DAOD 6003-3, Information Technology Security Monitoring and Auditing
1. Introduction
Date of Issue: 2015-11-26
Application: This DAOD is a directive that applies to employees of the Department of National Defence (DND employees) and an order that applies to officers and non-commissioned members of the Canadian Armed Forces (CAF members).
Approval Authority: Assistant Deputy Minister (Information Management) (ADM(IM)) / Chief Information Officer (CIO)
Enquiries: Director Information Management Security (DIM Secur)
2. Definitions
audit (vérification)
The process of conducting an independent review and examination of system records and activities in order to test for adequacy of system controls, to ensure compliance with established policy and operational procedures, and to recommend any indicated changes in controls, policy, or procedures. (Defence Terminology Bank record number 27493)
information technology (technologies de l’information)
Involves both technology infrastructure and IT applications. Technology infrastructure includes any equipment or system that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission or reception of data or information. IT applications include all matters concerned with the design, development, installation and implementation of information systems and applications to meet business requirements. (Directive on Management of Information Technology, Treasury Board)
monitoring (surveillance)
The continuous process of observing the operations of information systems with the objective of detecting deviations from planned or expected behaviour. (ITSG-33, IT Security Risk Management: A Lifecycle Approach, Communications Security Establishment Canada)
operational authority (autorité opérationnelle)
The person who has the authority to define requirements and operating principles, set standards and accept risk within their area of responsibility. (Defence Terminology Bank record number 43435)
security authority (autorité de sécurité)
The person who has the authority to identify risk, provide advice and security standards for endorsement by the operational authority and technical authority, and monitor compliance within their area of responsibility. (Defence Terminology Bank record number 43436)
technical authority (autorité technique)
The person who has the authority to set technical specifications and standards, manage configurations, provide technical advice and monitor compliance within their area of responsibility. (Defence Terminology Bank record number 43437)
Context
3.1 Monitoring and auditing are required to sustain and protect critical information technology (IT) infrastructure, systems and services. In accordance with the Treasury Board Directive on Departmental Security Management and the Operational Security Standard: Management of Information Technology Security (MITS), the DND and the CAF are required to ensure that:
- audit log functions are included on all IT systems;
- audit logs are continuously monitored to detect unauthorized access or attempts to access IT system resources;
- automated, real-time, incident detection tools are incorporated in high-risk IT systems; and
- implementation and effectiveness of IT security controls are monitored.
3.2 This DAOD should be read in conjunction with the DND and CF IM and IT Policy Framework and other relevant ADM(IM) policies, instructions, directives, standards and guidance.
Objectives
3.3 The objectives of this DAOD are to:
- establish an effective IT security monitoring and auditing strategy for the IT Security Programme;
- implement a systematic and consistent approach to IT security monitoring and auditing; and
- identify the roles and responsibilities for the coordination and management of IT security monitoring and auditing.
Expected Results
3.4 The expected results of this DAOD are:
- increased collection of audit log information on IT systems;
- improved quality of audit records to be used for investigations and audits; and
- improved detection of IT security incidents on IT systems.
Monitoring
4.1 The monitoring of IT systems is accomplished through a combination of technical tools and administrative processes. Operational authorities (OAs) must ensure that:
- audit logs of IT security events are reviewed and automated notifications are examined in a timely manner;
- any suspicious audit log entries or notifications are flagged for further analysis; and
- incident management processes are engaged when an IT security incident is detected or suspected.
4.2 In addition, continuous, automated, real-time, incident detection tools must be implemented for all high-risk systems. High-risk systems are those systems whose compromise will directly jeopardize critical DND business activities or CAF operations.
Audit Logs
4.3 Unusual events that occur during the operation of an IT system must be recorded in an audit log for further analysis.
4.4 Audit logs are critical for identifying and resolving IT security incidents and for holding individual users accountable for their actions. Audit log entries must be:
- accurate and time-stamped; and
- protected against tampering and unauthorized access while being stored or transmitted.
4.5 Audit logs can be important sources of evidence during legal proceedings. To ensure that the value of audit logs as evidence is not compromised, DND employees and CAF members must not modify audit logs once they have been created.
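Paragraphs 4.4 and 4.5 require audit log entries to be time-stamped, protected against tampering while stored or transmitted, and never modified once created. The following is an added example, not part of this DAOD and not DND or CAF code, showing one common way to make that requirement verifiable: each entry carries an HMAC over its own contents and the previous entry's MAC, so an edit, insertion, deletion or reordering breaks the chain, and a small head record (entry count plus last MAC) forwarded to a separate collector catches truncation of the tail. The key, the events, the source addresses and the timestamps are all constructed for the demonstration.

```python
"""Tamper-evident audit log: HMAC hash chain plus an out-of-band head record.
Added example; the key, events and timestamps below are constructed."""
import copy
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional, Tuple

# Constructed demonstration key. In a real deployment the key lives in a key
# store the logged system cannot read, so a compromised host cannot re-sign
# its own history.
DEMO_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # chain anchor used as the "previous MAC" of entry 0


def _entry_mac(key: bytes, prev_mac: str, seq: int, ts: str, event: dict) -> str:
    # Canonical JSON so the MAC does not depend on dict ordering or whitespace.
    msg = json.dumps({"prev": prev_mac, "seq": seq, "ts": ts, "event": event},
                     sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_entry(log: list, event: dict, key: bytes = DEMO_KEY,
                 ts: Optional[str] = None) -> dict:
    """Append one time-stamped entry whose MAC binds it to the previous entry."""
    prev = log[-1]["mac"] if log else GENESIS
    seq = len(log)
    ts = ts or datetime.now(timezone.utc).isoformat(timespec="seconds")
    entry = {"seq": seq, "ts": ts, "event": event, "prev": prev}
    entry["mac"] = _entry_mac(key, prev, seq, ts, event)
    log.append(entry)
    return entry


def head(log: list) -> Tuple[int, str]:
    """(count, last MAC): the small record forwarded to a separate collector."""
    return (len(log), log[-1]["mac"] if log else GENESIS)


def verify_log(log: list, key: bytes = DEMO_KEY,
               expected_head: Optional[Tuple[int, str]] = None):
    """Return (True, None) if intact, else (False, index of the first bad entry).
    Edits, insertions, deletions and reordering inside the chain are detected
    from the log alone; truncation of the tail is only caught when the head
    record held elsewhere is supplied as expected_head."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["seq"] != i or e["prev"] != prev:
            return False, i
        expected = _entry_mac(key, prev, e["seq"], e["ts"], e["event"])
        if not hmac.compare_digest(expected, e["mac"]):
            return False, i
        prev = e["mac"]
    if expected_head is not None and head(log) != expected_head:
        return False, len(log)
    return True, None


def demo() -> dict:
    """Build a constructed three-entry log and show which tampering is caught."""
    log = []
    append_entry(log, {"user": "user.a", "action": "login_ok", "src": "192.0.2.10"},
                 ts="2015-11-26T10:00:00+00:00")
    append_entry(log, {"user": "user.b", "action": "login_failed", "src": "192.0.2.11"},
                 ts="2015-11-26T10:00:05+00:00")
    append_entry(log, {"user": "user.b", "action": "privilege_change", "src": "192.0.2.11"},
                 ts="2015-11-26T10:00:09+00:00")
    h = head(log)  # what the collector stored when the last entry was forwarded

    edited = copy.deepcopy(log)
    edited[1]["event"]["action"] = "login_ok"       # rewrite a failed login
    deleted = copy.deepcopy(log)
    del deleted[1]                                   # remove a middle entry
    reordered = copy.deepcopy(log)
    reordered[0], reordered[1] = reordered[1], reordered[0]
    truncated = copy.deepcopy(log)
    del truncated[2]                                 # drop the newest entry

    return {
        "clean": verify_log(log, expected_head=h),
        "edited": verify_log(edited),
        "deleted_middle": verify_log(deleted),
        "reordered": verify_log(reordered),
        "truncated_no_head": verify_log(truncated),
        "truncated_with_head": verify_log(truncated, expected_head=h),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} {result}")
```

The design point is where the trust lives: the verifying key and the head record must be held outside the system that writes the log (a separate collector), which is what makes the "stored or transmitted" part of 4.4 checkable rather than a matter of policy alone. The chain proves that the log has not changed since each entry was written; whether the timestamp in each entry is accurate is a separate property that depends on the host's time source.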
4.6 Audit logs are information resources of business value and are therefore subject to the retention requirements set out in DAOD 6001-1, Recordkeeping. For more detailed information on retention requirements for audit logs, see primary number 2102 (security – information systems) in the Defence Subject Classification and Disposition System (DSCDS).
IT Security Control Monitoring
4.7 IT security control monitoring is required to ensure that controls function properly in order to effectively safeguard the assets that they are intended to protect. See DAOD 6003-2, Information Technology Security Risk Management, for more information.
IT System Security Self-Assessment
4.8 In support of the ongoing security of IT systems, OAs must ensure that all systems within their area of responsibility have their security regularly reviewed and self-assessed, and that the results are reported to the DIM Secur.
4.9 OAs must contact the DIM Secur for details on the self-assessment methodology.
Oversight and Compliance
4.10 In addition to the monitoring and auditing requirements described above, the DIM Secur may conduct oversight and compliance activities on selected IT systems. These activities could include reviews and assessments of audit reports if warranted by IT security events or IT security incidents, or in response to OA concerns.
Privacy
4.11 IT security monitoring and auditing are subject to the provisions of the Privacy Act. In the conduct of monitoring and auditing of IT security, DND employees and CAF members must also comply with all Government of Canada (GC), DND and CAF policies, instructions, directives and standards in respect of the privacy of DND employees and CAF members.
Consequences of Non-Compliance
5.1 Non-compliance with this DAOD may have consequences for both the DND and the CAF as institutions, and for DND employees and CAF members as individuals. Suspected non-compliance may be investigated. The nature and severity of the consequences resulting from actual non-compliance will be commensurate with the circumstances of the non-compliance.
Note – In respect of the compliance of DND employees, see the Treasury Board Framework for the Management of Compliance for additional information.
Responsibility Table
6.1 The following table identifies the responsibilities associated with this DAOD:
The ... | is or are responsible for ...
---|---
DIM Secur |
Commanding Officer, Canadian Forces Network Operations Centre (CFNOC) |
OAs |
technical authorities |
SAs |
DND employees and CAF members |
Acts, Regulations, Central Agency Policies and Policy DAOD
- Privacy Act
- Framework for the Management of Compliance, Treasury Board
- Directive on Departmental Security Management, Treasury Board
- Directive on Management of Information Technology, Treasury Board
- Operational Security Standard: Management of Information Technology Security (MITS), Treasury Board
- DAOD 6003-0, Information Technology Security
Other References
- DAOD 1002-0, Personal Information
- DAOD 6001-1, Recordkeeping
- DAOD 6003-2, Information Technology Security Risk Management
- Defence Subject Classification and Disposition System (DSCDS)
- DND and CF IM and IT Policy Framework
- IMS 6003-1-1, Information Technology Security Incident Management
- ITSG-33, IT Security Risk Management: A Lifecycle Approach, Communications Security Establishment