University of Idaho - I Banner
A student works at a computer

SlateConnect

U of I's web-based retention and advising tool provides an efficient way to guide and support students on their road to graduation. Login to SlateConnect.

Audit and Accountability

Overview

This updated standard is to help align existing practices within Office of Information Technology (OIT) around access controls to the requirements in NIST 800-171 (AU | 3.3.x) as well as industry best practices. This document does not give full coverage of 3.3.x controls within 171 due to existing limitations and other requirements that are specific to CUI.

What is in this document:

  • Required log types
  • Time requirements
  • Log retention requirements
  • Student and guest network security exemption

What is NOT in this document:

  • Approved log locations (Pending knowledge base)
  • Comprehensive list of everything that must ship logs
  • How logs must be shipped
  • The implementation of log collection tools
  • Operating system log configuration (pending baseline config) 

Policy Reference

APM 30.11 University Data Classification and Standards

APM 30.12 Acceptable Use of Technology Resources

APM 30.14 Cyber Incident Reporting and Response

Purpose

This Audit and Accountability standard supports APM 30.11 University Data Classification and Standards, and other relevant university policies.

This standard provides the log requirements for the detection, validation and investigation of unlawful, unauthorized, suspicious or unusual activity.

Scope

These Standards are the minimum baseline for all managed systems that access, store or process University of Idaho data (see APM 30.14 C-6) at the Low, Moderate or High risk levels (see APM 30.11) not otherwise covered by an approved system security plan.

This specifically applies to University of Idaho-managed technology resources as defined by APM 30.12 C-1.

Standards

  1. Access, Authentication and Authorization.

    Logs that record what identities accessed what systems and when. Sources for these include but are not limited to:

    1. Web applications access
    2. Azure AD and AD infrastructure
    3. System access
    4. O365 file access
    5. MFA infrastructure
    6. Network access

      Risks level that requires logging: Low* / Moderate / High

      *Central logging for local authentication on low-risk systems is not required.

  2. Network logs. Logs generated from network activity. Sources for these include but are not limited to:
    1. Firewalls
    2. NetfLow infrastructure
    3. VPN infrastructure
    4. Wireless and wired infrastructure
    5. DHCP infrastructure
    6. ARP tables

      Risk levels that requires logging: Low* / Moderate / High

      *Central logging for local authentication on low-risk systems is not required.

  3. Email logs. Logs that are generated from email activity. Sources for these include but are not limited to:
    1. Email routing appliances
      1. Tools and applications using centrally managed mail relays are exempt.
    2. Email security appliances

      Risk levels that require logging: Low / Moderate / High

  4. Security events. Logs generated by OIT managed security tools. Sources for these include but are not limited to:
    1. AV/EDR
    2. IPS/IDS
    3. Network Security Monitoring (Moderate / High only)
    4. Passive DNS (pDNS) logs (Moderate / High only)

      Risk levels that require logging: Low / Moderate / High

  5. Privilege, Identity and Credential Management. Logs generated via changes in identities and credentials. Sources for these include but are not limited to:
    1. Active directory
    2. Duo administration
    3. Certificate issuance and revocation

      Risk levels that require logging: Low* / Moderate / High

      *Central logging for local authentication on low-risk systems is not required.

  6. Application logs. Logs generated by an application as part of its functions. Examples for these include but are not limited to:
    1. Change logs
    2. Execution logs. (High-risk only)
    3. Debug logs (No central logging required)

      Risk levels that require logging: Moderate / High

    4. Operating system Logs. Logs generated by the operating system as part of its functions. Only logs from server operating systems are required.

      Risk levels that require logging: Moderate / High

  7. Operating system Logs. Logs generated by the operating system as part of its functions. Only logs from server operating systems are required.

