Policy Concerning Collection, Access, Analysis, Retention, and Destruction of NYU Log Data
Background
System logs, also known as log files, are created automatically during system operation and contain entries about the events that happened in a system. These logs record events occurring within NYU systems and networks, and may be held by NYU or by third-party vendors.
Technology staff at NYU, including NYU IT staff, store this information for specific business reasons or to satisfy legal requirements. Business reasons include protecting NYU information and systems, as well as supporting other information and system operation functions. Security, software, operating system, and application log data are critical components in detecting, analyzing, preventing, and responding to potential information security incidents including unauthorized data disclosures and activities on NYU systems.
- Examples of security logs include, but are not limited to: Antivirus/Anti-malware; intrusion detection systems; vulnerability scanning; authentication; email logs; network and wireless logs; firewalls; routers.
- Examples of operating systems and application logs include, but are not limited to: System events; audit records.
Log files that contain personally identified or personally identifiable information (PII) or sensitive data are considered to be High Risk data within the NYU Electronic Data and System Risk Classification Policy and are subject to institutional privacy requirements and retention and destruction requirements. NYU IT and other technology units take active measures to prevent unauthorized access during the retention period. System administrators or responsible parties should purge log files after their business use is completed, consistent with regulatory requirements; business use reasons include, but are not limited to, compliance, troubleshooting, collecting metrics on usage and activity, billing, documentation, electronic discovery requirements, and security investigations.
Policy
Technology units at NYU, including NYU IT, create log files during the course of doing business. These must be retained and managed to ensure smooth operation, privacy, and appropriate use.
All technology staff at NYU who have job-related access to logs, authentication, network, or email logs are required to:
- Follow the provisions of the Policy on Responsible Use of NYU Computers and Data;
- Access, monitor, or analyze logs, network connections, or location information of individuals only for legitimate business and job-related purposes; and
- Keep such information confidential and not disclose such information to others unless there is a job-related or legal requirement to do so.
Further, logs will be used for their intended purpose described above. The University will not, unless an exception requires it, use logs to:
- Monitor personal information about individual users; or
- Monitor the websites that individual users have visited or from which they have downloaded files.
Scope of this Document
This Policy applies to all technology staff at NYU (including student employees) and contractors who are responsible for or use system log files. The practices described here inform system and security administrators of their responsibilities to safeguard the privacy of personally identified and identifiable information that may have been captured in system logs they handle and to identify the retention and destruction rules for system logs on servers and networked devices that are owned and managed by technology units at NYU, including NYU IT.
Roles and Responsibilities
Global University Chief Information Security Officer (Global CISO):
- Collaborates and coordinates with University units and unit technology staff to develop and implement unit-level log procedures; coordinates with unit technology staff if there is a need to examine or collect log data from a specific unit.
- Where appropriate and in consultation with the Office of General Counsel, coordinates review and release of log data across the University and to law enforcement agencies, in alignment with the University Access to Personal Digital Content policy.
- Oversees compliance with this Policy for NYU IT-collected and -maintained logs.
University Technology Units:
- Adhere to the requirements of this Policy (see Specifications) in all instances where logging of systems or applications includes Moderate, High or Sensitive data;
- Protect the confidentiality, integrity, and availability of logs under the unit’s control;
- Maintain awareness of and compliance with regulatory log collection and analysis requirements that apply to the types of data within the unit, for example, HIPAA, PCI, or GLBA;
- Provide log data to the Global CISO upon request for incident detection, incident response, and to satisfy policy and regulatory requirements; and
- Establish, maintain, and make available to the Global CISO upon request a systematic process for the recording, retention, destruction, and access to log files in accordance with these practices.
Specifications
Log files are historical and current digital records, created automatically during system operation, concerning the use and operation of a virtual or physical computer system or networked device, and necessary for system troubleshooting and analysis.
In setting the retention period, NYU has considered a variety of competing interests, including but not limited to, the need to maintain operational reliability and the importance of reducing opportunities for inadvertent disclosure of data.
In general, log files should not be retained beyond their usefulness for system operations or as required by applicable laws and regulations. Where no regulatory requirements exist, log files should be retained for not more than ninety (90) days. Exceptions, where log information is kept for either a shorter or longer period of time, may be granted on a case-by-case basis by the Global CISO. Technology units may be granted exceptions through NYU school or unit leadership. This includes retention periods dictated by regulations.
If system log files contain relevant information that is useful for a pending transaction, is needed for documentation purposes, or could be used as evidence of a management decision, the specified log(s) should be retained. It is the responsibility of the technology staff to move the specified log(s) to another IT-owned system for retention just before it has reached its maximum retention time, or temporarily extend the log collection period. Additional retention time will not be provided to collect data needed for statistical log analysis or information needed for proper administration of systems.
Care should be taken not to retain unneeded logs. The cost of long-term retention can be significant and could expose the University to high costs of retrieving and reviewing the otherwise unneeded records in the event of litigation.
