Standard number: DS-19
Date issued: 7/1/2018
Date last updated: 6/25/2025
Date last reviewed: 6/25/2025
Date of next review: 6/25/2027
Version: 1.5
Approval authority: Vice President for Information Technology and CIO
Responsible office: Information Assurance
This Standard supports and supplements the Information Security (SPG 601.27) policy. It will be periodically reviewed and updated as necessary to meet emerging threats, changes in legal and regulatory requirements, and technological advances.
I. Overview
In order to appropriately protect U-M information and systems, as well as support other information and system operation functions, it is necessary for campus units to appropriately generate, store, and analyze logs that record events occurring within U-M systems and networks. Security software, operating system, and application log data are critical components in detecting, analyzing, preventing, and responding to potential information security incidents including unauthorized data disclosures, and activities on U-M systems.
The key objectives of this Standard are to:
- Describe the university’s preferred approach to computer security log management, including roles and responsibilities, logging configuration, and privacy considerations;
- Ensure that an appropriate log collection and analysis infrastructure at both the central and unit level is in place so that IT security incidents can be detected and responded to in a timely manner;
- Ensure that appropriate log collection, analysis, and retention are in place to satisfy legal, regulatory, and contractual requirements;
- Appropriately balance the university’s risk level with the time and resources needed to perform log management functions, as well as the impact on performance of systems and applications;
- Ensure that the information captured by logs can be used to support incident response or a forensic analysis in the event of a suspected data breach, IT security incident, or other administratively or legally necessary investigations.
Other federal or state regulations or contractual agreements may require additional actions that exceed those included in this Standard.
II. Scope
This standard applies to the Ann Arbor campus, Michigan Medicine, UM-Dearborn, UM-Flint, all affiliates, and all faculty, staff, workforce members, and sponsored affiliates.
It further applies to all units, faculty, principal investigators, staff, and workforce members that maintain or store data on any university-owned or third party vendor contracted-for systems, applications, or devices (including cloud provider services).
III. Roles and Responsibilities
Information Assurance (IA)
- Collaborates and coordinates with university units and unit IT staff to develop and implement unit-level security log procedures;
- Provides detailed technical guidance related to implementation of this Standard;
- Coordinates with Security Unit Liaisons in the event that there is a need to examine or collect log data from a specific unit;
- Where appropriate, and in consultation with the Office of the General Counsel (OGC), coordinates review and release of university IT security log data within the university, and to law enforcement agencies;
- Assists and advises unit IT staff in responding to internal or external requests to access security logs to ensure that the most accurate and relevant log data is released.
University Units
- Adhere to the requirements of this Standard;
- Ensure logs are actively monitored for IT security threats, attacks, information security incidents, and inappropriate use of IT resources;
- Protect the confidentiality, integrity, and availability of security logs under the unit’s control;
- Maintain awareness of and compliance with regulatory log collection and analysis requirements that apply to the types of data processed or stored by the unit, e.g., HIPAA, PCI, GLBA, etc.;
- Provide locally-generated log data to IA upon request for incident detection, incident response, and to satisfy policy and regulatory requirements;
- Never release logs to any campus or external entity, including law enforcement, without prior consultation with IA and/or OGC, except under exigent circumstances where preventing imminent risk of harm or threat to life safety overrides the prior consultation requirement; IA or OGC should be contacted as soon as possible after such interventions;
- Contact IA or OGC immediately if served with a legal order (e.g., subpoena, warrant, request for discovery) to turn over logs. Units or individual staff members should not respond in any way prior to the above consultation.
IV. Standard
Security logs are records of events occurring within the university’s systems and networks. A security log captures information associated with information security-related events.
Specifically, security logs:
- Can identify anomalies for further analysis and potential remediation;
- Allow for 24/7 monitoring of security-related issues; and
- Are critical for successful forensic examination of events related to security incidents.
Examples of security software logs include (non-exhaustive): Antivirus; intrusion prevention system; vulnerability management; authentication servers; firewalls; routers.
Examples of operating systems and application logs include (non-exhaustive): System events; audit records.
Security logs, which capture information associated with security events and may contain personally identifiable information about the users of information resources, are a type of IT security information and are classified as High data.
Logging must be enabled at the operating system, application and database, and device levels when data classified as Restricted, High, and Moderate are created, processed, maintained, transmitted, or stored. It is recommended that logging is enabled for systems, applications, and databases that maintain data classified as Low.
Individual faculty members that maintain student records (FERPA data) on their own devices, whether or not university-maintained, are exempt from this requirement.
All log data for systems, devices, and applications must be collected and stored as described in Table 1.
