To ensure that Information Technology (IT) resources and information systems are established with effective security controls and control enhancements that reflect applicable federal and state laws, Executive Orders, directives, regulations, policies, standards, and guidance.
National Institute of Standards and Technology (NIST) Special Publications (SP): NIST SP 800-53a – Auditing and Accountability (AU), NIST SP 800-12, NIST SP 800-92, NIST SP 800-100
This policy is applicable to all Science Program cloud environments.
The information system owners, in cooperation with Audit and IT, shall:
- Determine that the information system is capable of auditing the following events:
  - changes to administration roles
  - all actions taken by a user
  - login actions with secure accounts (e.g. break-glass accounts, root accounts)
  - network and security changes to core infrastructure
  - changes and/or access to logs
  - changes and/or access to auditing systems
  - sign-in failures
  - environment policy changes
- Coordinate the security audit function with other organizational entities requiring audit (e.g. the Canadian Centre for Cyber Security).
- Provide a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents.
- Determine that the following events are to be audited within the information system:
  - changes to administration roles
  - all actions taken by a user
  - login actions with secure accounts (e.g. break-glass accounts, root accounts)
  - network and security changes to core infrastructure
  - changes and/or access to logs
  - changes and/or access to auditing systems
  - sign-in failures
  - environment policy changes
¶ REVIEWS AND UPDATES
The Science Program Collaboration and Emerging Technologies (SPCMT) Operations team shall review and update the audited events yearly.
The information system shall generate audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.
The information owner shall ensure audit record storage capacity is allocated when required and that it will meet the retention period.
The information system shall off-load audit records daily onto a different system or media than the system being audited.
The Science Program Collaboration and Emerging Technologies (SPCMT) Operations team shall:
- Review and document why audit processing is failing.
- Fix any issues with logging and auditing.
The information system shall provide a warning to the Science Program Collaboration and Emerging Technologies (SPCMT) Operations team within 24 hours of allocated audit record storage reaching 75% of the repository's maximum audit record storage capacity.
The information system shall provide an alert within 2 hours to the Science Program Collaboration and Emerging Technologies (SPCMT) Operations teams when the following audit failure events occur:
- login actions with secure accounts (e.g. break-glass accounts, root accounts)
- network and security changes to core infrastructure
- changes to security logs
- changes to auditing system rules
- environment policy changes
- breach by a known threat group
The information system shall enforce configurable network communications traffic volume thresholds reflecting limits on auditing capacity, and reject or delay network traffic above those thresholds.
The information system shall invoke a partial system shutdown in the event of any of the audit failures below, unless an alternate audit capability exists:
- login actions with secure accounts (e.g. break-glass accounts, root accounts)
- network and security changes to core infrastructure
- changes to security logs
- changes to auditing system rules
- environment policy changes
- breach by a known threat group
¶ AUDIT REVIEW, ANALYSIS, AND REPORTING
The information system owner shall:
- Review and analyze information system audit records weekly for indications of any inappropriate or unusual activity.
- Report findings to Science Program Collaboration and Emerging Technologies (SPCMT) Operations and Management team.
The information system owners shall ensure automated mechanisms are employed to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.
The information system owner shall ensure analysis and correlation of audit records across different repositories to gain situational awareness.
¶ AUDIT REDUCTION AND REPORT GENERATION
The information system shall provide an audit reduction and report generation capability that:
- Supports on-demand and after-the-fact audit review, analysis, and reporting requirements.
- Does not alter the original content or time ordering of audit records.
The information system shall:
- Use internal system clocks to generate time stamps for audit records.
- Record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and that have a granularity of one second or finer.
Time stamps will rely on the cloud provider's time sync service, which uses a fleet of redundant satellite-connected and atomic clocks in each Region to deliver a highly accurate reference clock. Using the cloud provider's service ensures that all time stamps agree, including for services where the clock cannot be set manually.
The information system shall protect audit information and audit tools from unauthorized access, modification, and deletion.
The organization shall authorize access to management of audit functionality only to the Science Program Collaboration and Emerging Technologies (SPCMT) Operations and Security teams.
The information system owners shall retain audit records in accordance with the Library and Archives Canada (LAC) event logging guidance and the Government of Canada Security Control Profile for Cloud-based GC Services retention requirements.
- CSP: Time period = [at least 90 days]
- GC: Time period = [events and logs at least 3 months online and at least 6 months in storage; events and logs associated with a security incident for at least 2 years]
The information system owners shall employ query and archive retrieval mechanisms to ensure that long-term audit records generated by the information system can be retrieved.
The information system shall:
- Provide audit record generation capability for the auditable events as defined above.
- Allow Science Program Collaboration and Emerging Technologies (SPCMT) Operations and Security teams to select which auditable events are to be audited by specific components of the information system.
The information system shall produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format.
The information system shall provide the capability for Science Program Collaboration and Emerging Technologies (SPCMT) Operations and Security roles to change the auditing performed on the cloud environments, based on values agreed upon by the team.
The following should be performed at least every 90 days:
- Rotate account access keys
- Review IAM users and groups, removing any users who are no longer required.
- Review IAM roles and permission sets, deleting those that are no longer required.
- Review EC2 security groups, key pairs, running instances, and instance sizes. Adjust, turn off, or remove as required.
- Review Azure group synchronization.
- Review Service Control Policies and adjust as required.
- Review Amazon Secure Environment Accelerator repo for updates and remediate as required.
The following should be done at least every 7 days:
- Review SecurityHub, AWS Config, GuardDuty, CloudTrail and Defender for Cloud findings and remediate as required.
The following should be done daily:
- Review Microsoft Sentinel for incidents and investigate when required. See the Sentinel incident handling section.
- Review any alerts coming into the operations mailbox and remediate as required.
See AWS security audit guidelines and AWS Operational Best Practices for additional tips and procedures.
¶ GCP AUDIT AND ACCOUNTABILITY PROCEDURES
¶ 1. Roles and Responsibilities
The Science Program Collaboration and Emerging Technologies (SPCMT) Operations Team is responsible for implementing, maintaining, and monitoring audit and accountability controls across Science Program cloud environments.
Information System Owners are responsible for ensuring that audit logging is enabled for their systems and that required audit records are generated and retained.
Security and Audit Personnel are responsible for reviewing audit records, investigating anomalies, and coordinating with external audit or security organizations when required.
Prior to system deployment, the SPCMT Operations Team shall verify that audit logging is enabled for all required audit event categories.
- Audit logging configurations shall ensure that the following events are captured:
  - Changes to administrative roles and privileges
  - All actions performed by authenticated users
  - Authentication and login events, including privileged and break-glass accounts
  - Network and security configuration changes
  - Access to and modification of audit logs
  - Changes to audit and logging systems
  - Sign-in failures
  - Environment and organizational policy changes
Audit event configurations shall be validated following major system changes or security-impacting modifications.
¶ 3. Audit Record Generation and Content Procedure
The information system shall generate audit records for all defined auditable events.
Audit records shall include, at a minimum:
- Type of event
- Date and time of event
- Location or system component where the event occurred
- Source of the event
- Outcome (success, failure, or error)
- Identity of the user, service account, or process associated with the event
Audit records shall be generated automatically and without reliance on manual intervention.
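As an added example (not part of this policy and not any provider's tooling), the following Python check applies the minimum record-content requirements above, together with the UTC one-second time stamp rule, to constructed sample records; the field names and sample values are assumptions made for illustration.

```python
import re

# Fields the policy requires in every audit record (what, when, where, source,
# outcome, who). The field names are this example's assumption, not a provider schema.
REQUIRED_FIELDS = ("event_type", "timestamp", "location", "source", "outcome", "identity")
VALID_OUTCOMES = {"success", "failure", "error"}
# ISO 8601 with explicit seconds (one-second granularity or finer) and a UTC marker.
UTC_TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|\+00:00)$")


def check_record(record):
    """Return the list of policy problems in one audit record (empty list = compliant)."""
    problems = [f"missing {field}" for field in REQUIRED_FIELDS if not record.get(field)]
    ts = record.get("timestamp")
    if ts and not UTC_TIMESTAMP.match(ts):
        problems.append("timestamp is not UTC with second granularity")
    outcome = record.get("outcome")
    if outcome and outcome not in VALID_OUTCOMES:
        problems.append(f"unexpected outcome {outcome!r}")
    return problems


# Constructed sample records for illustration only; not real log data.
SAMPLE_RECORDS = [
    {"event_type": "iam.role.update", "timestamp": "2026-01-29T14:03:11Z",
     "location": "project-example/global", "source": "203.0.113.10",
     "outcome": "success", "identity": "ops-admin@example.org"},
    # break-glass login whose record never captured who logged in
    {"event_type": "login.breakglass", "timestamp": "2026-01-29T14:05:42+00:00",
     "location": "org-example", "source": "198.51.100.7", "outcome": "success",
     "identity": ""},
    # local time with no offset and no seconds: cannot be mapped to UTC as required
    {"event_type": "policy.change", "timestamp": "2026-01-29 09:05",
     "location": "folder-example", "source": "console", "outcome": "ok",
     "identity": "svc-deployer"},
]


def check_all(records=SAMPLE_RECORDS):
    """Map each record index to its problem list; suitable as a routine operational check."""
    return {i: check_record(r) for i, r in enumerate(records)}


if __name__ == "__main__":
    for idx, problems in check_all().items():
        print(idx, "OK" if not problems else "; ".join(problems))
```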
¶ 4. Audit Log Storage and Retention Procedure
- Audit records shall be stored in a centralized logging repository approved by the organization.
- The Information System Owner shall ensure that sufficient storage capacity is allocated to meet defined audit retention requirements.
- Audit logs shall be retained in accordance with organizational retention policies and applicable regulatory requirements.
- Audit records shall be protected from unauthorized modification or deletion.
- Audit records shall be off-loaded daily from the originating system to an alternate storage system or repository.
- The alternate storage system shall be logically separate from the system generating the audit records.
- Successful transfer of audit records shall be verified as part of routine operational checks.
Audit logs are stored indefinitely in BigQuery.
¶ 7. Audit Review and Analysis Procedure
Audit records shall be reviewed periodically by authorized personnel to identify:
- Unauthorized access attempts
- Privilege misuse
- Configuration changes outside approved processes
- Indicators of compromise or anomalous behavior
The frequency of audit review shall be commensurate with system risk and operational requirements.
Findings resulting from audit reviews shall be documented and tracked to resolution where required.
When audit processing failures are detected, the SPCMT Operations Team shall:
- Identify and document the cause of the failure
- Restore audit logging functionality as soon as practicable
- Verify that audit records are being generated correctly after remediation
Any loss of audit data or prolonged audit outages shall be documented and reported in accordance with organizational incident management procedures.
¶ 9. Coordination with External Audit and Security Organizations
- Audit activities shall be coordinated with external entities requiring audit information, including the Canadian Centre for Cyber Security, as applicable.
- Audit records shall be made available to authorized external parties in accordance with legal, regulatory, and organizational requirements.
¶ 10. Review and Update Procedure
The SPCMT Operations Team shall review these audit and accountability procedures at least annually.
Procedures shall be updated as required to reflect:
- Changes to system architecture
- Changes to audit tooling or logging mechanisms
- Updated regulatory or policy requirements
Reviews and updates shall be documented, including the date of review and responsible party.
Employees who violate this policy may be subject to appropriate disciplinary action up to and including discharge as well as both civil and criminal penalties. Non-employees, including, without limitation, contractors, may be subject to termination of contractual agreements, denial of access to IT resources, and other actions as well as both civil and criminal penalties.
Requests for exceptions to this policy shall be reviewed and approved by the Science Program Collaboration and Emerging Technologies (SPCMT) Management team and Director.
| | Date |
| --- | --- |
| Date Issued: | 03/01/23 |
| Date Reviewed: | 03/01/24 |
| Date Reviewed: | 03/01/25 |
| Date Reviewed: | 29/01/26 |
| Next Review: | 03/01/27 |