Northeastern University Audit and Accountability Standard
Related Policy: Northeastern University Information Security Policy
Responsible Office: Office of Information Security (OIS)
Purpose and Scope
Northeastern University is committed to securing its data and providing clear and concise guidance on protecting the many information technology (IT) systems we use. Given the widespread use and diversity of the types of IT systems employed within Northeastern University, it is paramount that a technology-agnostic set of standards is in place and uniformly applied across all IT systems.
This standard establishes the audit and accountability criteria to carry out and meet the intent of the directives within Northeastern University’s Information Security Policy. This standard applies to all organizations (e.g., academic entities, entities other than Colleges and Departments, legally separate but wholly owned entities) of Northeastern University.
IT systems are considered in the scope of this standard if they utilize any of the following:
Northeastern’s Network, ITS troubleshooting or administration, OIS incident response or investigation, or a Northeastern Microsoft account (e.g., @northeastern.edu).
Audit and Accountability Overview
This domain focuses on Audit and Accountability (AU). AU involves the process of establishing the required audit logs to be captured by IT systems within the Northeastern University environment. To balance monitoring and auditing requirements with other IT system needs, a measured approach is used to identify the appropriate subset of event types to be captured. Accountability involves ensuring that audit logs are appropriately protected and reviewed to identify indicators of IT system issues or suspicious user activity.
Roles and Responsibilities
The following high-level functional roles support the audit and accountability processes for IT systems. In some cases, there may be more than one functional role associated with a specific process or task; similarly, more than one person may perform some roles. The following describe the roles and responsibilities associated with audit and accountability within the Northeastern University environment.
Chief Information Security Officer (CISO): Individual responsible for the overall Northeastern University information security program.
System Administrator: An organization or individual responsible for setting up and maintaining an IT system, appliance, or specific IT system elements. This role revolves around hands-on management of the IT system and is usually more technical in nature than the System Owner. System Administrators are also responsible for implementing approved secure baseline configurations, incorporating secure configuration settings for IT products, and conducting or assisting with configuration monitoring activities as needed.
Depending on the size of the IT system, these responsibilities can be split across multiple skill-based domains listed below. These domains can be managed by separate teams across Northeastern University depending on the skills necessary to carry out the listed responsibilities.
- Infrastructure: manages any servers that are not aligned to a specific skill-based domain listed below.
- Network: manages all hardware and IT systems related to managing network communications.
- Security: manages all IT systems that ensure and confirm the security of the environment (e.g., Sentinel, Defender, Tenable, Azure, Intune, Windows Cloud PC).
- Desktop: manages the physical workstations and the software installed on them.
- Identity: manages IT systems that control identity-based access, like Entra ID.
System Owner: An individual or organization responsible for the development, procurement, integration, modification, operation, maintenance, and/or final disposition of an IT system.
The System Owner is also responsible for maintaining the appropriate operational security posture for an IT system or enclave and for ensuring the information assurance of a program or organization. Depending on the size of the IT system, these responsibilities can be assigned to someone with a role closely aligned to that of an Information System Security Officer.
Standard
This standard is scoped primarily around a subset of the National Institute of Standards and Technology (NIST) 800-171 controls to protect the confidentiality, integrity, and availability of information. The related NIST controls have been tagged (e.g., 3.3.1) in the text below to identify where each listed responsibility inherits its requirements from.
As the audit and accountability capability is matured over time, additional controls may be considered to augment confidentiality and address the availability and integrity of information. Additionally, when implementing the criterion of this document, organizations may choose to implement stricter criteria; however, the criterion cannot be lessened without formal exception by the Northeastern University Chief Information Security Officer (CISO) as described in the Compliance section of this standard.
Baseline Auditing Requirements
(3.3.2) Audit logs must contain sufficient information to ensure that the actions of individual IT system users can be uniquely traced across the relevant Northeastern University IT system components. Specifically, audit logs must contain enough information to establish the following:
- What type of event occurred (e.g., event descriptions)
- When the event occurred (e.g., time stamps)
- Where the event occurred (e.g., source and destination addresses)
- Source of the event (e.g., user or process identifiers)
- Outcome of the event (e.g., success or failure indicators)
- Identity of any individuals, subjects, or objects/entities associated with the event (e.g., username, filenames involved)
In addition to the general requirements above, the following categories of audit logs must be captured:
Table 1. Audit Log Categories
Audit Category | Required Setting Types |
---|---|
Account Logon Events | Logon Success; Logon Failure [Failed User Authentication – Unknown username/bad password, Multiple Login Attempts/Logon Failures, Account Locked Out]; Logoff |
Account Management | Account Created; Privileged Account Created; Local Account Created [Outside of Standard Account Creation Process]; Account Deleted; Account Disabled; Account Expired; Password Changed |
Audit Policy Change | All Changes; All Group Policy Object (GPO) Changes |
Directory Service | Object (user, machine, etc.) Added to Domain/Directory; Object Removed from Domain/Directory; Domain Policy Change; Linux Systems Joined to Active Directory (AD) [via Centrify] |
Filesystem Events | Directory Created; Directory Deleted; Directory Read; Directory Write; Directory Permissions Changed; File Created; File Deleted; File Read; File Write; File Permissions Changed; Object Access |
Logging Event | Event Log Full [Local (System); Centralized (SIEM)]; Event Log Overwritten [Local (System); Centralized (SIEM)] |
Network Events | Access Control List (ACL) Changed; Traffic Blocked at Firewall; Network Device Logs [Forwarded to SIEM]; Host-based Firewall Logs [Linux, Windows] |
Privilege Use | Privilege Escalation (e.g., sudo); Privileged Object or Service Called; Object Accessed by Privileged Account |
Process Tracking | Process Executed; Process Terminated; Scheduled Event Executed; Scheduled Event Failed |
System Events | Service Stopped; System Startup; System Shutting Down; Session Disconnected |
(3.3.3) The listing of implemented audit event types (e.g., logon success, event log full, etc.), as defined in the Baseline Auditing Requirements section, must be reviewed by the System Owner at least annually, or whenever there is a significant change to the IT system. The audit event types must be updated by the System Owner, as appropriate, and implemented by the System Administrator to ensure that the appropriate operational security posture is maintained for the IT system.
The System Administrator is responsible for managing and monitoring the log management infrastructures, configuring logging on security devices, reporting on the results of log management activities, and assisting others with configuring logging and performing log analysis.
(3.3.4) All relevant Northeastern University IT system components must be configured to notify the System Administrator and/or System Owner via an alert (e.g., email) within 15 minutes of any of the following conditions being detected in the listed audit log categories:
Table 2. Audit Event Failure Notifications
Audit Category | Alert Criteria |
---|---|
Account Logon Events | 20+ Login Attempts/Logon Failures within 10 minutes |
Filesystem Events | File access attempts by unauthorized user accounts |
Logging Event | Event Log Full; Event Log Overwritten |
Privilege Use | Improper or unauthorized usage of administrator privileges; Use of service accounts for interactive log on |
Process Tracking | Audit Process Termination/Failure |
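The record content requirements under 3.3.2 and the alert criteria in Table 2 can both be checked mechanically. The following Python script is an added example, not part of this standard or of any Northeastern tooling: it verifies that each audit record carries the six fields required under 3.3.2, then applies two of the Table 2 criteria (20 or more logon failures by one account within a sliding 10-minute window, and a service account performing an interactive logon) to a constructed set of records. The field names, the logon_type attribute, the account names and all sample records are assumptions made for illustration; a SIEM such as Sentinel would express the same rules in its own query language.

```python
"""Added example (not part of the Northeastern standard or its tooling).

Checks two things against a list of audit records:
  1. 3.3.2 record content: every record carries what/when/where/source/outcome/identity.
  2. Table 2 alert criteria: 20+ logon failures within 10 minutes for one subject,
     and a service account performing an interactive logon.
Field names, the 'logon_type' attribute and all sample data are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# 3.3.2 content requirements mapped onto assumed record field names.
REQUIRED_FIELDS = {
    "event_type": "what type of event occurred",
    "timestamp": "when the event occurred",
    "source_addr": "where the event occurred (source address)",
    "dest_addr": "where the event occurred (destination address)",
    "subject": "source of the event (user or process identifier)",
    "outcome": "outcome of the event (success or failure)",
    "target": "identity of objects/entities associated with the event",
}


def missing_fields(record):
    """Return the names of 3.3.2 fields that are absent or empty in one record."""
    return [name for name in REQUIRED_FIELDS if not record.get(name)]


def logon_failure_bursts(records, threshold=20, window=timedelta(minutes=10)):
    """Table 2, Account Logon Events: a subject with `threshold` or more logon
    failures inside any sliding `window`. Returns {subject: time the threshold
    was first reached}; the 15-minute notification clock starts from that time."""
    recent = defaultdict(deque)   # subject -> failure timestamps still inside the window
    alerts = {}
    for rec in sorted(records, key=lambda r: r["timestamp"]):
        if rec["event_type"] != "logon" or rec["outcome"] != "failure":
            continue
        q = recent[rec["subject"]]
        q.append(rec["timestamp"])
        # Drop failures older than the window; the current one always stays.
        while rec["timestamp"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and rec["subject"] not in alerts:
            alerts[rec["subject"]] = rec["timestamp"]
    return alerts


def service_account_interactive_logons(records, service_accounts):
    """Table 2, Privilege Use: successful interactive logons by accounts that
    are only meant to run services (the 'logon_type' field is an assumption)."""
    return [
        rec for rec in records
        if rec["event_type"] == "logon"
        and rec["outcome"] == "success"
        and rec.get("logon_type") == "interactive"
        and rec["subject"] in service_accounts
    ]


def _logon(ts, subject, outcome, logon_type="interactive"):
    """Build one constructed logon record with every 3.3.2 field populated."""
    return {
        "event_type": "logon", "timestamp": ts, "source_addr": "10.0.0.5",
        "dest_addr": "10.0.0.10", "subject": subject, "outcome": outcome,
        "target": "HOST01", "logon_type": logon_type,
    }


def build_sample():
    """Constructed sample records (not real logs)."""
    t0 = datetime(2025, 1, 1, 9, 0, 0)
    recs = []
    # 22 failures for 'jdoe' inside 7 minutes: crosses the 20-in-10-minutes line.
    recs += [_logon(t0 + timedelta(seconds=20 * i), "jdoe", "failure") for i in range(22)]
    # 19 failures for 'asmith' inside 9 minutes: one short of the threshold.
    recs += [_logon(t0 + timedelta(seconds=30 * i), "asmith", "failure") for i in range(19)]
    # 25 failures for 'bchen' at 2-minute spacing: never more than 6 in any window.
    recs += [_logon(t0 + timedelta(minutes=2 * i), "bchen", "failure") for i in range(25)]
    # Service account: one interactive logon (alert) and one service logon (fine).
    recs.append(_logon(t0 + timedelta(minutes=3), "svc_backup", "success", "interactive"))
    recs.append(_logon(t0 + timedelta(minutes=4), "svc_backup", "success", "service"))
    return recs


if __name__ == "__main__":
    sample = build_sample()
    incomplete = {"event_type": "logon", "timestamp": datetime(2025, 1, 1)}
    print("missing 3.3.2 fields:", missing_fields(incomplete))
    print("logon failure bursts:", logon_failure_bursts(sample))
    print("service account interactive logons:",
          [r["subject"] for r in service_account_interactive_logons(sample, {"svc_backup"})])
```

The sliding window matters: 'bchen' accumulates 25 failures in total but never 20 inside any 10-minute span, so a rule that counted failures per calendar hour would alert on it while the Table 2 criterion does not. Conversely, 'asmith' stops at 19 and is deliberately left below the threshold so the boundary is visible.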
Auditing Implementation
(3.3.1) All audit events defined in the Baseline Auditing Requirements section are required to be implemented by the System Administrator on all relevant Northeastern University IT system components. All audit events are required to be retained for a minimum of 6 (six) months in a readily accessible format.
(3.3.7) An authoritative time server must be implemented and configured by the System Administrator to provide relevant Northeastern University IT system components with a time source. Relevant Northeastern University IT system components must be configured by the System Administrators to synchronize internal system clocks with the authoritative time server daily, at a minimum, to allow for the generation of accurate audit record time stamps.
Protection of Audit Information
(3.3.8) All audit log information must be protected in transit and at rest from unauthorized access, modification, and deletion. System Administrators must configure IT systems to allow access to only privileged users explicitly authorized to access audit information and audit logging tools.
(3.3.9) The System Administrator must authorize and restrict all access to audit management functionality on relevant Northeastern University IT system components to a designated subset of privileged users.
The System Owner must develop and maintain an updated listing of all designated privileged users with access to audit management functionality within the relevant Northeastern University IT systems.
Process Audit Logs
(3.3.5) The System Owner must ensure that the audit record review, analysis, and reporting processes are correlated to allow for investigation and response to indications of unlawful or suspicious activity.
The System Administrator must immediately report any suspected malicious activity to the System Owner for resolution.
(3.3.6) An audit record reduction and report generation tool (e.g., SIEM) must be implemented and configured by the System Administrator to ingest audit logs from relevant Northeastern University IT system components. The audit reduction solution must support on-demand analysis and reporting against the ingested audit logs.
Definitions
The following definitions have been derived from industry standard definitions provided by the National Institute of Standards and Technology (NIST) Computer Security Resource Center Glossary and, where appropriate, tailored for Northeastern University’s IT environment.
Audit Log: A chronological record of IT system activities, including records of IT system accesses and operations performed in each period.
Event: Any observable occurrence in an IT system.
Information Technology (IT): Computing and/or communications hardware and/or software components and related resources that can collect, store, process, maintain, share, transmit, or dispose of data. IT components include computers and associated peripheral devices, computer operating systems, utility/support software, and communications hardware and software.
Organization: An entity of any size, complexity, or positioning within an organizational structure (e.g., school, department, lab, operational elements).
The industry standard definitions of the terms above are provided by the National Institute of Standards and Technology (NIST) Computer Security Resource Center Glossary, https://csrc.nist.gov/glossary
Compliance
This standard complies with the directives defined in the Northeastern University Information Security Policy. The University recognizes that on rare occasions there might be compelling reasons to consider allowing an organization to operate outside of the criterion defined in this standard, as derived from the Northeastern University Information Security Policy. To facilitate this consideration the System Owner must submit a petition for a risk-based policy exception in writing, including supporting rationale, and forward it to the Northeastern University CISO for review and approval. All approved risk-based policy exceptions must be formally documented by the Northeastern University CISO and indicate the exception duration (e.g., temporary, long-term). The Northeastern University CISO is responsible for disseminating and communicating all risk-based exception approvals and rescissions to the relevant stakeholders in a timely manner.
Change and Review Log
Date | Description | Version | Editor |
---|---|---|---|
12/19/2024 | Initial draft for Stakeholder Review | 0.1 | Kwaku Danquah |
1/24/2025 | Manager review before stakeholder review | 0.2 | Brad Wing |
9/3/2025 | Final draft approved by CISO | 1.0 | Brad Wing |
Appendix A. Northeastern University Audit and Accountability Standard Summary
The table below summarizes the minimum criteria for enabling audit and accountability capabilities within the Northeastern University IT system environment.
- The first column, “NIST Practice ID”, identifies the NIST SP 800-171 practice from which the requirement is derived.
- The second column, “NIST Practice Statement”, gives the NIST practice that must be met for that control.
- The third column, “Derived Requirement”, provides a description of the requirement derived from the high-level practice statement. Derived requirements were developed from analysis of the intent of the practice and the logical components required to satisfy the practice. In some instances, a practice statement may be derived into several requirements that must all be addressed to satisfy the practice.
- The final column, “Northeastern University Environment Criteria”, defines the minimum criteria (e.g., configurations, actions, responsibilities, practices) which the university will implement to satisfy the related practice.
NIST Practice ID | NIST Practice Statement | Derived Requirement | Northeastern University Environment Criteria (Northeastern University Practice Implementation) |
---|---|---|---|
3.3.2 | Ensure that the actions of individual IT system users can be uniquely traced to those users so they can be held accountable for their actions. | Audit Record Content | Audit logs must contain enough information to establish the following: What type of event occurred (e.g., event descriptions). When the event occurred (e.g., time stamps). Where the event occurred (e.g., source and destination addresses). Source of the event (e.g., user or process identifiers). Outcome of the event (e.g., success or failure indicators). Identity of any individuals, subjects, or objects/entities associated with the event (e.g., username, filenames involved). |
 | | Types of logs that must be captured | Account Logon Events: Logon Success; Logon Failure [Failed User Authentication – Unknown username/bad password, Multiple Login Attempts/Logon Failures, Account Locked Out]; Logoff. |
 | | | Account Management: Account Created; Privileged Account Created; Local Account Created [Outside of Standard Account Creation Process]; Account Deleted; Account Disabled; Account Expired; Password Changed. |
 | | | Audit Policy Change: All Changes; All Group Policy Object (GPO) Changes. |
 | | | Directory Service: Object (user, machine, etc.) Added to Domain/Directory; Object Removed from Domain/Directory; Domain Policy Change; Linux Systems Joined to Active Directory (AD) [via Centrify]. |
 | | | Filesystem Events: Directory Created; Directory Deleted; Directory Read; Directory Write; Directory Permissions Changed; File Created; File Deleted; File Read; File Write; File Permissions Changed; Object Access. |
 | | | Logging Event: Event Log Full [Local (System); Centralized (SIEM)]; Event Log Overwritten [Local (System); Centralized (SIEM)]. |
 | | | Network Events: Access Control List (ACL) Changed; Traffic Blocked at Firewall; Network Device Logs [Forwarded to SIEM]; Host-based Firewall Logs [Linux, Windows]. |
 | | | Privilege Use: Privilege Escalation (e.g., sudo); Privileged Object or Service Called; Object Accessed by Privileged Account. |
 | | | Process Tracking: Process Executed; Process Terminated; Scheduled Event Executed; Scheduled Event Failed. |
 | | | System Events: Service Stopped; System Startup; System Shutting Down; Session Disconnected. |
3.3.1 | Create and retain IT system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized IT system activity. | Audit Event Retention | The System Administrator is responsible for: Implementing all audit events defined in the Baseline Auditing Requirements section on all relevant Northeastern University IT system components. All audit events are required to be retained for a minimum of 6 (six) months in a readily accessible format. |
3.3.7 | Provide an IT system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records. | Time Stamps | The System Administrator is responsible for: Implementing and configuring an authoritative time server to provide relevant Northeastern University IT system components with a time source. Configuring relevant Northeastern University IT system components to synchronize internal system clocks with the authoritative time server daily, at a minimum, to allow for the generation of accurate audit record time stamps. |
3.3.3 | Review and update logged events. | Audited Event Review | The System Owner is responsible for: Reviewing the listing of implemented audit event types (e.g., logon success, event log full, etc.), as defined in the Baseline Auditing Requirements section, at least annually, or whenever there is a significant change to the Northeastern University environment. |
3.3.4 | Alert in the event of an audit logging process failure. | Account Logon Events | Notify System Administrator and System Owner via alert within 15 minutes of 20+ Login Attempts/Logon Failures within 10 minutes. |
 | | Filesystem Events | Notify System Administrator and System Owner via alert within 15 minutes of File access attempts by unauthorized user accounts. |
 | | Logging Event | Notify System Administrator and System Owner via alert within 15 minutes of Event Log Full; Event Log Overwritten. |
 | | Privilege Use | Notify System Administrator and System Owner via alert within 15 minutes of Improper or unauthorized usage of administrator privileges; Use of service accounts for interactive log on. |
 | | Process Tracking | Notify System Administrator and System Owner via alert within 15 minutes of Audit Process Termination/Failure. |
3.3.8 | Protect audit information and audit logging tools from unauthorized access, modification, and deletion. | Audit Protection | The System Administrator is responsible for: Configuring IT systems to allow access to only privileged users explicitly authorized to access audit information and audit logging tools. All audit log information must be protected in transit and at rest from unauthorized access, modification, and deletion. |
3.3.9 | Limit management of audit logging functionality to a subset of privileged users. | Audit Management | The System Administrator is responsible for: Authorizing and restricting all access to audit management functionality on relevant Northeastern University IT system components to a designated subset of privileged users. The System Owner is responsible for: Developing and maintaining an updated listing of all designated privileged users with access to audit management functionality within the relevant Northeastern University IT systems. |
3.3.5 | Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity. | Correlation & Analysis | The System Owner is responsible for: Ensuring that the audit record review, analysis, and reporting processes are correlated to allow for investigation and response to indications of unlawful or suspicious activity. The System Administrator is responsible for: Immediately reporting any suspected malicious activity to the System Owner for resolution. |
3.3.6 | Provide audit record reduction and report generation to support on- demand analysis and reporting. | Reduction & Reporting | The System Administrator is responsible for: Implementing and configuring an audit record reduction and report generation tool (e.g., SIEM) to ingest audit logs from relevant Northeastern University IT system components. The audit reduction solution must support on-demand analysis and reporting against the ingested audit logs. |
Appendix B. Audit and Accountability References
The following references are common industry standards used to carry out the audit and accountability criterion defined within this standard.
- National Institute of Standards and Technology (NIST) Special Publication 800-92, Guide to Computer Security Log Management. https://csrc.nist.gov/publications/detail/sp/800-92/final
- Center for Internet Security (CIS) Benchmarks. https://www.cisecurity.org/cis-benchmarks/
- Defense Information Systems Agency (DISA), Security Technical Implementation Guides (STIGs). https://public.cyber.mil/stigs/