Logging Security Standard
April 8, 2016
This standard establishes the minimum requirements for collection, storage and review of log information.
Logging is needed to identify and respond to unauthorized activities on agency systems.
This standard applies to all participating agencies as defined by Iowa Code Chapter 8B.1(7). Non-participating agencies are encouraged to follow this and other enterprise standards.
Selected terms used in the Enterprise Logging Security Standard are defined below:
- Event: Something that occurs within a system or network.
Enterprise Logging Standard
- Logging: All servers, network devices, and applications shall be capable of and configured to:
- Produce audit logs, and
- Offload audit log data to a log aggregation server
- Events: The following events (successful and failed) shall be captured in audit logs:
- Authentication attempts,
- Attempts to use a privileged account,
- Attempts to change account passwords,
- Attempts to modify or destroy a log file, and Attempts to grant, modify, or revoke access rights.
The following shall be logged for each event:
- User/subject identity,
- Date and time of the event,
- Source of access,
- Duration of access,
- Actions executed, and
- Action result.
- Applications: Application, including web services and database services, residing on servers that utilize cashed or separate authentication capabilities must also maintain logs of all security, application and event related information. Web applications shall also meet the requirements of Enterprise Web Application Security Standard.
- Storage: The System Administrator will ensure audit storage capacity is allocated in accordance with system configuration such that capacity is not exceeded.
- Log Access: Audit records, audit settings, and audit reports shall be protected from unauthorized access, modification, and deletion.
- Alerts: Where feasible systems shall be configured to provide real-time alerts for the following:
- Audit failure.
- Escalation of privileges
- Five (5) or more consecutive failed authentication attempts.
- Time Stamps: Systems shall be configured to generate time stamps to include both date and time. The time may be expressed in Coordinated Universal Time (UTC) and utilize Network Time Protocol (NTP) time synchronization.
- Retention: Audit logs shall be retained for a minimum of 45 days. Maximum log retention shall be set to meet agency contractual requirements.
- Review: Audit logs shall be reviewed at least weekly. Alerts shall be reviewed daily.
- Providers: Third party providers shall meet the requirements of this standard.
This document shall be reviewed at least every two years and updated as needed.
This standard was approved electronically by the CIO on April 8, 2016 and shall be effective May 1, 2016.
This standard shall be enforced pursuant to Iowa Administrative Code11-25.11(8A) and Iowa Code 8B.21(1)(f)(2).
Iowa Administrative Code 11-25.11(2) and Iowa Code 8B.21(5) provide for variances\waivers from security standards. Requests for a variance\waiver from any of the requirements of this standard shall be submitted in writing to the Chief Information Security Officer.