Purpose
The AACC Division of Information and Instructional Technology (IIT) is committed to a secure information technology environment in support of its mission. Without appropriate security logging and monitoring, an attacker’s activities may go unnoticed, and logs necessary to investigate such events may not be available. Ensuring system logs are available and monitored consistently will aid in the early identification of security events and may help prevent security incidents or minimize the potential impact of incidents.
AACC logs user system and network activities within the application, system, or security incident and event management system. AACC monitors user activities through reports from the logs or alerts from the system. When an alert is received, logs will be reviewed to identify the issue and root cause. If an event is evaluated that possible unauthorized access has occurred, then the incident response plan and compromised account requirements are followed.
The purpose of this Information Technology Requirement (ITR) is to establish a consistent expectation of security logging and monitoring practices across AACC to aid in the early identification and forensic analysis of security events.
Scope
This ITR applies to all high impact systems, or any AACC owned or leased IT assets that require special attention to security due to increased risk of harm resulting from loss, misuse, or unauthorized access to or modification of information or configurations therein. Where practical, externally hosted systems and services should be logged to the same standard as local services. Employee workstations may be included within the scope of this ITR at the discretion of the vice president of IIT.
Required Logging Activities
All hosts and networking equipment must perform security log generation for all system components. All hosts and networking equipment should issue alerts on security log processing failures, such as software/hardware errors, failures in the log capturing mechanisms, and log storage capacity being reached or exceeded. All alerts should be as close to real time as possible.
Centralized Logging Requirements
All security events for High Impact Systems must be transferred to a managed logging service in real-time or as quickly as technology allows. Systems running workstation operating systems which are used for shared services, such as shared file storage or web services, must also satisfy these requirements. Log integrity for consolidated log infrastructure needs to be preserved.
Required Monitoring Activities
Processes should be developed and implemented to review logs for systems to identify anomalies or suspicious activity. Where possible, security baselines should be developed, and automated monitoring tools used, to generate alerts when exceptions are detected. Systems that are monitored for anomalies or suspicious activity through a managed logging service are not required to be further monitored for the same activity locally, however such dual monitoring is encouraged.
Authorized Personnel
Logs shall be secured by limiting access to individuals whose access is needed to perform their job and protect files from unauthorized modifications.
Retention
Electronic logs that are created due to the monitoring outlined in this ITR should be maintained and readily available for a minimum of 30 days. Systems that collect logs must maintain sufficient storage space to meet the minimum requirements for both readily available and retained logs. Storage planning should account for log bursts or increases in storage requirements that could reasonably be expected to result from system issues, including security.
Audit Events
A technology system audit event is any observable occurrence in a college information system. IIT identifies audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate.
Audit events can include password changes, failed logons, or failed access related to information systems, administrative privilege usage, abnormal system activity, and similar occurrences. Also included are auditable events that are required by applicable security frameworks, laws, College policies, regulations, and standards.
IIT implements and manages the program for continuous monitoring and auditing of college systems for the purposes of ensuring the confidentiality, availability, and integrity of those systems by detecting abnormal events, monitoring system access and usage, and responding to incidents that may impact the security of those systems.
All servers, network devices, computer systems and end-user workstations used for college operations should have the audit mechanism enabled and shall include logs to record specified audit events as defined by IIT.
Audit logs for information systems containing restricted and otherwise protected data should be audited at the appropriate levels.
Content of Audit Records
Information systems should be configured to generate detailed audit records containing sufficient information to establish what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.
Audit Storage Capacity
IIT allocates audit record storage capacity to retain audit records.
Audit Processing Failures
In the event of an audit processing failure (such as software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded), IIT will define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors).
Audit Review, Analysis and Reporting
Audit review, analysis and reporting cover information security-related auditing performed by IIT for the purposes of preventing, detecting and correcting events that may impact the confidentiality, integrity and availability of college technology systems and data. Findings can be reported to organizational entities that include incident response teams, technology management and support teams and other stakeholders.
