Log Management and Forensic Readiness control procedure
Defining the university’s approach to log management and forensic readiness.
Log management and forensic readiness
Contents
Policy statement
This control procedure defines the university’s approach to log management and forensic readiness, and directly supports the following policy statement from the Information Security Policy:
“The university will ensure the correct and secure operations of information processing systems.”
“This will include documented operating procedures, the use of formal change and capacity management, controls against malware, defined use of logging and vulnerability management.”
Audience
This procedure is intended to be read and understood by all users accessing university information, IT systems, networks or software using any university or personally owned device.
It is of particular relevance to IT & digital and other staff who are responsible for the management of IT systems, as well as those in, or working with, Legal, Security, Academic Services and/or HR to pursue investigations.
Control statements
- Forensic readiness
- Use of digital evidence
- Collection of digital evidence
- Storage and handling of digital evidence
- Log management
Forensic readiness
Forensic readiness is the capability of an organisation to use digital evidence in an investigation into the (mis)use of its information management systems.
The requirement for forensic readiness arises from the universal use of ICT systems within the institution.
Use of digital evidence
Digital evidence is likely to feature in a wide range of investigations or disputes, including but not limited to:
- Security incidents: unauthorised access to data or the university infrastructure, tampering with or use of IT Systems, electronic attack including denial of service and malware attacks;
- Criminal activities: identity theft, fraud, deception, money laundering, blackmail, extortion, stalking, threat to national security;
- Disciplinary issues: malpractice, abuse of acceptable use policy, grievance procedures;
- Privacy issues: identity theft, compliance with the Data Protection Act and other associated legislation.
Collection of digital evidence
All users of the university network are subject to the collection of digital logs relating to their use of information management systems. This includes the logging of web and email traffic, authentication events and database transactions.
Logs identified as key indicators of security incidents are processed via a Security Information and Event Monitoring (SIEM) tool. This provides an aggregated view of key logs and also generates automated alerts based on pre-configured thresholds. These alerts and the source data are key sources of evidence for investigations and may trigger the Information Security team to undertake an investigation where a key policy or procedure has been shown to have been breached.
IT & digital may apply a ‘legal or retention’ hold to information held within IT systems following consultation with HR and/or Legal services.
A forensic investigation is not a standalone investigation; it is an evidence-gathering exercise forming part of a broader investigation, falling under university policies concerning code of conduct, admission, discipline, grievance or dignity at work, etc. Authorisation to provide forensic evidence therefore needs to be gathered in accordance with the policy under which it is being requested.
The decision concerning what is requested for the purposes of an investigation will be set out within the specific Terms of Reference for a forensic investigation for formal investigations, specified by the investigator, or a request under Data Protection legislation from third-party agencies involved in combating crime.
Complex or large-scale investigations may require an investigation team to be appointed. Where possible this will remain in-house, however, it may be necessary to include third-party services/expertise as required but managed by the university to retain responsibility for the data.
Storage and handling of digital evidence
Digital evidence must be stored and handled securely if it is to be admissible as part of a formal investigation. To ensure that all digital evidence is stored and handled in a manner that maximises its integrity, a number of steps should be taken:
- Only authorised personnel should have access to digital evidence and it should only be accessed in accordance with this policy.
- The location of digital evidence should remain confidential and secure.
- Digital evidence must not be removed from university systems without the approval of the Information Security team
- The Information Security team will log all evidence collected. This will involve holding details regarding the date on which the evidence was requested, stored and submitted as well as the name of the owner/person who submitted the request.
- The handling of any piece of digital evidence should be logged. This log should include the reason for using the data, the person who accessed it and the date and time it was accessed.
- The recovery and analysis of digital evidence should be completed in accordance with this policy ensuring it is. systematic and standardised in order to ensure the admissibility of that evidence if required in a legal or disciplinary case.
- Use of digital evidence for reasons other than those stated may be viewed as a violation of data privacy legislation.
Log management
Log files will, where possible, be retained for 13 months for all university systems. If logs are retained for longer than this, they will be retained with a statement supporting their retention. The Information Security Team will handle log files retained as part of an ongoing investigation in line with the principles above.
Consideration must be given to log file creation, access and retention when establishing cloud services.
Compliance
Failure to comply with this procedure could result in action in line with the university’s disciplinary procedure or performance improvement procedure.
Compliance checks will be undertaken by the university’s Information Governance functions. The results of compliance checks, their risk assessment and their remediation will be managed by the Information Governance Board.
Related documents
This control procedure needs to be understood in the context of the other policies and procedures constituting the university’s Information Security Management System.
Browse Information Security policies and control procedures
Review
A review of this policy will be undertaken by the Information Security team annually or more frequently as required, and will be approved by the Information Governance Board.
Version: | 4.3 |
Release date: | 22/10/2024 |
Review date: | 22/09/2025 |