Connor Group Information Security
Auditing and Logging Standard
November 2023
v.1.3
Introduction
Collection and review of audit logs help companies monitor and keep track of use, misuse, and potential breaches of company resources. Logging of production systems and networks is necessary to ensure compliance with the legal and business requirements that apply to Connor Group data. As such, this standard codifies expectations for log collection and review from systems and services utilized by Connor Group. It is one of a set of documents that together form Connor Group's Information Security Management System (ISMS).
Purpose
The purpose of this Standard is to provide expectations and requirements for the collection, retention, and review of all log events of Connor Group systems.
Scope
This Standard applies to all IT Production Systems utilized by Connor Group, including but not limited to:
- Servers, workstations, or networks managed by Connor Group or a Contracted Third Party.
- Applications or systems used to support Connor Group data and/or Services.
- Third Party systems used by Connor Group for business purposes.
This Standard defines the term “IT Systems” to include:
- Applications (e.g., Outlook, Slack, Adobe, Java)
- Operating Systems (e.g., Linux/Solaris/Windows)
- Network Devices (e.g., Switches/Routers/Firewalls)
- Servers, both physical and virtual
- Desktop Systems, both physical and virtual
- Storage Solutions (e.g. File servers, NAS)
- Removable Media (e.g. MicroSD cards, USB drives)
All staff and Third Parties responsible for the management of IT Systems must understand and follow the requirements herein.
In the event of uncertainty regarding the applicability of this Standard, contact Information Security for clarification and/or guidance.
Definitions
References for terminology or acronyms used within Information Security Standards can be accessed within the Glossary of Definitions (https://helpdesk.connorgp.com/a/solutions/articles/11000112202).
Standard
Adherence to requirements in this standard is mandatory.
1. Logging
Ref | Requirement
1.1 | Logs shall be retained using a common timestamp across devices, with UTC as the recommended setting.
1.2 | Where possible, logging shall be enabled and set at a verbose level to include the following, at a minimum:
1.3 | Where possible, failures of the following events shall be logged:
1.4 | For network devices, including firewalls, success and failure of the following shall be logged, at a minimum:
1.5 | Logs shall be exported away from the originating system or device and stored in a secondary location. The logs in the secondary location shall be encrypted and set to read only.
1.6 | In keeping with the principle of separation of duties, the process that moves logs to the secondary location shall not have permission to decrypt or purge logs at the secondary location.
1.7 | Logs shall be kept a minimum of 30 days for each system or application, with logs appending to new files instead of being set to overwrite. The maximum retention of log files shall comply with legal requirements or the Data Retention Standard, whichever is longer.
2. Auditing
Ref | Requirement
2.1 | System and application logs shall be inspected regularly for indications of erroneous or malicious activity.
2.2 | Log review shall be performed by Information Security to protect the integrity of the logs and maintain separation of duties. Inspection of Information Security's own logs will be left to the discretion of the CIO.
2.3 | The auditing of logs shall trigger an alert, action, or investigation for the following user events, at a minimum:
2.4 | The auditing of logs of network devices shall trigger an alert, action, or investigation for the following user events, at a minimum:
2.5 | The changing of permissions on a large number of network files (an indicator of ransomware) shall trigger an alert, action, or investigation.
2.6 | The log backup to a secondary location for production systems and applications shall be regularly audited, with noncompliance remediated upon discovery.
2.7 | Logs shall be reviewed regularly for sensitive data and classified according to their highest-classification content.
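Requirement 2.5 states the detection condition but not how to evaluate it. The following is an added illustration, not part of the Standard or of any Connor Group tooling, of a sliding-window check over file-server audit lines: it counts, per user, how many distinct files had their permissions changed inside a short window and raises an alert once a threshold is crossed. The line format (`<UTC timestamp> user=… action=… path=…`), the event names `PERMISSION_CHANGE`/`ACL_MODIFIED`, the threshold of 50 files and the 60-second window are all assumptions chosen for the example; the sample log is constructed. Timestamps are parsed as UTC, matching requirement 1.1.

```python
"""Added example: detect a burst of permission changes on network files (req. 2.5).

Parses constructed audit lines of the form
  <ISO-8601 UTC timestamp> user=<name> action=<ACTION> path=<file>
and alerts when one user changes permissions on at least `threshold`
distinct files within `window_seconds`. Line format, field names and
thresholds are assumptions for this example, not part of the Standard.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+action=(?P<action>\S+)\s+path=(?P<path>.+)$"
)
PERMISSION_ACTIONS = {"PERMISSION_CHANGE", "ACL_MODIFIED"}  # assumed event names


def parse_line(line):
    """Return (timestamp, user, action, path) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Req. 1.1: logs are stored in UTC, so parse timestamps as aware UTC datetimes.
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["user"], m["action"], m["path"]


def detect_mass_permission_changes(lines, threshold=50, window_seconds=60):
    """Sliding-window count of distinct files per user whose permissions changed.

    Returns one alert per user, raised the first time that user's window
    reaches the threshold: a dict with user, window_start, window_end, file_count.
    """
    events = [e for e in map(parse_line, lines) if e and e[2] in PERMISSION_ACTIONS]
    events.sort(key=lambda e: e[0])  # log lines may arrive out of order
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # user -> deque of (ts, path) still inside the window
    alerted = set()
    alerts = []
    for ts, user, _action, path in events:
        q = recent[user]
        q.append((ts, path))
        while q and ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append({
                "user": user,
                "window_start": q[0][0],
                "window_end": ts,
                "file_count": len(distinct),
            })
    return alerts


def build_sample_log():
    """Constructed sample: one user touches 60 files in 30 s, a service account touches 3."""
    base = datetime(2023, 11, 2, 10, 15, 0, tzinfo=timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    for i in range(60):
        t = (base + timedelta(seconds=i // 2)).strftime(fmt)
        lines.append(f"{t} user=jdoe action=PERMISSION_CHANGE path=\\\\fs01\\finance\\doc{i:03d}.xlsx")
    for i in range(3):
        t = (base + timedelta(minutes=5, seconds=i)).strftime(fmt)
        lines.append(f"{t} user=svc-backup action=ACL_MODIFIED path=\\\\fs01\\share\\cfg{i}.ini")
    lines.append("garbage line that does not parse")  # exercises the parser's None path
    return lines


if __name__ == "__main__":
    for a in detect_mass_permission_changes(build_sample_log()):
        print(f"ALERT user={a['user']} files={a['file_count']} "
              f"{a['window_start'].isoformat()} .. {a['window_end'].isoformat()}")
```

The threshold and window would be tuned per file server from a baseline of normal administrative activity; the point of keying on distinct files rather than raw event count is that legitimate tools often emit several ACL events for one file, while encryption-style activity spreads across many files quickly.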
Compliance
The Information Security team shall verify compliance with this Standard through various methods, including but not limited to periodic walk-throughs, environment sampling, process review, monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
Any exception to this Standard requires a formally approved exemption that documents the justification and the approval granted against compliance with this Standard. Exemption approvals are required before the System enters live operation.
The following are required to adhere to this Standard, except where a formal exception has been granted as above:
- All Connor Group Systems and employees, independent contractors, and subcontractors. Any individual found to have violated this Standard may be subject to disciplinary actions including termination and legal recourse.
- Any Third-Party System that is used to support Connor Group data and/or Services. Any Third Party that violates this Standard will be considered to have breached their contract with the Connor Group.
Revision History
Revisions require approval by the Director of Information Security and dissemination to applicable business units prior to release.
Version | Detail | Author | Date
1.1 | Formatting revised, with requirements under Standards enumerated for easier reference. | Connor Group Information Security | May 2021
1.2 | Added Table of Contents. | Connor Group Information Security | August 2022
1.3 | Minor edits and review. Definitions link updated to FS KB. 1.6 updated for clarity on process separation. 2.2 updated to only include CIO discretion. | Connor Group Information Security | November 2023