Policy
Policy Name
Security and System Logging Policy

Overview
Records (logs) of system, application and user activities and of information security events must be produced and kept for an agreed period of time. Audit logging should be enabled on systems (and devices) to log user activity at the application or transaction level. Audit logs are critical for incident response, future investigations, audit trails and troubleshooting.

Statement
The following logging requirements shall be implemented:
  • Organizations must enable audit logging (including security events) on systems and devices, including workstations, servers, and network devices.
  • Production applications and databases must have logging of user access and privileged activities.
  • Security event logging must include the following elements at minimum: user or system ID, evidence of log-on/log-off, event date and time, invalid log-on attempts, type of access (e.g. log-on, create, read, write, update), action success/failure, and privileged activities (e.g. changes to configurations, access rights, accounts/IDs or password resets).
  • Logs must be protected from tampering and reviewed periodically.
  • Security event logs must be retained or archived for at least 12 months.

Justification
The following benefits will be achieved:
  • Security, system and application events will be recorded and available for incident response, future investigations, forensics or operational support activities.
  • Accountability for user and system access activities will be ensured.

Scope
All employees, contractors, agents and third parties

Consequences for Noncompliance
Noncompliance with this policy can result in disciplinary action up to and including termination of employment or contract.

Topics
Logging (system, security, application)