UM Audit Log Management

Issued Under Authority of: UM Information Security Policy
Responsible Office: UM Information Security Office
Category: Technology and Platform Security

IN PLAIN LANGUAGE

Audit logs are the University's digital record of who did what, when, and where across our systems and networks. This standard requires that University systems generate, collect, and retain these logs so that security incidents can be detected, investigated, and responded to effectively. IT teams are responsible for making sure logging is enabled and that logs are sent to centralized, protected storage. Logs must be kept for an appropriate period based on the sensitivity of the system, and critical alerts must be acted on promptly.


1. Purpose

The purpose of this Standard is to establish minimum requirements for the generation, collection, retention, review, and protection of audit logs for University Information Technology Resources. Effective audit log management supports the University's ability to detect security incidents, investigate anomalous activity, meet compliance obligations, and respond to operational and cybersecurity risks.

This Standard implements logging and monitoring requirements under the University's Information Security Program and aligns with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0.


2. Scope

This Standard applies to:

  • University-owned or University-managed information systems
  • Network devices, servers, endpoints, applications, and cloud services
  • Systems that store, process, or transmit University Data
  • Centrally managed and distributed IT environments across the University of Montana System

This Standard applies regardless of hosting location, including on-premises, cloud, and third-party-managed systems used for University business.


3. Roles and Responsibilities

3.1 Chief Information Security Officer (CISO)

The CISO is responsible for:

  • Establishing and maintaining this Standard
  • Approving exceptions to audit logging requirements
  • Escalating material logging or monitoring risks to executive leadership

3.2 Information Security Operations

Information Security Operations is responsible for:

  • Defining enterprise security logging requirements
  • Collaborating with Cyberinfrastructure on the operation and tuning of centralized logging and monitoring capabilities
  • Using audit logs to support threat detection, incident response, and investigations

3.3 Cyberinfrastructure and Information Technology Organizations

Cyberinfrastructure (UM's central infrastructure operations team) is responsible for:

  • Operating and maintaining the centralized logging infrastructure
  • Ensuring availability, performance, and scalability of log collection platforms
  • Implementing log storage, retention, and access controls in coordination with Information Security Operations

UM IT, UM System IT, and Distributed IT are responsible for:

  • Enabling required audit logging on systems under their management
  • Ensuring logs are transmitted to approved logging platforms where technically feasible
  • Addressing logging deficiencies identified through review or assessment

3.4 System and Application Owners

System and Application Owners are responsible for:

  • Ensuring logging requirements are met for systems under their authority
  • Coordinating remediation of logging gaps or failures

4. Audit Logging Principles

Audit logging must be implemented according to the following principles:

Sufficiency — Logs must provide adequate detail to support detection, investigation, and attribution.

Integrity — Logs must be protected from unauthorized modification or deletion.

Availability — Logs must be available when needed for security, operational, or compliance purposes.

Proportionality — Logging depth and retention must align with system risk and data classification.


5. Log Generation Requirements

5.1 Required Log Events

Systems must generate audit logs for security-relevant events, including where applicable:

  • Authentication and authorization attempts
  • Privileged or administrative actions
  • Configuration changes
  • Access to sensitive or restricted resources
  • System start-up, shutdown, and failure events

Specific log event requirements may be further defined in procedures or system-specific guidance.

5.2 Time Synchronization

Systems generating audit logs must synchronize clocks using approved time sources to ensure log accuracy and correlation.


6. Log Collection and Transmission

  • Audit logs should be transmitted to centralized log management systems where technically feasible
  • Transmission of logs must be protected against unauthorized access or alteration
  • Systems with limited connectivity or storage must implement compensating controls

7. Log Storage and Retention

7.1 Protection of Logs

  • Audit logs must be protected from unauthorized access, modification, and deletion
  • Access to logs must be restricted based on job role and business need

7.2 Retention

  • Log retention periods must align with data classification, regulatory requirements, and operational needs
  • Minimum retention periods may be defined in supporting procedures
  • Extended retention may be required for investigations, litigation holds, or compliance obligations

8. Log Review, Monitoring, and Analysis

  • Automated monitoring and alerting should be used to detect anomalous or suspicious activity
  • Logs must be reviewed at intervals appropriate to system risk and criticality
  • High-risk or critical alerts must be acted upon in accordance with incident response procedures

9. Integration with Incident Response

Audit logs must support:

  • Detection and analysis of security incidents
  • Containment and recovery activities
  • Post-incident review and lessons learned

Audit logging requirements must align with the Incident Response Standard.


10. Enforcement and Risk Response

When audit logging requirements are not met and no approved exception exists:

  • Additional controls or compensating measures may be required
  • Systems may be restricted or monitored more closely
  • Risk may be escalated to appropriate management or executive leadership

11. Exceptions

Exceptions to this Standard must:

  • Be documented with risk justification
  • Identify compensating controls where applicable
  • Be approved by the CISO or designee
  • Be reviewed periodically

12. Review and Maintenance

This Standard must be reviewed at least annually and updated as necessary to reflect changes in risk, technology, or regulatory requirements.


13. References

  • UM Information Security Policy
  • UM Incident Response Standard
  • UM Network Security Standard
  • UM Endpoint Management & Configuration Standard
  • NIST Cybersecurity Framework (CSF) 2.0
  • NIST SP 800-92, Guide to Computer Security Log Management
  • Center for Internet Security (CIS) Critical Security Controls