Sample Auditing Standard:

From HORSE - Holistic Operational Readiness Security Evaluation.
Revision as of 16:08, 24 July 2006 by Mdpeters (talk | contribs)

Sample Auditing Standard


The <Your Company Name> (the "Company") Sample Asset Protection Policy defines objectives for establishing specific standards for protecting the confidentiality, integrity, and availability of Company information assets.

This Auditing Standard builds on the objectives established in the Sample Asset Protection Policy, and provides specific auditing and logging requirements including activation, protection, retention, and storage.

I. Scope


All employees, contractors, part-time and temporary workers, and those employed by others to perform work on Company premises or who have been granted access to Company information or systems, are covered by this standard and must comply with associated guidelines and procedures.

Information assets are defined in the Sample Asset Identification and Classification Policy.

Sensitive Information refers to information that is classified as Restricted or Confidential. Refer to the Sample Information Classification Standard for confidentiality classification categories.

II. Requirements


A. General


1. The Company shall employ a centralized audit-logging scheme such that audit logs are securely written to a centralized log system.


2. The centralized log system shall provide a mechanism for archiving audit logs in accordance with applicable legal and regulatory requirements.


3. All Company servers, network devices, and multi-user systems shall receive time synchronization from a dedicated, central Company time source, so that events recorded on different systems can be reliably ordered and correlated.


4. Authorized personnel shall review audit logs to detect indications of, or patterns associated with, malicious activity, and shall take appropriate action or respond in accordance with the Sample Threat Monitoring Standard and Sample Incident Response Standard.


B. Activation


1. Auditing shall be enabled on all Company servers, network devices, and multi-user systems.


2. Security changes, significant activity, and high-risk functions must be recorded.


3. Audit records shall be generated for both successful and failed attempts to:


A. Log on to or log off from the system
B. Create, change, or remove user and group accounts
C. Start up or shut down the system
D. Change security policy or configuration settings
E. Back up or restore data
F. Access sensitive information


4. Audit records shall include who performed the action, what was done, when it occurred, from where it originated (the source system or address), and whether the attempt succeeded or failed.


C. Protection


1. Audit logs and records shall be protected to prevent deletion or alteration by unauthorized users.


2. Access to the audit logs, audit records, and audit configuration settings shall be restricted to privileged accounts.


D. Retention and Storage


1. Audit logs must be copied to alternate media before a log is re-initialized (cleared or overwritten).


2. Each system shall provide sufficient storage that logs are not overwritten under normal operating conditions or during periods in which logging activity is 300% greater than normal (that is, four times the normal volume).


3. Audit logs must be retained on-line for a minimum of 30 days.


4. Security-related audit logs should be archived on read-only media, if possible, then secured and retained according to applicable legal and regulatory requirements.
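The checks below are an added example, not part of the HORSE template, showing how a Custodian might verify a system's audit output against II.B.3 and II.B.4 (required event categories and required record fields) and size on-line storage for II.D.2 and II.D.3 (30 days of retention at a rate 300% greater than normal). The key=value record format, the category names used in the "what=" field, and the sample records are constructed for illustration; the standard names the activities to audit, not a record format or event identifiers.

```python
"""Audit-standard compliance checks (constructed example, not HORSE code)."""
from __future__ import annotations

# II.B.3: activities that must produce audit records. The category names are
# an assumption for this example; map them to your platform's event IDs.
REQUIRED_CATEGORIES = frozenset({
    "logon", "logoff",            # A. log on / log off
    "account_change",             # B. user and group account changes
    "startup", "shutdown",        # C. system start-up / shutdown
    "policy_change",              # D. security policy / configuration changes
    "backup", "restore",          # E. backup / restore
    "sensitive_access",           # F. access to sensitive information
})

# II.B.4: who, what, when, from where. "outcome" is needed to tell successful
# from failed attempts, which II.B.3 requires to be recorded.
REQUIRED_FIELDS = ("who", "what", "when", "where", "outcome")

# Constructed sample records (assumed key=value format). Record 4 lacks a
# source ("where"), and no "restore" event appears in the batch.
SAMPLE_RECORDS = [
    "when=2006-07-24T15:58:01Z who=alice what=logon where=10.0.0.5 outcome=success",
    "when=2006-07-24T15:58:07Z who=bob what=logon where=10.0.0.9 outcome=failure",
    "when=2006-07-24T16:01:12Z who=root what=account_change where=console outcome=success",
    "when=2006-07-24T16:02:45Z who=svc_backup what=backup outcome=success",
    "when=2006-07-24T16:05:00Z who=root what=policy_change where=console outcome=success",
    "when=2006-07-24T16:07:30Z who=alice what=sensitive_access where=10.0.0.5 outcome=success",
    "when=2006-07-24T16:09:00Z who=root what=shutdown where=console outcome=success",
    "when=2006-07-24T16:12:00Z who=root what=startup where=console outcome=success",
    "when=2006-07-24T16:15:00Z who=alice what=logoff where=10.0.0.5 outcome=success",
]


def parse_record(line: str) -> dict[str, str]:
    """Parse one space-separated key=value audit record into a dict."""
    rec: dict[str, str] = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value
    return rec


def check_records(lines: list[str]) -> tuple[list[str], list[tuple[int, list[str]]]]:
    """Return (required categories never seen, records missing required fields).

    The second element lists (1-based record number, missing field names).
    """
    seen: set[str] = set()
    incomplete: list[tuple[int, list[str]]] = []
    for lineno, line in enumerate(lines, start=1):
        rec = parse_record(line)
        missing = [f for f in REQUIRED_FIELDS if not rec.get(f)]
        if missing:
            incomplete.append((lineno, missing))
        if rec.get("what"):
            seen.add(rec["what"])
    return sorted(REQUIRED_CATEGORIES - seen), incomplete


def required_online_storage_bytes(normal_bytes_per_day: int,
                                  retention_days: int = 30,
                                  surge_pct: int = 300) -> int:
    """Bytes needed to keep retention_days of logs on-line (II.D.3) while
    logging runs surge_pct greater than normal (II.D.2).

    "300% greater" means normal plus three times normal, i.e. 4x, not 3x.
    Assumption: the surge is sized as lasting the whole retention window,
    which is the conservative reading.
    """
    surge_factor = 1 + surge_pct / 100
    return int(normal_bytes_per_day * surge_factor * retention_days)


def storage_is_sufficient(capacity_bytes: int, normal_bytes_per_day: int,
                          retention_days: int = 30, surge_pct: int = 300) -> bool:
    """True if the on-line log volume meets II.D.2 and II.D.3 for this rate."""
    return capacity_bytes >= required_online_storage_bytes(
        normal_bytes_per_day, retention_days, surge_pct)


if __name__ == "__main__":
    missing_cats, bad_records = check_records(SAMPLE_RECORDS)
    print("required categories with no records:", missing_cats)
    print("records missing required fields:", bad_records)
    gib = 1024 ** 3
    need = required_online_storage_bytes(2 * gib)   # 2 GiB/day normal volume
    print(f"on-line storage for 30 days at 4x of 2 GiB/day: {need / gib:.0f} GiB")
```

Run against a real export, a batch in which every required category appears with complete records passes the activation checks; an empty category list does not prove the source system audits that activity, only that it emitted at least one such record during the window, so review the audit configuration itself as well.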


III. Responsibilities


The Chief Information Security Officer (CISO) approves the Auditing Standard. The CISO is also responsible for ensuring the development, implementation, and maintenance of the Auditing Standard.

Company management, including senior management and department managers, is accountable for ensuring that the Auditing Standard is properly communicated and understood within their respective organizational units. Company management is also responsible for defining, approving, and implementing procedures in its organizational units and ensuring their consistency with the Auditing Standard.

Asset Owners (Owners) are the managers of organizational units that have primary responsibility for information assets associated with their functional authority. When Owners are not clearly implied by organizational design, the CIO will make the designation. The Owner is responsible for defining processes and procedures that are consistent with the Auditing Standard and associated guidelines; ensuring audit logs and records are periodically reviewed; and ensuring audit logs are securely archived and retained.

Asset Custodians (Custodians) are the managers, administrators, and those designated by the Owner to manage, process, or store information assets. Custodians are responsible for providing a secure processing environment that protects the confidentiality, integrity, and availability of information; implementing procedural safeguards and cost-effective controls to protect audit logs and records; ensuring auditing and logging capabilities are activated on Company information systems; ensuring audit logs and records are retained and stored in accordance with the Auditing Standard; and notifying Owners in a timely manner when auditing capabilities or audit records have been compromised.

Users are the individuals, groups, or organizations authorized by the Owner to access information assets. Users are responsible for familiarizing themselves with, and complying with, the Auditing Standard and associated guidelines.

IV. Enforcement and Exception Handling


Failure to comply with the Auditing Standard and associated guidelines and procedures can result in disciplinary actions up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.

Requests for exceptions to the Auditing Standard should be submitted to <Insert Title> in accordance with the Information Security Standards Exception Procedure. Prior to official management approval of any exception request, the individuals, groups, or organizations identified in the scope of this standard will continue to observe the Auditing Standard.

V. Review and Revision


The Auditing Standard will be reviewed and revised in accordance with the Sample Information Security Program Charter.

Approved: _______________________________________________________

Signature


<Insert Name>


Chief Information Security Officer