Network Change Management
Policy/Procedure
Appendix D
Activities Logging Only for ITD Use
Monitoring System Use
1. Privileged User ID Authentication & Activity Logging
- Policy: All network change activity performed by system administrators and others with privileges must be authenticated, securely logged and reflected in periodic management reports.
- Commentary: This policy specifies which activities associated with privileged user IDs need to be logged and reflected in periodic management reports. The words "securely logged" imply that system administrators and other privileged users cannot readily modify or delete log entries.
- Audience: Technical staff
- Security Environments: All
2. Production Change Reconstructability
- Policy: All administrator activities affecting production information must be reconstructible from logs.
- Commentary: This policy ensures that all errors, fraudulent changes, and other improper modifications to production information can be expediently detected and corrected. For example, in the event that a system crash damages a production database or a switch, such logs will be instrumental in reconstructing the database or switch from a prior copy.
- Audience: All
- Security Environments: All
3. Privileged User ID Keystroke Logs
- Policy: All activity with privileged user IDs on AUS ITD Data Center production systems must be recorded with keystroke logs.
- Commentary: This policy requires that intensive logging be turned on for privileged user IDs on production systems. Every key pressed by these privileged users will go into a log so that all actions can be precisely reconstructed. This policy is a deterrent against abuse of the capabilities that go along with privileged user IDs. The policy also mandates extensive logging that could be most useful when trying to determine what went wrong. Keystroke logging is applicable only to privileged user IDs due to disk space limitations, but it could be extended to all user IDs on production machines. This policy assumes that the keystroke log cannot be readily disabled by privileged user IDs. This will be achieved by having the logging software run on a different computer system than the one it monitors.
- Audience: Technical staff
- Security Environments: Medium and high
4. Privileged System Command Accountability And Traceability
- Policy: All privileged commands issued by systems engineers must be traceable to specific individuals through the use of comprehensive logs.
- Commentary: This policy is particularly relevant to servers and appliances where more than one system engineer could initiate certain commands. The intention of the policy is to maintain accountability and traceability for all privileged system commands that were issued. The policy is not intended for small systems such as personal computers. This policy instructs system management to keep records of all commands and an indication of who issued them. Most importantly, the logs of privileged system commands can be an important tool in both the resolution and understanding of system problems. This policy includes other types of people who typically have special privileges, such as information security administrators, systems programmers, and local area network administrators.
- Audience: Management and technical staff
- Security Environments: All
5. System Log Modification Controls
- Policy: All AUS ITD Data Center production information systems must employ checksums to protect system logs.
- Commentary: This policy ensures that unauthorized modification or deletion of system logs will be immediately evident. One of the first things that hackers and other intruders do when they gain system access is to disable the system log. While the controls dictated by this policy will not detect that a log has been turned off, they will highlight the fact that a log has been tampered with, and this will be used as input to an intrusion detection system. These checksum methods involve a serial dependency of data such that modifying only one bit will cause an immediate alarm.
- Audience: Technical staff
- Security Environments: Medium and high
6. Log Deactivation, Modification, Or Deletion
- Policy: Mechanisms to detect and record significant computer security events must be resistant to attempts to deactivate, modify, or delete the logging software and logs.
- Commentary: The effectiveness of logs is dependent on the mechanisms used to protect the integrity of the logs and the mechanisms used to generate the logs. This policy informs technical staff that proper access controls must be in place to protect both logs and the mechanisms used to generate logs. Logs are also kept on separate machines that use a different operating system.
- Audience: Technical staff
- Security Environments: All
7. System Log Protection
- Policy: All AUS ITD Data Center production computer system logs must be protected, and must also be automatically monitored for sudden decreases in size.
- Commentary: This policy requires that production systems be augmented with control measures that will detect tampering with system logs. One of the first things that intruders do when they gain unauthorized access to a system is to turn off, delete, or modify the system log. This policy ensures that production machine logging systems detect these activities, then promptly notify those who are in a position to remove the intruder from the involved system. Many operating systems do not include code to perform the functions defined in this policy, so additional software will most often be required. The controls defined in this policy assume that an intrusion detection system is in place.
- Audience: Technical staff
- Security Environments: High
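The serial-dependency checksum of policy 5 and the size-decrease monitor of policy 7, shown together as an added illustration that is not part of this policy document: each log entry's digest is a keyed HMAC-SHA256 over the previous digest and the current line (the keyed construction is an assumption; the document only says "checksums"), with the key held only on the separate logging host, so a privileged user on the monitored system can alter a line but cannot recompute the chain. The sample log entries and the key are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample entries for a privileged-user change log (not from the
# policy document): timestamp, user ID, command issued.
SAMPLE_LINES = [
    "2024-01-01T10:00:00 admin01 configure terminal",
    "2024-01-01T10:00:05 admin01 interface GigabitEthernet1/0/1",
    "2024-01-01T10:00:09 admin01 shutdown",
    "2024-01-01T10:00:12 admin01 write memory",
]

def chain_log(lines, key, genesis=b"genesis"):
    """Return [(line, hex_digest), ...] where each digest is an HMAC-SHA256
    over the previous digest and the current line. This serial dependency
    means that altering one bit of any entry breaks every later digest."""
    prev, chained = genesis, []
    for line in lines:
        digest = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        chained.append((line, digest.hex()))
        prev = digest
    return chained

def verify_chain(chained, key, genesis=b"genesis"):
    """Recompute the chain with the verifier's copy of the key; return the
    index of the first entry whose stored digest does not match (modified
    entry, or a neighbour inserted or deleted), or None if the log is intact."""
    prev = genesis
    for i, (line, stored) in enumerate(chained):
        expected = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), stored):
            return i
        prev = expected
    return None

def audit_log(chained, key, last_known_len, genesis=b"genesis"):
    """Combine both controls. A chain cannot reveal entries cut from its tail,
    so the entry count recorded at the previous review (policy 7's size check)
    is compared first. Returns ("truncated", n), ("tampered", i) or ("ok", None)."""
    if len(chained) < last_known_len:
        return ("truncated", len(chained))
    bad = verify_chain(chained, key, genesis)
    if bad is not None:
        return ("tampered", bad)
    return ("ok", None)
```

Note that a chain alone passes when entries are removed only from the end, which is exactly the case the size-decrease monitor exists to catch; the two checks are complementary rather than redundant.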
8. Access To Logs
- Policy: All system and application logs must be secure and access provided only to those with a need to know.
- Commentary: This policy limits access to logs, both application and system, to only those persons who have a genuine need to have such access. All staff with access will be recorded and authorized by the Director of Information Technology.
- Audience: Technical staff
- Security Environments: All
9. System Log Review
- Policy: Network operations or information security staff must review records reflecting security relevant events on multi-user machines in a periodic and timely manner.
- Commentary: This policy requires that network operations or information security staff promptly review logs. This review process can be greatly facilitated if the logs produce exception reports indicating items of a suspicious nature in need of follow-up. The policy could be expanded to include application logs, in which case user management or information owners or sponsors may be involved in the review process.
- Audience: Technical staff
- Security Environments: All