Electronic and IT User Activity Logs: Handling Standard

Brief Description:

Campus requirements for handling of user activity logs.

Related Policy:

• CSU Information Security Policy
• Cal Poly Information Security Program (ISP)
• Cal Poly Information Technology Resources Responsible Use Policy

Introduction:

Cal Poly utilizes a number of electronic information technology systems for various purposes. These systems generate user activity logs in most instances. The purposes of these logs vary depending on the system. Typically, these logs are generated by systems for the following purposes:

• Support of the service, troubleshooting user issues, etc.
• Audit activity logs for security incident response or regulatory requirements.

These logs must be protected adequately and only accessible to those with a business necessity for the support of the service or the designated campus Information Security Office. In certain circumstances, these logs must be provided to other departments or outside entities. In those circumstances, approval from appropriate offices is required.

Scope:

This standard applies to employees, contractors, vendors and agents with access to campus information systems.  This standard applies to all university-owned systems connected to the network or any externally hosted service the campus subscribes to, such as a Software as a Service offering hosted in a remote data center or cloud hosting provider. These records or logs must be kept and protected from unauthorized access in accordance with the IT Security Standard: Computing Devices Logging.

Standard:

User activity logs generated and maintained in their respective systems shall at all times be protected in accordance with CSU Information Security Policies and Cal Poly Information Security Standards. Access to the records or logs must be restricted to only Cal Poly officials who are responsible for the ongoing support and maintenance of the associated service.

This standard applies in circumstances where the logs are requested by another Cal Poly department or an outside entity other than the department responsible for maintaining the service or by the designated campus Information Security Office.

Examples of user activity logs (this standard is not limited to or restricted to examples below, consult the Information Security Office for guidance at infosec@calpoly.edu):

• Cal Poly Portal authentication logs
• Cal Poly eduraom wifi access logs
• Door access logs for Campus or Residential spaces

If user activity logs are requested by another party other than a member of the department responsible for the support of the service, appropriate approval must be obtained before the records are provided. Contact the Campus Information Security Officer for assistance in obtaining appropriate approval at infosec@calpoly.edu or by entering an ITS support ticket at tech.calpoly.edu.

Records must be provided securely once approval is obtained. The campus Information Security Office can provide guidance, if needed.

Related Procedures and Resources:

• IT / Information Security Exception Request Process
• Cal Poly Information Classification and Handling Standard
• IT Security Standard: Computing Devices [PDF]