Purpose
The purpose of this Logging and Monitoring Policy is to establish guidelines and procedures for the systematic logging and monitoring of information systems at Southwestern Oklahoma State University (SWOSU). This policy aims to enhance the security posture of the university by ensuring the timely identification of security incidents, anomalies, and suspicious activities, thereby facilitating proactive response and mitigation efforts.
Scope
This policy applies to all hosts, networking equipment, and associated systems that are part of SWOSU's information technology infrastructure. It encompasses the necessary logging activities, centralized logging requirements, monitoring activities, authorized personnel access, and retention practices to maintain the integrity and security of SWOSU's information systems.
Statement
Southwestern Oklahoma State University (SWOSU) prioritizes the security of its information systems and data. Our Logging and Monitoring Policy establishes guidelines for systematic practices to detect and respond to security incidents. By adhering to this policy, SWOSU aims to enhance overall security, minimize risks, and ensure continuous functionality. All SWOSU community members must comply with this policy, contributing to a safe and secure digital environment for academic and administrative activities. The policy will be regularly reviewed and updated to address emerging threats, reflecting our ongoing commitment to information security.
Policy
A. Required Logging Activities
- All hosts and networking equipment within SWOSU must generate security logs for all system components.
- Institutions shall ensure that each logging host’s clock is synchronized to a common time source, whenever feasible.
- All hosts and networking equipment must issue alerts promptly on security log processing failures, including software/hardware errors, failures in the log capturing mechanisms, and when log storage capacity is reached or exceeded. All alerts must be as close to real-time as possible.
B. Centralized Logging Requirements
- All security events (refer to Appendix A) for High Impact Systems must be transferred to a managed logging service in real-time or as quickly as technology allows.
- Systems running workstation operating systems used for shared services (e.g., shared file storage or web services) must also meet these centralized logging requirements.
- Log integrity for consolidated log infrastructure must be preserved, such as storing logs in read-only mode.
C. Required Monitoring Activities
- Processes must be developed and implemented to review logs for all systems to identify anomalies or suspicious activity.
- Security baselines should be developed, and automated monitoring tools should be utilized to generate alerts when exceptions are detected.
- Systems monitored for anomalies or suspicious activity through a managed logging service are not required to be further monitored for the same activity locally, although dual monitoring is encouraged.
D. Authorized Personnel
- Logs shall be secured by limiting access to individuals whose access is needed to perform their job duties.
- Access to log management systems must be recorded to track and monitor personnel accessing log data.
E. Retention
- Electronic logs created due to the monitoring outlined in this policy should be maintained and readily available for a minimum of 30 days.
- Systems collecting logs must maintain sufficient storage space to meet the minimum requirements for both readily available and retained logs.
- Storage planning must account for log bursts or increases in storage requirements resulting from system issues, including security incidents.
Responsibilities
- The IT department at SWOSU is responsible for implementing and maintaining the logging and monitoring infrastructure.
- Department heads are responsible for ensuring that their respective teams comply with the logging and monitoring policy.
- Compliance with this policy will be periodically audited, and any deviations will be addressed promptly.
Review and Revision
- The logging and monitoring policy will be reviewed annually to ensure its effectiveness and relevance.
- Any necessary revisions will be made to address emerging threats, technological advancements, or changes in the university's infrastructure.
Appendix A: Security Events
- A detailed list of security events that must be logged and monitored will be maintained in an appendix, regularly updated to reflect current security concerns and requirements.
Enforcement
Individuals who violate this policy may be subject to disciplinary action based on associated handbooks. When appropriate, SWOSU may restrict a violator’s access to SWOSU resources pending further investigation of a possible violation of this policy. Individuals who violate security policies, standards, or security procedures are subject to disciplinary action up to and including dismissal but may also include criminal or civil legal actions.
Incident Reporting
Violations of this policy should be reported to the SWOSU ITS Helpdesk via phone at (580) 774-7070 or via email at helpdesk@swosu.edu.
Policy Review
The ITS Operations Administrator will be responsible for reviewing and updating this policy at least annually.
Revision & Approval History
| Date of Change | Version | Responsible | Summary of Change | Date Approved | Approved By |
| 9/14/2023 | 1 | ITS | Created as policy | 6/26/2025 | ECC |