Information Technology Security System Monitoring

PPD-0387

Introduction

Computers, servers and network devices generate logs that are essential to operating the infrastructure at the core of the data services ITNS provides to VIMS. Logs are the primary mechanism for tracking activity and for reporting in support of review, diagnostic and security functions. ITNS must therefore maintain accurate and comprehensive logs of mission-critical servers, computers and equipment for both operational and reporting purposes.

Scope

This policy applies to all ITNS staff who support and maintain core infrastructure services.

Policy 

  1. ITNS will maintain a centralized system of secure log management, through which authorized users may access and review collected log data.
  2. Access to all secured systems at VIMS through the centrally managed directory system must be logged for security and audit purposes.
  3. ITNS will designate equipment, physical servers, virtual servers and computers as "mission critical". These mission-critical devices must report logs to the centralized log management system. Additional non-critical systems and equipment may also report to the centralized log management system for diagnostic and troubleshooting purposes.
  4. Access to logs will be provided to W&M InfoSec personnel as appropriate to assist in response to incidents per VIMS PPD-0388 “Security Incident Reporting Procedures”.
  5. Logs will be retained for a minimum of 30 days and for up to 1 year, depending on the system's priority for risk assessment and abatement.

Roles & Responsibilities 

  1. Infrastructure Services Architects (ISAs), as assigned at the discretion of the CIO, are responsible for developing and maintaining the centralized log management system. The assigned ISAs will be responsible for all necessary updates, upgrades, maintenance and troubleshooting of the log system’s functionality.
  2. The designated Enterprise Operations Specialist for ITNS shall be responsible for operational monitoring of log systems for VIMS. This includes ongoing monitoring of event logs, acting on security breach events as necessary, and reporting security breach events to the VIMS CIO.
  3. Authorized Users are individuals whose areas of responsibility require access to the centralized log management system for diagnostic and troubleshooting purposes. Authorized Users have read-only access within the log system: they may review logs but may not change them.

Management Oversight and Monitoring

  1. The VIMS CIO will review log reports generated weekly and analyze them for potential security and operational risks.
  2. Log reports will also be generated periodically and sent to the W&M CISO for risk review.