BP.05.005 - Business Practice for Information Asset Monitoring

History

  • Business Practice Number: BP.05.005
  • Version: 1
  • Drafted By: Neal Fisch
  • Approved By: Michael Berman
  • Approval Date: 05/08/2017
  • Latest Revision Date:

Purpose

Provide support of ICSUAM Policy 8045.500 for Information Asset Monitoring related to Information Technology Security.

Background

To support ICSUAM policy 8045.500, CI must implement appropriate controls on the monitoring of information systems and network resources to ensure that monitoring is limited to approved activities. Monitoring must not be conducted for the purpose of gaining unauthorized access, “snooping”, or for other activities that violate the CSU Responsible Use Policy. Records created by monitoring controls (e.g. logging) must be protected from unauthorized access and reviewed regularly. Campuses must ensure that only individuals who have a “need-to-know” are granted access to data generated from monitoring controls.

Data generated by monitoring must be retained for a period of time that is consistent with effective use, CSU records retention schedules, and regulatory and legal requirements, such as compliance with litigation holds.

At a minimum, server administrators are required to scan regularly, remediate, and report un-remediated vulnerabilities on critical systems or systems that store protected information within a prescribed timeframe. The risk level of a system determines the frequency at which logs must be reviewed. Risk factors to consider are:

  • Criticality of business process.
  • Information classification associated with the system.
  • Past experience or understanding of system vulnerabilities.
  • System exposure (e.g., services offered to the Internet).

Business Practice

Accountability

Vice President for Technology and Innovation

Director, Infrastructure Technology

Applicability

All CI connected devices, applications, and computing services

Definition(s)

  1. Logs – Files capturing data regarding authentication and authorization of accessing systems and services.
  2. Logging Elements – Defined pieces of data that are required to be included in log data collection.

Text

General

CI must identify and implement appropriate logging and monitoring controls for information assets. These controls must take into consideration the technical capabilities of each resource. At a minimum and as appropriate, taking into account the capabilities of the device, application, or service creating the log entries, such controls must track and log the events prescribed in ICSUAM standard 8045.S600, which include:

Logging Elements:

At a minimum and as appropriate, taking into account the capabilities of the device or application creating the log entries, such controls must track and log the following events:

  1. Actions taken by any individual with root or administrative privileges
  2. Changes to system configuration
  3. Access to audit trails
  4. Invalid access attempts (failed login)
  5. Use of identification and authentication mechanisms (logins)
  6. Notifications and alerts
  7. Activation and de-activation of controls, such as anti-virus software or intrusion detection system
  8. Changes to, or attempts to change, system security settings or controls.

For each of the above events, the following must be recorded, as appropriate:

  1. User identification
  2. Type of event
  3. Date and time
  4. Success or failure indication
  5. Data accessed
  6. Program or utility used
  7. Origination of event (e.g., network address)
  8. Protocol
  9. Identity or name of affected data, information system or network resource.

CI must establish procedures for the retention of logs and monitoring information. Critical servers, at a minimum, must store a copy of their log data on another device; this copy must be protected from unauthorized access. CI must establish methods for time synchronization of logging and monitoring activities.

Exhibit(s)

Assessment History

Description | Frequency | Role Assigned
Annual assessment of business practice | Annual - July | ISO