IIT regularly reviews operational audit logs, including system, application and user event logs, for abnormalities. Any abnormalities and/or discrepancies between the logs and the baseline that are discovered are reported to IIT management and stakeholders as applicable. Access to audit logs is restricted to only those authorized to view them and the logs are protected from unauthorized modifications, and if possible, through the use of file-integrity monitoring or change-detection software.
IIT reviews and analyzes information system audit records regularly for indications of unusual activity related to potential unauthorized access or system abnormalities; the log analytic tool is regularly tuned to better identify actionable events and decrease event noise.
Protection of Audit Information
Audit data is classified as restricted and will be maintained in accordance with college policy. IIT protects audit information and audit tools from unauthorized access, modification, and deletion. Protection controls may include backing up audit records onto a physically different system or system component than the system or component being audited and/or writing audit files to a log server on the internal network and subsequently backing them up to a secure location.
Audit Record Retention
IIT retains audit records until it is determined that they are no longer needed for administrative, legal, audit or other operational and investigational purposes. IIT disposes of audit records when the retention period has expired in accordance with the standard record retention schedule.
Audit Generation
IIT ensures that college-funded or college-owned technology systems generate audit records and make them available to IIT in accordance with this ITR.
Systems
Systems performing logging, reporting and alerts include, but are not limited to:
1. Colleague
1.1 File user.activty shows which users have logged in to the Colleague system. Information provided includes operator ID, person ID, when the login occurred and the IP address from which the login attempt originated.
1.2 CHGOPR/CHGDATE and ADDOPR/ADDDATE fields exist for all entities (delivered and custom). These fields indicate the last person and date that a record was created or modified.
1.3 HIST files exist for any entity set up in the DHST mnemonic. These files track the creation, modification or deletions made to specific elements in the setup entity. A list of tracked elements is included.
2. Varonis DatAdvantage
2.1 Logs all file modification operations performed on AACC shared drives, M365 OneDrive and M365 SharePoint.
2.2 Requirements for the annual shared drive audit are included.
3. NetSurion EventTracker SIEM
3.1 Collects Windows security event logs from AACC Domin Controllers in a central repository.
3.2 Provides daily reporting on audited events.
3.3 Supports ad-hoc searches of collected event logs.
3.4 Requirements for review of active directory account lockouts and active directory password reset events are included.
4. M365 Audit Log
4.1 Logs operations performed by users in the AACC M365 environment. See Audit log activities | Microsoft Learn for a list of activities logged.
5. Azure Sign-ins Log
5.1 Logs successful and failed sign-in attempts to the AACC Azure Environment.
5.2 Logs successful and failed sign-in attempts to other applications where single sign-on has been configured. SaaS applications where single sign-on is supported have been configured for single sign-on.
5.3 See Sign-in logs in Microsoft Entra ID – Microsoft Entra | Microsoft Learn for additional detail.
6. AD-Audit
6.1 Tracks both successful and failed AD account logon and logoff activities across AACC workstations.
6.2 Logs all other activity taking place on AACC workstations.
7. Firewall Logs
7.1 Logs internet activity both inbound to and outbound from the college. Alerts are configured to fire when attempts to download malware, network intrusions or other illicit activity have taken place.
8. Microsoft User at Risk Detected Alerts
8.1 When alerts are received, incident response and compromised account requirements are followed.
8.2 See Microsoft Entra ID Protection notifications – Microsoft Entra | Microsoft Learn for additional detail.
Exemptions
None
Contingencies
None
Review Process
Information Technology Requirements will be reviewed every 12 months or sooner, if required. Guidelines and Processes will be reviewed every 24 months or sooner, if required.
Guideline Title: System and Integrity Information Technology Requirement
Guideline Owner: Vice President for Information and Instructional Technology
Guideline Administrator: Director, Information Security
Contact Information: John Williams, [email protected]
Approval Date: Jan. 8, 2024
Effective Date: January 8, 2024
History: Adopted Oct. 13, 2023
Applies to: Division of Information Technology Requirement
Related Policies: N/A
Related Procedures: N/A
Related Guidelines:
Forms: N/A
Relevant Laws: N/A