Defining the University’s approach to log management and forensic readiness
This control procedure defines the University’s approach to log management and forensic readiness, and directly supports the following policy statement from the Information Security Policy:
The University will ensure the correct and secure operations of information processing systems.
This will include documented operating procedures; the use of formal change and capacity management; controls against malware; defined use of logging; vulnerability management.
This procedure is intended to be read and understood by all users accessing University information, IT systems, networks or software using any University or personally owned device.
It is of particular relevance to ISDS and other staff who are responsible for the management of IT systems; and for those in, or working with, Legal, Security, Acadmeic Services and/or HR to pursue investigations.
Forensic readiness is the capability of an organisation to use digital evidence in an investigation into the (mis)use of its information management systems.
The requirement for forensic readiness arises from the universal use of ICT systems within the institution.
Digital evidence is likely to feature in a wide range of investigations or disputes, including but not limited to:
All users of the University network are subject to the collection of digital logs relating to their use of information management systems. This includes the logging of web and email traffic, authentication events and database transactions.
Logs identified as key indicators of security incidents are processed via a Security Information and Event Monitoring (SIEM) tool. This provides an aggregated view of key logs and also generates automated alerts based on pre-configured thresholds. These alerts and the source data are a key source of evidence for investigations and may trigger the Information Security team to undertake an investigation where a key policy or procedure has been shown to have been breached.
A forensic investigation is not a standalone investigation; it is an evidence-gathering exercise forming part of a broader investigation, falling under University policies concerning code of conduct, admission, discipline, grievance or dignity at work, etc. Authorisation to provide forensic evidence therefore needs to be gathered in accordance with the policy under which it is being requested.
The decision concerning what is requested for the purposes of an investigation will be set out within the specific Terms of Reference for a Forensic Investigation for formal investigations, specified by the investigator, or a request under Data Protection legislation from third party agencies involved in combating crime.
Complex or large scale investigations may require an investigation team to be appointed. Where possible this will remain in-house, however it may be necessary to include third party services/expertise as required but managed by the University to retain responsibility for the data.
Digital evidence must be stored and handled securely if it is to be admissible as part of a formal investigation. To ensure that all digital evidence is stored and handled in a manner that maximises its integrity a number of steps should be taken:
Log files will, where possible, be retained for 13 months for all University systems. If logs are retained for longer than this, they will be retained with a statement supporting their retention. The Information Security Team will handle log files retained as part of an ongoing investigation in line with the principles above.
Consideration must be given to log file creation, access and retention when establishing cloud services.
Failure to comply with this procedure could result in action in line with the University’s Disciplinary Procedure or Capability Procedure.
Compliance checks will be undertaken by the University’s Information Governance functions. The results of compliance checks, their risk assessment and their remediation will be managed by the Information Governance Board.
This control procedure needs to be understood in the context of the other policies and procedures constituting the University’s Information Security Management System.
A review of this policy will be undertaken by the Information Security team annually or more frequently as required, and will be approved by the Information Governance Board.