Sample Auditing Standard: Difference between revisions
Revision as of 21:04, 31 October 2008
Sample Auditing Standard
The <Your Company Name> (the "Company") Sample Asset Protection Policy defines objectives for establishing specific standards for protecting the confidentiality, integrity, and availability of Company information assets.
This Auditing Standard builds on the objectives established in the Sample Asset Protection Policy, and provides specific auditing and logging requirements including activation, protection, retention, and storage.
I. Scope
All employees, contractors, part-time and temporary workers, and those employed by others to perform work on Company premises or who have been granted access to Company information or systems, are covered by this standard and must comply with associated guidelines and procedures.
Information assets are defined in the Sample Asset Identification and Classification Policy.
Sensitive Information refers to information that is classified as Restricted or Confidential. Refer to the Sample Information Classification Standard for confidentiality classification categories.
II. Requirements
- A. General
  - 1. The Company shall employ a centralized audit-logging scheme such that audit logs are securely written to a centralized log system.
  - 2. The centralized log system shall provide a mechanism for archiving audit logs in accordance with applicable legal and regulatory requirements.
  - 3. All Company servers, network devices, and multi-user systems shall receive time synchronization from a dedicated, central Company time source.
  - 4. Authorized personnel shall review audit logs to detect indications of, or patterns associated with, malicious activity and take appropriate action or respond in accordance with the Sample Threat Monitoring Standard and Sample Incident Response Standard.
- B. Activation
  - 1. Auditing shall be enabled on all Company servers, network devices, and multi-user systems.
  - 2. Security changes, significant activity, and high-risk functions must be recorded.
  - 3. Audit records shall be generated for successful and/or failed attempts to:
    - A. Log on to or log off from the system
    - B. Change user and group accounts
    - C. Start up or shut down the system
    - D. Change security policy or configuration settings
    - E. Back up or restore data
    - F. Access sensitive information
  - 4. Audit records should include who, what, when, and from where the recorded event or activity occurred.
- C. Protection
  - 1. Audit logs and records shall be protected to prevent deletion or alteration by unauthorized users.
  - 2. Access to the audit logs, audit records, and audit configuration settings shall be restricted to privileged accounts.
- D. Retention and Storage
  - 1. Audit logs must be stored on alternate media prior to re-initialization.
  - 2. Each system will provide sufficient storage to ensure logs will not be overwritten during normal operating conditions and during situations that generate logging activity four times greater than normal system operating scenarios.
  - 3. Audit logs must be retained on-line for a minimum of thirty (30) days.
  - 4. Security-related audit logs should be archived on read-only media, if possible, then secured and retained according to applicable legal and regulatory requirements.
III. Responsibilities
The Chief Information Security Officer (CISO) approves the Auditing Standard. The CISO also is responsible for ensuring the development, implementation, and maintenance of the Auditing Standard.
Company management, including senior management and department managers, is accountable for ensuring that the Auditing Standard is properly communicated and understood within their respective organizational units. Company management also is responsible for defining, approving and implementing procedures in its organizational units and ensuring their consistency with the Auditing Standard.
Asset Owners (Owners) are the managers of organizational units that have primary responsibility for information assets associated with their functional authority. When Owners are not clearly implied by organizational design, the CIO will make the designation. The Owner is responsible for defining processes and procedures that are consistent with the Auditing Standard and associated guidelines; ensuring audit logs and records are periodically reviewed; and ensuring audit logs are securely archived and retained.
Asset Custodians (Custodians) are the managers, administrators, and those designated by the Owner to manage, process, or store information assets. Custodians are responsible for providing a secure processing environment that protects the confidentiality, integrity, and availability of information; implementing procedural safeguards and cost-effective controls to protect audit logs and records; ensuring auditing and logging capabilities are activated on Company information systems; ensuring audit logs and records are retained and stored in accordance with the Auditing Standard; and notifying Owners in a timely manner when auditing capabilities or audit records have been compromised.
Users are the individuals, groups, or organizations authorized by the Owner to access information assets. Users are responsible for familiarizing themselves with, and complying with, the Auditing Standard and associated guidelines.
IV. Enforcement and Exception Handling
Failure to comply with the Auditing Standard and associated guidelines and procedures can result in disciplinary actions up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.
Requests for exceptions to the Auditing Standard should be submitted to <Insert Title> in accordance with the Information Security Standards Exception Procedure. Prior to official management approval of any exception request, the individuals, groups, or organizations identified in the scope of this standard will continue to observe the Auditing Standard.
V. Review and Revision
The Auditing Standard will be reviewed and revised in accordance with the Sample Information Security Program Charter.
Approved: _______________________________________________________
- Signature
- <Insert Name>
- Chief Information Security Officer