
Sample – Information Secure Logging Standards

August 11, 2012

Scope

This standard applies to all corporate data, including corporate customer data, whether located at a corporate facility or a third-party facility, and whether handled by corporate employees or by corporate contractors, vendors, third-party service providers, or their staff or agents. This standard also applies to all wholly owned and partially owned subsidiaries.

The guidance in this standard shall be considered the minimum acceptable requirements for logging on any corporate system. This standard sets forth expectations across the entire organization. Additional guidance and control measures may apply to certain areas of corporate. This standard shall not be construed to limit application of more stringent requirements where justified by business needs or assessed risks.

Logging Standard

Corporate’s business functions rely upon the integrity, confidentiality, and availability of its computer systems and the information assets stored within them. Responsibilities and procedures for the management, operation and security of all information processing facilities must be established. This standard supports those objectives.

It is the policy of corporate to generate, protect and retain logs from its information systems sufficient to support the secure management and operation of those systems and the conduct of business. Logging and the handling of log data shall be in conformance with relevant corporate policies, and shall not, whether by intent or mistake, increase the risks to corporate information assets or business functions.

Roles & Responsibilities 

The End User is responsible for using corporate systems and services in a manner consistent with this standard and, when such activity is within their span of control, for the retention and disposal of the log records those systems produce.

The IT Custodian is responsible for defining and implementing security measures and controls to ensure the system(s)/application(s) are managed and operated in a secure and effective manner. 

The Chief Information Security Officer has overall responsibility for security policy, and in conjunction with the Information Security Department will be responsible for defining, implementing, managing, monitoring and reviewing compliance with this Logging Standard.

The Information Security Department will assist End Users and IT Custodians in assessing, defining, implementing, managing and monitoring appropriate controls and security measures. 

The Information Security Department will audit and review the adequacy of the controls and security measures in place to measure and enforce conformance to this standard.

Requirements and Implementations 

Security Administration

Certain constraints on logging must be adhered to in each environment. To preserve the integrity and completeness of logged data, no system may overwrite its logs until the retention duration specified for that environment has elapsed. These retention durations are detailed per environment.
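The following is an added example, not part of the standard itself, of how the "no overwrite before the retention duration" rule can be enforced and audited in code. The per-environment retention periods, the rotation tolerance, the file inventory and the `LogFile`, `may_overwrite` and `audit_retention` names are all assumptions made for the example; the standard gives no concrete values. `may_overwrite` is the check a rotation job should make before reusing a file, and `audit_retention` walks the surviving files of each environment and reports any span inside the retention window that no file covers, which is the evidence that something was overwritten early.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical per-environment minimum retention periods. The standard says
# durations are detailed per environment but gives no values; these are
# assumptions for the example.
RETENTION = {
    "production": timedelta(days=365),
    "staging": timedelta(days=90),
    "development": timedelta(days=30),
}

# Rotation is not instantaneous, so a small gap between the last record of
# one file and the first record of the next is tolerated (assumed value).
ROTATION_TOLERANCE = timedelta(minutes=5)


@dataclass(frozen=True)
class LogFile:
    environment: str
    name: str
    first_entry: datetime  # timestamp of the oldest record in the file
    last_entry: datetime   # timestamp of the newest record in the file


def retention_deadline(log, retention=RETENTION):
    """Earliest instant at which every record in `log` has been kept for the
    full retention period of its environment."""
    if log.environment not in retention:
        raise ValueError(f"no retention period defined for {log.environment!r}")
    return log.last_entry + retention[log.environment]


def may_overwrite(log, now, retention=RETENTION):
    """True only once the newest record in the file has aged past the
    environment's retention period. A rotation job must call this (or an
    equivalent check) and refuse to reuse the file before then."""
    return now >= retention_deadline(log, retention)


def audit_retention(logs, now, retention=RETENTION, tolerance=ROTATION_TOLERANCE):
    """Check that the surviving files of each environment cover the whole
    retention window ending at `now`.

    Returns {environment: [(gap_start, gap_end), ...]}; an empty list means
    the window is fully covered. A gap is evidence that a file was
    overwritten before its retention deadline (or was never written).
    """
    gaps = {}
    for env, period in retention.items():
        window_start = now - period
        cursor = window_start          # latest instant known to be covered
        env_gaps = []
        env_logs = sorted((l for l in logs if l.environment == env),
                          key=lambda l: l.first_entry)
        for log in env_logs:
            if log.first_entry - cursor > tolerance:
                env_gaps.append((cursor, log.first_entry))
            cursor = max(cursor, log.last_entry)
        if now - cursor > tolerance:
            env_gaps.append((cursor, now))
        gaps[env] = env_gaps
    return gaps


# Constructed inventory of log files for the example; not real data.
UTC = timezone.utc
NOW = datetime(2012, 8, 11, tzinfo=UTC)
SAMPLE_LOGS = [
    LogFile("production", "app-2011.log",
            datetime(2011, 1, 1, tzinfo=UTC), datetime(2011, 12, 31, 23, 59, 59, tzinfo=UTC)),
    LogFile("production", "app-2012-h1.log",
            datetime(2012, 1, 1, tzinfo=UTC), datetime(2012, 5, 31, 23, 59, 59, tzinfo=UTC)),
    # June 2012 is missing from production: a file was rotated away early.
    LogFile("production", "app-2012-q3.log",
            datetime(2012, 7, 1, tzinfo=UTC), NOW),
    LogFile("development", "dev-june.log",
            datetime(2012, 6, 1, tzinfo=UTC), datetime(2012, 6, 30, 23, 59, 59, tzinfo=UTC)),
    LogFile("development", "dev-current.log",
            datetime(2012, 7, 12, tzinfo=UTC), NOW),
    # No staging files at all, so the whole staging window is a gap.
]


if __name__ == "__main__":
    for log in SAMPLE_LOGS:
        print(f"{log.name}: may overwrite now? {may_overwrite(log, NOW)}")
    for env, env_gaps in audit_retention(SAMPLE_LOGS, NOW).items():
        print(env, env_gaps or "window fully covered")
```

Run as a script it shows that the 2011 production file still cannot be overwritten on the example date, that the June development file can, that production has a gap for June 2012, and that staging has no coverage at all. In practice the `first_entry`/`last_entry` values would be read from the files (or from the log management system's index) rather than constructed, and the audit would run on the Information Security Department's schedule.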

Exceptions to this standard must be detailed in a Risk Acceptance form approved by the System/Application Business Owner, the Executive Line of Business representative, the IT Custodian and the Information Security Compliance Department.