To ensure that Information Technology (IT) resources and information systems are established with effective security controls and control enhancements that reflect applicable federal and state laws, Executive Orders, directives, regulations, policies, standards, and guidance.
National Institute of Standards and Technology (NIST) Special Publications (SP): NIST SP 800-53a – Auditing and Accountability (AU), NIST SP 800-12, NIST SP 800-92, NIST SP 800-100
This policy is applicable to all Science Program cloud environments.
The information systems owners, in cooperation with audits and IT, shall:
The Science Program Collaboration and Emerging Technologies (SPCMT) Operations team shall review and update the audited events yearly.
The information system shall generate audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.
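As an added illustration (not part of the policy itself), the check below validates JSON-lines audit records against the six elements this control requires. The JSON field names (event_type, timestamp, host, source, outcome, subject) and the sample records are this example's own assumptions, not a format the policy mandates.

```python
import json
from datetime import datetime

# Required elements from the control, mapped to field names assumed for this example.
REQUIRED_FIELDS = {
    "event_type": "what type of event occurred",
    "timestamp": "when the event occurred",
    "host": "where the event occurred",
    "source": "the source of the event",
    "outcome": "the outcome of the event",
    "subject": "the identity of any individuals or subjects associated with the event",
}

def validate_record(record: dict) -> list[str]:
    """Return a list of deficiencies; an empty list means the record is compliant."""
    problems = []
    for field, meaning in REQUIRED_FIELDS.items():
        if record.get(field) in (None, ""):
            problems.append(f"missing {field} ({meaning})")
    ts = record.get("timestamp")
    if ts:
        try:
            # A timestamp without a UTC offset cannot be correlated across repositories.
            if datetime.fromisoformat(ts.replace("Z", "+00:00")).tzinfo is None:
                problems.append("timestamp lacks a UTC offset")
        except ValueError:
            problems.append(f"timestamp not ISO 8601: {ts!r}")
    return problems

def audit_log_report(lines: list[str]) -> dict[int, list[str]]:
    """Validate JSON-lines records; keys are 1-based line numbers of non-compliant records."""
    report = {}
    for n, line in enumerate(lines, start=1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            report[n] = ["not valid JSON"]
            continue
        problems = validate_record(record)
        if problems:
            report[n] = problems
    return report

# Constructed sample records: one complete, one missing outcome/subject, one with a naive timestamp.
SAMPLE_LINES = [
    '{"event_type":"login","timestamp":"2023-03-01T09:15:00Z","host":"bastion-01","source":"198.51.100.7","outcome":"success","subject":"jdoe"}',
    '{"event_type":"config_change","timestamp":"2023-03-01T09:16:30Z","host":"api-02","source":"deploy-pipeline"}',
    '{"event_type":"login","timestamp":"2023-03-01 09:17:00","host":"bastion-01","source":"198.51.100.9","outcome":"failure","subject":"unknown"}',
]
```

Running `audit_log_report(SAMPLE_LINES)` flags lines 2 and 3 and accepts line 1.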
The information owner shall ensure audit record storage capacity is allocated when required and that it will meet the retention period.
The information system shall off-load audit records daily onto a different system or media than the system being audited.
The Science Program Collaboration and Emerging Technologies (SPCMT) Operations team shall:
The information system shall provide a warning to the Science Program Collaboration and Emerging Technologies (SPCMT) Operations team within 24 hours of when the allocated audit record storage volume reaches 75% of the repository's maximum audit record storage capacity.
The information system shall provide an alert within 2 hours to the Science Program Collaboration and Emerging Technologies (SPCMT) Operations team when the following audit failure events occur:
The information system shall enforce configurable network communications traffic volume thresholds reflecting limits on auditing capacity, and shall reject or delay network traffic above those thresholds.
The information system shall invoke a partial system shutdown in the event of any of the audit failures below, unless an alternate audit capability exists.
The information system owner shall:
The information system owners shall ensure automated mechanisms are employed to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.
The information system owner shall ensure analysis and correlation of audit records across different repositories to gain situational awareness.
The information system shall provide an audit reduction and report generation capability that:
The information system shall:
Timestamps will rely on the cloud provider's time sync service, which uses a fleet of redundant satellite-connected and atomic clocks in each Region to deliver a highly accurate reference clock. Using the cloud provider's service will ensure that all timestamps match, even for services where the time source cannot be set.
The information system shall protect audit information and audit tools from unauthorized access, modification, and deletion.
The organization shall authorize access to management of audit functionality only to the Science Program Collaboration and Emerging Technologies (SPCMT) Operations and Security teams.
The information system owners shall retain audit records in accordance with the Library and Archives Canada (LAC) event logging guidance and the Government of Canada Security Control Profile for Cloud-based GC Services retention requirements.
The information system owners shall employ query and archive retrieval mechanisms to ensure that long-term audit records generated by the information system can be retrieved.
The information system shall:
The information system shall produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format.
The information system shall provide the capability for Science Program Collaboration and Emerging Technologies (SPCMT) Operations and Security roles to change the auditing to be performed on the cloud environments based on agreed upon values from the team.
The following should be performed at least every 90 days:
The following should be done at least every 7 days:
The following should be done daily:
See AWS security audit guidelines and AWS Operational Best Practices for additional tips and procedures.
Employees who violate this policy may be subject to appropriate disciplinary action up to and including discharge as well as both civil and criminal penalties. Non-employees, including, without limitation, contractors, may be subject to termination of contractual agreements, denial of access to IT resources, and other actions as well as both civil and criminal penalties.
Requests for exceptions to this policy shall be reviewed and approved by the Science Program Collaboration and Emerging Technologies (SPCMT) Management team and Director.
Date Issued: 03/01/23
Date Reviewed: 03/01/23
Next Review: 03/01/24