Re: Advice on Network Security Policies[Message Scanned]

[Joel Rosenblatt <joel () COLUMBIA EDU>]

Funny you should ask .. I just came back from a meeting about this very topic :-)

1) I agree with Theresa - you need to speak to your GC office

2) the general answer is that log & data retention is defined by "operational necessity" there are no firm laws, in 
general, about how long you have to retain
anything - however their may be specific laws about specific data that may have to be kept for a certain length of time 
.. for example HIPPA or TAX data.

3) you need to meet with any group that uses log information and find out what they need to properly maintain the 
things that they are responsible for.  Our
systems people said "about 6 hours", our mail people said "about 2 weeks" our network people said "about 6 months", our 
security people (me) said "about 4-6
weeks", and our statistics people say "about 1 year" ... our lawyers said not to keep anything :-)

4) We are planning to have more meetings :-)

5) You can audit lots of things .. the better question is "how much time (resources) do you have to look at the audit 
logs" - you have to do risk analysis and
figure out what is important to your institution.

6) You should look at your policies and decide what is important, then see if you can answer questions about what 
happened or what went wrong .. if you need to
know, then make sure that you are collecting the proper information, then go back to step 1

Good Luck :-)

Joel Rosenblatt

Joel Rosenblatt, Senior Security Officer & Windows Specialist, AcIS
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel


--On Thursday, January 13, 2005 12:59 PM -0500 Theresa M Rowe <rowe () oakland edu> wrote:

> I encourage you to review your questions with your legal
> staff and your police department.
>
> After much review here, the decision was that personally
> identifiable log info is kept for 48 hours.  No email is
> kept; we do not even backup our email system for emergency
> purposes.  We specify our practice in our system
> administrator policy
> http://www2.oakland.edu/audit/POLCY880.HTM
> The feeling was if we don't have it, we cannot turn it over.
>
> And yes, the FBI and "other sorts" have been here, expressed
> surprise, but no other issues have come up.
>
> Theresa Rowe
>
>
>
> ---- Original message ----
> > Date: Thu, 13 Jan 2005 11:40:14 -0500
> > From: "Parker, Ben C" <parkerbc () MUC EDU>
> > Subject: [SECURITY] Advice on Network Security Policies
> [Message Scanned]
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> >
> >   Question in which I am hoping for some advice from
> >   those with expertise? Where is a good place to find
> >   out what we as a small private liberal arts college
> >   are required to keep/have as far as legal issues are
> >   concerned with some of the following things?
> >
> >   1.       How detailed and how long do we need to
> >   keep firewall logs? Currently we are logging denies
> >   and NAT timeouts.  What are we required to keep, and
> >   what would be good to have in case we get file
> >   sharing notice( Since in the year and a half I have
> >   been here we have kept things locked down tight
> >   enough that  students haven't been able to file
> >   share, but there is strong pressure to open things
> >   up more.)
> >
> >   2.       What other things should we be auditing and
> >   how extensively?
> >
> >   3.       What are the other questions I should be
> >   asking be don't even know what to ask about?
> >
> >
> >
> >   ********** Participation and subscription
> >   information for this EDUCAUSE Discussion Group
> >   discussion list can be found at
> >   http://www.educause.edu/groups/.
> Theresa Rowe
> Assistant Vice President
> University Technology Services
> www.oakland.edu/uts - the latest news from University Technology Services
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
> http://www.educause.edu/groups/.



Joel Rosenblatt, Senior Security Officer & Windows Specialist, AcIS
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.