    Risk levels that require logging: Moderate / High

  8. Other log types as specified by OIT security

  1. To ensure managed technology devices are maintaining the correct time for logging they must use time.uidaho.edu or an approved source as their source of time.
    1. Time.uidaho.edu is a pair of time servers.
    2. Time.uidaho.edu leverages the following as authoritative time servers.
      1. clock.xmission.com
      2. sue.cc.uregina.ca
      3. india.colorado.edu
      4. clock.sjc.he.net

        Applies to: Low / Moderate / High

    3. Approved time sources, includes the authoritative times source time.uidaho.edu as well as the following either directly or indirectly:
      1. time.windows.com
      2. time.nist.gov
      3. Pool.ntp.org
      4. time.apple.com
      5. Cloud services contracted by the university may use their internal time servers.
  2. If possible, time format should be in ISO 8601 (YYYY-MM-DDThh:mm:ss.mmm+<offset from UTCli>>)

Ensure appropriate logs can be actioned by OIT Security through the following standards:

  1. Required logs must be shipped to an approved central logging server for correlation, review and report generation.
  2. Alerts must be established for the following scenarios to ensure logging success:

    Applies to: Low / Moderate / High

    1. No or Low log volume for expected period of time.
    2. Log parsing errors
    3. Log storage capacity limitations being reached.
  3. Alerts generated from errors in logging capability must be sent to systems owners and/or central logging server admins to locate and resolve the issue.
  4. Logging systems should be periodically reviewed by log source owner to ensure logging meets defined standards.

    Applies to: Low / Moderate / High (at least annually)

  5. All logs should contain:
    1. A UTC-adjusted timestamp of the event according to the time on the log source.
    2. A UTC-adjusted timestamp of when the log was processed by central logging server.
    3. The IP/name of the log source.
    4. The application/service name that generated the source (if available).
    5. Any relevant identifying information provided by application or gathered from context.
      1. Examples include but not limited to: Usernames, IP addresses, device names, certificates, user-agents, x-forwarded for, translated IP addresses, SPF results, Geo-location data.
      2. Use of High-risk data and privileged functions must be able to be correlated to a single user or process acting on behalf of user.
    6. Action performed.
      1. Examples include but not limited to: Password change, authentication attempt, HTTP POST, email received.
    7. Result of action and reason (if available)
      1. Examples include but not limited to: success, failure due to bad password, failure due to permissions issue, HTTP 404.
    8. Security information (if available)
      1. Examples include but not limited to: Signature detected, security action, scan results.
    9. Contextual information
      1. Examples: port numbers, email subject, role assignment, session state.
    10. Any additional items that may be helpful in an investigation as required by either system owner or OIT.

Required logs should be retained on the appropriate central logging server for 1 year unless defined by laws, regulations, contractual obligations or otherwise defined by OIT Security.

The following standards ensure the confidentiality and integrity of log data.

  1. Central logging server access is granted on an as-needed basis.
  2. Central logging server access is reviewed yearly.
  3. Alerts occur when data in the central logging server is deleted.
  4. Data classification standards must be applied to Central Logging Servers based on the risk level of the data within the logs.

To protect the privacy of students and guests, student and guest networks are exempt from network security monitoring and pDNS logging.

Other References

1. NIST SP800-171r2 (February 2020)

2. NIST SP800-53r5 (September 2020)

3. ISO 8601

4. Approved Central Logging Systems

Definitions

1. Identity

The way in which a unique entity can be identified. I.E. user name, hostname, IP address, UUID, etc.

2. UTC adjusted timestamp

A log field of a point in time that is recorded in Coordinated Universal Time. I.E. 12:00 PM Pacific time is 19:00 (UTC-8).

3. Log source

The system that generates the log.

4. Relevant identifying information

Information that can be used to uniquely track an entity across relevant actions and sessions. This includes both direct identifiers such as user names and IP addresses and indirect identifiers such as UA strings and geo-location.

5. Central logging server

Central system that other systems and applications forward logs to such as OIT-managed Splunk, Syslog, Sentinel or AKIPS.

6. Execution logs

Logs relating to execution of commands and functions within an application. Examples include but not limited to API execution, SQL execution or function execution.

7. Network security monitoring (NSM)

Passive analysis of network packets for later analysis and investigation.

Standard Owner

OIT Security is responsible for the content and management of these standards.

To request an exception to this standard.

Contact: oit-security@uidaho.edu

Revision History

3/1/2024 — Minor updates

  • Added alternate time servers
  • Added log retention, log access and student and guest exemptions
  • Other minor formatting/wording/reference changes.

6/23/2023 — Original standard

  • Full re-write to align with NIST 800-171r2

Physical Address:

Teaching Learning Center Room 128

Office Hours:

Monday - Friday
8 a.m. to 5 p.m.

Summer Hours:

Monday - Friday
7:30 a.m. to 4:30p.m.

Phone: 208-885-4357 (HELP)

Email: support@uidaho.edu

Map