Information Security Audit and Accountability

Purpose

The purpose of this policy is to establish information security standards for the Security Log collection, analysis, reporting, and retention activities that support the audit and accountability processes relevant to University of Maryland Global Campus ("UMGC" or "University") Information Technology Resources.

Scope and Applicability

This policy applies to all University Information Systems and Information Technology Resources. All Users are responsible for adhering to this policy.

Definitions

Defined terms are capitalized throughout this Policy and can be found in the Information Governance Glossary.

1. Actions of individual system users should be uniquely traced to those users so they can be held accountable for their actions.
2. Information System Stewards need to capture information in audit logs. This ensures that they can trace the actions that they audit to a specific user. This may include capturing information from users, including but not limited to:
   1. What type of event occurred;
   2. When the event occurred (i.e. time stamps);
   3. Where the event occurred;
   4. Source of the event;
   5. Outcome of the event (i.e. success or fail indications, event-specific results); and Identity of any individuals, subjects, or objects/entities associated with the event.
3. Security Logs should be created and retained to the extent needed to enable the monitoring, analysis, investigation, and Reporting of unlawful or unauthorized system activity. Audit logs must be retained for a minimum of 60 days. Official records should be retained in accordance with the UMGC Records and Information Management Policy.
4. System capabilities should be provided that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
5. Security Logs shall be reviewed periodically and at a minimum, quarterly.
6. All security events found shall be reported to secops@umgc.edu.
7. Updated logged events shall be reviewed on an annual basis.
8. Alerts shall be configured that will be triggered in the event of a Security Logging process failure.
9. Automated notifications need to be sent to designated security personnel to immediately take appropriate action.
10. If technically and administratively feasible, audit information should be collected (e.g., logs) into one or more central repositories.
    
    For example – Information System Stewards should aggregate and store audit logs in a centralized location or locations within the organization. Storing audit logs in a centralized location supports orchestration, automation, correlation, and analysis activities by enabling a full picture of the audit logs and can support automated analysis capabilities including correlation of events across the enterprise. Information System Stewards should ensure that the central repository has the appropriate infrastructure, including protection mechanisms, and the capacity level to meet the logging requirements of the organization.
11. Audit information and audit logging tools should be protected from unauthorized access, modification, and deletion.
12. Security Logs should be properly secured so that the information may not be modified or deleted, either intentionally or unintentionally. Only those with a legitimate need-to-know should have access to audit information, whether that information is being accessed directly from logs or from audit tools.
13. Management of audit logging functionality should be limited to a subset of Privileged Users.
14. Audit logging functions should have restricted access by a limited number of Privileged Users that can modify Security Logs and audit settings.
15. Audit record review, analysis, and reporting processes should be correlated for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
16. Audit record reduction and report generation should be provided to support on-demand analysis and reporting. In addition, the security relevant audit information must be made available to personnel on-demand for immediate review, analysis, reporting, and event investigation support.

Exceptions

Exceptions to this policy should be submitted to the Sr. Director, Information Security for review and approval. If an exception is requested a compensating control or safeguard should be documented and approved.

1. Any Employee, Contractor, or third-party performing duties on behalf of the University with knowledge of an alleged violation of this Policy shall notify the Sr. Director, Information Security as soon as practicable.
2. Any Employee, Contractor, or other third-party performing duties on behalf of the University who violates this Policy may be denied access to Information Resources and may be subject to disciplinary action, up to and including termination of employment or contract or pursuit of legal action.

1. USM IT Security Standards, v.5, dated July 2022
2. NIST SP 800-171r2 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” dated February 2020.
3. Cybersecurity Maturity Model Certification (CMMC), v.2.0, December, 2021

1. UMGC Policy X-1.02 Data Classification 
2. UMGC Policy X-1.03 Records & Information Management
3. UMGC Policy X-1.04 Information Security 
4. UMGC Policy X-1.06 Information Security Incident Response
5. UMGC Policy X-1.08 IT Resources Configuration Management
6. UMGC Policy X-1.10 Identity and Access Management
7. UMGC Policy X-1.12 Acceptable Use
8. UMGC Policy X-1.22 System and Information Integrity