Table 1. Logging Configuration Settings by Data Classification Levels
Category | Restricted | High | Moderate | Low |
---|---|---|---|---|
Logging enabled (except endpoints) | Required | Required | Required | Recommended; operating system logging required for systems accessible from the internet |
Endpoint logging enabled (workstation, desktop) | Required | Operating system logging required; application logging recommended | Operating system logging required; application logging recommended | Operating system logging required; application logging recommended |
Log retention periods | 180 days | 180 days | 90 days | 90 days recommended; 90 days required for operating system logging |
Automated Logging Failure Alerts | Required | Required | Recommended | Recommended |
Additional criteria, such as regulatory requirements and system risk exposure, may affect logging configuration and retention requirements. For example, PCI requires logs to be retained for a year and Michigan Medicine Corporate Compliance requires logs related to HIPAA to be retained for three years. IA may allow logging exceptions for Moderate data stored in low-risk exposure systems, while requiring logging for Moderate data in high-risk exposure systems. Detailed guidance can be found on Safe Computing at Security Logging for U-M Systems.
Security logs must be stored in an external log collection system and maintained in a format that allows them to be immediately available for the retention periods specified above. After this time, logs can be archived with the ability to make them available within ten business days after a request is received.
Security logs that no longer need to be retained should be disposed of by following the procedures detailed in Securely Dispose of U-M Data and Devices.
Privacy and Security Logs
Security logs may contain personally identifiable information (PII) about individuals accessing U-M information resources.
The university is committed to ensuring the privacy of its community members. Privacy and the Need to Monitor and Access Records (SPG 601.11) establishes general standards for accessing and monitoring all types of university records. Security logs are considered business records as defined in the policy.
U-M faculty, staff, and workforce members that have job-related access to security logs, network monitoring tools, or location data are responsible to:
- Abide by the provisions of Responsible Use of Information Resources (SPG 601.07);
- Only access, monitor, or analyze logs, network connections, or location information of individuals for legitimate business and job-related purposes;
- Keep such information confidential, and not disclose such information to others unless there is a job-related or legal requirement to do so.
Further, security logs will generally be used for their intended purpose described above. The university will not routinely use security logs to:
- Monitor personal information about individual users, including location at a given time;
- Monitor the web activity of individual users.
However, in the event of a declared health or safety emergency, the Chief Information Security Officer or a delegated authority, in consultation with the Office of General Counsel, may authorize accessing PII contained in security logs in accordance with provisions of Privacy and the Need to Monitor and Access Records (SPG 601.11).
In some cases, the university may be compelled by law, such as a court order, subpoena, or Freedom of Information Act request, to retain or release information contained in security logs. All such releases must be coordinated by IA and OGC.
Security Log Retention
For legal and operational purposes, the university has adopted the following minimum security log retention schedule. Security logs of systems and applications that create, process, maintain, transmit, or store university information classified as Restricted to Moderate must be retained by units that generate the logs as follows.
- Moderate data: 90 days, unless longer retention times are required by law;
- Restricted and High data: 180 days, unless longer retention times are required by law;
- There are some types of data that have specific log retention requirements:
- PCI data: Minimum of one year, with three months immediately available for analysis.
- HIPAA data: Minimum of three years for systems (Michigan Medicine); 180 days for Ann Arbor, Dearborn, and Flint campuses.
Security Log Maintenance
Security logs must be maintained in a format that allows them to be immediately available for 90 days. After 90 days, logs can be archived or stored remotely with the ability to make them available within 10 business days after a request is received.
Security Log Disposal
Security logs that no longer need to be retained should be disposed of by following the procedures detailed in Securely Dispose of U-M Data and Devices.
V. Violations and Sanctions
Violations of this Standard may result in disciplinary action up to and including suspension or revocation of computer accounts and access to networks, non-reappointment, discharge, dismissal, and/or legal action. In addition, the connectivity of machines and servers to the U-M network that do not comply with this Standard may be limited or disconnected.
Discipline (SPG 201.12) provides for staff member disciplinary procedures and sanctions. Violations of this policy by faculty may result in appropriate sanction or disciplinary action consistent with applicable university procedures. If dismissal or demotion of qualified faculty is proposed, the matter will be addressed in accordance with the procedures set forth in Regents Bylaw 5.09. In addition to U-M disciplinary actions, individuals may be personally subject to criminal or civil prosecution and sanctions if they engage in unlawful behavior related to applicable federal and state laws.
Any U-M department or unit found to have violated this policy may be held accountable for the financial penalties, legal fees, and other remediation costs associated with a resulting information security incident and other regulatory non-compliance.
VI. Implementation
Information Assurance is responsible for the implementation, maintenance, and interpretation of this Standard.
VII. References
- Security Logging for U-M Systems
- Information Security Incident Reporting (SPG 601.25)
- Information Security (SPG 601.27)
- Privacy and the Need to Monitor and Access Records (SPG 601.11)
- Responsible Use of Information Resources (SPG 601.07)
- Safe Computing, Server & Database Hardening
- NIST SP 800-92 Guide to Computer Security Log Management
- NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations
VIII. Related NIST Security Controls
- NIST SP 800-53 Revision 5
- AU-02 Audit Events
- AU-03 Content of Audit Records
- AU-04 Audit Storage Capacity
- AU-05 Response to Audit Processing Failures
- AU-06 Audit Review, Analysis, and Reporting
- AU-07 Audit Reduction and Report Generation
- AU-08 Timestamps (Testable)
- AU-09 Protection of Audit Information
- AU-11 Audit Record Retention (Testable)
- AU-12 Audit Generation