Sample Auditing Standard:: Difference between revisions

From HORSE - Holistic Operational Readiness Security Evaluation.
Jump to navigation Jump to search
No edit summary
 
(2 intermediate revisions by the same user not shown)
Line 1: Line 1:
=='''Sample Auditing Standard'''==
==Sample Auditing Standard==
<br>
The Auditing Standard builds on the objectives established in the [[Sample Asset Protection Policy:|'''Sample Asset Protection Standard''']], and provides specific auditing and logging requirements including activation, protection, retention, and storage.
The '''<Your Company Name>''' (the "Company") [[Sample Asset Protection Policy:|'''Sample Asset Protection Policy''']] defines objectives for establishing specific standards for protecting the confidentiality, integrity, and availability of Company information assets.<br>
 
<br>
==Objectives==
This Auditing Standard builds on the objectives established in the [[Sample Asset Protection Policy:|'''Sample Asset Protection Policy''']], and provides specific auditing and logging requirements including activation, protection, retention, and storage.<br>
# '''General'''
<br>
## The Company shall employ a centralized audit-logging scheme such that audit logs are securely written to a centralized log system.
=='''I. Scope'''==
## The centralized log system shall provide a mechanism for archiving audit logs in accordance with applicable legal and regulatory requirements.
<br>
## All Company servers, network devices, and multi-user systems shall receive time synchronization from a dedicated, central Company time source.
All employees, contractors, part-time and temporary workers, and those employed by others to perform work on Company premises or who have been granted access to Company information or systems, are covered by this standard and must comply with associated guidelines and procedures.<br>
## Authorized personnel shall review audit logs to detect indications of, or patterns associated with malicious activity and take appropriate action or respond in accordance with the [[Sample_Threat_Monitoring_Standard:|'''Threat Monitoring Standard''']] and [[Sample_Incident_Response_Standard:|'''Incident Response Standard''']].
<br>
# '''Activation'''
'''Information assets''' are defined in the [[Sample Asset Identification and Classification Policy:|'''Sample Asset Identification and Classification Policy''']].<br>
## Auditing shall be enabled on all Company servers, network devices, and multi-user systems.
<br>
## Security changes, significant activity, and high-risk functions must be recorded.
'''Sensitive Information''' refers to information that is classified as Restricted or Confidential. Refer to the [[Sample Information Classification Standard:|'''Sample Information Classification Standard''']] for confidentiality classification categories.<br>
## Audit records shall be generated for successful and/or failed attempts to:
<br>
### Log on or log off to the system
=='''II. Requirements'''==
### Change User and Group Accounts
<br>
### Startup and shutdown the system
:'''A. General'''<br>
### Change security policy or configuration settings
<br>
### Backup or restore data
::1. The Company shall employ a centralized audit-logging scheme such that audit logs are securely written to a centralized log system.<br>
### Access sensitive information
<br>
## Audit records should include who, what, when and from where the recorded event or activity occurred.
::2. The centralized log system shall provide a mechanism for archiving audit logs in accordance with applicable legal and regulatory requirements.<br>
# '''Protection'''
<br>
## Audit logs and records shall be protected to prevent deletion or alteration from unauthorized users.
::3. All Company servers, network devices, and multi-user systems shall receive time synchronization from a dedicated, central Company time source.<br>
## Access to the audit logs, audit records, and audit configuration settings shall be restricted to privileged accounts.
<br>
# '''Retention and Storage'''
::4. Authorized personnel shall review audit logs to detect indications of, or patterns associated with malicious activity and take appropriate action or respond in accordance with the [[Sample Threat Monitoring Standard:|'''Sample Threat Monitoring Standard''']] and [[Sample Incident Response Standard:|'''Sample Incident Response Standard''']]. <br>
## Audit logs must be stored on an alternate media prior to re-initialization.
<br>
## Each system will provide sufficient storage to ensure logs will not be overwritten during normal operating conditions and situations that generate logging activity 300% greater than normal system operating scenarios.
:'''B. Activation'''<br>
### Audit logs must be retained on-line for a time period defined by the Document Retention Schedule or otherwise defined by legal requirements which currently is thirteen (13) months.
<br>
### Security-related audit logs should be archived on read-only media, if possible, then secured and retained according to applicable legal and regulatory requirements.
::1. Auditing shall be enabled on all Company servers, network devices, and multi-user systems.<br>
<br>
::2. Security changes, significant activity, and high-risk functions must be recorded.<br>
<br>
::3. Audit records shall be generated for successful and/or failed attempts to:<br>
<br>
:::A. Log on or log off to the system<br>
:::B. Change User and Group Accounts<br>
:::C. Startup and shutdown the system<br>
:::D. Change security policy or configuration settings<br>
:::E. Backup or restore data<br>
:::F. Access sensitive information<br>
<br>
::4. Audit records should include who, what, when and from where the recorded event or activity occurred. <br>
<br>
:'''C. Protection'''<br>
<br>
::1. Audit logs and records shall be protected to prevent deletion or alteration from unauthorized users.<br>
<br>
::2. Access to the audit logs, audit records, and audit configuration settings shall be restricted to privileged accounts. <br>
<br>
:'''D. Retention and Storage'''<br>
<br>
::1. Audit logs must be stored on an alternate media prior to re-initialization.<br>
<br>
::2. Each system will provide sufficient storage to ensure logs will not be overwritten during normal operating conditions and situations that generate logging activity four times greater than normal system operating scenarios.<br>
<br>
::3. Audit logs must be retained on-line for a minimum of thirty (30) days.<br>
<br>
::4. Security-related audit logs should be archived on read-only media, if possible, then secured and retained according to applicable legal and regulatory requirements.<br>
<br>
<br>


