[unisog] Survey: Monitoring/Logging Policies

Nick Lewis lewisnic at acm.org
Tue Oct 24 00:54:19 GMT 2006

>----- Original Message ----- 
>From: "Giulini,Chad" <Cgiulini at uchc.edu>
>To: <unisog at sans.org>
>Sent: Monday, October 23, 2006 4:04 PM
>Subject: [unisog] Survey: Monitoring/Logging Policies

>I am hoping some of you on this list may be willing to state whether or
>not your institution collects, monitors, and/or archives logs from
>firewalls and/or IDS/IPS devices.  The specific concern here involves
>logging user-identifiable activity.  I am particularly interested in how
>this is implemented in other Academic Medical Centers, but any feedback
>is welcome.  This topic is cause for some discussion at our institution,
>and I would greatly appreciate feedback as to how other institutions are
>addressing this.  Links to publicly posted policy or procedure
>statements on topic would be very helpful.
>Please note I am well aware of best practices and am a strong advocate
>for logging and monitoring these devices.

We centrally log and archive these logs for 13 months from our firewall 
(along with many other devices), but our IDS alerts are not intentionally 
archived and roll over around every 3 months.

In other areas including our clinical systems, user-identifiable activity is 
heavily logged for when a patient record is accessed. This logging is 
usually application-specific.

