DAOD 6003-3, Information Technology Security Monitoring and Auditing


1. Introduction

Date of Issue: 2015-11-26

Application: This DAOD is a directive that applies to employees of the Department of National Defence (DND employees) and an order that applies to officers and non-commissioned members of the Canadian Armed Forces (CAF members).

Approval Authority: Assistant Deputy Minister (Information Management) (ADM(IM))

Enquiries: Director Information Management Security (DIM Secur)

2. Definitions

audit (vérification)

The process of conducting an independent review and examination of system records and activities in order to test for adequacy of system controls, to ensure compliance with established policy and operational procedures, and to recommend any indicated changes in controls, policy, or procedures. (Defence Terminology Bank record number 27493)

information technology (technologies de l’information)

Involves both technology infrastructure and IT applications. Technology infrastructure includes any equipment or system that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission or reception of data or information. IT applications include all matters concerned with the design, development, installation and implementation of information systems and applications to meet business requirements. (Directive on Management of Information Technology, Treasury Board)

monitoring (surveillance)

The continuous process of observing the operations of information systems with the objective of detecting deviations from planned or expected behaviour. (ITSG-33, IT Security Risk Management: A Lifecycle Approach, Communication Security Establishment Canada)

operational authority (autorité opérationnelle)

The person who has the authority to define requirements and operating principles, set standards and accept risk within their area of responsibility. (Defence Terminology Bank record number 43435)

security authority (autorité de sécurité)

The person who has the authority to identify risk, provide advice and security standards for endorsement by the operational authority and technical authority, and monitor compliance within their area of responsibility. (Defence Terminology Bank record number 43436)

technical authority (autorité technique)

The person who has the authority to set technical specifications and standards, manage configurations, provide technical advice and monitor compliance within their area of responsibility. (Defence Terminology Bank record number 43437)

3. Overview

Context

3.1 Monitoring and auditing are required to sustain and protect critical information technology (IT) infrastructure, systems and services. In accordance with the Treasury Board Directive on Departmental Security Management and the Operational Security Standard: Management of Information Technology Security (MITS), the DND and the CAF are required to ensure that:

  1. audit log functions are included on all IT systems;
  2. audit logs are continuously monitored to detect unauthorized access or attempts to access IT system resources;
  3. automated, real-time, incident detection tools are incorporated in high-risk IT systems; and
  4. implementation and effectiveness of IT security controls are monitored.

3.2 This DAOD should be read in conjunction with the DND and CF IM and IT Policy Framework and other relevant ADM(IM) policies, instructions, directives, standards and guidance.

Objectives

3.3 The objectives of this DAOD are to:

  1. establish an effective IT security monitoring and auditing strategy for the IT Security Programme;
  2. implement a systematic and consistent approach to IT security monitoring and auditing; and
  3. identify the roles and responsibilities for the coordination and management of IT security monitoring and auditing.

Expected Results

3.4 The expected results of this DAOD are:

  1. increased collection of audit log information on IT systems;
  2. improved quality of audit records to be used for investigations and audits; and
  3. improved detection of IT security incidents on IT systems.

4. Requirements

Monitoring

4.1 The monitoring of IT systems is accomplished through a combination of technical tools and administrative processes. Operational authorities (OAs) must ensure that:

  1. audit logs of IT security events are reviewed and automated notifications are examined in a timely manner;
  2. any suspicious audit log entries or notifications are flagged for further analysis; and
  3. incident management processes are engaged when an IT security incident is detected or suspected.

4.2 In addition, continuous, automated, real-time, incident detection tools must be implemented for all high-risk systems. High-risk systems are those systems whose compromise will directly jeopardize critical DND business activities or CAF operations.

Audit Logs

4.3 Unusual events that occur during the operation of an IT system must be recorded in an audit log for further analysis.

4.4 Audit logs are critical for identifying and resolving IT security incidents and for holding individual users accountable for their actions. Audit log entries must be:

  1. accurate and time-stamped; and
  2. protected against tampering and unauthorized access while being stored or transmitted.

4.5 Audit logs can be important sources of evidence during legal proceedings. To ensure that the value of audit logs as evidence is not compromised, DND employees and CAF members must not modify audit logs once they have been created.

