Logs must be generated in information technology (IT) systems and networks. Because of the nature of the data that security logs can contain (e.g., passwords, e-mail content), they are considered personally identifiable information (PII) and must be protected with the controls required for data whose confidentiality and integrity classification is high.
Initial Log Generation
- All hosts and networking equipment must perform security log generation for all components (e.g., OS, service, application).
- All security events must be logged, and logging must be configured to capture enough detail to show what activity occurred.
Log Administration
- All hosts and networking equipment must issue alerts on security log processing failures, such as software/hardware errors, failures in the log capturing mechanisms, and log storage capacity being reached or exceeded. All alerts must be as close to real time as possible.
- When non-revolving log storage reaches 90% capacity, a warning must be issued.
Log Storage and Disposal
- Within the consolidated log infrastructure, logs must be maintained and readily available for a minimum of 30 days.
- Systems that collect logs, whether local or consolidated, must maintain sufficient storage space to meet the minimum requirements for both readily available and retained logs. Storage planning must account for log bursts or increases in storage requirements that could reasonably be expected to result from system issues, including security incidents.
- Log integrity within the consolidated log infrastructure must be preserved, for example by storing logs on write-once media or by generating message digests for each log file.
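The message-digest control in the last bullet can be implemented with a small manifest tool. The following is an added example, not part of the policy and not an institutional tool; it assumes SHA-256 as the digest, a JSON manifest kept apart from the logs (ideally on the write-once media the bullet mentions), and a running chain value so that removing or reordering a whole log file is detected as well as editing one. The sample log lines are constructed.

```python
"""Per-file message digests for a consolidated log store (added example).

Assumptions (not from the policy text): SHA-256 as the digest, a JSON manifest
stored separately from the logs, and a hash chain over the per-file digests so
that deleting or reordering a file changes the recorded final chain value.
"""
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 16  # read logs in 64 KiB chunks so large files need not fit in memory


def digest_file(path: str) -> str:
    """Return the hex SHA-256 of a log file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths: list[str]) -> dict:
    """Digest each file and chain the digests so the file set is tamper-evident as a whole.

    chain[i] = SHA-256(chain[i-1] || digest[i]); the final chain value is what an
    operator records out of band (e.g. on write-once media)."""
    entries = []
    chain = hashlib.sha256(b"").hexdigest()  # fixed starting value for the chain
    for p in sorted(paths):
        d = digest_file(p)
        chain = hashlib.sha256((chain + d).encode()).hexdigest()
        entries.append({"file": os.path.basename(p), "sha256": d, "chain": chain})
    return {"algorithm": "sha256", "entries": entries, "final_chain": chain}


def verify_manifest(manifest: dict, directory: str) -> list[str]:
    """Recompute digests for the files named in the manifest and report problems.

    Returns human-readable findings; an empty list means every listed file is
    present and unmodified and the recomputed chain reaches the recorded value."""
    findings = []
    chain = hashlib.sha256(b"").hexdigest()
    for entry in manifest["entries"]:
        path = os.path.join(directory, entry["file"])
        if not os.path.exists(path):
            findings.append(f"missing: {entry['file']}")
            continue
        d = digest_file(path)
        if d != entry["sha256"]:
            findings.append(f"modified: {entry['file']}")
        chain = hashlib.sha256((chain + d).encode()).hexdigest()
    if chain != manifest["final_chain"]:
        findings.append("chain mismatch: file set altered or manifest tampered")
    return findings


def demo() -> tuple[list[str], list[str]]:
    """Constructed sample: two small syslog-style files verified clean, then one is truncated."""
    tmp = tempfile.mkdtemp()
    sample = {  # constructed log lines, not real records
        "auth.log": "Jul 11 09:14:02 host1 sshd[812]: Accepted publickey for ops from 10.0.0.5\n",
        "syslog": "Jul 11 09:14:05 host1 systemd[1]: Started Daily apt download activities.\n",
    }
    for name, text in sample.items():
        with open(os.path.join(tmp, name), "w") as fh:
            fh.write(text)
    manifest = build_manifest([os.path.join(tmp, n) for n in sample])
    clean = verify_manifest(manifest, tmp)
    # The failure mode the control exists to catch: log content altered after collection
    with open(os.path.join(tmp, "auth.log"), "w") as fh:
        fh.write("")
    tampered = verify_manifest(manifest, tmp)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean store:", before)
    print("after truncation:", after)
```

Storing the manifest beside the logs on the same writable volume defeats the purpose; the final chain value in particular should go somewhere the log collector cannot rewrite, and verification should run on a schedule so a mismatch surfaces within the real-time alerting window the Log Administration section calls for.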
Log Access and Use
- Log data must be initially analyzed as close to real time as possible.
- Access to log management systems must be recorded and must be limited to individuals with a specific need for access to the records. Access to log data must be limited to the specific sets of data appropriate for the business need.
- Procedures must exist for managing unusual events. Response must be commensurate with system criticality, data sensitivity, and regulatory requirements.
Approved by President’s Cabinet July 2022