University Policies and Procedures Manual (previously Business Policies and Procedures Manual)

Logging And Monitoring

UPPM 87.50

For more information contact:
   Information Technology Services


1.0   Overview and Purpose

1.1   Information Assurance Policies Generally

The purposes of the information assurance policies in UPPM Chapter 87: Information Technology and Security are to:

  • Set requirements to ensure the privacy, confidentiality, integrity, and availability of Washington State University (WSU) data;
  • Support institutional goals and strategies with appropriate methods for administratively, technically, and operationally protecting data; and
  • Define the criteria WSU follows to meet requirements for protecting data, which are determined by Information Owners.

The policies in this chapter comply with Federal Information Processing Standards (FIPS 199), which are intended to help organizations achieve a common level of quality and interoperability in information technology (IT) by requiring categorization of systems as low-impact, moderate-impact, or high-impact for the stated security objectives of confidentiality, integrity, and availability.

To determine the potential consequence of a loss event, the Federal Information Processing Standards:

  • Define WSU Information Owners’ impact categorization rating (Low, Moderate, or High);
  • Dictate which security controls are mandatory based upon the categorization level;
  • Define the strength, frequency, and formalization of those controls; and
  • Influence audit burden and continuous monitoring rigor.

See UPPM 87.01 for definitions, general information, and violations related to this policy, as well as additional information regarding roles and responsibilities.

1.2   Specific Policy Overview and Purpose

Effective logging and monitoring are essential to protecting WSU’s information systems by enabling the timely detection of security events, misuse, and system anomalies. This policy establishes the requirements for logging and monitoring as well as generating, reviewing, and securing audit records to support operational oversight, incident investigation, and regulatory compliance.

2.0   Applicability

This policy applies to all WSU system users who have contact with, or potentially may have contact with, WSU data, applications, and computing resources.

Security control exceptions to policy statements in UPPM Chapter 87 are managed and maintained in accordance with UPPM 87.23.

3.0   Roles and Responsibilities

3.1   Chief Information Officer

The Chief Information Officer (CIO) of WSU, or designee, is responsible for administering this policy and reviewing it on an annual basis.

3.2   Information System Owners

Information System Owners, or their delegates, are responsible and accountable for developing appropriate Standard Operating Procedures (SOPs) for this policy’s implementation. 

3.3   Office of Information Security and Assurance (OISA)

WSU’s Office of Information Security and Assurance (OISA) shall maintain the standard (PDF) associated with this policy and provide guidance for the associated procedures for the implementation of this policy (see examples (PDF)).

Note: While all units are required to adhere to the standard established by OISA (NIST SP 800-53), procedural examples for implementation are optional.

4.0   Requirements

4.1   General

Information System Owners, or their delegates, must enable logging and monitoring on all institutionally owned information systems and network devices.    

Logging and monitoring are to be conducted in compliance with all applicable laws and regulations.

WSU reserves the right to access any WSU owned system, including networks, computers, electronic communication devices, phones, and cell phones to monitor for suspicious activities and security events.

Information System Owners, or their delegates, must monitor for the use of unauthorized network services and alert the WSU Security Operations Center (SOC) when such use is detected.

Information System Owners must identify the information systems within their area for which they are responsible and determine the security-related events each information system is capable of logging in support of auditing.

Information System Owners, or their delegates, in coordination with WSU’s SOC, must determine, document, and regularly update a list of events within their information systems that are to be logged.

WSU must log and monitor the execution of privileged functions.

Information System Owners, or their delegates, must coordinate their logging functions with WSU’s SOC and auditing functions with Internal Audit.

Information System Owners, or their delegates, are to determine and document the event types to be logged, and the audit records generated for those events must contain the information relevant to the recorded event.

Only authorized individuals are permitted to make changes to system logging parameters.

Information System Owners, or their delegates, must allocate adequate audit record storage capacity to meet institutional data retention requirements in accordance with UPPM 90.01.

In the event of an audit log processing failure, appropriate business unit personnel are to be notified and take appropriate action.

System audit records are to be regularly reviewed and analyzed for indications of inappropriate or unusual activity, and analysis findings are to be reported to appropriate business unit personnel. The level of review and analysis must be increased during times of elevated risk, based on law enforcement information, intelligence information, or other credible sources.

Logging systems must generate audit records with time stamps that are synchronized with an approved time source.

WSU must maintain a Security Information and Event Management (SIEM) system to process, sort, and search audit records, as well as generate on-demand reports to support investigative, regulatory, and/or legal requirements. 

Information systems must be configured to protect audit information and audit logging tools from unauthorized access, modification, and deletion.

The management of audit logging functionality is to be limited to appropriate business unit personnel according to their roles. An alert must notify appropriate business unit personnel upon detection of unauthorized access, modification, or deletion of audit information.

Logs are to be saved in accordance with UPPM 87.75 and disposed of in accordance with UPPM 87.72.

All Information System Owners and network administrators shall be properly trained on logging and monitoring in accordance with UPPM 87.21.

4.2   Moderate- and High-Impact Systems

In addition to the above, the following requirements apply to all moderate- and high-impact systems.

Audit records for moderate- and high-impact systems must include additional information to support after-the-fact investigations.

For moderate- and high-impact systems, audit record review, analysis and reporting must be integrated using automated mechanisms and correlated across different repositories to gain WSU-wide situational awareness. 

Moderate- and high-impact system logs are to be stored on a system different from the one that generated them. Cryptographic mechanisms must be used to protect the integrity of audit information in accordance with UPPM 87.33.
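The two requirements above (off-host storage and cryptographic integrity protection), together with the 4.1 requirement to detect unauthorized modification or deletion of audit information, are commonly met with a hash-chained, keyed log. The following is an added illustration, not WSU's or OISA's code and not a prescribed implementation: each record commits to the SHA-256 hash of its predecessor and carries an HMAC, so modification, deletion, reordering and re-hashing by a party without the key are all detectable. The key value, sample records and record field names are constructed for the example; in practice the key belongs to the central log store or SIEM, not to the host that produced the records. Note that an HMAC proves integrity only to holders of the shared key; the non-repudiation requirement in 4.3 would additionally need per-record digital signatures, which this example does not implement.

```python
"""Tamper-evident audit log: a SHA-256 hash chain with an HMAC on every entry.

Added example (not WSU's or OISA's code).  LOG_KEY is a hypothetical value;
in practice the key is held by the central log store / SIEM, never by the
system that generates the records, so a compromised host cannot re-seal
its own log.
"""
import hashlib
import hmac
import json

LOG_KEY = b"hypothetical-log-store-key"   # placeholder for the example only
GENESIS = "0" * 64                         # prev-hash of the first record

# Constructed sample records: privileged-function executions (see 4.1).
SAMPLE_RECORDS = [
    {"ts": "2025-01-15T08:00:01Z", "host": "app01", "user": "alice",
     "event": "sudo", "cmd": "systemctl restart httpd", "outcome": "success"},
    {"ts": "2025-01-15T08:02:17Z", "host": "app01", "user": "bob",
     "event": "sudo", "cmd": "cat /etc/shadow", "outcome": "failure"},
    {"ts": "2025-01-15T08:05:44Z", "host": "app01", "user": "alice",
     "event": "useradd", "cmd": "useradd deploy", "outcome": "success"},
]


def _canonical(body: dict) -> bytes:
    """Deterministic serialisation so the same record always hashes the same."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _digest(body: dict) -> str:
    return hashlib.sha256(_canonical(body)).hexdigest()


def _mac(key: bytes, digest: str) -> str:
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()


def seal(records, key=LOG_KEY):
    """Chain the records: each entry commits to its predecessor's hash and
    carries an HMAC that only the key holder can produce."""
    chain, prev = [], GENESIS
    for seq, rec in enumerate(records):
        body = dict(rec, seq=seq, prev=prev)
        digest = _digest(body)
        chain.append(dict(body, hash=digest, mac=_mac(key, digest)))
        prev = digest
    return chain


def verify(chain, key=LOG_KEY, head=None):
    """Return (ok, index, reason).

    `head` is the most recent chain hash recorded out of band (e.g. by the
    SIEM at each export).  Without it, silently dropping the tail of the log
    cannot be detected, because a shorter chain is still internally valid.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry.get("seq") != i:
            return False, i, "sequence gap or reorder"
        if entry.get("prev") != prev:
            return False, i, "broken chain link"
        body = {k: v for k, v in entry.items() if k not in ("hash", "mac")}
        digest = _digest(body)
        if digest != entry.get("hash"):
            return False, i, "record modified"
        if not hmac.compare_digest(_mac(key, digest), entry.get("mac", "")):
            return False, i, "bad mac"          # re-hashed without the key
        prev = digest
    if head is not None and prev != head:
        return False, len(chain), "log truncated"
    return True, None, "ok"


def head_of(chain):
    """Chain head to record out of band after each export or rotation."""
    return chain[-1]["hash"] if chain else GENESIS


if __name__ == "__main__":
    chain = seal(SAMPLE_RECORDS)
    head = head_of(chain)
    print("intact:   ", verify(chain, head=head))
    tampered = seal(SAMPLE_RECORDS)
    tampered[1]["outcome"] = "success"      # rewrite a failed access as success
    print("modified: ", verify(tampered, head=head))
    print("truncated:", verify(chain[:-1], head=head))
```

The verifier is what the receiving log store runs, and the chain head it records out of band is what turns "the log is self-consistent" into "the log is complete": the 4.1 alert on unauthorized modification or deletion can be raised directly from a non-`ok` result.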

4.3   High-Impact Systems

In addition to the above, the following requirements apply to all high-impact systems.

Logs from high-impact systems must provide non-repudiable evidence of actions taken on the system.

For high-impact systems, Information System Owners, or their delegates, must allocate a threshold level of audit log storage volume. Appropriate personnel are to be notified when the allocated log storage volume reaches the threshold percentage of storage capacity.

For high-impact systems, WSU Information System Owners, or their delegates, must define audit log processing failures that will generate real-time alerts to be sent to the appropriate business unit personnel.

Audit record analysis for high-impact systems must be integrated with other data collection activities, including information obtained from physical access logs. 

Audit trail records from high-impact systems must be compiled system-wide with correlated time stamps.

5.0   Training

See UPPM 87.21 for training requirements related to UPPM Chapter 87.

In addition to the requirements in UPPM 87.21, Information System Owners are responsible for ensuring that users receive appropriate information security and privacy training commensurate with their roles, responsibilities, and authorized access to information systems under the Information System Owner’s authority.

_______________________
Revisions:  March 2026 (Rev. 654); July 2020 – new policy (Rev. 552)