B. Destruction of Log Files
System administrators must destroy log data when its retention time passes in accordance with the Data and System Security Policy which states that "system logs must be retained for thirty (30) days and then destroyed unless further retention is necessary due to legal, regulatory, or contractual requirements." When specified for destruction, all originals, backups, and copies of logs should be destroyed. For this reason, log files should not be backed up to removable media and should stay on the centralized log server or the local file system of the machine on which they are generated. In addition, care should be taken to exclude log files from computer disk images.
Log files should be destroyed in the most destructive and economical way available.
The destruction of logs must be postponed whenever a subpoena, discovery motion, or other legal notice is received. Such destruction also should be postponed if the material might be needed for an imminent legal action.
See the Standard for Destruction and Disposal of Electronic Equipment and Data.
C. Privacy Concerns and Procedures for Accessing Logs
Access to log data is guided by several related policies:
- Policy on Responsible Use of NYU Computers and Data
- Policy on University Access to Personal Digital Content
- Data and System Security Policy
In addition, NYU IT is also guided by:
- Code of Conduct: IT@NYU
- Policy on Requests to NYU Information Technology (NYU IT) to Support Investigations
System logs may contain personally identified or personally identifiable information (PII) about individual users of NYU information resources.
The University is committed to ensuring the privacy of its community members' PII. The policy on University Access to Personal Digital Content establishes general standards for accessing and monitoring all types of University records. Security logs are considered business records as defined in the Policy.
1. Permission to Access Logs
Employees who need access to system, authentication, network, security, or email logs in order to perform their jobs must be approved. Log access cannot be shared. Log access should be provided for the appropriate use and period of time when needed. When an individual’s role changes, their access to the log data should also change.
NYU IT Procedure
Requests for log access are handled by contacting ciso@nyu.edu. The accounts have a 90-day password reset requirement, as these accounts are considered to have elevated access.
Technology Units
Technology units must create and document their procedure for granting access to log data maintained by the unit, with the appropriate permissions and access controls. This procedure must be approved by the Global CISO.
2. Auditing Access to Logs
Log access must be audited at least every ninety (90) days to ensure that access is appropriate. Technology staff outside of NYU IT are responsible for auditing access to their logs.
3. Procedures for Accessing Logs
NYU IT-collected and -managed Logs
Email security logs (containing recipient, sender, subject, date, and delivery information) may be consulted:
1. By specific and approved IT staff (security, network engineering, service desk) to resolve specific delivery, impersonation, or spoofing issues. These requests must come from the sender or recipient of the email and must, in the case of NYU IT, be documented in an NYU ServiceLink ticket.
2. By NYU IT Global Office of Information Security (GOIS) in response to a security alert of malicious email in order to determine scope of threat or to block malicious email addresses.
Wireless logs (containing location of authentication to specific access points) may be consulted by specific and approved IT staff (network engineering) to respond to specific and approved uses. These requests must be documented, in the case of NYU IT, in an NYU ServiceLink ticket, and approved by the Office of the VP/CIO. Non-NYU IT units must decide on the process they will use for authorization.
Authentication and other security logs (containing authentication, date, and time) may be consulted by specific and approved IT staff to respond to specific and approved uses. These requests must, in the case of NYU IT, be documented in an NYU ServiceLink ticket and must be approved by the Office of the VP/CIO. Non-NYU IT units must decide on the process they will use for authorization.
Any other requests for email or other log information must follow the Policy on Requests to NYU Information Technology (NYU IT) to Support Investigations.
Whenever possible, individual notification is done consistently with the Policy on University Access to Personal Digital Content.
Other Technology-Unit Collected and Managed Logs:
Other technology units that collect and maintain logs must have documented procedures for accessing those logs in scope for this policy. These procedures must be approved by the Global CISO.
In the event of a declared health or safety emergency, the Global CISO or a delegated authority, in consultation with the Office of General Counsel (OGC), may authorize accessing logs with PII contained in security, wireless, authentication, or email logs.
In some cases, the University may be compelled by law, such as a court order or subpoena, to retain or release information contained in security logs. All such releases must be coordinated by the Office of the VP/CIO and the OGC.
D. Violations
Violations of this Policy may result in disciplinary action up to and including suspension or revocation of computer accounts and access to networks, non-reappointment, discharge, dismissal, and/or legal action. For NYU IT staff, the Code of Conduct: IT@NYU applies. In addition, connectivity of machines and servers to the NYU network that do not comply with this Policy may be limited or disconnected.
Notes
- Dates of official enactment and amendments: Dec 1, 2019
- History: Last Review: September 10, 2021. Last Revision: December 1, 2019
- Cross References: N/A
About This Policy
- Effective Date:
- Supersedes: N/A
- Issuing Authority: Executive Vice President
- Responsible Officer: Vice President for Information Technology and Global University Chief Information Officer (CIO); Global University Chief Information Security Officer (Global CISO)