State of Alaska DRAFT Security Policies

Log Files Category

Each policy below is listed by Policy ID No. and Policy title, followed by its Policy Text and Policy Commentary.
38.0 Logs Required on Application Systems Handling Sensitive Information

Policy Text: All production application systems which handle sensitive State of Alaska information must generate logs that show every addition, modification, and deletion to such sensitive information.

Policy Commentary: The intention behind this policy is to be able to account for all changes to sensitive information like personnel records, strategic plans, and product design specifications. For example, the payroll database in most organizations should have an associated log which shows who updated the payroll amounts and when. This type of information will be very helpful when attempting to investigate and correct problems like errors and fraud. This policy essentially indicates which applications should have associated logs (also called "audit trails"). The log data elements (for example, whether a before-and-after image should be logged) will need to be determined on a case-by-case basis.
39.0 Inclusion of Security Relevant Events in System Logs

Policy Text: Computer systems handling sensitive, valuable, or critical information must securely log all significant computer security relevant events. Examples of computer security relevant events include: password guessing attempts, attempts to use privileges that have not been authorized, modifications to production application software, and modifications to system software.

Policy Commentary: This policy is intended to specify which computer systems must have system logs reflecting security relevant events. It is particularly relevant to microcomputers, workstations, local area network servers, client/server systems, and similar small systems that often lack adequate logs. It may be necessary to further specify what constitutes a "security relevant event" in the policy. Note that the policy only requires logs for systems handling sensitive, valuable, or critical information.
40.0 Required Retention Period of Logs

Policy Text: Logs containing computer security relevant events must be retained for at least three (3) months. During this period, such logs must be secured such that they cannot be modified, and such that they can be read only by authorized persons.

Policy Commentary: These logs are important for error correction, forensic auditing, security breach recovery, and related efforts. The intention of this policy is to clearly specify the retention period for logs as well as the need for secure storage of logs. The policy can be expanded to define explicitly what events are deemed as "security relevant." There is nothing special about three months; the figure will vary by agency and the nature of the business and the information involved. Be sure to check with internal legal counsel and records management staff about the appropriate time period to retain such records. The retention period for business transactions will generally be much longer than the retention period for security relevant events; a log of security relevant events generally does not contain business transactions.
41.0 Logs of User-Initiated Security Relevant Activities

Policy Text: To assure that users are held accountable for their actions on State of Alaska computer systems, one or more records tracing security relevant activities to specific users must be securely maintained for a reasonable period of time.

Policy Commentary: The intention of this policy is to clearly specify that all user-initiated security relevant activities must be logged and retained for a certain period (three months for instance). This information will be helpful to those people in security administration, computer operations, and internal auditing. The information also serves as a deterrent to abusive acts, as well as important information for the "help desk" to use when figuring out the nature of a problem. The policy makes reference to security relevant activities like user changes to file access privileges, user changes to a secret password, and the like.
42.0 Information to Capture When Computer Crime or Abuse is Suspected

Policy Text: To provide evidence for investigation, prosecution, and disciplinary actions, certain information must be immediately captured whenever it is suspected that a computer crime or abuse has taken place. The relevant information must then be securely stored off-line until such time as the State Computer Security Officer determines that State of Alaska will no longer need the information. The information to be immediately collected includes the current system states, as well as back-up copies of all potentially involved files.

Policy Commentary: This policy is intended to put systems management on notice that certain information must be captured and securely stored until needed by internal auditors, prosecutors, security administrators, and others. The policy allows evidence to be captured and secured, so that it will later be admissible in court. On the other hand, if the evidence remained on the computer for a certain period, there is a possibility that it could have been modified by unauthorized parties. If the evidence could have been modified, it will not be convincing in the eyes of the court. Note also that the process of capturing information should take place even if there is only a suspected problem. It is better to have this information and then dispose of it if it is not needed, than to not have the information and then be unable to take certain courses of action (such as prosecution). The policy thus makes sure that a snapshot of the current situation is preserved for later use.
43.0 Persons Authorized to View Logs

Policy Text: All security, system and application logs must be maintained in a form that cannot readily be viewed by unauthorized persons. A person is unauthorized if they are not a member of the internal audit staff, systems security staff, systems management staff, or if they do not clearly have a need for such access to perform regular duties. Unauthorized users must obtain written permission from the Agency Computer Security Officer prior to being granted such access.

Policy Commentary: The intention of this policy is to limit access to all logs--including security, application and system logs--to only those persons who have a bona fide need to have such access. Access by unauthorized persons can reveal user-IDs, transaction specifics, and other information that may be instrumental in fraud, sabotage, and other abuses. If logs are encrypted, they will be exceedingly difficult for unauthorized people to view or modify. In terms of off-site storage, encryption is really the only truly effective way to prevent unauthorized access. Rather than encryption, in less secure environments, use of file access controls may be sufficient. In some circumstances, written permission for access to application logs may be granted by the information owner/sponsor, rather than the Agency Computer Security Officer. This policy assumes that other types of access control will also be in place.
44.0 Regular and Prompt Review of System Logs

Policy Text: To allow proper remedial action, computer operations or information security staff must review records reflecting security relevant events in a periodic and timely manner.

Policy Commentary: The intention of this policy is to require that computer operations or information security staff promptly review logs. This review process can be greatly facilitated if the logs produce exception reports indicating items of a suspicious nature in need of follow-up. To ask a person to go through a log reflecting all system events on a busy multi-user system is like asking them to find a "needle in a haystack." Prompt review of logs might, for example, be important if there was a hacker who was attempting to guess passwords via a dial-up line. If the logs were never reviewed, and if there were no other mechanism (like pager alerts) to notify the people who could do something about it, the organization may never have become aware of the attacks. If the attacks were not stopped--or at least discouraged by telling the hacker that they are being closely monitored--the hacker may be encouraged to continue. Likewise, the chronological window for taking remedial action (such as stopping an employee from making copies of personnel records) closes quickly unless corrective steps are promptly initiated. In some environments, such as electronic funds transfer systems, the window in which adjustments must be made is very slim (a few days). In environments such as this, the time frame for log review may also be included in an agency-specific policy. The policy could be expanded to include application logs, in which case user management or information owners/sponsors may be involved in the review process.
45.0 Notification of Users About Logging of Security Violations

Policy Text: Users must be put on notice about the specific actions that constitute security violations. Users must also be informed that such violations will be logged. Violations will subject users to disciplinary actions up to and including termination and prosecution.

Policy Commentary: The intention of this policy is to require that all users be clearly informed about the actions which constitute a security violation. To discourage users from engaging in these actions, they should be told that their activities will be logged. Disciplinary action will be very difficult if users have not been told about, and do not clearly understand, what is expected of them. Violations will subject users to disciplinary actions up to and including termination and prosecution. Typically these violations would include attempts to compromise controls through password guessing, changing system access controls, as well as other actions such as crashing the system.