Feb 28, 2024  
DMACC Policies and Procedures 

IS7035 - Logging & Monitoring


Procedure

Section: INFORMATION SOLUTIONS PROCEDURES

SubSection: Information Security

Master List Section: Information Solutions

Purpose

IT infrastructure components form a crucial part of DMACC operations. IT assets are constantly under threat from malicious users and, as a result, need to be monitored effectively and continuously for any abnormal activity. Security controls have been implemented on the IT assets to protect them from unforeseen threats. This procedure aims to establish an effective enterprise-level system to centrally log and monitor information security controls.

Scope

This procedure applies to:

  • All staff (permanent and on contractual basis) and non-employees (contractors, consultants, suppliers, vendors etc.) of DMACC and other individuals, entities or organizations that have access to and use DMACC’s information processing systems and card holder data environment to perform their daily job-related responsibilities or meet their contractual obligations.
  • All Students of DMACC that access DMACC resources.
  • Any individual accessing a DMACC owned asset.
  • Relevant third-party personnel responsible for logging, monitoring, analysing, and reporting DMACC’s IT infrastructure.
  • All critical information assets owned by DMACC.

Procedure Statements

Logging shall be enabled on all information processing assets. All access to critical applications and DMACC’s network shall be logged and monitored for suspicious activities or security breaches and adequate response mechanism shall be set up for controlling security breaches.

Monitoring Responsibility

The DMACC IT Security Team (IST) shall monitor the security logs.

Monitoring of security logs is the responsibility of the DMACC IST and shall be carried out during business hours (8 AM to 5 PM).

The DMACC IST shall report to the Executive Director, Information Solutions on the status of the activities monitored and reviewed for any security-related incidents.

Identified incidents shall be reported immediately. Information shall be submitted to the Executive Director, Information Solutions whenever an incident is identified.

Logging and Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimize disruptions to business processes.

Log Monitoring

Log monitoring system (SIEM solution) shall be in place to record any information security events.

A centralized log monitoring solution shall be implemented.

Systems can be configured to push logs to a central log server to avoid deletion by unauthorized users.

Logging shall be enabled for all the critical devices including application servers, network devices and security devices.

Server system administrators, application administrators, and network and security administrators are responsible for ensuring that all logs generated by the core servers, applications, routers, switches, IPS and firewalls are identified and classified.

The logs of the applications shall be monitored periodically to ensure proper functioning and procedure compliance.

The following activities and parameters, among others, shall be logged and monitored:

  • Access to all audit trails
  • Initialization of audit logs
  • Stopping or pausing of audit logs
  • Remote access activities of vendors
  • All individual access to cardholder data
  • Actions taken by any individual with root or administrative privileges
  • Invalid logical access attempts
  • Identification and authentication mechanisms
  • Creation and deletion of system-level objects
  • Parameters related to audit trails:
      • Ensure user identification is included in log entries.
      • Ensure type of event is included in log entries.
      • Ensure date and time stamp is included in log entries.
      • Ensure success or failure indication is included in log entries.
      • Ensure origination of event is included in log entries.
      • Ensure identity or name of affected data, system component, or resources is included in log entries.
  • Ensure logs for external-facing technologies are offloaded or copied onto a secure centralized internal log server or media.
  • Ensure file-integrity monitoring or change-detection software is in place for logs by examining system settings, monitored files and results from monitoring activities.
  • Ensure security logs are monitored daily and exceptions detected are followed up.
  • Log retention should be implemented on a per-application basis to ensure security-related information is retained for an acceptable period of time.
  • Ensure that audit trails are enabled and active for system components.
  • Ensure ONLY individuals who have a job-related need can view audit trail files. Access to audit trail files shall be monitored regularly.
  • Ensure current audit trail files are protected from unauthorized modification (via access control mechanisms, physical segregation, and/or network segregation).
  • Ensure current audit trail files are promptly backed up to a centralized log server or media that is difficult to alter.
  • The logs shall be analysed for the following:
      • Unauthorized access
      • Configuration changes
      • Abnormalities in mail routing events
      • Failed logins
      • Denial of service attempts
  • Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts.
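As an added illustration (not part of DMACC's procedure or tooling), the following Python script checks constructed sample log entries for the audit-trail fields required above (user identification, event type, timestamp, success/failure, origination, affected resource) and then picks out failed-login bursts and events that touch the audit trail itself or come from privileged accounts. The JSON field names, the three-failure threshold, the privileged account names and the sample entries are assumptions made for this illustration.

```python
"""Check log entries against the audit-trail content requirements listed
above and run a simple review over them.

Added illustration; the sample entries are constructed, not DMACC data.
"""
import json
from collections import Counter

# Fields every audit log entry must carry: user identification, type of event,
# date and time stamp, success or failure, origination, affected resource.
# The field names themselves are assumed for this illustration.
REQUIRED_FIELDS = ("user", "event", "timestamp", "outcome", "source", "target")

# Constructed sample entries, one JSON object per line.
SAMPLE_LOG = """\
{"user": "jdoe", "event": "login", "timestamp": "2024-02-28T09:01:10Z", "outcome": "failure", "source": "10.0.5.23", "target": "erp-app01"}
{"user": "jdoe", "event": "login", "timestamp": "2024-02-28T09:01:25Z", "outcome": "failure", "source": "10.0.5.23", "target": "erp-app01"}
{"user": "jdoe", "event": "login", "timestamp": "2024-02-28T09:01:40Z", "outcome": "failure", "source": "10.0.5.23", "target": "erp-app01"}
{"user": "jdoe", "event": "login", "timestamp": "2024-02-28T09:02:00Z", "outcome": "success", "source": "10.0.5.23", "target": "erp-app01"}
{"user": "root", "event": "audit_log_stop", "timestamp": "2024-02-28T09:05:00Z", "outcome": "success", "source": "10.0.1.4", "target": "db-core01"}
{"user": "svc_backup", "event": "file_read", "timestamp": "2024-02-28T09:07:00Z", "outcome": "success", "source": "10.0.9.8"}
{"event": "config_change", "timestamp": "2024-02-28T09:08:00Z", "outcome": "success", "source": "10.0.9.8", "target": "fw-edge01"}
"""

# Event types the procedure singles out: stopping/pausing audit logs and
# configuration changes. Privileged account names are assumed.
HIGH_INTEREST_EVENTS = {"audit_log_stop", "audit_log_pause", "config_change"}
PRIVILEGED_USERS = {"root", "administrator"}
FAILED_LOGIN_THRESHOLD = 3  # assumed threshold for this illustration


def parse_log(text):
    """Parse newline-delimited JSON entries; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def missing_fields(entry):
    """Return the required audit-trail fields absent or empty in one entry."""
    return [f for f in REQUIRED_FIELDS if f not in entry or entry[f] in ("", None)]


def validate_entries(entries):
    """Map the index of each non-compliant entry to its missing fields."""
    problems = {}
    for i, entry in enumerate(entries):
        missing = missing_fields(entry)
        if missing:
            problems[i] = missing
    return problems


def failed_login_sources(entries, threshold=FAILED_LOGIN_THRESHOLD):
    """(user, source) pairs with at least `threshold` failed logins."""
    counts = Counter(
        (e.get("user"), e.get("source"))
        for e in entries
        if e.get("event") == "login" and e.get("outcome") == "failure"
    )
    return {key: n for key, n in counts.items() if n >= threshold}


def flagged_events(entries):
    """Entries that touch the audit trail or come from privileged accounts."""
    return [
        e for e in entries
        if e.get("event") in HIGH_INTEREST_EVENTS or e.get("user") in PRIVILEGED_USERS
    ]


def review(text):
    """Run all three checks over a raw log and return their results together."""
    entries = parse_log(text)
    return {
        "incomplete": validate_entries(entries),
        "failed_logins": failed_login_sources(entries),
        "flagged": flagged_events(entries),
    }


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    for idx, fields in result["incomplete"].items():
        print(f"entry {idx}: missing {', '.join(fields)}")
    for (user, src), n in result["failed_logins"].items():
        print(f"{n} failed logins for {user} from {src}")
    for e in result["flagged"]:
        print(f"flagged: {e.get('user', '?')} {e.get('event')} on {e.get('target', '?')}")
```

Running the script on the sample reports two entries that fail the content requirements (one without an affected resource, one without a user), one account with three failed logins from a single source, and two flagged entries (the root account stopping audit logging, and a configuration change with no user recorded). In practice the same checks would run against entries exported from the centralized log server rather than an inline sample.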

Intrusion Prevention System

An Intrusion Prevention System (IPS) shall be installed to monitor for real-time network-based attacks, administrative activities, and unauthorized access.

A Network-based Intrusion Prevention System (NIPS) shall be deployed to monitor the traffic to the following systems:

  • Systems being accessed from the Internet and third-party networks
  • Critical internal application servers

For critical servers, a Host-based Intrusion Prevention System (HIPS) shall also be deployed to monitor the traffic.

Alerts shall be configured in the IPS system to automate the monitoring activity. Different types of alerts need to be configured for different attacks based on the severity.

The Network Security team is responsible for tracking the IPS alerts.

The respective application owners shall be informed about attacks targeted at their systems.

The action to be taken for each type of alert shall be identified and documented by Information Security. If feasible, the IPS shall be configured to send alerts automatically.

Performance Monitoring

IT Infrastructure and Operations is responsible for setting up automated systems for monitoring the performance of critical servers and devices.

The performance of all critical application servers shall be continuously monitored. The parameters that need to be monitored include CPU usage, Memory, and disk space utilization. High levels of system resource utilization could occur if the system is under attack.

The Executive Director, Information Solutions in coordination with the DMACC IST shall define acceptable threshold levels for all parameters that are being monitored.

For example, an NFS (Network File System) server could have its acceptable CPU usage level defined at 50%. If CPU utilization exceeds 50%, this is an indication of abnormal activity and shall be reported and investigated.

Performance monitoring systems shall have a provision for real-time monitoring and automatic alerting.

Incident Reporting

Any incident shall immediately initiate the IT Incident Management Process as per the IT Incident Management Procedure.

The DMACC IST, along with the corresponding system/application/network administrators, shall prepare the “Log Analysis Report” after any event is identified.

Backup

Logs in the centralized log repository shall be backed up on a periodic basis as per Data Backup and Recovery Procedure.

The backup logs shall be protected from unauthorized access.

Documentation

Information Security shall maintain up-to-date documents related to the monitoring process, including records, log configuration documents, and SOPs for DMACC IST Operations.

The access and distribution of these documents and records shall be controlled.

Annexure

Logs need to be enabled on the following systems. For each system, the log type and the events to be reviewed or logged are listed.

Server/Applications

Event Logs

  • ALL

Security Logs

  • Authentication failures
  • Account created/deleted/disabled
  • Password change for privileged accounts
  • Changes in security configuration settings
  • Start and stop of service
  • System errors or failures
  • Administrator & Operator Logs

Application Logs

  • User access; log on- log off
  • Use of privileges
  • Changes to application
  • Password changes
  • Application errors/failures
  • Application service start/stop
  • Administrator & Operator Logs

Switches/Routers

Syslog

  • Number of login & log-off attempts
  • User id / Change in privileges
  • Configuration Changes
  • Console alerts
  • Administrator & Operator Logs

Firewall / Other Security devices

Logs

  • Number of login & log-off attempts
  • User id
  • Configuration Changes
  • Console alerts
  • VPN Tunnels
  • Administrator & Operator Logs

Database Logs

Logs (Database, Oracle, and SQL)

  • Successful Login attempts
  • Failed Login attempts
  • Relevant Audit Options for Database
