URP: I.19.d Information Security Audit and Accountability


STATEMENT OF PURPOSE

This document establishes the information security audit and accountability regulations and procedures for managing risks from inadequate event logging and transaction monitoring. The information security audit and accountability program helps Texas Woman's University (TWU) implement security best practices with regard to information security auditing and accountability.


DEFINITIONS


Audit Accountability is the responsibility of either a person or a department to perform a specific function to verify the integrity and accuracy of organizational rules and processes.

Audit Events are information system actions, relevant to information or computer security, that can be audited.

A Timestamp is the time at which an event occurred, as recorded by a computer.


SCOPE

These regulations and procedures apply to all information resources owned or operated by TWU. All users are responsible for adhering to them. Where needed or appropriate, information regarding roles, responsibilities, management commitment, and coordination among organizational entities is embedded within these procedures.


REGULATIONS AND PROCEDURES

The State of Texas has chosen to adopt the Audit and Accountability principles established in NIST SP 800-53 “Audit and Accountability Control Family guidelines”. The following subsections outline the audit and accountability standards that constitute TWU’s regulations and procedures.

  • AU-1 Audit and Accountability: 
    • Regulations:
      • TWU must develop, adopt, or adhere to formal, documented audit and accountability regulations and procedures that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
    • Procedures:
      • The Office of Technology (OOT) will maintain regulations and procedures that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance of TWU’s information security audit and accountability program.
  • AU-2 Audit Events: 
    • Regulations:
      • All TWU information resources must be capable of auditing the actions of users deemed necessary by the Information Security Officer (ISO). 
    • Procedures:
      • TWU information resources will be reviewed during the risk assessment process to determine whether the information systems provide the means by which authorized personnel can audit, and establish individual accountability for, any action that could result in access to, generation of, modification of, or release of confidential information.
  • AU-3 Content of Audit Records: 
    • Regulations:
      • TWU information systems must produce audit records that contain sufficient information to, at a minimum, establish what type of event occurred, when (date and time) the event occurred, where the event occurred, the source of the event, the outcome (success or failure) of the event, and the identity of any user associated with the event.
    • Procedures:
      • OOT employs centralized audit logging systems that contain the minimum required information for events and transactions.
      • Information system audit requirements
        • Information system owners must be recorded by the OOT Security Team.
        • Information system data must be classified by the OOT Security Team as: 1) confidential (PIP); 2) agency sensitive (PI); or 3) public (PO).
        • OOT managed monitoring systems are required for production, redundant and failover servers
          • Monitoring is optional for Dev/Test servers
        • Information systems must be configured to provide centralized logging managed by OOT.
        • Production information systems must be physically located in one of TWU’s controlled facilities.
        • Information systems that have update services are managed by OOT by default. Automatic updating can be configured on a case-by-case basis.
        • When information systems allow, they must be joined to TWU’s security group management system.
          • Exceptions may be granted by the ISO on a case-by-case basis.
        • When information systems allow, proper group policies must be applied.
        • Information systems must have endpoint security properly installed and configured.
        • Information systems must have appropriate monitoring scripts installed, configured, and running to provide central notifications.
  • AU-4 Audit Storage Capacity: 
    • Regulations:
      • TWU information systems must allocate audit record storage capacity and configure auditing to reduce the likelihood of that capacity being exceeded.
    • Procedures:
      • OOT maintains capacity for 90 days’ worth of audit logs. Information system scripts will monitor available space and notify the appropriate individuals of high space utilization.
  • AU-5 Response to Audit Processing Failures: 
    • Regulations:
      • TWU information systems must alert designated organizational officials in the event of an audit processing failure.   
      • TWU information systems must be configured to take appropriate actions during an audit log failure.
    • Procedures:
      • OOT utilizes automated email alerts to inform the Information Security Manager of a failure. The Information Security Manager then determines the source of the problem and coordinates with the team members responsible for the affected system.
      • In the event of a failure, systems are configured to shut down, begin overwriting the oldest logs, stop processing transactions, or take other action deemed appropriate by the system owner.
  • AU-6 Audit Review, Analysis, and Reporting: 
    • Regulations:
      • TWU information asset records must be reviewed and analyzed periodically for indications of inappropriate or unusual activity, and findings must be reported to designated organizational officials.
      • TWU must adjust the level of audit review, analysis, and reporting within the information asset when there is a change in risk to organizational operations, organizational assets, individuals, or other organizations due to credible intelligence.
    • Procedures:
      • On a monthly basis, the Information Security Manager will randomly select systems for review and analysis of inappropriate or unusual activity.
      • When necessary the ISO will adjust the level of audit review, analysis, and reporting for an information asset.
      • OOT utilizes the following incident notification plan as the order for reporting inappropriate or unusual activity that has been discovered via the auditing process:
        • TWU’s Service Desk is notified
        • TWU’s Security Team is notified
        • ISO is notified
        • CIO is notified
  • AU-8 Time Stamps: 
    • Regulations:
      • TWU information systems must use standardized clocks to generate time stamps for audit records to facilitate logging and monitoring.
    • Procedures:
      • TWU information systems must be configured to synchronize with the centralized NTP server (time.twu.edu), which is the authoritative time source for all servers and network devices. This centralized source is traceable to Coordinated Universal Time (UTC), which allows timestamps and logs from different systems to be correlated during monitoring.
  • AU-9 Protection of Audit Information: 
    • Regulations:
      • TWU information systems must protect audit information and audit tools from unauthorized access, modification, and deletion.
    • Procedures:
      • All centralized audit logs are restricted to users with administrative permissions, as are the log collection servers that report to the central logging system. Administrative permissions are controlled by the Security Team.
  • AU-11 Audit Record Retention: 
    • Regulations:
      • TWU information systems must retain audit records for a sufficient period of time to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
    • Procedures:
      • All information systems must retain audit records for 90 days to provide support for after-the-fact investigations.
  • AU-12 Audit Generation: 
    • Regulations:
      • TWU information audit systems must allow investigators to select which auditable events are to be audited and the audit records must conform to the minimum standards defined in AU-2 and AU-3.
    • Procedures:
      • OOT central audit systems allow events to be reported and collected on the basis of event type.
      • OOT Security Team shall configure all information systems to generate audit records to all of the specifications set forth in previous procedures in this document.
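As an added illustration of the AU-3 minimum record content, the AU-8 requirement that recorded times map to UTC, and a simple AU-6 review pass, the following Python script checks a batch of centralized log lines and flags records that could not support an investigation. This is example code written for this page, not OOT tooling; the JSON field names, the sample records, and the "three failures within five minutes" threshold are assumptions, not requirements stated in the procedures above.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Minimum content an audit record must carry (AU-3), mapped to the
# hypothetical JSON keys this example assumes the central collector uses.
REQUIRED_FIELDS = {
    "event_type": "what type of event occurred",
    "timestamp":  "when the event occurred",
    "host":       "where the event occurred",
    "source":     "source of the event",
    "outcome":    "success or failure",
    "user":       "identity of the associated user",
}
VALID_OUTCOMES = {"success", "failure"}


def normalize_timestamp(value):
    """Parse an ISO 8601 timestamp and return it as an aware UTC datetime.

    AU-8 requires that recorded times map to UTC, so a timestamp with no
    UTC offset is rejected rather than guessed at.
    """
    if not isinstance(value, str):
        raise ValueError("timestamp is not a string")
    text = value.strip()
    if text.endswith("Z"):  # 'Z' suffix is only accepted by fromisoformat from 3.11 on
        text = text[:-1] + "+00:00"
    parsed = datetime.fromisoformat(text)
    if parsed.tzinfo is None:
        raise ValueError("timestamp has no UTC offset; cannot be mapped to UTC")
    return parsed.astimezone(timezone.utc)


def validate_record(line):
    """Check one JSON log line against AU-3 and AU-8. Returns (record, problems).

    record is None when the line cannot be used for accountability;
    problems lists every reason found, not just the first.
    """
    problems = []
    try:
        record = json.loads(line)
    except json.JSONDecodeError as exc:
        return None, [f"unparseable record: {exc.msg}"]
    if not isinstance(record, dict):
        return None, ["record is not a JSON object"]
    for field, meaning in REQUIRED_FIELDS.items():
        if record.get(field) in (None, ""):
            problems.append(f"missing {field} ({meaning})")
    outcome = record.get("outcome")
    if outcome and outcome not in VALID_OUTCOMES:
        problems.append(f"outcome {outcome!r} is not success/failure")
    if record.get("timestamp"):
        try:
            record["timestamp_utc"] = normalize_timestamp(record["timestamp"])
        except ValueError as exc:
            problems.append(f"bad timestamp: {exc}")
    return (None, problems) if problems else (record, [])


def review(lines, failure_threshold=3, window=timedelta(minutes=5)):
    """Validate a batch of lines, then apply one AU-6 style analysis:
    a user with failure_threshold or more failed events inside `window`
    is flagged for human review.  Thresholds are assumed values.
    """
    accepted, rejected = [], []
    for number, line in enumerate(lines, start=1):
        record, problems = validate_record(line)
        if record is None:
            rejected.append((number, problems))
        else:
            accepted.append(record)

    failures = defaultdict(list)
    for record in accepted:
        if record["outcome"] == "failure":
            failures[record["user"]].append(record["timestamp_utc"])

    suspicious = set()
    for user, times in failures.items():
        times.sort()
        for i in range(len(times) - failure_threshold + 1):
            if times[i + failure_threshold - 1] - times[i] <= window:
                suspicious.add(user)
                break
    return {"accepted": accepted, "rejected": rejected,
            "suspicious_users": sorted(suspicious)}


# Constructed sample input: one line per record, as the hypothetical collector would emit it.
SAMPLE_LINES = [
    '{"event_type":"logon","timestamp":"2019-05-16T15:44:00-05:00","host":"app01","source":"10.0.0.5","outcome":"success","user":"jdoe"}',
    '{"event_type":"logon","timestamp":"2019-05-16T20:50:00Z","host":"app01","source":"10.0.0.9","outcome":"failure","user":"asmith"}',
    '{"event_type":"logon","timestamp":"2019-05-16T20:51:00Z","host":"app01","source":"10.0.0.9","outcome":"failure","user":"asmith"}',
    '{"event_type":"logon","timestamp":"2019-05-16T20:53:30Z","host":"app01","source":"10.0.0.9","outcome":"failure","user":"asmith"}',
    '{"event_type":"file_read","timestamp":"2019-05-16T20:55:00","host":"db01","source":"sqlsvc","outcome":"success","user":"dba"}',
    '{"event_type":"file_delete","timestamp":"2019-05-16T21:00:00Z","host":"db01","source":"cron","outcome":"success"}',
    'not json at all',
]

if __name__ == "__main__":
    result = review(SAMPLE_LINES)
    for number, problems in result["rejected"]:
        print(f"line {number}: " + "; ".join(problems))
    print("accepted:", len(result["accepted"]), "flagged users:", result["suspicious_users"])
```

Running the script rejects the record whose timestamp carries no UTC offset (AU-8), the record with no user identity (AU-3), and the unparseable line, and flags `asmith` for three failed logons inside five minutes. Rejected records are kept and reported rather than silently dropped, since a gap in the audit trail is itself something the Information Security Manager needs to know about under AU-5.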

APPLICABILITY

TWU Students, Faculty, Staff, and Guests

COMPLIANCE

Violation of this policy may result in disciplinary action, which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; termination of access; legal action; termination for interns and volunteers; disciplinary review; suspension or expulsion (in the case of a student).


SPECIAL NOTES

Department of Information Resources Security Standards Catalog http://publishingext.dir.texas.gov/portal/internal/resources/DocumentLibrary/Security%20Control%20Standards%20Catalog.pdf


Details

Article ID: 56368
Created: Fri 6/22/18 10:39 AM
Modified: Thu 5/16/19 3:44 PM