Policy 101 Information Security Status Monitoring, Reporting, and Review

Purpose

The purpose of the Information Security Status Monitoring, Reporting, and Review policy is to ensure the ongoing Confidentiality, Integrity, and Accessibility (CIA) of information resources at Washington University in St. Louis (WashU) through the effective implementation of security controls. Monitoring confirms that controls are implemented and operating correctly, detects indications of compromise, helps to identify and address vulnerabilities, and aids in performance measuring, capacity planning, compliance, and auditing. 

This policy identifies logging requirements for academic, clinical, administrative, research, and technical activities at WashU. Expectations surrounding the use of WashU information resources are included in Policy 112: Information Security Acceptable Use. Monitoring and review other than as described above and related to matters such as academic freedom, consulting privileges, teaching, and research are described in various policies included in the WashU Faculty Information Handbook.

Applicability and Audience 

This policy applies to all information resources that are owned, leased, vended, contracted, or operated by the university. This includes hardware, software, systems, and data. 

All members of the WashU Community should be aware of this policy, including faculty, staff, students, and any agent engaged for contracted services to the university with access to WashU information, systems, and networks. This includes, but is not limited to, partners, affiliates, contractors, temporary employees, trainees, guests, and volunteers.

Information Security Roles and Responsibilities (100.01)

Policy 

101.00 Introduction  

Systematic log collection is essential to understanding our normal operating conditions, detecting security vulnerabilities, events, and incidents, and conducting investigations. Logs are used to establish baselines for our systems, identify trends and suspicious activities (e.g., unauthorized personnel, connections, mobile code, devices, software, and malicious code), and supply information for compliance and security auditing.

All system security monitoring must be approved by the Office of Information Security (OIS). The OIS will collaborate with system administrators to develop and implement a systematic logging process that includes log monitoring, management, and review, facilitating a dynamic understanding of the status and security of the WashU network and systems as well as the activity of external service providers. The OIS will use the logging and review process to improve detection and will share lessons learned with the broader IT and security community as appropriate.

101.01 Audit and Accountability

The OIS will define, document, enable, and retain records of audits and logs. These records will be monitored continuously and reviewed regularly, allowing the OIS to maintain regulatory compliance, follow industry-standard security frameworks, and adhere to our institutional standards, policies, and guidelines.  

The OIS will provide guidance and standards for the following activities: 

  • Establishing and maintaining auditing and monitoring processes. 
  • Assigning accountability for maintaining logs. 
  • Generating and maintaining log records. 
  • Determining a log-management mechanism to support formatting and storage of audit logs. 
  • Coordinating with IT to ensure the integrity of logs and support enterprise-level analysis and reporting. 

101.02 Monitoring for Events 

The OIS will develop a standard for logging and monitoring university network segments, systems, accounts, and applications based on information and system classification. The OIS, system administrators, and system owners will develop, document, and implement monitoring and review procedures according to the standard.

Separation of duties will be maintained during the review process such that only authorized individuals have access to security logs.  

The OIS will coordinate with IT departments to deploy tools to monitor the physical environment, network segments, systems, endpoints, and account access. Refer to Standard 206: Information Security Infrastructure Risk Management, Standard 206.01 Network Security, and Policy 102: Information Security Authorization, Authentication, and Audit for specific information.  

101.03 Log Collection

System Custodians/System Administrators will ensure logging is enabled on all servers and applications. The content of logs and the collection strategy will follow Standard 201: Information Security Logging and Event Monitoring.

Logs will be centralized and correlated. The OIS and the IT departments will determine which infrastructure components will send audit information to the centralized logging platform. Security logs from the centralized logging platform will be sent to the OIS security information and event management (SIEM) platform for correlation with other logging events upon request.

If logging is not possible or practical, the OIS must review and approve a policy exception request.

101.04 Log Monitoring

Using a SIEM product to centralize, correlate, and analyze logs of activity in network segments and systems, the OIS will analyze events, detect trends and patterns, and identify suspicious activities. Monitoring requirements, responsibilities, and frequency are based on information classification and risk assessment.

To aid in the log monitoring process, the OIS will:

  • Define information logging and monitoring processes. 
  • Obtain necessary log files and credentials. 

The OIS may also:  

  • Provide WashU department and school IT administrators and owners with a view of the monitoring tools. 
  • Use internal and external auditors to assist in audit and accountability review of logs.  
  • Provide reports to management documenting audit results and findings.  
  • Develop remediation options if logging reveals deficiencies or risks to the university.  
  • Increase logging requirements at any time to accommodate data classification, regulatory and industry updates, and new threats or vulnerabilities. 

101.05 Log Management

The log management system will support the formatting and storage of audit logs, the maintenance of log integrity, and the analysis and reporting of logs at the enterprise level.

System administrators and owners will engage in the following practices to ensure the confidentiality and integrity of logged information: 

  • Logs must be protected against alteration. 
  • Logs containing sensitive information must be kept confidential. Access to logs must be limited to System Custodians/System Administrators and OIS staff for purposes of system administration, management, and support.  
  • Use of security log data for other purposes must be approved by the appropriate oversight offices. Refer to Standard 201: Information Security Logging and Event Monitoring and Policy 112: Information Security Acceptable Use for additional details about user privacy.

101.06 Investigations

The OIS will manage and coordinate investigations of suspicious or anomalous activity detected in logs. Refer to Policy 109: Information Security Incident Reporting, Response, and Recovery for additional details.

Policy Compliance 

The Office of Information Security (OIS) will evaluate compliance with this policy using various methods, including reports, internal and external audits, and feedback to the policy owner. If compliance with this policy is not feasible, technically possible, or practical, users should request an exception from the OIS. Exceptions to this policy must be approved by the OIS in advance. Non-compliance will be addressed with management, the Area Specific Compliance Office, Human Resources, or the Office of Student Conduct.

Internal Audit will independently review and assess compliance with this policy, reporting findings and recommendations to senior management and the Board of Trustees. 

Related Policies, Standards, and Guidelines  

Policy 102: Information Security Authorization, Authentication and Audit 

Policy 109: Information Security Incident Reporting, Response, and Recovery 

Standard 201: Information Security Logging and Event Monitoring

Standard 206: Information Security Infrastructure Risk Management  

Standard 206.01 Network Security 

References 

National Institute of Standards and Technology (2018) Cybersecurity Framework 

National Institute of Standards and Technology (2020) Special Publication 800-53: Security and Privacy Controls for Information Systems and Organizations, Rev. 5 

Policy Review 

This policy will be reviewed by the OIS at a minimum of every three years.   

Policy Number and Title: Policy 101: Information Security Status Monitoring, Reporting, and Review  

Owner: Office of Information Security  

Approved By: Cyber Security Executive Advisory Committee
Original Approval Date: November 17, 2023

Current Version Publication Date: April 18, 2024