Policy Number: 12-005

Information Technology Audit and Logging

Category: Information Technology

Responsible Executive: Vice President and Chief Information Officer

Responsible Office: Information Technology


1. Purpose

To provide accurate and comprehensive audit logs in order to detect and react to inappropriate access to, or use of, information systems or data.

2. Applicability

This policy applies to all Information Systems that store, process or transmit University Data.

3. Definitions

Information System means an individual or collection of computing and networking equipment and software used to perform a discrete business function. Examples include the eLearning System, Student Information System, the EPIC electronic medical records system, a lab system and associated PC, or the set of desktop computers used to perform general duties in a department.

University of Florida Data means data in any format collected, developed, maintained or managed by or on behalf of the University, or within the scope of University activities. The terms ‘data’ and ‘information’ are used interchangeably in the context of the information security program.

4. Policy Statement

4.1. Access to Information Systems and data, as well as significant system events, must be logged by the Information System.

4.2. Information System audit logs must be protected from unauthorized access or modification.

4.3. Information System audit logs must be retained for an appropriate period of time, based on the Document Retention Schedule and business requirements. Audit logs that have exceeded this retention period should be destroyed according to UF document destruction policy.

5. References and Related Information

University Regulation 1.0102: Policies on Information Technology and Security
University of Florida Records Retention Schedules

NIST 800-53 revision 5: AU-2, AU-3, AU-4, AU-5, AU-6, AU-7, AU-8, AU-10, AU-11, AU-12


Additional Resources


Standard Number: SEC-TS-006.01
Standard Family: Information Security
Standard Category: Technical Security
Effective: 3-7-2017, Amended 7-18-2024 (substantive)

AUDITABLE EVENTS AND RECORD CONTENT STANDARD

Purpose:

In order for Information Technology activity and audit logs to be useful, they must record sufficient information to serve the operational needs, preserve accountability, and detect malicious activity. This standard defines these events and content.

Standard:

  1. All information systems will produce audit records for at least the following events:
    1. System startup and shutdown
    2. User logon and logoff
    3. Privilege escalation
    4. Account creations, changes or deletions
    5. Password changes
  2. Information systems should produce audit records for the following event types, depending on system capabilities:
    1. Starting and stopping of processes and services
    2. Installation and removal of software
    3. System alerts and error messages
    4. System administration activities
    5. Access to and modification of Restricted Data
  3. Log records will include at least the following elements:
    1. Identifier of the system that generated the event
    2. Timestamp of the event
    3. The action or type of event and any relevant data
    4. Success or failure of the action
    5. The user associated with the event
    6. Remote address, if the event occurs over a network connection

History: New 3-7-2017, Amended 7-18-2024 (administrative)