Policy Statement:

Rockhurst University is committed to maintaining the security and privacy of its information assets, ensuring compliance with the Gramm-Leach-Bliley Act (GLBA), and mitigating the risk of cyber incidents or breaches. This policy outlines the best practice steps for reviewing Security Information and Event Management (SIEM) logs to detect and proactively respond to potential threats and vulnerabilities.

Purpose:

The purpose of this policy is to establish guidelines for the regular review of SIEM logs to identify security incidents, assess risks, and take proactive measures to reduce the likelihood and impact of cyber incidents or breaches. The policy aims to ensure compliance with GLBA requirements and safeguard sensitive information.

Scope:

This policy applies to all employees, contractors, and authorized individuals who have access to Rockhurst University's information assets and SIEM logs.

Responsibilities:

  • Chief Information Officer (CIO): The CIO or designated representative shall be responsible for overseeing the implementation and compliance of this policy. They will ensure that appropriate resources and tools are available to facilitate the SEIM log review process.
  • Information Security Officer (ISO): The ISO or designated representative shall be responsible for coordinating the SIEM log review activities. They will ensure that the review is conducted promptly and in accordance with this policy.
  • IT Administrators: IT administrators shall perform regular SIEM log reviews in accordance with the guidelines outlined in this policy. They will investigate and escalate any identified security incidents or suspicious activities to the ISO or designated representative.

SIEM Log Review Process:

  • Log Collection and Aggregation: Rockhurst University has implemented a SIEM solution capable of collecting and aggregating logs from various systems, network devices, applications, and security tools across the organization. The SIEM system will be appropriately configured to ensure comprehensive log collection.
  • Log Retention: SIEM logs shall be retained for a minimum period as required by applicable regulations or industry standards. The retention period shall be documented and reviewed periodically to meet legal and operational requirements.
  • Regular Review:
    1. Frequency: SIEM logs shall be reviewed by designated IT administrators at a frequency based on the criticality of the system.
      • High-Risk Systems or Critical Infrastructure: Daily log review is recommended to detect and respond to potential threats promptly.
      • Medium-Risk Systems: Weekly log review is typically sufficient to identify and respond to security incidents in a timely manner.
      • Low-Risk Systems: Monthly log review may be appropriate, considering the lower likelihood and impact of security incidents.
    2. Review Guidelines: IT administrators shall follow the guidelines provided by the ISO to review the SIEM logs effectively. The guidelines should include the identification of common indicators of compromise (IOCs), patterns, anomalies, and potential security incidents.
    3. Incident Detection and Response: Any identified security incidents or anomalies shall be promptly investigated. IT administrators shall escalate potential incidents to the ISO or designated representative for further analysis and appropriate response.

SIEM Log Review Components:

The log review process should consist of the following key components:

  • Log Analysis: Review the collected logs from various systems, applications, network devices, and security tools for potential security incidents or suspicious activities. This includes analyzing log entries, timestamps, event types, and relevant details.
  • Event Correlation: Identify patterns, anomalies, or correlations between different log entries to uncover potential indicators of compromise (IOCs) or signs of unauthorized access, malicious activities, or system vulnerabilities.
  • Threshold Monitoring: Set thresholds or baseline metrics for specific log entries to trigger alerts or notifications when unusual or abnormal events occur, indicating a potential security incident.
  • User and Account Activity: Monitor and analyze user and account activities, including login attempts, access privileges, user behavior, and authentication logs, to identify any unauthorized access, privilege abuse, or suspicious behavior.
  • Network Traffic Analysis: Review network logs and traffic patterns to detect any unusual or malicious network activity, such as unauthorized connections, data exfiltration attempts, or unusual communication protocols.
  • System and Application Logs: Analyze system logs, including operating systems, databases, web servers, and critical applications, to identify potential security vulnerabilities, errors, or system misconfigurations that could be exploited.
  • Security Event Correlation: Correlate security events with threat intelligence feeds, known vulnerabilities, or external indicators of compromise (IOCs) to identify potential threats or attacks that match known patterns or signatures.
  • Incident Escalation and Response: Promptly escalate identified security incidents or suspicious activities to the appropriate incident response team or designated personnel for further investigation and response. Follow the incident response plan to mitigate the impact of the incident and initiate appropriate actions.
  • Documentation: Maintain detailed and accurate records of log reviews, including findings, actions taken, and any remediation measures implemented. This documentation is crucial for auditing, compliance, and future reference.
  • Continuous Improvement: Regularly evaluate and refine the log review process based on the analysis of historical logs, incident response feedback, emerging threats, and industry best practices. Implement necessary adjustments to enhance the effectiveness and efficiency of the log review process.
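The threshold-monitoring, user-activity and documentation components above, worked through as an added example that is not part of Rockhurst University's policy or tooling: a small Python review routine that applies a failed-login threshold per account within a sliding window, correlates a subsequent successful login from the same source to raise severity, and emits finding records in the shape a reviewer would file. The event list, field layout, threshold and window are constructed assumptions, not values from the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real logs):
# (timestamp, account, source address, outcome)
SAMPLE_EVENTS = [
    ("2024-03-01T08:00:01", "jdoe", "10.0.0.5", "FAIL"),
    ("2024-03-01T08:00:09", "jdoe", "10.0.0.5", "FAIL"),
    ("2024-03-01T08:00:15", "jdoe", "10.0.0.5", "FAIL"),
    ("2024-03-01T08:00:21", "jdoe", "10.0.0.5", "FAIL"),
    ("2024-03-01T08:00:30", "jdoe", "10.0.0.5", "FAIL"),
    ("2024-03-01T08:00:44", "jdoe", "10.0.0.5", "SUCCESS"),
    ("2024-03-01T08:05:00", "asmith", "10.0.0.9", "FAIL"),
    ("2024-03-01T09:30:00", "asmith", "10.0.0.9", "SUCCESS"),
]


def review_auth_events(events, threshold=5, window=timedelta(minutes=2)):
    """Threshold check: `threshold` failures for one account inside `window`
    produces a medium finding. Correlation: a SUCCESS for that account from the
    same source while the failure burst is still inside the window produces a
    high finding for escalation to the ISO. Returns finding records suitable
    for the review documentation (who, where, when, what, severity)."""
    findings = []
    fails = defaultdict(list)  # account -> [(time, source)] recent failures
    for ts, user, src, outcome in sorted(events):  # ISO timestamps sort correctly
        t = datetime.fromisoformat(ts)
        if outcome == "FAIL":
            fails[user].append((t, src))
            # drop failures that have aged out of the sliding window
            fails[user] = [(ft, fs) for ft, fs in fails[user] if t - ft <= window]
            if len(fails[user]) == threshold:  # alert once, on crossing the line
                findings.append({"user": user, "source": src, "at": ts,
                                 "severity": "medium",
                                 "finding": f"{threshold} failed logins within {window}"})
        elif outcome == "SUCCESS":
            recent = [f for f in fails[user] if t - f[0] <= window and f[1] == src]
            if len(recent) >= threshold:
                findings.append({"user": user, "source": src, "at": ts,
                                 "severity": "high",
                                 "finding": "success after failure burst; escalate to ISO"})
    return findings
```

A single failure followed much later by a success (the second constructed account) falls outside the window and correctly produces no finding.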

Incident Response and Mitigation:

  • Incident Response Plan: Rockhurst University shall maintain an incident response plan that outlines the steps to be taken in the event of a security incident. The plan shall include the roles and responsibilities of relevant stakeholders, communication procedures, and the escalation process.
  • Proactive Measures: Upon identifying potential security incidents or vulnerabilities, the ISO or designated representative shall coordinate with IT administrators to initiate proactive measures to reduce the risk and impact of the incident. This may include system patching, network segmentation, user awareness training, or other appropriate actions.

GLBA Compliance and Auditing:

  • GLBA Compliance: The SIEM log review process shall be conducted in accordance with GLBA requirements, including the protection of non-public personal information (NPI) and ensuring appropriate access controls, monitoring, and incident response procedures.
  • Audit and Monitoring: Rockhurst University shall conduct periodic internal and external audits to assess the effectiveness of the SIEM log review process, adherence to this policy, and compliance with GLBA regulations. Audit findings and recommendations shall be documented and addressed in a timely manner.

Training and Awareness:

Rockhurst University shall provide regular training and awareness programs to employees and authorized individuals regarding the importance of SIEM log review, incident detection, and their roles in maintaining information security.

Non-Compliance:

Non-compliance with this policy may result in disciplinary action, up to and including termination of employment or contract, as well as legal consequences in accordance with applicable laws and regulations.

Policy Review:

This policy shall be reviewed annually or as deemed necessary by the CIO or designated representative to ensure its relevance, effectiveness, and compliance with changing regulatory requirements.