This document presents Organization's Logging and Monitoring Policy. It outlines responsibilities for logging and monitoring systems, including the Chief Information Security Officer who ensures proper implementation. The policy scope covers all Organization resources and individuals with access. It defines types of logs to be collected, including general event and security logs. Requirements are provided for log security, retention, and review. The purpose is to specify roles and procedures for auditing user and system activities to ensure confidentiality, integrity and availability of information assets in compliance with regulatory requirements.


Logging and Monitoring Policy-XX

Version
XXXX
Doc. No: XX-ISMS-LMP Date: Page: 1 of 14

LOGGING AND MONITORING POLICY


http://www.Organization.in/

Document Classification: [Internal Use]


Document Ref. XX-ISMS-LMP
Version: Draft
Dated:
Document Author:
Document Owner:

Only the electronic file of this document is CONTROLLED. Printed copies of this document are UNCONTROLLED. Users of this
document are responsible for ensuring that printed copies are valid at time of use.

Table of Contents
1. PURPOSE.........................................................................................................................................4
2. SCOPE..............................................................................................................................................4
3. RESPONSIBILITIES.........................................................................................................................4
3.1 CHIEF INFORMATION SECURITY OFFICER (CISO)..............................................................4
3.2 MANAGEMENT........................................................................................................................5
3.3 SYSTEM/APPLICATION ADMINISTRATORS.........................................................................5
3.4 OPERATIONS/BUSINESS OWNERS......................................................................................6
4. POLICY.............................................................................................................................................6
4.1 TYPES OF AUDIT LOGS.........................................................................................................6
4.2 GENERAL EVENT LOGGING..................................................................................................7
4.3 SECURITY EVENT LOGGING.................................................................................................7
4.4 DATA REPOSITORIES (E.G., DATABASES, DIRECTORIES, FOLDERS, ETC.)..................8
4.5 SECURITY EVENT NOTIFICATION........................................................................................8
4.6 DATA EXCHANGE...................................................................................................................9
4.7 AUDIT LOG SECURITY CONTROLS......................................................................................9
4.8 PROTECTION OF AUDIT TOOLS.........................................................................................10
4.9 AUDIT REQUESTS FOR SPECIFIC CAUSE.........................................................................10
4.10 EVALUATION AND REPORTING OF AUDIT FINDINGS...................................................11
4.11 AUTOMATED AUDIT SYSTEMS........................................................................................12
4.12 AUDITING BUSINESS ASSOCIATE AND/OR VENDOR ACCESS AND ACTIVITY..........12
4.13 AUDIT LOG RETENTION................................................................................................... 13
5. POLICY COMPLIANCE.................................................................................................................13
5.1 COMPLIANCE MEASUREMENT...........................................................................................13
5.2 EXCEPTIONS........................................................................................................................ 13
5.3 NON-COMPLIANCE...............................................................................................................14
6. RELATED STANDARDS, POLICIES, AND PROCESSES...........................................................14
7. ISO 27001 CONTROL REFERENCE............................................................................................14


Revision History

Version | Date | Revision Author | Summary of Changes
Draft   |      |                 |

Distribution List
Title

Approver Record

Name Position Signature Date


1. PURPOSE
Organization is dedicated to ensuring the confidentiality, integrity, and availability of all sensitive
and confidential data it generates, receives, maintains, or transmits, in accordance with applicable
federal and state statutory requirements (hereafter referred to as regulatory requirements).

This policy specifies the roles, responsibilities, and procedures for auditing and monitoring user and
system activity on production, test, and development systems.

2. SCOPE
The policy statements written in this document are applicable to all Organization’s resources at all
levels of sensitivity, including:

 All full-time, part-time, and temporary users employed by, or working for or on behalf of
Organization.
 Contractors and consultants working for or on behalf of Organization.
 All other individuals and groups who have been granted access to Organization’s IT systems
and information.

This policy covers all information assets defined in the Risk Assessment Scope Document and will
be used as a foundation for information security management.

3. RESPONSIBILITIES
3.1 CHIEF INFORMATION SECURITY OFFICER (CISO)

The CISO is responsible for, but not limited to, the following activities:
 Maintaining and implementing this policy, educating the workforce on it, and enforcing it.
 Assisting system and application administrators with the implementation of log-on banners.


 Ensuring that all users, including system/application administrators and other privileged users,
are subject to audit and monitoring.
 Ensuring that audit and monitoring are performed on all systems that store, process, or transmit
covered information.
 Ensuring that every audit system in use provides reporting and filtering capabilities that can
locate specific logged events by selectable criteria.
 Ensuring that access to modify, disable, or destroy audit logs is restricted or closely supervised,
so that such actions are prevented and anyone who carries them out is positively identified.
 Ensuring that access to audit logs is limited to the smallest practical set of individuals, such as
designated administrators.
 Ensuring that the workforce members who oversee and manage the audit logging and monitoring
systems are equipped to carry out their responsibilities, and that they obtain any certifications
those systems require.

3.2 MANAGEMENT

Business units must comply with this policy and identify the operations/business owner for each of
their systems (e.g., financial system = CFO, People and Culture system = VP of People and Culture).

Management will engage general counsel to ensure that workforce system monitoring complies with all
applicable legal obligations.

3.3 SYSTEM/APPLICATION ADMINISTRATORS

System/application administrators are responsible for, but not limited to, the following activities:
 Ensuring that every user, including administrators and other privileged users, is monitored and
that their actions are recorded in the system audit logs.


 Preventing all users, including administrators and privileged users, from altering, disabling, or
deleting audit logs, and monitoring for such attempts so that anyone who makes them is positively
identified.
 Configuring audit logging to record all of the activities required by this policy.
 Reviewing audit logs daily for unusual or suspicious activity and taking the necessary action,
including notifying the CISO.
 Investigating alerts of unauthorized remote access connections to the company's network and
information systems, taking the necessary action when unauthorized connections are found, and
reviewing remote access activity with management quarterly.
 Periodically verifying that the audit logging and monitoring systems are operating properly and
collecting the expected data, and resolving any errors found.

3.4 OPERATIONS/BUSINESS OWNERS

Operations/business owners are responsible for, but not limited to, the following activities:
 Limiting user access to audit logs to the minimum required by job duties.
 Ensuring that all user activity, including that of privileged users and system/application
administrators, is monitored and reviewed.
 Ensuring that access to modify, disable, or destroy audit logs is restricted or monitored, so that
such actions are detected and anyone who carries them out is positively identified.

4. POLICY
4.1 TYPES OF AUDIT LOGS

Every in-scope system generates audit logs. The types of audit trail described below differ in what
they capture:
 User: User-level audit trails typically record all commands directly initiated by the user, all
identification and authentication attempts, and all files and resources accessed.


 Application/Database: Application/database-level audit trails typically record user actions such
as the opening and closing of data files, the specific actions listed in this policy, and the
printing of reports.
 System: System-level audit trails typically record user activities, programs used, and other
specifically defined system operations.
 Network: Network-level audit trails typically record what is running on the network, unauthorized
access attempts, and vulnerabilities.

4.2 GENERAL EVENT LOGGING

The following general attributes are mandatory audit requirements:

 Audit log entries must include:
o The user ID or service name that initiated an event
o The unique data subject ID or function that was performed
o Date and time the event was performed (timestamp)
o Any privileged operations (root, admin, security, supervisory, etc.) performed by the
endpoint
o System storage capacity issues
o Packet denials (network perimeter devices)
o System startup, reboot, or shutdown
 Covered information will never be captured in audit logs. Approval is needed for any
exceptions to this rule.
NOTE: Organization will at times require a unique and elevated level of system auditing and
monitoring for the purpose of:
o Business continuity
o Complying with regulatory and contractual requirements


4.3 SECURITY EVENT LOGGING

At a minimum, the following security related events will be captured in audit logs:
 Successful and unsuccessful access attempts to access the system
 User accounts that have been inactive for longer than 30 days
 Changes to access rights and privileges
 Unsuccessful attempts to use or access privileged operations
 Inbound and outbound communications from external entities
 File integrity monitoring
 System configuration and security policy (i.e., function/control) changes
 Date and time password changes are made
 Access to and changes to covered information, critical resources, and processes involved
 Attempts to reactivate or access disabled accounts
 Changes to access rights/privileges and security attributes, specifically those that increase
authority
 System alerts or failures
 Access to and attempts to modify audit log attributes
 Authorized and unauthorized remote access connections to the organization’s network

4.4 DATA REPOSITORIES (E.G., DATABASES, DIRECTORIES, FOLDERS, ETC.)

Data repositories containing covered information will record the following activity by name,
date, and time of event:
 Creation, viewing, modification, copying, moving, or deletion of covered information
 Creation, viewing, modification, copying, moving, or deletion of objects, tables, cells, folders,
directories, etc.
 Authorized access and unsuccessful attempts to access databases or network folders and
directories
 Every 90 days, Organization will review each extract of covered information held in these
repositories and determine whether the data can be erased or is still required.

4.5 SECURITY EVENT NOTIFICATION

Systems will be configured, where their capabilities permit, to notify administrators of malicious or
suspicious behavior. All alerts about suspected violations or suspicious conduct will be examined
and investigated. This category of activity includes, but is not limited to:
 Several unsuccessful attempts in a short period of time to access important files, objects,
directories, processes, administrative functions, etc.
 Suspicious behavior or misuse of system privileges, with special focus on administrative or
privileged accounts
 Unexpected modifications to important files, objects, directories, processes, etc.
 Attempts to alter the audit logs' properties or to destroy them
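The notification rules above, together with the mandatory attributes of 4.2 and the audit-log tampering events of 4.3, are the kind of checks a reviewer or SIEM rule runs over each day's records. The following is an added example written for this page; it is not part of the policy or of any vendor product. It assumes audit records are JSON objects, one per line, with the field names listed in REQUIRED_FIELDS, and the sample records are constructed rather than real logs.

```python
"""Added example for sections 4.2, 4.3 and 4.5: attribute validation, a
sliding-window rule for bursts of failed access attempts, and detection of
write actions against the audit logs themselves. Illustrative code written
for this page, not part of the policy. Assumptions: one JSON record per line
with the field names in REQUIRED_FIELDS; the sample records are constructed."""
import json
from collections import defaultdict, deque
from datetime import datetime

# Mandatory attributes from 4.2 (the field names are this example's assumption).
REQUIRED_FIELDS = ("ts", "user", "action", "target", "outcome")

# Locations that hold audit data; write actions against them are the
# "attempts to alter the audit logs' properties or destroy them" case of 4.5.
AUDIT_LOG_PREFIXES = ("/var/log/audit/", "/var/log/secure")
TAMPER_ACTIONS = {"modify", "delete", "truncate", "chattr", "disable"}

# Constructed sample records: a burst of failed logins by "mallory" against the
# HR database, one audit-log truncation by root, and one record missing "ts".
SAMPLE_LOG = """\
{"ts":"2024-03-01T09:00:00Z","user":"alice","action":"login","target":"hr-db","outcome":"success"}
{"ts":"2024-03-01T09:00:05Z","user":"mallory","action":"login","target":"hr-db","outcome":"failure"}
{"ts":"2024-03-01T09:00:12Z","user":"mallory","action":"login","target":"hr-db","outcome":"failure"}
{"ts":"2024-03-01T09:00:20Z","user":"mallory","action":"login","target":"hr-db","outcome":"failure"}
{"ts":"2024-03-01T09:00:31Z","user":"mallory","action":"login","target":"hr-db","outcome":"failure"}
{"ts":"2024-03-01T09:00:44Z","user":"mallory","action":"login","target":"hr-db","outcome":"failure"}
{"ts":"2024-03-01T09:15:00Z","user":"bob","action":"login","target":"hr-db","outcome":"failure"}
{"ts":"2024-03-01T09:30:00Z","user":"root","action":"truncate","target":"/var/log/audit/audit.log","outcome":"success"}
{"ts":"2024-03-01T09:31:00Z","user":"svc-backup","action":"read","target":"/var/log/audit/audit.log","outcome":"success"}
{"user":"carol","action":"login","target":"hr-db","outcome":"success"}
"""


def _t(ts):
    """Parse an ISO-8601 UTC timestamp ('Z' rewritten for older Pythons)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_events(text):
    """Return (events, rejected). A record missing a 4.2 mandatory attribute
    is rejected and reported by line number rather than silently dropped."""
    events, rejected = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rejected.append((n, "unparseable"))
            continue
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            rejected.append((n, "missing " + ",".join(missing)))
            continue
        rec["_t"] = _t(rec["ts"])
        events.append(rec)
    return events, rejected


def detect_failed_bursts(events, window_s=60, threshold=5):
    """Flag (user, target) pairs with >= threshold failures inside any
    window_s-second sliding window: the 'several unsuccessful attempts in a
    short period of time' rule of 4.5. Returns {(user, target): first time
    the threshold was crossed}."""
    recent = defaultdict(deque)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["_t"]):
        if ev["outcome"] != "failure":
            continue
        key = (ev["user"], ev["target"])
        q = recent[key]
        q.append(ev["_t"])
        while (ev["_t"] - q[0]).total_seconds() > window_s:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold and key not in alerts:
            alerts[key] = ev["_t"]
    return alerts


def detect_audit_tampering(events):
    """Return events that modify, delete or disable audit log files (4.3
    'access to and attempts to modify audit log attributes', 4.5). Reads by
    a backup account are allowed and therefore not flagged."""
    return [ev for ev in events
            if ev["target"].startswith(AUDIT_LOG_PREFIXES)
            and ev["action"] in TAMPER_ACTIONS]


def run(text=SAMPLE_LOG):
    """Apply all checks and return a summary a reviewer or alerting job can act on."""
    events, rejected = parse_events(text)
    return {
        "events": len(events),
        "rejected": rejected,
        "bursts": {f"{u}@{t}": at.isoformat()
                   for (u, t), at in detect_failed_bursts(events).items()},
        "tampering": [(ev["user"], ev["action"], ev["target"])
                      for ev in detect_audit_tampering(events)],
    }


if __name__ == "__main__":
    for k, v in run().items():
        print(k, v)
```

The rejected-record list matters as much as the alerts: a source that stops emitting a mandatory attribute such as the timestamp is itself a finding under 4.2, and silently discarding those records would hide it.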

4.6 DATA EXCHANGE

For all types of data communication, an audit log will be kept (i.e., email, instant messaging,
texting, etc.). The date, time, origin, and destination of messages sent and received will be
recorded in logs, but not their contents.

The audit log will record any disclosures of protected information made inside or outside the
organization and will include information about the type of disclosure, the day and time the
disclosure occurred, the receiver, and the sender.

4.7 AUDIT LOG SECURITY CONTROLS

Audit logs must be set to read-only to prevent unauthorized access or change: the logging mechanism
itself is the only writer, and system administrators, privileged users, and anyone else with access
rights are limited to read-only use. No one at Organization should be able to access, alter, or use
information systems without authorization without being recorded by the audit logging systems at
some point.

To reduce the impact that auditing may have on production resources, audit trail data should
always be kept on a separate system. To prevent time drift and to detect manipulation, system
administrators will synchronize system clocks against an authoritative time source at least weekly
(or sooner if necessary, such as around daylight saving time changes or system resets). Accurate
clock time is required to preserve the integrity of the data stored in audit logs, so time settings
must be access-restricted and safeguarded against unwanted changes.

Audit logs for all devices are kept on a server connected to the internal network. This applies in
particular to externally facing technologies (such as Wi-Fi, firewalls, web servers, portals, DNS,
etc.), so that a compromise of the device does not also compromise its logs.

4.8 PROTECTION OF AUDIT TOOLS

Access to audit tools, including their associated services and hardware, must be tightly
controlled to prevent abuse or compromise. Unauthorized or inexperienced individuals using
these tools may cause downtime, business disruption, and privacy concerns. Use of auditing tools
requires the approval of the CISO and the business/operations owners. These tools include, but
are not limited to:
 Scanning tools and devices
 War dialing software
 Password cracking utilities
 Network “sniffers”
 Passive and active intrusion detection systems

4.9 AUDIT REQUESTS FOR SPECIFIC CAUSE

Requests to monitor a workforce member’s activity, or to access their account without their
knowledge, with the intent to investigate fraud or inappropriate activity, to discipline or
terminate the member, or to dismiss a contractor/consultant, require approval from People and
Culture (HR).

People and Culture will send approved requests to the CISO, who will work with Information and
Technology Services (ITS) and management and, if appropriate, coordinate and set up monitoring.
Requests must state the time frame, frequency, and nature of the monitoring.

Situations that do not require approval are:
 A request to inspect telephone logs, as long as it is not directed at a specific employee.
 A request for access to the voicemail or email accounts of a terminated employee.
 A request by an individual to permit another person access to their own voicemail, email, or
phone calls (e.g., a manager giving access to their administrative support person).

4.10 EVALUATION AND REPORTING OF AUDIT FINDINGS

Daily checks of audit log data are required to look for potentially harmful activities. Audit results
must be promptly communicated to the correct operations/business owners. The CISO must be
notified right away of any significant findings that would suggest a security breach has already
occurred or is likely to do so.

Routine findings must be recorded and reported monthly to the CISO and the operations/business
owners.

False positives must also be dealt with, and a potential impact analysis for critical information
systems must be performed for major events.

Reports of audit findings must be used internally only, and only by those with a need to know.
Audit results may not be released outside the organization without the consent of the chief privacy
officer and/or legal counsel.

Security audits may be considered a private, internal monitoring procedure used to assess a
worker's performance. Care must be taken to ensure that only the appropriate supervisor and People
and Culture are given access to the findings of such audits. Audit data that could reveal
organizational vulnerabilities will be shared with great care.

4.11 AUTOMATED AUDIT SYSTEMS

Organization will collect audit log data from all important systems across the organization using
automated systems and technologies (such as a Security Information and Event Management system,
or SIEM). The key events defined in this policy are consolidated, analyzed in real time, alerted
on, and reported through this tool. The logs and other collected data will be combined with
non-technical inputs (such as security news feeds and newsletters) so that the tools stay current
on the threats they should be searching for.

4.12 AUDITING BUSINESS ASSOCIATE AND/OR VENDOR ACCESS AND ACTIVITY

To ensure that access and activity are appropriate for rights granted and essential to the
agreement between Organization and the external company, business associate and vendor
information system activities must periodically be monitored.

Organization leadership will review the business relationship if a business partner or vendor is
found to have exceeded the bounds of their access rights.

Organization must act immediately to correct the problem if a business partner is found to have
breached the terms of their agreement. The business relationship will be terminated if there are
further violations.

4.13 AUDIT LOG RETENTION

Audit logs must be retained according to the requirements of the company. Reports of audit
activities must be kept for six years to ensure regulatory and contractual compliance. The
retention criteria for the audit logs themselves are:
 Active (online) logs must be retained for a minimum of 90 days.
 Unless otherwise directed by People and Culture, legal counsel, or another authority (e.g., for
evidence or an investigation), logging data older than 90 days must be archived for one year.
 The regular backup process for the system must include a backup of the logging data.
 The security officer must also conduct regular availability and integrity checks of the logging
data itself.
 Management may extend the retention period for audit logs related to activity that is under
investigation for an incident or breach, litigation, or disciplinary action. Management reviews
all recorded incidents at least once a year.
Should audit log storage (e.g., the hard drive) become unavailable, systems will either halt and
stop generating auditable events or overwrite the oldest records first, as configured for that
system. An alert will be sent to designated personnel for any audit processing failure.
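Two of the conditions above are only visible from the central log server: clock drift or a backwards clock jump on a source (the manipulation 4.7 says clock synchronization is meant to expose), and a source that has stopped delivering records (the audit processing failure 4.13 requires an alert for). The following is an added example written for this page, not part of the policy. It assumes each forwarded record carries the originating host's own timestamp ("ts") and the collector's receive time ("rcvd"), both ISO-8601 UTC, and that hosts forward in near real time; the sample stream and the "current time" are constructed.

```python
"""Added example for sections 4.7 and 4.13: integrity checks a central log
collector can run over the records it receives. Illustrative code written for
this page, not part of the policy. Assumptions: each record has the source
host's timestamp 'ts' and the collector's receive time 'rcvd' (ISO-8601 UTC),
forwarding is near real time, and the sample stream below is constructed."""
from collections import defaultdict
from datetime import datetime


def _parse(s):
    """Parse an ISO-8601 UTC timestamp ('Z' rewritten for older Pythons)."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed sample stream: 'fw1' runs 7 minutes behind the collector, 'web1'
# emits one record whose clock jumped backwards, and 'dns1' goes silent after
# 09:05. Timestamps are the only fields that matter for these checks.
SAMPLE = [
    {"host": "web1", "ts": "2024-03-01T09:00:00Z", "rcvd": "2024-03-01T09:00:01Z"},
    {"host": "fw1",  "ts": "2024-03-01T08:53:02Z", "rcvd": "2024-03-01T09:00:02Z"},
    {"host": "dns1", "ts": "2024-03-01T09:05:00Z", "rcvd": "2024-03-01T09:05:00Z"},
    {"host": "web1", "ts": "2024-03-01T09:10:00Z", "rcvd": "2024-03-01T09:10:01Z"},
    {"host": "web1", "ts": "2024-03-01T08:40:00Z", "rcvd": "2024-03-01T09:12:00Z"},
    {"host": "fw1",  "ts": "2024-03-01T09:23:00Z", "rcvd": "2024-03-01T09:30:00Z"},
    {"host": "web1", "ts": "2024-03-01T09:30:00Z", "rcvd": "2024-03-01T09:30:01Z"},
]


def clock_drift(records, max_drift_s=60):
    """Return {host: worst |rcvd - ts| in seconds} for hosts whose gap exceeds
    max_drift_s. Forwarding delay is normally a second or two, so a large,
    persistent gap means the host clock is wrong (or its records are backdated)."""
    worst = defaultdict(float)
    for r in records:
        d = abs((_parse(r["rcvd"]) - _parse(r["ts"])).total_seconds())
        worst[r["host"]] = max(worst[r["host"]], d)
    return {h: d for h, d in worst.items() if d > max_drift_s}


def backwards_clock(records):
    """Return (host, previous_ts, this_ts) for records whose host timestamp is
    earlier than the latest one already received from that host: a clock reset
    or a backdated entry, both of which 4.7 requires to be spotted."""
    last = {}  # host -> (datetime, raw ts) high-water mark
    found = []
    for r in sorted(records, key=lambda r: _parse(r["rcvd"])):
        t = _parse(r["ts"])
        prev = last.get(r["host"])
        if prev is not None and t < prev[0]:
            found.append((r["host"], prev[1], r["ts"]))
            continue  # keep the high-water mark
        last[r["host"]] = (t, r["ts"])
    return found


def silent_sources(records, now, max_gap_s=900):
    """Return hosts from which nothing has been received for more than
    max_gap_s seconds before 'now'. A host that stopped logging and a host
    whose forwarding broke look identical from the collector; both are the
    audit-processing-failure condition 4.13 requires an alert for."""
    latest = {}
    for r in records:
        t = _parse(r["rcvd"])
        latest[r["host"]] = max(latest.get(r["host"], t), t)
    return sorted(h for h, t in latest.items()
                  if (now - t).total_seconds() > max_gap_s)


def report(records=SAMPLE, now=None):
    """Run all three checks; 'now' defaults to a constructed collector time."""
    now = now or _parse("2024-03-01T09:31:00Z")
    return {"drift": clock_drift(records),
            "backwards": backwards_clock(records),
            "silent": silent_sources(records, now)}


if __name__ == "__main__":
    for k, v in report().items():
        print(k, v)
```

The checks use the collector's receive time as the reference precisely because, per 4.7, the log server sits on a separate system whose clock an intruder on the source host cannot touch; a drift check that compared a host's records only against each other would miss a clock that is consistently wrong.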

5. POLICY COMPLIANCE
5.1 COMPLIANCE MEASUREMENT

All information security policies and procedures must be followed by workforce members as a
condition of their employment or contract with Organization.

5.2 EXCEPTIONS

Exceptions to this policy will be assessed according to Organization’s information security
exception management policy.

5.3 NON-COMPLIANCE

An employee found to have violated this policy may be subject to disciplinary action, up to and
including termination of employment.

6. RELATED STANDARDS, POLICIES, AND PROCESSES


 Data Classification Policy
 Asset Management Policy
 Change Management Policy
 Risk Assessment Policy
 Anti-Virus Policy

7. ISO 27001 CONTROL REFERENCE


 A.12.4 Logging and Monitoring
