Logging and Monitoring of UBC Systems
- Effective logging and monitoring procedures (i.e. continual monitoring and/or periodic reviews) provide ongoing assurance that UBC Systems and the UBC Electronic Information that they hold are secure, and that confidentiality and integrity are effectively being ensured. In the event of a security breach, audit logs are relied upon to determine whether or not information has been accessed or modified without authority.
- The nature and frequency of logging and monitoring procedures must be based upon the sensitivity of the information stored in the system and the potential impact of a security breach upon the University and affected individuals. It is only necessary to implement logging and monitoring at a level that will reasonably identify unauthorized access to UBC Systems and UBC Electronic Information in a timely manner. Logging and monitoring should be considered at the operating system, database and/or application level.
- This standard defines requirements for effective logging and monitoring of UBC Systems and UBC Electronic Information for security purposes. Unless otherwise stated in this document, University IT Support Staff are responsible for ensuring compliance with these standards. In addition, Information Stewards/Owners are responsible for ensuring that logging and monitoring procedures are adequate for securing the information they are responsible for. ERPs, Merchant Systems and EMRs must be compliant with this standard; it is recommended that all other UBC Systems comply with this standard.
- The Chief Information Officer has issued this standard under the authority of Policy SC14, Acceptable Use and Security of UBC Electronic Information and Systems. Questions about this standard may be referred to firstname.lastname@example.org.
Logging and Monitoring Requirements
- The following key activities must be logged:
- User login, logout and access to a resource;
- action performed by the User and the time it was performed; and
- where feasible, any access to, or modification of, records.
- Logs should be configured to record system faults that are potential indicators for detecting attacks against UBC Systems or other unauthorized activity.
- Logs provide valuable information that can be used to validate the integrity and confidentiality of UBC Electronic Information; to be effective, logs must be:
- retained for at least 90 days (except for ERP logs, which must be retained for at least 365 days) and regularly backed up whenever possible, preferably to offsite secure storage;
- retrievable in a timely manner if they are required for analysis; and
- protected against unauthorized access and modification, preferably by locating them on a separate server outside the Demilitarized Zone (DMZ), such as a Database Server protected by a firewall, and restricting access as necessary; once written, log entries should not be changeable or deletable by anyone, including the administrators of the systems that generated them.
- Logs should be monitored to determine the use of system resources and to detect information security events (e.g. failed logons, simultaneous logins from different geographic locations, escalation of privilege, attacks against systems, etc.). Monitoring software should be configured to send an alert to responsible University IT Support Staff when appropriate.
- Accurate logs depend on accurate time. Systems containing or processing High or Very High Risk Information must be set to synchronize their clocks with a reliable source. UBC's DNS servers also act as the University's NTP (time synchronization) servers; they are themselves synchronized to an external time source (ntp.org). All Users and University IT Support Staff should use these servers, or an equivalent service, as their time synchronization source. More details on this service can be found on the myDNS Overview page.
Additional Requirements for Privileged Accounts
- University IT Support Staff must ensure that logs are kept of the usage of all Privileged Accounts. Key activity to be logged must include the following:
- login, logout and the identity of the User, if known;
- action performed and the time it was performed;
- where feasible, any access to, or modification of, UBC Electronic Information; and
- any other information that the Information Stewards/Owners decide should be captured in order to protect high risk files.
- Logs of Privileged Account activity must be reviewed on a regular basis to detect information security events and determine if further investigation is required; where feasible this should be automated. Investigations should be reported to the Information Steward/Owner as required.
- Where appropriate, Privileged Account logging systems must automatically transmit alerts of significant activities to the technology owner (typically a manager of a University IT Support Staff team). The following activities must always trigger an alert:
- escalation of privilege; and/or
- usage of the Break Glass Procedure as described in the Privileged Account Management standard.
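The monitoring examples above (failed logons, simultaneous logins from different geographic locations, escalation of privilege) and the mandatory alerts for Privileged Accounts (escalation of privilege, Break Glass usage) can be expressed as simple detection rules run over the audit log. The following Python script is an added illustration, not part of this standard or of any UBC tooling: the key=value log format, the field names, the thresholds and the sample log lines are all constructed for the example, and the event names `sudo` and `break_glass` are assumed stand-ins for whatever a real system records for privilege escalation and the Break Glass Procedure.

```python
"""Detection rules over constructed audit-log lines: failed-logon bursts,
successful logins from different geographies close together, and
privilege-escalation / Break Glass events that must always alert."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real UBC data). The format is a
# hypothetical 'timestamp key=value ...' audit record.
SAMPLE_LOG = """\
2021-01-15T08:00:01Z host=web1 user=alice event=login result=success src=142.103.1.10 geo=CA
2021-01-15T08:01:10Z host=web1 user=bob event=login result=failure src=198.51.100.7 geo=US
2021-01-15T08:01:20Z host=web1 user=bob event=login result=failure src=198.51.100.7 geo=US
2021-01-15T08:01:31Z host=web1 user=bob event=login result=failure src=198.51.100.7 geo=US
2021-01-15T08:01:42Z host=web1 user=bob event=login result=failure src=198.51.100.7 geo=US
2021-01-15T08:01:55Z host=web1 user=bob event=login result=failure src=198.51.100.7 geo=US
2021-01-15T08:05:00Z host=db1 user=alice event=login result=success src=203.0.113.9 geo=DE
2021-01-15T08:06:00Z host=db1 user=carol event=sudo result=success src=142.103.1.22 geo=CA
2021-01-15T08:07:00Z host=erp1 user=dave event=break_glass result=success src=142.103.1.30 geo=CA
2021-01-15T09:30:00Z host=web1 user=alice event=logout result=success src=203.0.113.9 geo=DE
"""

# Assumed thresholds; a real deployment tunes these per system.
FAILED_LOGON_THRESHOLD = 5                   # failures per user ...
FAILED_LOGON_WINDOW = timedelta(minutes=5)   # ... within this window
GEO_WINDOW = timedelta(minutes=30)           # logins from two geographies within this window
ALWAYS_ALERT_EVENTS = {"sudo", "break_glass"}  # escalation of privilege, Break Glass usage


def parse_line(line):
    """Parse one 'ts key=value ...' line into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    record = dict(f.split("=", 1) for f in fields)
    record["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return record


def detect(lines):
    """Run the three rules over log lines in time order.
    Returns a list of (rule, user, detail) tuples, one per alert."""
    alerts = []
    failures = defaultdict(deque)   # user -> timestamps of recent failed logins
    last_login = {}                 # user -> (ts, geo) of last successful login
    for line in filter(None, map(str.strip, lines)):
        rec = parse_line(line)
        user, ts = rec["user"], rec["ts"]

        # Rule 1: burst of failed logons for one user inside the sliding window.
        if rec["event"] == "login" and rec["result"] == "failure":
            q = failures[user]
            q.append(ts)
            while q and ts - q[0] > FAILED_LOGON_WINDOW:
                q.popleft()
            if len(q) == FAILED_LOGON_THRESHOLD:   # fire once, when the threshold is hit
                alerts.append(("failed_logon_burst", user,
                               f"{len(q)} failures within {FAILED_LOGON_WINDOW}"))

        # Rule 2: successful logins from different geographies close together.
        if rec["event"] == "login" and rec["result"] == "success":
            prev = last_login.get(user)
            if prev and prev[1] != rec["geo"] and ts - prev[0] <= GEO_WINDOW:
                alerts.append(("concurrent_geo_login", user,
                               f"{prev[1]} then {rec['geo']} within {ts - prev[0]}"))
            last_login[user] = (ts, rec["geo"])

        # Rule 3: privilege escalation and Break Glass usage always alert.
        if rec["event"] in ALWAYS_ALERT_EVENTS:
            alerts.append(("privileged_activity", user,
                           f"{rec['event']} on {rec['host']}"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"ALERT {rule}: user={user} {detail}")
```

On the constructed sample the script raises four alerts: a failed-logon burst for bob, a CA-then-DE login for alice five minutes apart, and one privileged-activity alert each for carol (sudo) and dave (break_glass). Rule 3 deliberately has no threshold or window, matching the requirement that escalation of privilege and Break Glass usage always trigger an alert; in practice the alert would be routed to the responsible University IT Support Staff rather than printed.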
Additional Requirements for Merchant Systems
- For all Merchant Systems processing PCI Information, logs of access to PCI Information must record, for each access:
- which particular record was accessed;
- which User accessed the record; and
- the time the User accessed the record.
- Logs of access to PCI Information should be retained for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from back-up).
Use and Disclosure of Logs
- Logs are generally intended to be used for maintenance and troubleshooting, as well as detecting and investigating information security events. Access for other purposes must be approved using one of the following methods:
- internally, within UBC, in accordance with the Accessing Electronic Accounts and Records standard;
- externally to law enforcement via Campus Security; or
- externally to other entities via authorization from the Office of the University Counsel.
Related Documents and Resources
- Policy SC14, Acceptable Use and Security of UBC Electronic Information and Systems
- UBC IT myDNS
- Privileged Account Management standard
- Accessing Electronic Accounts and Records standard
Last Revised: 2021-01