4.6 Audit logs are information resources of business value and are therefore subject to the retention requirements set out in DAOD 6001-1, Recordkeeping. For more detailed information on retention requirements for audit logs, see primary number 2102 (security – information systems) in the Defence Subject Classification and Disposition System (DSCDS).

IT Security Control Monitoring

4.7 IT security control monitoring is required to ensure that controls function properly in order to effectively safeguard the assets that they are intended to protect. See DAOD 6003-2, Information Technology Security Risk Management, for more information.

IT System Security Self-Assessment

4.8 In support of the ongoing security of IT systems, OAs must ensure that all systems within their area of responsibility have their security regularly reviewed and self-assessed, and that the results are reported to the DIM Secur.

4.9 OAs must contact the DIM Secur for details on the self-assessment methodology.

Oversight and Compliance

4.10 In addition to the monitoring and auditing requirements described above, the DIM Secur may conduct oversight and compliance activities on selected IT systems. These activities could include reviews and assessments of audit reports if warranted by IT security events or IT security incidents, or in response to OA concerns.

Privacy

4.11 IT security monitoring and auditing are subject to the provisions of the Privacy Act. In the conduct of monitoring and auditing of IT security, DND employees and CAF members must also comply with all Government of Canada (GC), DND and CAF policies, instructions, directives and standards in respect of the privacy of DND employees and CAF members.

5. Consequences

Consequences of Non-Compliance

5.1 Non-compliance with this DAOD may have consequences for both the DND and the CAF as institutions, and for DND employees and CAF members as individuals. Suspected non-compliance may be investigated. The nature and severity of the consequences resulting from actual non-compliance will be commensurate with the circumstances of the non-compliance.

Note – In respect of the compliance of DND employees, see the Treasury Board Framework for the Management of Compliance for additional information.

6. Responsibilities

Responsibility Table

6.1 The following table identifies the responsibilities associated with this DAOD:

The ... is or are responsible for ...
DIM Secur
  • coordinating DND and CAF IT security monitoring and auditing;
  • identifying baseline monitoring and auditing requirements for DND and CAF IT systems;
  • identifying standardized processes and tools to assist in the implementation of IT security monitoring and auditing requirements; and
  • assessing the effectiveness and efficiency of DND and CAF IT security monitoring and auditing.
Commanding Officer, Canadian Forces Network Operations Centre (CFNOC)
  • performing assigned IT security monitoring tasks for DND and CAF IT systems; and
  • notifying the appropriate authorities when unauthorized accesses or attempts to access IT system resources are detected or suspected.
OAs
  • within their area of responsibility:
    • ensuring an appropriate level of IT security monitoring and auditing for IT systems and services;
    • ensuring all IT security monitoring responsibilities have been assigned to the applicable security authority (SA) or the CFNOC;
    • ensuring IT security monitoring and auditing results are provided to the DIM Secur, the Canadian Forces Information Operations Group and the applicable IT security practitioners in support of authorized investigations;
    • ensuring that the implementation and effectiveness of IT security controls that support their business activities and operations are monitored and that their results are reported to the applicable SAs; and
    • ensuring that IT security self-assessments are performed on IT systems and that the results are reported to the DIM Secur.
technical authorities
  • within their area of responsibility:
    • implementing and maintaining IT system monitoring and auditing in accordance with business, operational, technical and IT security requirements;
    • retaining audit log files in accordance with recordkeeping standards; and
    • notifying the appropriate SAs when unauthorized accesses or attempts to access IT system resources are detected or suspected.
SAs
  • within their area of responsibility:
    • identifying IT system-specific security requirements for monitoring and auditing;
    • regularly reviewing the security of audit log files;
    • performing assigned IT security monitoring tasks; and
    • notifying the appropriate authorities in accordance with approved IT incident management processes when unauthorized accesses or attempts to access IT system resources are detected or suspected.
DND employees and CAF members
  • notifying the appropriate SAs in accordance with approved IT incident management processes when unauthorized accesses or attempts to access IT system resources are detected or suspected; and
  • complying with all GC, DND and CAF policies, instructions, directives and standards in respect of IT security monitoring and auditing.

7. References

Acts, Regulations, Central Agency Policies and Policy DAOD

Other References

Report a problem or mistake on this page
Please select all that apply:

Thank you for your help!

You will not receive a reply. For enquiries, contact us.

Date modified: