.

References

CSU Records/Information Retention and Disposition Schedules - Executive Order 1031