Provide an accurate and comprehensive audit log to detect and respond to inappropriate access to and use of information systems and data
Information systems must record access to information systems and data, as well as important system events.
The information system audit log must be saved for an appropriate period of time based on the document preservation plan and business requirements. Audit logs exceeding this retention period should be discarded according to the UF document destruction policy.
The Information System Administrator (ISA) is responsible for creating and implementing reports and procedures to handle inappropriate or abnormal activity.
The Information System Administrator (ISM) is responsible for monitoring and checking the audit log and identifying and responding to inappropriate or abnormal activity.
I do not like configuring audit policies for every activity that occurs on the logging server, but I also avoid audit configurations that check only a minimal set of events and failures. Each additional audit policy you add to the server increases the server load and the size of the security log file. If you are really interested in logging events that may affect the security of your system, you should record not only events that someone tried but could not complete, but also investigate events that someone tried and succeeded at. This has been my philosophy for a while, and it has been very useful to me; some people think I am a bit paranoid.
Information Security and Policy (ISP) operates a campus-wide audit logging solution, Campus Log (based on HP ArcSight), which helps manage and correlate logs and detect suspicious activity involving the most important data assets on campus. The service's advanced detection capabilities let ISP correlate many aspects of events (IDs, vulnerabilities, intrusion detection, etc.) across multiple sources such as firewalls, web servers and system access logs, and across asset, time, mode, etc., in order to determine whether a system has been successfully attacked, is currently under attack, or faces an advanced threat that can be detected before the attack causes damage.
You need to implement appropriate logging infrastructure and configure all important devices, systems, and applications to record an audit trail. The responsible administrator, or a designee, must ensure that important events and the audit trail are recorded reliably. File integrity monitoring / change detection software should watch the logs and issue an alert whenever log data is modified. Support staff should be assigned to review and monitor the logs of the systems under their control. Logs should be reviewed both periodically and on an ongoing basis. The frequency of review should be based on the sensitivity of the stored information, the function of the system, and any other requirements identified for it. The program must also verify that logging is enabled and working properly.
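The two checks the paragraph above asks for, change detection on recorded log data and confirmation that logging is still active, can be automated with a small reviewer-side script. The following is an added example written for this page; it is not part of the policy, Campus Log or any UF tool. It assumes a line-oriented audit log whose records begin with an ISO-8601 timestamp, stores a SHA-256 hash chain as the baseline from the last review, and treats a log with no record in the last hour (an assumed threshold) as a sign that logging has stopped.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed sample records (not from any real system): ISO-8601 timestamp first.
SAMPLE_LOG = [
    "2024-05-01T10:00:00+00:00 login user=alice src=10.0.0.5 result=success",
    "2024-05-01T10:05:12+00:00 login user=bob src=10.0.0.9 result=failure",
    "2024-05-01T10:07:30+00:00 sudo user=alice cmd=/bin/cat result=success",
]

def chain_digests(lines):
    """Chained SHA-256 over the log: d_i = H(d_{i-1} || line_i).
    Because every digest depends on all earlier lines, editing or deleting
    any recorded line changes every digest from that point onward."""
    prev = b"\x00" * 32
    digests = []
    for line in lines:
        prev = hashlib.sha256(prev + line.encode()).digest()
        digests.append(prev.hex())
    return digests

def verify_chain(lines, baseline):
    """Check the current log against the baseline taken at the last review.
    Returns (ok, index_of_first_bad_line). New lines appended after the
    baseline are expected; a truncated, edited or reordered log is flagged."""
    current = chain_digests(lines)
    if len(current) < len(baseline):
        return False, len(current)          # lines removed from the end
    for i, expected in enumerate(baseline):
        if current[i] != expected:
            return False, i                 # earliest modified/deleted line
    return True, None

def logging_is_live(lines, now, max_gap=timedelta(hours=1)):
    """Confirm logging is still active: the newest record must be no older
    than max_gap (assumed threshold) relative to `now`."""
    if not lines:
        return False
    newest = datetime.fromisoformat(lines[-1].split(" ", 1)[0])
    return now - newest <= max_gap

if __name__ == "__main__":
    baseline = chain_digests(SAMPLE_LOG)            # stored at review time
    edited = list(SAMPLE_LOG)
    edited[1] = edited[1].replace("failure", "success")
    print("intact:", verify_chain(SAMPLE_LOG, baseline))   # (True, None)
    print("edited:", verify_chain(edited, baseline))       # (False, 1)
    now = datetime(2024, 5, 1, 12, 30, tzinfo=timezone.utc)
    print("live:", logging_is_live(SAMPLE_LOG, now))       # False: silent > 1h
```

Keep the baseline digests somewhere the log writer cannot modify (a separate host or the central log service), otherwise an attacker who can edit the log can also rewrite the chain.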