Policy Number: 12-005

Audit and Logging Policy

Category: Information Technology

Responsible Executive: Vice President and Chief Information Officer

Responsible Office: Vice President and Chief Information Officer


1. Purpose

To provide accurate and comprehensive audit logs in order to detect and react to inappropriate access to, or use of, information systems or data.

2. Applicability

This policy applies to all Information Systems that store, process or transmit University Data.

3. Definitions

Information System: An individual or collection of computing and networking equipment and software used to perform a discrete business function. Examples include the eLearning System, ISIS, the EPIC electronic medical records system, a lab system and associated PC or the set of desktop computers used to perform general duties in a department.

University of Florida Data: Data in any format collected, developed, maintained or managed by or on behalf of the University, or within the scope of University activities. The terms ‘data’ and ‘information’ are used interchangeably in the context of the information security program.

4. Policy Statement

  1. Access to Information Systems and data, as well as significant system events, must be logged by the Information System.
  2. Information System audit logs must be protected from unauthorized access or modification.
  3. Information System audit logs must be retained for an appropriate period of time, based on the Document Retention Schedule and business requirements. Audit logs that have exceeded this retention period should be destroyed according to UF document destruction policy.

Additional Resources


AUDITABLE EVENTS AND RECORD CONTENT STANDARD

Purpose

In order for Information Technology activity and audit logs to be useful, they must record sufficient information to serve the operational needs, preserve accountability, and detect malicious activity. This standard defines these events and content.

Standard:

  1. All information systems will produce audit records for at least the following events:
    1. System startup and shutdown
    2. User logon and logoff
    3. Privilege escalation
    4. Account creation
    5. Password changes
  2. Information systems should produce audit records for the following event types, depending on system capabilities:
    1. Starting and stopping of processes and services
    2. Installation and removal of software
    3. System alerts and error messages
    4. System administration activities
    5. Access to and modification of Restricted Data
  3. Log records will include at least the following elements:
    1. Identifier of the system that generated the event
    2. Timestamp of the event
    3. The action or type of event and any relevant data
    4. Success or failure of the action
    5. The user associated with the event
    6. Remote address, if the event occurs over a network connection

History

Revision Date Description
March 7, 2017 Policy originally adopted
Policy updated