Page 27 - Information_Security_Program

SYSTEM LOGGING AND MONITORING [DP280]

        Scope: IT Staff (I.S.).
        Distribution: Executive Leadership Team; Director of Information Technology, Privacy and Data Security; IT Staff, Directors, Managers
        and Supervisors.
        Purpose: To detect unauthorized access to and use of information systems.
        External Regulation or Standard: 45 CFR 164.312(b); 45 CFR 164.308(a)(1)(ii)(D) ‐ Security Management Process; PCI DSS 5.2,
        10.1 – 10.7

         Who is Responsible    Statement Number    Policy, Standard, or Procedure Statement
         IT Staff              DP280.1             The organization will track and review system activity by unique ID according
                                                   to the parameters in this policy and report quarterly to the Chief Financial
                                                   Officer.
         IT Staff              DP280.2             Review unauthorized and failed log‐on attempts daily for systems processing,
                                                   storing, or transmitting payment card data or PHI. Report 5 or more
                                                   unauthorized or failed log‐on attempts to the Chief Financial Officer and the
                                                   Director of Information Technology, Privacy and Data Security as soon as
                                                   identified.
         IT Staff              DP280.3             Review audit logs for any changes made to the system security settings for
                                                   systems processing, storing, or transmitting payment card data or PHI, and
                                                   report changes to the Chief Financial Officer and the Director of Information
                                                   Technology, Privacy and Data Security.
         IT Staff              DP280.4             Enable anti‐virus software log generation for systems processing, storing, or
                                                   transmitting payment card data.
         IT Staff              DP280.5             Configure automated synchronization to a centralized time standard on all
                                                   servers, internetworking equipment, and access control devices that support it.
         IT Staff              DP280.6             Retain audit logs according to the Board Retention Policy.
         IT Staff              DP280.7             Secure audit trails so they cannot be altered by:

                                                   Limiting the viewing of audit trails to those with a job‐related need;
                                                   Protecting audit trail files from unauthorized modifications;
                                                   Promptly backing up audit trail files to a centralized log server or media
                                                     that is difficult to alter;
                                                   Writing logs for external‐facing technologies onto a log server on the
                                                     internal LAN;
                                                   Using file‐integrity monitoring or change‐detection software on logs to
                                                     ensure that existing log data cannot be changed without generating alerts
                                                     (although new data being added should not cause an alert).























        GES CONFIDENTIAL