Audit Logging Policy - Threat Detection
Threat detection is the process of identifying potential security threats to an organization's computer systems. Log analysis can be a valuable tool in threat detection, as it can help identify suspicious activity that may be indicative of a security threat. By analyzing log data, security analysts can look for patterns of activity that may be associated with specific security threats. For example, if a log file shows that a particular user repeatedly accessed sensitive data during odd hours of the night, this could be indicative of a malicious insider threat. Log analysis can also help identify potential attacks that are in progress, as well as provide information that can be used to track down the source of an attack.
Responsibility – The Security Officer or designee shall ensure that a secure audit record is created for all activities (create, read, write, update, and delete) on Business systems containing or processing covered information. Systems shall be configured to record identifying information of the user, actions performed, and time and date actions were performed.
Audit Log Review and Retention – Business will review audit logs generated on a periodic basis, generate a report, investigate anomalies if necessary, and take any appropriate action based on the findings of the audit. Audit log review reports shall be retained for a minimum of six years. Audit logs for the period reviewed shall be retained for 90 days following the completion of the periodic review of audit logs.
Access to Audit Tools/Trails – Access to system audit tools and audit trails shall be protected and controlled to prevent unauthorized access and tampering.
System Clocks – System clocks on all systems shall be synchronized to an agreed, authoritative real-time standard and synchronized daily and at system boot.
Legal Requirements – Any applicable legal requirements related to monitoring authorized and unauthorized access attempts shall be followed.
Audit Logging Configuration
The Security Officer or designee shall ensure that all systems storing or processing covered information are configured to log system-specific events including, but not limited to, authentication attempts (including privileged/elevated), create, read, update, and delete actions. Any legal requirements related to monitoring authorized and unauthorized access attempts shall be followed when configuring systems for audit logging. Access to audit log files shall be restricted to appropriate system administrators and shall be set to “Read Only” to prevent tampering.
All system audit logs shall be configured to capture, at a minimum, the following information:
Unique user ID
Unique data subject ID
Function(s) performed
Date/time the event was performed
The activities of privileged users shall be logged and capture the following information:
The success/failure of the action/event
Date/time the action or event occurred
The account involved
The processes involved
Any other pertinent information relevant to the system/action
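The detection idea from the threat-detection passage above (a user repeatedly accessing sensitive data during odd hours) run over records that carry the minimum fields this section requires, as an added example written for this page and not part of the policy itself; the line format, field names, overnight window, count threshold and the service-account exemption are all assumptions, and the log lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample records (assumed format): each line carries the
# policy's minimum fields - user ID, data subject ID, function performed,
# date/time - plus the success/failure required for privileged activity.
SAMPLE_LOG = """\
2024-03-02T02:14:07 user=jdoe subject=PAT-1042 func=read outcome=success
2024-03-02T02:16:33 user=jdoe subject=PAT-1057 func=read outcome=success
2024-03-02T02:19:50 user=jdoe subject=PAT-1061 func=read outcome=success
2024-03-02T09:05:12 user=asmith subject=PAT-1042 func=update outcome=success
2024-03-02T23:40:01 user=svc_backup subject=- func=read outcome=success
2024-03-03T01:02:09 user=jdoe subject=PAT-1080 func=read outcome=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) subject=(?P<subject>\S+) "
    r"func=(?P<func>\S+) outcome=(?P<outcome>\S+)$"
)


def parse_log(text):
    """Parse records; reject any line that lacks a required audit field,
    since a record missing fields cannot be reviewed against this policy."""
    records = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {n} lacks a required audit field: {line!r}")
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def off_hours_access(records, start=22, end=6, threshold=3, exempt=()):
    """Return {user: count} for users with at least `threshold` actions on a
    data subject inside the overnight window [start, end), skipping exempt
    service accounts and records with no data subject ("-")."""
    counts = Counter()
    for r in records:
        hour = r["ts"].hour
        in_window = hour >= start or hour < end  # window wraps past midnight
        if in_window and r["user"] not in exempt and r["subject"] != "-":
            counts[r["user"]] += 1
    return {u: c for u, c in counts.items() if c >= threshold}


if __name__ == "__main__":
    hits = off_hours_access(parse_log(SAMPLE_LOG), exempt=("svc_backup",))
    print("off-hours anomalies for periodic audit report:", hits)
```

The failed read at 01:02 still counts toward the user's total, since a denied attempt against sensitive data is as relevant to the review as a successful one.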
Periodic Audit Preparation
A Business designee shall inventory all applications and data repositories to determine what audit logs can be generated when confidential information is accessed.
Business designee will activate all appropriate audit logs to track confidential information access.
Business designee will also develop an audit log review schedule for each audit log generated. The schedule will reflect the criticality of the data (e.g. audit log reviews will be more frequent for more sensitive data).
Any audit log file generated shall be reviewed at least once per quarter.
The Security Officer will review the audit logs generated and the evaluation criteria for periodic audits at least annually, or whenever any major system or business change occurs.
Periodic Audit Process
At the scheduled time the Business Security Officer shall request/generate a printout of the logs to be reviewed.
Logs will be regularly reviewed on a predetermined schedule depending on the criticality of the application. A predetermined set of logs is reviewed on a regular schedule, and all others are reviewed on a random basis.
Any anomalies will be documented in a periodic audit report that includes the audit logs reviewed, the date of the audit, and a description of the anomaly.
Following a review of the set of audit logs, the Security Officer will investigate any anomalies found and document findings.
If an anomaly was caused by the application or data repository, the Security Officer shall report such a finding to the appropriate information technology (IT) workforce member.
The IT workforce member is responsible for mitigating any damage and/or applying the appropriate patches to prevent such anomalies in the future, and for reporting back to the Security Officer, who will document the mitigating action taken in the periodic audit report.
If the anomaly was caused by inappropriate action on the part of Business workforce members, affiliated third party or business associate, the anomaly and the individual or entity responsible for inappropriate access or action shall be reported to the Security Officer, immediate supervisor or Human Resources if applicable.
The Security Officer is responsible for applying sanctions matching the severity of the incident. When a Business workforce member is involved, Human Resources and the immediate supervisor are consulted. This may include disciplinary action, additional staff training and, if actions are criminal in nature, reporting the incident to the appropriate law enforcement authorities.
The Security Officer is responsible for documenting mitigation action taken in the periodic audit report.
Report and Audit Log Retention
Periodic audit log review reports shall be retained for a minimum of six years.
The audit logs for the period covered by the review shall be retained for 90 days or the conclusion of any anomaly investigation, whichever is later.
Periodic audit reports shall be reviewed at the time of the annual evaluation (compliance audit) to determine whether any patterns exist across audit periods. If any such pattern exists, it will be noted in the annual compliance audit report.