Policy
Audit log management policy
Outlines the University’s approach to audit log management
Updated on 20 March 2026
Purpose
Audit log management includes generating, storing, and analysing log files to identify and respond to suspicious or anomalous events occurring within the enterprise. The Audit Log Management Policy provides the processes and procedures for ensuring logs are created and properly analysed. This policy applies to all Faculties and Directorates, and all assets connected to the University network.
Responsibility
Digital and Technology Services (DTS) is responsible for all audit log management functions. Specifically, administrators are responsible for configuring the correct devices to generate, store, and transmit logs. DTS is responsible for informing all users of their responsibilities in the use of any assets assigned to them, such as applying updates regularly or restarting their systems. All University assets are required to comply with audit logging procedures.
It is the user’s responsibility to read and understand this policy and to conduct their activities in accordance with its terms. Users who find the policy statements to be unclear are encouraged to reach out to Digital and Technology Services (DTS) (https://www.dundee.ac.uk/it) to clarify ambiguities.
Exceptions
Exceptions to this policy must be made in writing and approved by your manager. The written request must contain:
- The reason for the request,
- Risk to the University of not following the written policy,
- Specific mitigations that will not be implemented,
- Technical and other difficulties, and
- Date of review.
All exceptions must be requested from DTS via the University Service Desk Self-Service Portal: https://help4u.dundee.ac.uk.
Policy
Generation
- An enterprise-wide strategy must be developed to establish and maintain an audit log process.
- This strategy must be documented.
- Documentation must be updated annually, or when significant changes have occurred.
- The contents of logs must be specified within the Secure Configuration Policy.
- Audit logging must be enabled on all enterprise assets.
- Audit logs must not be disabled on enterprise assets.
Transmission
- Procedures must be developed to move logs from enterprise assets to an audit log datastore.
- Access controls must be used to prevent audit logs from being modified in an unauthorised manner.
Storage
- Procedures must be developed to collect audit logs from enterprise assets.
- Sufficient storage space must be allocated for audit logs for the period required for analysis and retention.
- Sufficient space must be allocated to store audit logs on all enterprise assets.
- Sufficient space must be allocated to store audit logs on any centralised audit log datastore.
- Retention timeframes for audit logs should be in accordance with the enterprise data management process.
Review and Analysis
- All high severity events must be acted upon in accordance with the audit log management process.
Disposal
- All audit logs must be stored for a period specified by the audit log management process.
- Archived logs must be available for analysis.
- Disposal of audit logs should be in accordance with the enterprise data management process.
Review and Updates
This policy will be reviewed annually by the University and updated as necessary to reflect changes in technology, legislation, or institutional priorities.
Appendix: Definitions
University
The University of Dundee is a Scottish Registered Charity, No. SC01509, with its registered office at Tower Building, Nethergate, Dundee DD1 4HN.
Staff
Staff are salaried members of the University or contracted individually by the University to provide a service.
Student
A person pursuing any course of study in the University.
Visitors
A visitor is anyone, not a member of staff or student, requiring access to University premises or services.
Information
The result of processing, manipulating, or organising data. Examples include, but are not limited to, text, images, sounds, codes, computer programmes, software and databases.
Data
Information in raw form.
Confidentiality
Property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
Integrity
Property of accuracy and completeness.
Availability
Property of being accessible and usable upon demand by an authorized entity.