Logging, Monitoring & Audit Policies

Document Version & Control

  • Version: 1.0
  • Last Review Date: 6 Jan 2025
  • Next Review Date: [12 months from last review or upon significant changes]
  • Approver: CTO, DPO

Purpose & Scope
These policies establish the standards for generating, collecting, storing, reviewing, and auditing logs, as well as monitoring system performance and security events. They ensure critical security, operational, and compliance events are recorded, monitored, and available for audit and forensic analysis.

These policies apply to all production environments, systems, applications, and databases storing client or applicant data, as well as supporting services hosted on AWS, Digital Ocean, and integrated third-party solutions.

Compliance & References

  • Standards & Frameworks:
    • ISO 27001: A.12 (Operations Security), A.13 (Communications Security)
    • NIST SP 800-53 (AU - Audit and Accountability)
    • SOC 2 (Security, Availability)
  • Regulations: PDPA (Singapore), GDPR (if applicable)
  • Related Internal Policies:
    • Information Security Policy
    • Data Management & Database Policies
    • Encryption & Key Management Policy
    • Authentication & Access Control Policy
    • Incident Response & Breach Notification Policy
    • Change Management & Release Management Policies

Roles & Responsibilities

  • CTO: Ensures logging and monitoring infrastructure is properly implemented and maintained.
  • DPO: Oversees the security aspects of logging and monitoring, ensuring logs meet compliance and audit requirements.
  • DevOps & Infrastructure Team: Implements and maintains log collection, monitoring solutions, and ensures log integrity and availability.
  • Security & Compliance Team: Reviews logs for anomalies, coordinates with Incident Response if suspicious activity is detected, and supports audits.
  • Internal Audit Team (if applicable): Conducts periodic reviews to ensure adherence to these policies.

Logging Policy

  1. Log Sources & Events:
    • Log critical system events including authentication attempts (successful/failed), user account changes, privileged actions, configuration changes, and access to sensitive data.
    • Capture logs from servers, applications, databases, network devices, and security tools (e.g., firewalls, IDS/IPS).
  2. Log Content & Format:
    • Include timestamps, user identifiers, source IP addresses, event descriptions, and other relevant metadata where applicable.
    • Use standardized formats (e.g., JSON, syslog) for consistency and easier parsing.
  3. Log Storage & Retention:
    • Store logs in a secure, centralized repository with appropriate access controls and encryption.
    • Determine log retention periods based on regulatory, contractual, and business requirements.
    • Ensure log integrity by using cryptographic checks or WORM (Write-Once-Read-Many) storage if necessary.
  4. Access Control to Logs:
    • Restrict log access to authorized personnel with a defined business need.
    • Integrate log access management with existing IAM solutions (e.g., AWS IAM) and enforce MFA for privileged log access.
    • Apply the principle of least privilege for viewing and analyzing logs.
  5. Log Backup & Recovery:
    • Back up logs according to the established backup schedule in the Data Management & Database Policies.
    • Periodically test log restoration procedures to ensure availability during incidents or audits.

Monitoring Policy

  1. Monitoring Scope & Tools:
    • Continuously monitor critical systems, applications, and network components for performance, security events, and SLA compliance.
    • Use AWS CloudWatch and other approved tools to collect metrics, logs, and events.
  2. Thresholds & Alerts:
    • Establish thresholds and alert conditions as part of ongoing operations (e.g., CPU usage, memory consumption, login failure rates).
    • Configure alerts to notify relevant teams (Security, DevOps) via Teams alerts or other agreed-upon channels for timely response.
  3. Performance & Availability Monitoring:
    • Track key performance indicators (e.g., response times, uptime, error rates) and investigate issues that impact SLAs or user experience.
    • Promptly remediate performance degradation or resource contention.
  4. Security Monitoring:
    • Monitor for suspicious logins, privilege escalations, abnormal traffic patterns, and potential data exfiltration.
    • Correlate events from multiple sources to identify complex threats or persistent attacks.
  5. Incident Response Integration:
    • Integrate monitoring solutions with the Incident Response & Breach Notification Policy.
    • Trigger investigation, containment, and remediation workflows when alerts indicate potential incidents.

Audit Policy

  1. Audit Scope & Objectives:
    • Conduct periodic internal audits of logging, monitoring practices, and related security controls.
    • External audits may occur as required by contracts or internal decisions.
  2. Audit Trail & Evidence:
    • Maintain comprehensive records of log sources, retention periods, and access controls.
    • Document procedures for log review, alert handling, and incident response to demonstrate due diligence.
  3. Audit Frequency & Methodology:
    • Perform internal audits at least annually or after major infrastructure, process, or regulatory changes.
    • Follow recognized auditing methodologies (e.g., ISO 27001 internal audit procedures).
  4. Remediation & Follow-up:
    • Address audit findings promptly and update policies, procedures, and controls to improve security posture and compliance.

Compliance & Auditability

  • Regulatory Compliance:
    Comply with PDPA, GDPR (if applicable), and other relevant regulations. Retain logs and audit trails as required to demonstrate compliance.

  • Internal & External Audits:
    Provide evidence and documentation to auditors as requested.
    Remediate findings and incorporate lessons learned into continuous improvement efforts.

  • Policy Exceptions:
    Document and approve exceptions through a formal risk acceptance process overseen by the CTO and DPO.

Training & Awareness

  • Staff Training:
    Train Security, DevOps, and other relevant teams on proper log analysis, incident detection, and monitoring tools.
    Reinforce the importance of prompt alert response and accurate logging in security awareness sessions.

Policy Review & Maintenance

  • Review Cycle:
    Review these policies annually or after significant changes to systems, tools, or regulatory requirements.
    Update policies, runbooks, and procedures to reflect enhancements, lessons learned, and evolving best practices.

Copyright © 2024. All Rights Reserved by TechKnowledgey Pte Ltd. Scout is an AI-powered, all-in-one talent sourcing tool built for recruiters, by recruiters.