4-OP-H-25.10 IT Log Collection, Analysis and Retention Standard

I. Purpose

This Standard supports and supplements FSU Technology Policies and provides additional security and privacy best practices. System and application log data is a critical component in detecting, analyzing, preventing, and responding to potential information security incidents, including unauthorized data disclosures and activities related to FSU systems. Log data must be generated, stored, and analyzed to ensure the security and privacy of information.

This Standard will ensure that an appropriate log collection and analysis infrastructure is in place to provide timely detection and response to information security incidents and satisfy ethical, policy, contractual, and legislative requirements. This includes requirements set forth by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Family Educational Rights and Privacy Act (FERPA), Gramm-Leach-Bliley Act (GLBA), Federal Information Security Modernization Act (FISMA), and Payment Card Industry Data Security Standard (PCI DSS), etc.

Compliance with this Standard is mandatory and is enforced in the same manner as the policies it supports. Standards will be periodically reviewed and updated as necessary to meet emerging threats, changes in legal and regulatory requirements, and technological advances. All users are required to comply with FSU policies or obtain an exception in accordance with the 4-OP-H-25.20 Request for Exception to IT Security Policy.

II. Definitions

Consolidated University Unit – a consolidated group of related university units that has management authority and responsibility for compliance with IT policies, standards, and guidelines.

Information Security Incident - a suspected, attempted, successful, or imminent threat of unauthorized access, use, disclosure, breach, modification, or destruction of information; interference with information technology operations; or significant violation of responsible use policy.

Full IT Glossary

III. Standard

FSU has adopted the NIST Framework for Improving Critical Infrastructure Cybersecurity in conjunction with NIST 800-53 Controls as the foundation for a risk-based approach to cybersecurity management. The Cybersecurity Framework (CSF) Core uses common cybersecurity functions, activities, and desired outcomes to align university policy to the management of IT risk. The CSF Core leverages industry standards, guidelines, and practices to establish baseline expectations for cybersecurity for all university units.

University Units are responsible for using this framework and controls to assess their unique risks, threats, vulnerabilities, and risk tolerances to determine an appropriate risk management plan that complies with FSU Technology Policies, Standards and Guidelines.

Controls supporting this Standard include, but are not limited to:

NIST Cybersecurity Framework and Controls

Function	Category	Desired Outcome (Subcategory)
Protect (PR)	Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.	PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
Detect (DE)	Anomalies and Events (DE.AE): Anomalous activity is detected and the potential impact of events is understood.	DE.AE-2: Detected events are analyzed to understand attack targets and methods
Detect (DE)		DE.AE-3: Event data are collected and correlated from multiple sources and sensors
Respond (RS)	Analysis (RS.AN): Analysis is conducted to ensure effective response and support recovery activities.	RS.AN-3: Forensics are performed

Full CSF Crosswalk to Controls: NIST Crosswalk
*The above NIST chart describing Cybersecurity Framework and Controls and the link to other NIST Crosswalk principles and information in no way belongs to or is owned by Florida State University.

Roles and Responsibilities

Chief Information Security Officer (CISO) and Information Security and Privacy Office (ISPO)
The CISO directs the Information Security and Privacy Office (ISPO) for the University. The CISO reports to the CIO and the Provost and serves as both the CISO and the Chief Privacy Officer for FSU. The CISO and ISPO are responsible for enforcing the application of appropriate operational security controls necessary to mitigate risks associated with unauthorized disclosure, loss, or theft of university information.
Consolidated University Unit (CUU) Dean, Director, or Department Head (DDDH)
The Dean, Director, Department Head, or other managerial position responsible for protecting the confidentiality, availability, and integrity of university IT Assets within a CUU. The CUU DDDH has responsibility for ensuring IT security and privacy for the units within the CUU.
Consolidated University Unit (CUU) Information Security Manager (ISM)
The liaison designated by the CUU Dean, Director, or Department Head (DDDH) responsible for coordinating the CUU’s information security program. The CUU ISM is the central point of contact between the University Units and ISPO for security issues. CUU ISM responsibilities will be included in position descriptions.
University Unit Information Security Manager (ISM)
The liaison designated by a University Unit Dean, Director, or Department Head (DDDH) responsible for ensuring a university unit’s compliance with security IT policies, standards, and guidelines, in coordination with their designated CUU’s information security program.
Data Custodian
The Dean, Director, Department Head, or other manager who is ultimately responsible for the integrity, accurate reporting, and use of university data resources, based on the 4-OP-H-25.01 Data Security Standard.

For more information, see IT Roles and Responsibilities.

Security Logs

Security logs are records of events occurring within the University’s computer information systems and networks. A security log captures information associated with information security related events and can identify anomalies for further analysis and potential remediation. Audit records may be used to trace activity to users and establish accountability.

