Audit and Accountability

Overview

This updated standard is intended to help the Office of Information Technology (OIT) align its existing practices around access control with the requirements in NIST 800-171 (AU | 3.3.x) as well as industry best practices. This document does not give full coverage of the 3.3.x controls in 800-171 due to existing limitations and other requirements specific to CUI.

What is in this document:

  • Required log types
  • Time requirements
  • Log retention requirements
  • Student and guest network security exemption

What is NOT in this document:

  • Approved log locations (Pending knowledge base)
  • Comprehensive list of everything that must ship logs
  • How logs must be shipped
  • The implementation of log collection tools
  • Operating system log configuration (pending baseline configuration)

Policy Reference

APM 30.11 University Data Classification and Standards

APM 30.12 Acceptable Use of Technology Resources

APM 30.14 Cyber Incident Reporting and Response

Purpose

This Audit and Accountability standard supports APM 30.11 University Data Classification and Standards, and other relevant university policies.

This standard provides the logging requirements for the detection, validation and investigation of unlawful, unauthorized, suspicious or unusual activity.

Scope

These standards are the minimum baseline for all managed systems that access, store or process University of Idaho data (see APM 30.14 C-6) at the Low, Moderate or High risk levels (see APM 30.11) and are not covered by an approved system security plan.

This specifically applies to technology resources managed by the University of Idaho, as defined in APM 30.12 C-1.

Standards

  1. Access, Authentication and Authorization.

    Logs that record which identities accessed which systems and when. Sources for these include but are not limited to:

    1. Web applications access
    2. Azure AD and AD infrastructure
    3. System access
    4. O365 file access
    5. MFA infrastructure
    6. Network access

      Risk levels that require logging: Low* / Moderate / High

      *Central logging of local authentication on low-risk systems is not required.

  2. Network logs. Logs generated from network activity. Sources for these include but are not limited to:
    1. Firewalls
    2. NetFlow infrastructure
    3. VPN infrastructure
    4. Wireless and wired infrastructure
    5. DHCP infrastructure
    6. ARP tables

      Risk levels that require logging: Low* / Moderate / High

      *Central logging of local authentication on low-risk systems is not required.

  3. Email logs. Logs that are generated from email activity. Sources for these include but are not limited to:
    1. Email routing appliances
      1. Excluding tools and applications that use the centrally managed mail relay.
    2. Email security appliances

      Risk levels that require logging: Low / Moderate / High

  4. Security events. Logs generated by OIT managed security tools. Sources for these include but are not limited to:
    1. AV/EDR
    2. IPS/IDS
    3. Network Security Monitoring (Moderate / High only)
    4. Passive DNS (pDNS) logs (Moderate / High only)

      Risk levels that require logging: Low / Moderate / High

  5. Privilege, Identity and Credential Management. Logs generated via changes in identities and credentials. Sources for these include but are not limited to:
    1. Active directory
    2. Duo administration
    3. Certificate issuance and revocation

      Risk levels that require logging: Low* / Moderate / High

      *Central logging of local authentication on low-risk systems is not required.

  6. Application logs. Logs generated by applications as part of their function. Examples for these include but are not limited to:
    1. Change logs
    2. Execution logs. (High-risk only)
    3. Debug logs (No central logging required)

      Risk levels that require logging: Moderate / High

  7. Operating system logs. Logs generated by operating systems as part of their function. Only logs from server operating systems are required.

    Risk levels that require logging: Moderate / High

  8. Other log types as specified by OIT security

  1. To ensure that managed technology devices keep correct time in their logs, they must use time.uidaho.edu or an approved source as their source of time.
    1. time.uidaho.edu is a pair of time servers.
    2. time.uidaho.edu uses the following as its authoritative time servers:
      1. clock.xmission.com
      2. sue.cc.uregina.ca
      3. india.colorado.edu
      4. clock.sjc.he.net

        Applies to: Low / Moderate / High

    3. Approved time sources include the authoritative time sources of time.uidaho.edu as well as, directly or indirectly:
      1. time.windows.com
      2. time.nist.gov
      3. pool.ntp.org
      4. time.apple.com
      5. Cloud services under contract with the University may use their own internal time servers.
  2. Where possible, the time format should be ISO 8601 (YYYY-MM-DDThh:mm:ss.mmm+<offset>).

To ensure that OIT Security can process the required logs properly, the following standards apply:

  1. Required logs must be sent to an approved central logging server for correlation, review and report generation.
  2. Alerting must be established for the following scenarios to confirm that logging is succeeding:

    Applies to: Low / Moderate / High

    1. No or Low log volume for expected period of time.
    2. Log parsing errors
    3. Log storage capacity limitations being reached.
  3. Alerts generated by logging function errors must be sent to the system owner and/or the central logging server administrators so the issue can be located and resolved.
  4. Log source owners should periodically review their logging systems to ensure that logging meets the stated standards.

    Applies to: Low / Moderate / High (at least annually)

  5. All logs should contain:
    1. A UTC-adjusted timestamp according to the log source's time.
    2. A UTC-adjusted timestamp of when the central logging server processed the log.
    3. The IP/name of the log source.
    4. The name of the application/service that generated the log (if available).
    5. Any relevant identifying information provided by the application or gathered from context.
      1. Examples include but are not limited to: usernames, IP addresses, device names, certificates, user-agents, X-Forwarded-For, translated IP addresses, SPF results, geolocation data.
      2. Use of high-risk data and of privileged functions must be attributable to an individual user, or to a process acting on behalf of a user.
    6. Action performed.
      1. Examples include but not limited to: Password change, authentication attempt, HTTP POST, email received.
    7. Result of action and reason (if available)
      1. Examples include but not limited to: success, failure due to bad password, failure due to permissions issue, HTTP 404.
    8. Security information (if available)
      1. Examples include but are not limited to: signatures detected, security actions taken, scan results.
    9. Contextual information
      1. Examples: port numbers, email subjects, role assignments, session state.
    10. Any other items that may aid an investigation, as required by the system owner or OIT.
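The required-field list above, the ISO 8601 time format in the time requirements, and the "no or low log volume" and "log parsing errors" alert scenarios can all be exercised with a small validator. The following is an added example written for this page; it is not code from the University of Idaho or OIT. The JSON field names (`ts_source`, `ts_collector`, `source`, `identity`, and so on), the sample log lines, the source names and the volume threshold are all constructed for the demonstration and are not the university's log schema.

```python
"""Added example (not part of the standard): validate constructed log records
against the required-field list, normalise source and collector timestamps to
the UTC-adjusted ISO 8601 form (YYYY-MM-DDThh:mm:ss.mmm+00:00), and evaluate
the 'log parsing errors' and 'no or low log volume' alert conditions."""
import json
from datetime import datetime, timedelta, timezone

# Fields this demo treats as mandatory (constructed names). 'application',
# 'result', 'security' and 'context' are only required "if available" in the
# standard, so the validator does not fail a record for lacking them.
REQUIRED = ("ts_source", "ts_collector", "source", "action", "identity")


def to_iso8601_utc(ts):
    """Parse an ISO 8601 timestamp that carries a UTC offset and re-emit it
    UTC-adjusted with millisecond precision. A timestamp without an offset is
    rejected: it cannot be UTC-adjusted reliably, which is exactly the defect
    the standard's 'UTC adjusted timestamp' requirement guards against."""
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError("timestamp lacks a UTC offset: %s" % ts)
    return dt.astimezone(timezone.utc).isoformat(timespec="milliseconds")


def validate(record):
    """Return a list of problems for one parsed record (empty means compliant).
    Timestamps are normalised in place so downstream code sees UTC only."""
    problems = []
    for field in REQUIRED:
        if not record.get(field):
            problems.append("missing required field '%s'" % field)
    for field in ("ts_source", "ts_collector"):
        if record.get(field):
            try:
                record[field] = to_iso8601_utc(record[field])
            except ValueError as exc:
                problems.append("bad %s: %s" % (field, exc))
    return problems


def ingest(lines):
    """Parse a feed of JSON log lines. Returns the accepted records, the
    per-line validation problems, and how many lines could not be parsed at
    all (the 'log parsing errors' alert condition)."""
    accepted, problems, parse_errors = [], [], 0
    for lineno, line in enumerate(lines, 1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            parse_errors += 1
            continue
        errs = validate(record)
        if errs:
            problems.append((lineno, errs))
        else:
            accepted.append(record)
    return {"accepted": accepted, "problems": problems, "parse_errors": parse_errors}


def low_volume_sources(records, expected_sources, expected_min, window, now):
    """Count accepted records per expected source whose collector timestamp
    falls inside the last `window`. Sources below `expected_min` (including a
    source that sent nothing at all) trigger the 'no or low log volume for
    expected period of time' alert."""
    counts = {src: 0 for src in expected_sources}
    since = now - window
    for record in records:
        if datetime.fromisoformat(record["ts_collector"]) >= since:
            counts[record["source"]] = counts.get(record["source"], 0) + 1
    return {src: n for src, n in counts.items() if n < expected_min}


# Constructed sample feed: two compliant records from a web application, one
# firewall record with a naive (offset-less) source timestamp, one line that
# is not JSON, and one firewall record missing its identity field.
SAMPLE_FEED = [
    '{"ts_source": "2024-03-01T12:00:00.000-08:00", "ts_collector": "2024-03-01T20:00:01.250+00:00", "source": "web-app-01", "application": "sso-portal", "identity": "jdoe", "action": "authentication attempt", "result": "failure due to bad password", "context": {"src_ip": "203.0.113.10"}}',
    '{"ts_source": "2024-03-01T20:05:00.000+00:00", "ts_collector": "2024-03-01T20:05:00.900+00:00", "source": "web-app-01", "application": "sso-portal", "identity": "jdoe", "action": "authentication attempt", "result": "success"}',
    '{"ts_source": "2024-03-01T20:06:00", "ts_collector": "2024-03-01T20:06:01.000+00:00", "source": "fw-edge-01", "action": "deny", "identity": "198.51.100.7"}',
    'Mar  1 20:07:00 fw-edge-01 kernel: this line is not JSON',
    '{"ts_source": "2024-03-01T20:08:00.000+00:00", "ts_collector": "2024-03-01T20:08:00.100+00:00", "source": "fw-edge-01", "action": "allow"}',
]

if __name__ == "__main__":
    result = ingest(SAMPLE_FEED)
    print("accepted:", len(result["accepted"]), "parse errors:", result["parse_errors"])
    for lineno, errs in result["problems"]:
        print("line %d:" % lineno, "; ".join(errs))
    low = low_volume_sources(
        result["accepted"], {"web-app-01", "fw-edge-01", "dhcp-01"},
        expected_min=2, window=timedelta(hours=1),
        now=datetime.fromisoformat("2024-03-01T21:00:00+00:00"))
    print("low-volume alert for:", low)
```

Run stand-alone, the script reports two accepted records, one parse error, problems on lines 3 and 5, and a low-volume alert for `fw-edge-01` and `dhcp-01`: the firewall's records were rejected before counting, and the constructed `dhcp-01` source sent nothing, which is the "no volume" case the standard's alerting requirement is meant to surface. The `now` argument is passed explicitly rather than read from the clock so that the check is deterministic and can be replayed against historical windows.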

Required logs should be retained on the appropriate central logging server for 1 year, unless otherwise required by law, regulations, contractual obligations or other obligations specified by OIT Security.

The following standards ensure the confidentiality and integrity of log data.

  1. Access to the central logging server is granted based on need.
  2. Central logging server access is reviewed yearly.
  3. Alerts are generated when data is deleted from the central logging server.
  4. Data classification standards must be applied to the central logging server according to the risk level of the data held in the logs.

To protect the privacy of students and guests, the student and guest networks are exempt from network security monitoring and pDNS logging.

Other References

1. NIST SP800-171r2 (February 2020)

2. NIST SP800-53r5 (September 2020)

3. ISO 8601

4. Approved Central Logging Systems

Definitions

1. Identity

The way in which a unique entity can be identified, e.g. user name, hostname, IP address, UUID, etc.

2. UTC adjusted timestamp

A log field recording a point in time in Coordinated Universal Time, e.g. 12:00 PM Pacific time is 19:00 (UTC-8).

3. Log source

The system that generates the log.

4. Relevant identifying information

Information that can be used to uniquely track an entity across related actions and sessions. This includes both direct identifiers, such as usernames and IP addresses, and indirect identifiers, such as user-agent strings and geolocation.

5. Central logging server

The central system to which other systems and applications forward their logs, such as the OIT-managed Splunk, Syslog, Sentinel or AKIPS.

6. Execution logs

Logs relating to the execution of commands and functions within an application. Examples include but are not limited to API execution, SQL execution or function execution.

7. Network security monitoring (NSM)

Passive capture of network packets for later analysis and investigation.

Standard Owner

OIT Security is responsible for the content and management of these standards.

To request an exception to this standard.

Contact: oit-security@uidaho.edu

Revision History

3/1/2024 — Minor updates

  • Added alternate time servers
  • Added log retention, log access, and the student and guest exemption
  • Other minor formatting/wording/reference changes.

6/23/2023 — Original standard

  • Full re-write to align with NIST 800-171r2