=='''III. Responsibilities'''==
==Document Examples==
<br>
Use these samples as a guide for your policy development. Fully customizable versions are available from [http://policy-machine.com The Policy Machine].<br>
The Chief Information Security Officer (CISO) approves the Auditing Standard. The CISO also is responsible for ensuring the development, implementation, and maintenance of the Auditing Standard.<br>
<br>
Company management, including senior management and department managers, is accountable for ensuring that the Auditing Standard is properly communicated and understood within their respective organizational units. Company management also is responsible for defining, approving and implementing procedures in its organizational units and ensuring their consistency with the Auditing Standard.<br>
<br>
Asset Owners (Owners) are the managers of organizational units that have primary responsibility for information assets associated with their functional authority. When Owners are not clearly implied by organizational design, the CIO will make the designation. The Owner is responsible for defining processes and procedures that are consistent with the Auditing Standard and associated guidelines; ensuring audit logs and records are periodically reviewed; and ensuring audit logs are securely archived and retained.<br>
<br>
Asset Custodians (Custodians) are the managers, administrators and those designated by the Owner to manage, process or store information assets. Custodians are responsible for providing a secure processing environment that protects the confidentiality, integrity, and availability of information; implementing procedural safeguards and cost-effective controls to protect audit logs and records, ensuring auditing and logging capabilities are activated on Company information systems; ensuring audit logs and records are retained and stored in accordance with the Auditing Standard; and notifying Owners in a timely manner when auditing capabilities or audit records have been compromised.<br>
<br>
Users are the individuals, groups, or organizations authorized by the Owner to access to information assets. Users are responsible for familiarizing and complying with the Auditing Standard and associated guidelines.<br>
<br>
=='''IV. Enforcement and Exception Handling'''==
<br>
Failure to comply with the Auditing Standard and associated guidelines and procedures can result in disciplinary actions up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.<br>
<br>
Requests for exceptions to the Auditing Standard should be submitted to <Insert Title> in accordance with the Information Security Standards Exception Procedure. Prior to official management approval of any exception request, the individuals, groups, or organizations identified in the scope of this standard will continue to observe the Auditing Standard.<br>
<br>
=='''V. Review and Revision'''==
<br>
The Auditing Standard will be reviewed and revised in accordance with the [[Sample Information Security Program Charter:|'''Sample Information Security Program Charter''']].<br>
<br>
Approved: _______________________________________________________<br>
<br>
::Signature<br>
<br>
::<Insert Name><br>
<br>
::Chief Information Security Officer<br>
<br>
<br>
<gallery>
Image:Auditing Standard.png|Auditing Standard page one of seven.
Image:Auditing Standard(1).png|Auditing Standard page two of seven.
Image:Auditing Standard(2).png|Auditing Standard page three of seven.
Image:Auditing Standard(3).png|Auditing Standard page four of seven.
Image:Auditing Standard(4).png|Auditing Standard page five of seven.
Image:Auditing Standard(5).png|Auditing Standard page six of seven.
Image:Auditing Standard(6).png|Auditing Standard page seven of seven.
</gallery>

Latest revision as of 20:12, 15 January 2014

Sample Auditing Standard

The Auditing Standard builds on the objectives established in the Sample Asset Protection Standard, and provides specific auditing and logging requirements including activation, protection, retention, and storage.

Objectives

  1. General
    1. The Company shall employ a centralized audit-logging scheme such that audit logs are securely written to a centralized log system.
    2. The centralized log system shall provide a mechanism for archiving audit logs in accordance with applicable legal and regulatory requirements.
    3. All Company servers, network devices, and multi-user systems shall receive time synchronization from a dedicated, central Company time source.
    4. Authorized personnel shall review audit logs to detect indications of, or patterns associated with malicious activity and take appropriate action or respond in accordance with the Threat Monitoring Standard and Incident Response Standard.
  2. Activation
    1. Auditing shall be enabled on all Company servers, network devices, and multi-user systems.
    2. Security changes, significant activity, and high-risk functions must be recorded.
    3. Audit records shall be generated for successful and/or failed attempts to:
      1. Log on or log off to the system
      2. Change User and Group Accounts
      3. Startup and shutdown the system
      4. Change security policy or configuration settings
      5. Backup or restore data
      6. Access sensitive information
    4. Audit records should include who, what, when and from where the recorded event or activity occurred.
  3. Protection
    1. Audit logs and records shall be protected to prevent deletion or alteration from unauthorized users.
    2. Access to the audit logs, audit records, and audit configuration settings shall be restricted to privileged accounts.
  4. Retention and Storage
    1. Audit logs must be stored on an alternate media prior to re-initialization.
    2. Each system will provide sufficient storage to ensure logs will not be overwritten during normal operating conditions and situations that generate logging activity 300% greater than normal system operating scenarios.
      1. Audit logs must be retained on-line for a time period defined by the Document Retention Schedule or otherwise defined by legal requirements which currently is thirteen (13) months.
      2. Security-related audit logs should be archived on read-only media, if possible, then secured and retained according to applicable legal and regulatory requirements.


Document Examples

Use these samples as a guide for your policy development. Fully customizable versions are available from The Policy Machine.