South Plains College
Information Services (SPC-IS)
Auditing and Accountability Standard: I-D(c)
Purpose
To ensure that SPC Information Services (SPC-IS) resources and information systems are established with adequate security controls and enhancements that reflect applicable federal and state laws, Executive Orders, directives, regulations, policies, standards, and guidance.
Standard
This Standard applies to all departments and users of SPC-IS resources and assets.
- Audit Events
The information system owners, in cooperation with the audit function and SPC-IS, shall:
- Determine that the information system can audit the following events: User Access, Application Installation, Configuration Changes
- Coordinate the security audit function with other organizational entities requiring audit.
- Provide a rationale for why the auditable events are deemed adequate to support after-the-fact investigations of security incidents.
- Determine that the following events are to be audited within the information system:
- User Access
- Application Installation
- Configuration Changes
- System Breaches
- Reviews And Updates
- The organization shall review and update the audited events continuously.
- Content of Audit Records
- The information system shall generate audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.
- Additional Audit Information
- The information system shall generate audit records containing the following additional information: date, time, and credentials used to access the system; date, time, and credentials used to install software; and date, time, and credentials used to make configuration changes.
- Audit Storage Capacity
- The information owner shall ensure audit record storage capacity is allocated.
- Transfer To Alternate Storage
- The information system shall off-load audit records continuously onto a different system or media than the system being audited.
- Response To Audit Processing Failures
The information system shall:
- Alert the System Administrator, Network Administrator, and ISO in the event of an audit processing failure
- Take the following additional actions: verify the existing audit records, and add capacity to audit record storage.
- Audit Storage Capacity
- The information system shall provide a warning to the System Administrator, Network Administrator, and ISO when the allocated audit record storage volume reaches 85% of the repository's maximum audit record storage capacity.
- Real-Time Alerts
- The information system shall provide an alert to the System Administrator, Network Administrator, and ISO when the following audit failure events occur:
- Multiple failed authorization attempts.
- Configurable Traffic Volume Thresholds
- The information system shall enforce configurable network communications traffic volume thresholds reflecting limits on auditing capacity and reject or delay network traffic above those thresholds.
- Audit Review, Analysis, And Reporting
The information system owner shall:
- Review and analyze information system audit records when unusual activity occurs, looking for indications such as multiple failed authorization attempts
- Report findings to ISO.
- Process Integration
- The information system owners shall ensure that automated mechanisms are employed to integrate audit review, analysis, and reporting processes in support of organizational processes for investigating and responding to suspicious activities.
- Audit Repositories
- The information system owner shall ensure analysis and correlation of audit records across different repositories to gain situational awareness.
- Audit Reduction and Report Generation
- The information system shall provide an audit reduction and report generation capability that:
- Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents.
- Does not alter the original content or time ordering of audit records.
- Automatic Processing
- The information system shall provide the capability to automatically process audit records for events of interest.
- Time Stamps
The information system shall:
- Use internal system clocks to generate time stamps for audit records.
- Record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
- Synchronization With Authoritative Time Source
The information system shall:
- Synchronize the internal information system clocks with NIST Time servers.
- Protection Of Audit Information
- The information system shall protect audit information and tools from unauthorized access, modification, and deletion.
- Access By Subset of Privileged Users
- SPC shall limit access to management of audit functionality to the subset of privileged users designated as authorized system personnel.
- Audit Record Retention
- The information system owners shall retain audit records for one year to support after-the-fact investigations of security incidents and meet regulatory and organizational information retention requirements.
- Long-Term Retrieval Capability
- The information system owners shall employ cloud backup to ensure that long-term audit records generated by the information system can be retrieved.
- Audit Generation
The information system shall:
- Provide audit record generation capability for auditable events.
- Allow the System Administrator, Network Administrator, and ISO to select which auditable events are to be audited by specific information system components.
- Time-Correlated Audit Trail
- The information system shall compile audit records from network equipment, firewalls, and authentication systems into a time-correlated (logical or physical) audit trail.
- Standardized Formats
- The information system shall produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format.
- Changes By Authorized Individuals
- The information system shall provide the capability for the System Administrator, Network Administrator, or ISO to change the auditing to be performed on network equipment, firewalls, and data servers.
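As an added illustration, not part of the SPC standard or of any SPC-IS tooling, the following Python sketch shows how the measurable requirements above fit together in one audit trail: every record carries the six mandatory fields (what, when, where, source, outcome, identity); time stamps from sources in different time zones are mapped to UTC so that records from a firewall, an authentication system, and network equipment merge into a single time-correlated trail in one standardized (JSON) format; audit reduction produces a filtered view and a digest proves the original trail was not altered; the 85% storage threshold raises a warning; and repeated failed authentication from one address raises an alert. The native log formats, host names, addresses, and the reading of "multiple" failed attempts as three or more are constructed assumptions.

```python
"""Added example (not from the SPC standard): a minimal standardized audit trail."""
import hashlib
import json
from datetime import datetime, timezone

# The six mandatory fields: what, when, where, source, outcome, who (AU-3).
REQUIRED_FIELDS = ("event_type", "timestamp", "host", "source", "outcome", "subject")
STORAGE_WARN_FRACTION = 0.85   # the standard's 85% storage warning threshold
FAILED_AUTH_THRESHOLD = 3      # assumption: "multiple" failed attempts means 3 or more


def to_utc(ts: datetime) -> str:
    """Map an offset-aware time stamp to fixed-width UTC (RFC 3339 'Z' form), so that
    string order equals time order when records from several time zones are merged."""
    if ts.tzinfo is None:
        raise ValueError("time stamp must carry a UTC offset")
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def make_record(event_type, when, host, source, outcome, subject, **details):
    """Build one standardized record; refuse any record lacking a mandatory field."""
    rec = {"event_type": event_type, "timestamp": to_utc(when), "host": host,
           "source": source, "outcome": outcome, "subject": subject, "details": details}
    missing = [f for f in REQUIRED_FIELDS if not rec[f]]
    if missing:
        raise ValueError(f"audit record missing mandatory fields: {missing}")
    return rec


# Constructed sample lines from three sources, each in its own (hypothetical) native format.
# Note the firewall and switch log in US Central time while the auth server logs in UTC.
FIREWALL_LINES = [
    "2024-03-04 14:02:11 -0600 fw01 DENY src=10.1.2.3 dst=10.9.8.7 dport=22",
]
AUTH_LINES = [
    "2024-03-04T20:01:59+00:00 auth01 login FAIL user=jdoe from=10.1.2.3",
    "2024-03-04T20:02:03+00:00 auth01 login FAIL user=jdoe from=10.1.2.3",
    "2024-03-04T20:02:08+00:00 auth01 login FAIL user=jdoe from=10.1.2.3",
    "2024-03-04T20:05:00+00:00 auth01 login OK user=asmith from=10.1.5.9",
]
CONFIG_LINES = [
    "2024-03-04T14:03:30-06:00 core-sw1 config-changed by=admin.jane item=acl-22",
]


def kv(fields):
    """Turn ['k=v', ...] into a dict."""
    return dict(f.split("=", 1) for f in fields)


def parse_firewall(line):
    date, time_, tz, host, action, *rest = line.split()
    when = datetime.strptime(f"{date} {time_} {tz}", "%Y-%m-%d %H:%M:%S %z")
    d = kv(rest)
    return make_record("network_access", when, host, "firewall", action.lower(), d["src"], **d)


def parse_auth(line):
    ts, host, _, result, *rest = line.split()
    d = kv(rest)
    outcome = "success" if result == "OK" else "failure"
    return make_record("user_access", datetime.fromisoformat(ts), host, "auth", outcome, d["user"], **d)


def parse_config(line):
    ts, host, _, *rest = line.split()
    d = kv(rest)
    return make_record("configuration_change", datetime.fromisoformat(ts), host,
                       "network_equipment", "success", d["by"], **d)


def build_trail():
    """Merge all sources into one trail ordered by UTC time stamp (AU-12 time correlation);
    the sort is stable, so same-second records keep their arrival order."""
    recs = ([parse_firewall(l) for l in FIREWALL_LINES]
            + [parse_auth(l) for l in AUTH_LINES]
            + [parse_config(l) for l in CONFIG_LINES])
    return sorted(recs, key=lambda r: r["timestamp"])


def digest(trail):
    """Tamper evidence for the stored trail: SHA-256 over its canonical JSON form."""
    return hashlib.sha256(json.dumps(trail, sort_keys=True).encode()).hexdigest()


def reduce_trail(trail, event_type):
    """Audit reduction (AU-7): a filtered view for review that never modifies the original."""
    return [r for r in trail if r["event_type"] == event_type]


def storage_warning(used_bytes, capacity_bytes):
    """True once the repository reaches the 85% threshold (AU-5)."""
    return used_bytes >= STORAGE_WARN_FRACTION * capacity_bytes


def failed_auth_alerts(trail, threshold=FAILED_AUTH_THRESHOLD):
    """Real-time alert condition: repeated failed user-access events for one (user, address)."""
    counts = {}
    for r in trail:
        if r["event_type"] == "user_access" and r["outcome"] == "failure":
            key = (r["subject"], r["details"].get("from"))
            counts[key] = counts.get(key, 0) + 1
    return sorted(k for k, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    trail = build_trail()
    before = digest(trail)
    for r in reduce_trail(trail, "user_access"):
        print(json.dumps(r))
    assert digest(trail) == before          # reduction left the original untouched
    print("alerts:", failed_auth_alerts(trail))
    print("storage warning:", storage_warning(86, 100))
```

The point of the fixed-width UTC rendering is that the merged trail can be ordered by a plain string comparison even though the firewall and switch timestamps arrived with a -06:00 offset; in the sample, the 14:02:11 Central firewall deny lands between the 20:02:08 and 20:03:30 UTC events, where it belongs. Re-computing the digest after each review step is a cheap way to demonstrate the "does not alter the original content or time ordering" requirement to an auditor.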
Compliance
Employees who violate this policy may be subject to appropriate disciplinary action up to and including discharge as well as both civil and criminal penalties. Non-employees, including, without limitation, contractors, may be subject to termination of contractual agreements, denial of access to IT resources, and other actions as well as both civil and criminal penalties.
Policy Exceptions
Requests for exceptions to this policy shall be reviewed by the Information Security Officer (ISO) and the Chief Information Officer (CIO). Departments requesting exceptions shall make such requests to the CIO. The request should specifically state the scope of the exception along with the justification for granting it, the potential impact or risk attendant upon granting it, the risk mitigation measures to be undertaken by the IT Department, and the initiatives, actions, and time frame for achieving the minimum compliance level with the policies set forth herein. The CIO shall review such requests and confer with the requesting department.
Related Documents
1 TAC § 202.75
National Institute of Standards and Technology (NIST) Special Publications (SP): SP 800-53a – Auditing and Accountability (AU), NIST SP 800-12, NIST SP 800-92, NIST SP 800-100
An index of approved SPC-IS policies can be found on the SPC Policies website at http://www.southplainscollege.edu/human_resources/policy_procedure/?%20. The SPC Information Security Program and SPC Information Security User Guide are also available on the Information Technology Services Policies website.
Texas Security Controls Standards Catalog Control Group: AU-1, AU-2, AU-3, AU-4, AU-5, AU-6, AU-7, AU-8, AU-9, AU-10, AU-11, AU-12
NIST Function Groups: DE.AE-3, DE.CM-4, DE.CM-7