Log Management Standard
This document applies to all servers and network devices that handle, accept network connections, or make access control (authentication and authorization) decisions for Loyola Protected information, as defined within the Data Classification Policy.
Checking logs daily minimizes the duration and exposure of a potential breach. The purpose of this standard is to identify the specific requirements that information systems must meet in order to generate appropriate audit logs and integrate with the University's log management strategy.
The University Information Security Office (UISO) will perform a daily review of security event logs as well as logs from critical system components, and logs from systems that perform security functions, such as firewalls, IDS/IPS, file-integrity monitoring (FIM) systems, etc. as is necessary to identify potential issues. Additionally, the UISO will monitor and analyze alerts and distribute to appropriate personnel.
The following events are reviewed at least daily:
- All security events
- Logs of all system components that store, process, or transmit Card Holder Data (CHD) and/or Sensitive Authentication Data (SAD)
- Logs of all critical system components
- Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.)
All covered systems shall record and retain audit-logging information sufficient to answer the following questions:
- What activity was performed?
- Who or what performed the activity, including from where or from which system the activity was performed?
- On what was the activity performed on the covered system?
- When was the activity performed?
- With which program(s) was the activity performed?
- What was the status (such as success vs. failure), outcome, or result of the activity?
Activities to be logged
Logs shall be created whenever any of the following activities are requested to be performed by a covered system:
- Create, read, update, or delete Loyola Protected or Loyola Sensitive information, and authentication information such as passwords
- Initiate a network connection
- Accept a network connection
- User authentication and authorization for the activities covered in the first item above, such as user login and logout
- Grant, modify, or revoke access rights, including adding a new user or group, changing user privilege levels, changing file permissions, changing database object permissions, changing firewall rules, and user password changes
- System, network, or service configuration changes, including installation of software patches and updates, or other installed software changes
- Application process startup, shutdown, or restart
- Application process abort, failure, or abnormal end, especially due to resource exhaustion or reaching a resource limit or threshold (such as for CPU, memory, network connections, network bandwidth, disk space, or other resources), the failure of network services such as DHCP or DNS, or hardware fault
- Detection of suspicious/malicious activity such as from an Intrusion Prevention System (IPS), anti-virus system, or other security systems.
Elements of the log
Such logs shall identify or contain at least the following elements, directly or indirectly. In this context, the term "indirectly" means unambiguously inferred.
- Type of action – examples include authorize, create, read, update, delete, and accept network connection.
- Subsystems performing the action – examples include process or transaction name, process or transaction identifier.
- Identifiers (as many as available) for the subject requesting the action – examples include user name, computer name, IP address, and MAC address. Note that such identifiers should be standardized in order to facilitate log correlation.
- Identifiers (as many as available) for the object the action was performed on – examples include file names accessed, unique identifiers of records accessed in a database, query parameters used to determine records accessed in a database, computer name, IP address, and MAC address. Note that such identifiers should be standardized in order to facilitate log correlation.
- Before and after values when action involves updating a data element, if feasible.
- Date and time the action was performed, including relevant time-zone information if not in Universal Time. This date and time shall be synchronized using the University’s NTP servers.
- Whether the action was allowed or denied by access-control mechanisms.
- Description and/or reason-codes of why the action was denied by the access-control mechanism, if applicable.
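As an added example (not part of this standard), a small Python check that an audit event carries the elements listed above: required fields, at least one standardized identifier for subject and object, a time stamp with zone information, a reason for denied actions, and before/after values for updates. The field names and the two sample events are assumptions constructed here, not a format the University prescribes.

```python
# Added example, not from the standard: a checker for the "Elements of the log"
# requirements. Field names (action, subsystem, subject, ...) are assumptions.
from datetime import datetime

IDENTIFIER_KEYS = ("user", "host", "ip", "mac", "file", "record_id")
REQUIRED_KEYS = ("action", "subsystem", "subject", "object", "timestamp", "allowed")


def validate_event(event: dict) -> list:
    """Return the list of required elements the event lacks (empty = compliant)."""
    problems = []
    for key in REQUIRED_KEYS:
        if event.get(key) in (None, "", {}):
            problems.append(f"missing {key}")
    # Subject and object each need at least one standardized identifier for correlation
    for role in ("subject", "object"):
        ids = event.get(role)
        if isinstance(ids, dict) and ids and not any(ids.get(k) for k in IDENTIFIER_KEYS):
            problems.append(f"{role} has no standard identifier")
    # Date/time must carry zone information unless it is UTC (trailing 'Z' or an offset)
    ts = event.get("timestamp")
    if isinstance(ts, str):
        try:
            if datetime.fromisoformat(ts.replace("Z", "+00:00")).tzinfo is None:
                problems.append("timestamp has no time-zone information")
        except ValueError:
            problems.append("timestamp is not ISO 8601")
    # A denied action must state why the access-control mechanism denied it
    if event.get("allowed") is False and not event.get("reason"):
        problems.append("denied action without reason code")
    # An update records the before and after values of the changed data element
    if event.get("action") == "update" and not all(k in event for k in ("before", "after")):
        problems.append("update without before/after values")
    return problems


# Constructed sample events (not real log data)
COMPLIANT = {
    "action": "update", "subsystem": "hr-api:pid 4121",
    "subject": {"user": "jdoe", "ip": "10.0.0.5"},
    "object": {"record_id": "employee/8812"},
    "before": {"role": "staff"}, "after": {"role": "admin"},
    "timestamp": "2020-05-27T14:03:11Z", "allowed": True,
}
DEFECTIVE = {
    "action": "read", "subsystem": "fileshare",
    "subject": {"user": "jdoe"}, "object": {},
    "timestamp": "2020-05-27 14:03:11", "allowed": False,
}
```

Running `validate_event(DEFECTIVE)` reports the missing object, the naive time stamp, and the denied action with no reason, which is the kind of gap a daily log review should surface before an incident does.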
Formatting and storage
The system shall support the formatting and storage of audit logs in such a way as to ensure the integrity of the logs and to support enterprise-level analysis and reporting. All audit logs must be kept for one year, with three months available online.
Note that the construction of an actual enterprise-level log management mechanism is outside the scope of this document. Mechanisms known to support these goals include but are not limited to the following:
- Microsoft Windows Event Logs collected by a centralized log management system;
- Logs in a well-documented format sent via syslog, syslog-ng, or syslog-reliable network protocols to a centralized log management system; and
- Logs stored in an ANSI-SQL database that itself generates audit logs in compliance with the requirements of this document.
Access to Log Files
All access to log files and audit trails shall be limited to a user's job-related need to know, as per the ITS Access Control Policy. Audit trails shall be protected from unauthorized modifications. All log information is transmitted in near real time to a SIEM for aggregation and analysis.
Exceptions to this policy will be handled in accordance with the ITS Security Policy.
This policy will be maintained in accordance with the ITS Security Policy.
- September 8, 2008: Initial Standard
- June 24, 2015: Annual review for PCI Compliance
- July 7, 2015: Added information to comply with PCI-DSS 10.6.1
- April 14, 2016: Annual review for PCI Compliance
- June 7, 2017: Defined CHD and SAD, annual review for PCI Compliance
- May 14, 2018: Annual review for PCI Compliance
- June 27, 2019: Annual review for PCI Compliance
- May 27, 2020: Annual review for PCI Compliance
Title II of the Digital Millennium Copyright Act ("DMCA") of 1998 limits the liability of online service providers, such as Loyola University Chicago, for certain copyright infringement liability if various procedures are followed. This policy is intended to take advantage of the liability protections in the DMCA.
Loyola University Chicago respects the rights of holders of copyrights, their agents and representatives and will implement appropriate policies and procedures to support these rights without infringing on the legal use, by individuals, of those materials. Legal use can include, but is not limited to, ownership, license or permission, and fair use under the US Copyright Act. Employees and students need to be aware of the rights of copyright owners. Information on copyright law and these rights can be found in a number of places, but general information particularly can be found by going to the following sites:
- Copyright at Loyola University Chicago, Loyola University Chicago, August, 1999
- United States Copyright Office: http://www.lcweb.loc.gov/copyright
- What you need to know about DMCA on University Campuses: Educause DMCA FAQ
Persons who are found to intentionally or repeatedly violate the copyright rights of others may be denied access to all University computing and networking facilities and resources. All instances of reported copyright violations will be reported to the appropriate University authority in accordance with the following policies for possible additional disciplinary actions.
The Designated Agent for complaints under the DMCA is:
Information Security Officer
Information Technology Services
Loyola University Chicago
6439 North Sheridan Road
Chicago, IL 60626
Listing of the Designated Agent is posted on the United States Copyright Office web site in the Directory of Agents. Notices sent to an email address other than the Designated Agent will be considered invalid.
Complaint Notice Procedures for Copyright Owners
A notice of alleged copyright infringement to the Designated Agent concerning information residing on the University's systems or networks at the direction of the user must have the following:
- A description of the works claimed to be infringed.
- A description of the allegedly infringing works or location site sufficient to enable the Designated Agent to find them.
- Sufficient information to enable the Designated Agent to contact the complaining party.
- A statement that the complaining party believes in good faith that the use of the material is not authorized by the copyright owner, the owner's agent, or the Copyright Act.
- A signed statement that the information provided by the complaining party in the notice is accurate and, under penalty of perjury, that the complaining party is authorized to act on behalf of the copyright owner of one or more of the exclusive copyright rights.
- A physical or digital signature of the owner of an exclusive copyright right or the owner's authorized agent, which accompanies the statement.
Alleged Infringing Site Take Down Procedures
When properly notified of the potential copyright infringement, the Designated Agent will make a reasonable effort to contact the site or page owner of the materials in question. There will be an attempt to secure the voluntary take down of the work, but, if not, then the University will immediately disable access to the work unless it is immediately determined that the work is lawful under the copyright law. The owner of the site or page of the alleged infringing material may exercise their counter notice procedure rights set forth below.
The Designated Agent may, but need not, undertake to determine if the work complies with copyright law.
Counter Notice Procedures
After a voluntary take down, or if the site is involuntarily disabled, the University may, but need not, proceed to counter notification on its own behalf or on behalf of its employees and students; alternatively, the owner of the site may provide counter notification to the Designated Agent. Counter notices can claim only that either the copyright owner is mistaken and that the work is lawfully posted or that the work has been misidentified. A site owner may assert that use of another's work is fair use, which falls under the provision that the copyright owner is mistaken in characterizing the work as infringing. Various University officials may be consulted in arriving at a fair use determination.
Counter notices to the Designated Agent must contain the following:
- A physical or digital signature of the site or page owner.
- A description of the materials removed and its location before it was removed.
- A statement that the owner believes in good faith that the material was removed by mistake because the work is not infringing or that it was misidentified.
- Sufficient information to enable the Designated Agent to contact the owner who is filing the counter-notice, e.g., name, address, phone number, e-mail address, and his or her consent to jurisdiction of the federal district court with proper jurisdiction for any court actions arising from the infringement.
- A statement that the owner will accept service of process from the complaining party.
Access to the materials in question will be restored within 10 to 14 business days after the date the Designated Agent receives the counter notice unless the Designated Agent first receives a notice from the complaining party that he or she has filed an action seeking a court order to restrain the page owner. The Designated Agent will promptly send a copy of any substantially conforming counter notice to the complaining party indicating that the site will be restored within 10 to 14 business days unless the Designated Agent receives a notice of court action.
History and Updates
- September 12, 2011: Initial Policy
- October 22, 2012: Corrected Contact Information
- June 22, 2015: Annual Review for PCI Compliance
- April 26, 2016: Annual Review for PCI Compliance
- July 6, 2016: Added verbiage designating correct email for complaints
- April 19, 2017: Annual Review for PCI Compliance
- Sep 6, 2018: Annual Review for PCI Compliance
- Sep 24, 2019: Annual Review for PCI Compliance
- Author: UISO
- Version: 1.2