Logging is required to be enabled at the operating system, application, and database level when High Risk or Moderate Risk is processed, maintained, transmitted, or stored. Systems that aggregate and process security logs must be protected in a manner consistent with High Risk and Moderate Risk data. It is recommended that logging is enabled for systems, applications, and databases that maintain Low Risk data.

CUU and University Unit ISMs are responsible for ensuring data log collection, review, and coordination with ITS as needed to comply with the requirements of this Standard. This includes processes to protect authorized access, confidentiality, integrity, and availability of security logs under the CUU/University Unit’s control, including compliance requirements related to High Risk and Moderate Risk data. System activity logs must be reviewed regularly and provided to ITS upon request for incident detection, incident response and to satisfy policy and regulatory requirements.

The Data Custodian is responsible for determination of security log requirements and compliance based on data classification as defined by the 4-OP-H-25.01 Data Security Standard, and ensuring awareness and compliance with regulatory log collection and analysis requirements related to High Risk and Moderate Risk data for which he/she is responsible.

Log Configuration and Management

Activities to be Logged - Logs must include these auditable events, at a minimum:

successful and unsuccessful logins and authentication
authorization failures
password changes
modification of security settings
group membership changes
system or network configuration changes
access control changes
user access to High Risk or Moderate Risk data
user modification of High Risk or Moderate Risk data (e.g., configuration of sensitive or critical systems, financial transactions)
privileged actions, such as those actions requiring administrator, sudo or root access and shall be tied to a user session
detection of suspicious or malicious activity from IT security systems, such as from an intrusion detection system or antivirus system

Log Elements - All relevant log events must contain the following:

true source and destination IP address regardless of network address translation when technically viable
user identification: Username for authenticated user that is responsible for the action being logged (when logging user activity)
accurate timestamp for the event
type of event
description of attempted or completed activity
precise identification of resource being acted upon (e.g., filename with full path)

Centralized Log Collection and Review

Log data from CUUs/University Units encompassing High Risk or Moderate Risk data must be forwarded in real-time to a university Security Information and Event Management system (SIEM) operated by ITS when technically viable.
Logs maintained by CUUs/University Units must be saved to a secure log server or an offsite location.
Monitoring and real-time alerting should be implemented to detect conditions that may negatively impact the integrity or availability of log data.

Log Data Integrity

Log information must be protected from unauthorized changes and operational problems. Rights to insert, modify, and delete user identifiable audit log records must be strictly controlled.
Changes or alterations of security logs must be logged. Audit log records must contain the identity of the source of an insert, modification, or deletion of a user identifiable audit log record.
Individuals must not be assigned to be the sole reviewers of their own activity and must not have permission to erase, deactivate, or modify logs of their own activities.

Log Data Access Controls and Confidentiality

Appropriate access controls must be implemented to ensure that only authorized individuals have access to sensitive log data. Individuals must be granted access to security logs on a least privilege basis, and only to staff members with a job-related need for such access;
User access to sensitive log data should be reviewed and audited on an annual basis, at a minimum; and
Rights to view or run reports from user identifiable audit log data must be strictly controlled; the identity of the user accessing, viewing, and running reports from user identifiable audit log data must be logged.

Log Data and Forensic Investigations

The information captured by logs can be used to support incident response and as part of a forensic investigation in the event of a suspected data breach or other forms of electronic crime.

Privacy and Security Logs

Security logs may contain personally identifiable information (PII) about individual users of FSU information resources. FSU is committed to ensuring the privacy of its community members’ personally identifiable information. Security logs are considered FSU records and must meet the requirements for retention, storage, disposal and archival as required by FSU policy and by State, Federal and contractual schedule (e.g., Payment Card Industry). (See 4-OP-H-25.15 Data Disposal and Media Sanitization Standard).

Use of FSU information technology resources constitutes consent to monitoring activities. Security logs will be used for their intended purpose as described in this Standard and will not be used to monitor personal information about individual users. In some cases, the University may be compelled by law, such as a court order, subpoena, or other legal reasons to retain or release information contained in security logs. All such releases are coordinated by ISPO. In the event of a declared health or safety emergency, the CISO or a delegated authority, in consultation the Office of the General Counsel may authorize accessing PII contained in security logs, including location data, wireless connections, and FSU card utilization.

Incident Reporting

Incidents occur when an FSU student, staff, contractor, or faculty member violates this Standard, specific legal requirements, or contractual obligations. It is the responsibility of each FSU student, staff, contractor, or faculty member to immediately report suspected or confirmed Information Security and Privacy Incidents to the Chief Information Security Officer (CISO) at security@fsu.edu. The CUU ISM or University Unit ISM must inform the CISO of any suspected or confirmed incidents within 24 hours. Refer to the 4-OP-H-25.11 IT Incident Response Standard for more information.