Logging & Monitoring Policy
| Property | Value |
|---|---|
| Document ID | POL-007 |
| Version | 1.0 |
| Status | Draft |
| Owner | Chief Information Security Officer (CISO) |
| Last Updated | 2026-01-11 |
| Next Review | 2027-01-11 |
| Related Controls | SOC 2: CC4.1, CC4.2, CC7.2, CC7.3 / ISO 27001: A.12.4 |
1. Purpose
This policy establishes requirements for security logging and monitoring to detect, respond to, and investigate security events. Comprehensive logging provides visibility into system activities, supports incident response, and enables compliance with audit requirements.
2. Scope
This policy applies to:
- Systems: All servers, applications, databases, network devices, cloud services, and endpoints
- Events: Security events, access events, system events, and application events
- Personnel: IT Operations, Security Team, and individuals with log access
- Locations: On-premises and cloud environments
3. Policy Statements
3.1 Logging Requirements
All systems must implement logging according to the following requirements:
| Requirement | Standard |
|---|---|
| Logging Enabled | Logging must be enabled on all systems |
| Centralized Collection | Logs must be forwarded to central SIEM/log management |
| Tamper Protection | Logs must be protected from modification or deletion |
| Time Synchronization | All systems must use NTP for accurate timestamps |
| Retention | Logs retained per retention schedule |
3.2 Events to Log
3.2.1 Authentication Events
| Event | Log Level | Required |
|---|---|---|
| Successful login | Info | Yes |
| Failed login | Warning | Yes |
| Account lockout | Warning | Yes |
| Password change | Info | Yes |
| Password reset | Info | Yes |
| MFA enrollment/change | Info | Yes |
| Session timeout/logout | Info | Yes |
| Privilege escalation (sudo, etc.) | Warning | Yes |
3.2.2 Authorization Events
| Event | Log Level | Required |
|---|---|---|
| Access granted | Info | Yes |
| Access denied | Warning | Yes |
| Permission changes | Info | Yes |
| Role assignments | Info | Yes |
| Privileged operations | Info | Yes |
3.2.3 System Events
| Event | Log Level | Required |
|---|---|---|
| System startup/shutdown | Info | Yes |
| Service start/stop | Info | Yes |
| Configuration changes | Info | Yes |
| Backup operations | Info | Yes |
| Software installation | Info | Yes |
| Security tool status | Info | Yes |
| Resource thresholds (CPU, memory, disk) | Warning | Yes |
3.2.4 Application Events
| Event | Log Level | Required |
|---|---|---|
| Application errors | Error | Yes |
| Transaction failures | Warning | Yes |
| API calls (critical endpoints) | Info | Recommended |
| Data exports | Info | Yes |
| Admin operations | Info | Yes |
3.2.5 Network Events
| Event | Log Level | Required |
|---|---|---|
| Firewall allow/deny | Info/Warning | Yes |
| VPN connections | Info | Yes |
| DNS queries (critical systems) | Info | Recommended |
| Network anomalies | Warning | Yes |
3.2.6 Cloud Events
| Event | Log Level | Required |
|---|---|---|
| IAM changes | Info | Yes |
| Resource creation/deletion | Info | Yes |
| Security group changes | Warning | Yes |
| API calls (CloudTrail, etc.) | Info | Yes |
| Cost anomalies | Warning | Recommended |
3.3 Log Content Requirements
Each log entry must include:
| Field | Description | Required |
|---|---|---|
| Timestamp | UTC timestamp with millisecond precision | Yes |
| Event Type | Category of event | Yes |
| Severity | Log level (Debug, Info, Warning, Error, Critical) | Yes |
| Source | System/application generating the log | Yes |
| User/Account | Identity associated with event (if applicable) | Yes |
| Source IP | IP address of the actor | Yes |
| Action | What action was performed | Yes |
| Object | What resource was affected | Yes |
| Outcome | Success or failure | Yes |
| Details | Additional context | Recommended |
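The field table above does not prescribe a wire format. The following Python is an added example (not part of the policy) showing how an application team could emit records that carry every required field and validate them before forwarding; the field names, the JSON-lines shape and the sample values are this example's own assumptions.

```python
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Field names are this example's choice; the policy names the fields but not a wire format.
REQUIRED_FIELDS = ("timestamp", "event_type", "severity", "source",
                   "user", "source_ip", "action", "object", "outcome")
SEVERITIES = ("Debug", "Info", "Warning", "Error", "Critical")
OUTCOMES = ("success", "failure")


def utc_timestamp_ms(when: Optional[datetime] = None) -> str:
    """ISO 8601 UTC timestamp with millisecond precision, e.g. 2026-01-11T08:15:30.123Z."""
    when = (when or datetime.now(timezone.utc)).astimezone(timezone.utc)
    return when.strftime("%Y-%m-%dT%H:%M:%S.") + "%03dZ" % (when.microsecond // 1000)


def build_event(event_type: str, severity: str, source: str, user: Optional[str],
                source_ip: str, action: str, obj: str, outcome: str,
                details: Optional[Dict] = None, when: Optional[datetime] = None) -> Dict:
    """Assemble one record carrying every field section 3.3 requires."""
    record = {
        "timestamp": utc_timestamp_ms(when),
        "event_type": event_type,
        "severity": severity,
        "source": source,
        "user": user,            # None only where no identity applies (e.g. a system event)
        "source_ip": source_ip,
        "action": action,
        "object": obj,
        "outcome": outcome,
    }
    if details:                  # "Details" is recommended, not required
        record["details"] = details
    return record


def validate_event(record: Dict) -> List[str]:
    """Return the list of problems; an empty list means the record meets section 3.3."""
    problems = ["missing field: %s" % f for f in REQUIRED_FIELDS if f not in record]
    if "severity" in record and record["severity"] not in SEVERITIES:
        problems.append("invalid severity: %r" % record["severity"])
    if "outcome" in record and record["outcome"] not in OUTCOMES:
        problems.append("invalid outcome: %r" % record["outcome"])
    ts = str(record.get("timestamp", ""))
    # Expected shape: YYYY-MM-DDTHH:MM:SS.mmmZ (24 characters, '.' at offset 19, trailing 'Z')
    if not (len(ts) == 24 and ts[19] == "." and ts.endswith("Z")):
        problems.append("timestamp not UTC with millisecond precision: %r" % ts)
    return problems


def to_json_line(record: Dict) -> str:
    """One JSON object per line with sorted keys, a shape most SIEM forwarders ingest directly."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


if __name__ == "__main__":
    # Constructed sample: a failed login recorded by a hypothetical SSO service
    ev = build_event("authentication", "Warning", "sso.example.internal", "jdoe",
                     "203.0.113.7", "login", "web-portal", "failure",
                     details={"reason": "bad_password"},
                     when=datetime(2026, 1, 11, 8, 15, 30, 123000, tzinfo=timezone.utc))
    print(to_json_line(ev))
    print(validate_event(ev))
    print(validate_event({"timestamp": "2026-01-11 08:15:30", "severity": "Fatal"}))
```

Running `validate_event` at the forwarder (or as a unit test in each application's CI) turns the "Required" column into something measurable: a record that fails validation is a finding against the application team, not a surprise during an incident.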
3.4 Log Protection
| Requirement | Standard |
|---|---|
| Integrity | Logs must be immutable or write-once |
| Access Control | Log access restricted to authorized personnel |
| Encryption | Logs encrypted at rest and in transit |
| Segregation | Logs stored separately from source systems |
| Backup | Logs included in backup procedures |
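"Immutable or write-once" is usually delivered by the storage tier (WORM buckets, append-only collectors), but a verifier still needs a way to prove nothing was changed or removed. The Python below is an added example, not part of the policy, of a hash-chained append-only log: each entry's keyed hash covers the previous entry's hash, so an edit, a deleted entry or a reordered entry breaks the chain at a known index. The HMAC key and the out-of-band "head" hash are assumptions of this example; the key must be held by the collector, never by the host producing the logs.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64   # anchor for the first entry's "prev" pointer


def _canonical(obj: Dict) -> bytes:
    """Deterministic serialization so the same entry always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _link(key: bytes, body: Dict) -> str:
    """Keyed hash over seq + prev + record; without the key an attacker cannot re-chain edited entries."""
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()


class ChainedLog:
    """Append-only store: each entry's hash covers its predecessor's hash."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries: List[Dict] = []

    def append(self, record: Dict) -> Dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "prev": prev, "record": record}
        entry = dict(body, hash=_link(self._key, body))
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Latest hash; store it out of band (e.g. in the SIEM) so tail truncation is detectable."""
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify(entries: List[Dict], key: bytes, expected_head: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, otherwise the index of the first entry that fails."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        if entry.get("seq") != i or entry.get("prev") != prev:
            return i                                   # gap, reorder or deletion
        body = {"seq": entry["seq"], "prev": entry["prev"], "record": entry.get("record")}
        if not hmac.compare_digest(_link(key, body), str(entry.get("hash", ""))):
            return i                                   # content edited, or hash forged without the key
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return len(entries)                            # valid chain, but shorter than the recorded head
    return None


if __name__ == "__main__":
    key = b"constructed-demo-key"                      # constructed; a real key comes from a secrets store
    log = ChainedLog(key)
    for rec in ({"event": "login", "user": "jdoe"}, {"event": "sudo", "user": "jdoe"},
                {"event": "logout", "user": "jdoe"}):
        log.append(rec)
    print("intact:", verify(log.entries, key))
    print("truncated, head known:", verify(log.entries[:2], key, expected_head=log.head()))
```

The last check is the caveat worth remembering: a hash chain alone cannot reveal that the newest entries were dropped, because a shorter chain is still internally consistent. Anchoring the head hash somewhere the source host cannot write (the SIEM, a signed timestamp service) closes that gap.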
3.5 Log Retention
| Log Type | Retention Period | Storage Tier |
|---|---|---|
| Security events | 1 year (hot) + 6 years (cold) | Hot → Cold after 90 days |
| Authentication events | 1 year | Hot |
| System events | 90 days | Hot |
| Application events | 90 days | Hot |
| Debug logs | 30 days | Hot |
| Firewall/network logs | 90 days | Hot |
| Cloud audit logs | 1 year | Hot → Cold after 90 days |
3.6 Monitoring and Alerting
3.6.1 Monitoring Requirements
| Requirement | Standard |
|---|---|
| Real-time Monitoring | Security events monitored 24/7 |
| SIEM Integration | All logs aggregated in SIEM platform |
| Correlation | Events correlated across sources |
| Dashboards | Security dashboards for visibility |
| Regular Review | Daily review of security alerts |
3.6.2 Alert Categories
| Category | Priority | Response Time | Examples |
|---|---|---|---|
| Critical | P1 | 15 minutes | Active breach, ransomware, data exfiltration |
| High | P2 | 1 hour | Privilege escalation, multiple failed logins, malware detected |
| Medium | P3 | 4 hours | Policy violations, suspicious access patterns |
| Low | P4 | 24 hours | Informational, compliance checks |
3.6.3 Required Alert Rules
| Alert | Trigger | Priority |
|---|---|---|
| Multiple failed logins | >5 failures in 5 minutes | High |
| After-hours access | Access outside business hours to critical systems | Medium |
| Privilege escalation | Non-admin gains admin access | High |
| New admin account | New privileged account created | High |
| Security tool disabled | AV, EDR, or firewall disabled | Critical |
| Large data export | Unusual data download volume | High |
| Geographic anomaly | Login from unusual location | Medium |
| Service account login | Interactive login from service account | High |
| Root/admin login | Direct root or admin login | High |
| Configuration change | Critical system config modified | Medium |
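To make three of the required rules concrete, the Python below is an added example (not part of the policy and not any SIEM's native rule syntax) that runs the "multiple failed logins", "service account login" and "after-hours access" rules over a constructed stream of authentication events. The failure threshold and window are the ones stated in the table; the business-hours range, the critical-system list and the `svc_` naming convention are assumptions of this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List

# Thresholds from section 3.6.3; the three lists below are assumptions for this example.
FAILED_LOGIN_THRESHOLD = 5                  # fires on more than 5 failures ...
FAILED_LOGIN_WINDOW = timedelta(minutes=5)  # ... within 5 minutes
BUSINESS_HOURS = (8, 18)                    # assumption: 08:00-18:00 UTC
CRITICAL_SYSTEMS = {"db-prod-01", "vault"}  # assumption: tags from the asset inventory
SERVICE_ACCOUNT_PREFIX = "svc_"             # assumption: service-account naming convention

# Constructed sample events in key=value form (not real log data)
SAMPLE_LINES = """\
ts=2026-01-11T02:00:00Z user=jdoe action=login outcome=failure object=web-portal type=interactive ip=203.0.113.7
ts=2026-01-11T02:00:30Z user=jdoe action=login outcome=failure object=web-portal type=interactive ip=203.0.113.7
ts=2026-01-11T02:01:00Z user=bob action=login outcome=failure object=web-portal type=interactive ip=198.51.100.4
ts=2026-01-11T02:01:00Z user=jdoe action=login outcome=failure object=web-portal type=interactive ip=203.0.113.7
ts=2026-01-11T02:01:30Z user=jdoe action=login outcome=failure object=web-portal type=interactive ip=203.0.113.7
ts=2026-01-11T02:02:00Z user=jdoe action=login outcome=failure object=web-portal type=interactive ip=203.0.113.7
ts=2026-01-11T02:02:30Z user=jdoe action=login outcome=failure object=web-portal type=interactive ip=203.0.113.7
ts=2026-01-11T02:03:00Z user=jdoe action=login outcome=success object=web-portal type=interactive ip=203.0.113.7
ts=2026-01-11T02:05:00Z user=svc_backup action=login outcome=success object=db-prod-01 type=interactive ip=10.0.0.5
ts=2026-01-11T10:00:00Z user=alice action=login outcome=success object=vault type=interactive ip=10.0.0.9
ts=2026-01-11T10:01:00Z user=svc_backup action=login outcome=success object=db-prod-01 type=non-interactive ip=10.0.0.5
"""


def parse(line: str) -> Dict:
    """Split one key=value line into a dict; the ts field becomes an aware UTC datetime."""
    fields = dict(part.split("=", 1) for part in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"].replace("Z", "+00:00"))
    return fields


def detect(lines: Iterable[str]) -> List[Dict]:
    """Evaluate the three rules in event order and return the alerts they raise."""
    alerts: List[Dict] = []
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)  # user -> recent failure timestamps
    last_fired: Dict[str, datetime] = {}                        # user -> last failed-login alert time

    for ev in (parse(ln) for ln in lines if ln.strip()):
        user, ts = ev["user"], ev["ts"]
        is_login = ev["action"] == "login"

        if is_login and ev["outcome"] == "failure":
            window = failures[user]
            window.append(ts)
            while window and ts - window[0] > FAILED_LOGIN_WINDOW:
                window.popleft()                       # slide the 5-minute window forward
            recently_fired = user in last_fired and ts - last_fired[user] < FAILED_LOGIN_WINDOW
            if len(window) > FAILED_LOGIN_THRESHOLD and not recently_fired:
                last_fired[user] = ts                  # one alert per burst, not one per extra failure
                alerts.append({"rule": "multiple_failed_logins", "priority": "High",
                               "user": user, "count": len(window), "ts": ts})

        if is_login and ev["outcome"] == "success":
            if user.startswith(SERVICE_ACCOUNT_PREFIX) and ev.get("type") == "interactive":
                alerts.append({"rule": "service_account_interactive_login", "priority": "High",
                               "user": user, "object": ev["object"], "ts": ts})
            in_hours = BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]
            if ev["object"] in CRITICAL_SYSTEMS and not in_hours:
                alerts.append({"rule": "after_hours_critical_access", "priority": "Medium",
                               "user": user, "object": ev["object"], "ts": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES.splitlines()):
        print(alert["priority"], alert["rule"], alert["user"])
```

On the sample stream, `bob` never crosses the threshold and the non-interactive `svc_backup` login during business hours is silent; `jdoe` triggers the High alert on the sixth failure, and the 02:05 interactive service-account login to a critical system raises both a High and a Medium alert. The `last_fired` bookkeeping is the tuning step the Security Operations role is responsible for: without it, every additional failure in the same burst would page again.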
3.7 SIEM Requirements
| Requirement | Standard |
|---|---|
| Log Sources | All in-scope systems forwarding logs |
| Parsing | Logs normalized to common schema |
| Retention | Per retention schedule above |
| Search | Ability to search logs within 30 seconds |
| Alerting | Real-time alerting on detection rules |
| Reporting | Automated compliance and security reports |
| Integration | Integration with ticketing/SOAR |
4. Roles and Responsibilities
| Role | Responsibilities |
|---|---|
| CISO / Security Lead | Define logging standards, oversee monitoring program |
| Security Operations | Monitor alerts, investigate events, tune detection rules |
| IT Operations | Configure logging on systems, ensure log forwarding |
| Application Teams | Implement logging in applications per standards |
| Compliance | Define retention requirements, audit log availability |
5. Implementation Checklist
Technical Controls
- SIEM platform deployed and operational
- All servers forwarding logs to SIEM
- All applications logging per standards
- Cloud audit logs enabled (CloudTrail, etc.)
- Network device logging enabled
- Authentication logs captured
- Log integrity controls implemented
- Time synchronization (NTP) configured
- Detection rules implemented
- Alerting configured and tested
- Security dashboards created
Process Controls
- Log sources inventory documented
- Log review procedures documented
- Alert response procedures documented
- Log retention policy implemented
- Log access controls defined
- Regular tuning of detection rules
6. Evidence Requirements
| Evidence Type | Description | Location | Retention |
|---|---|---|---|
| SIEM Configuration | System configuration and settings | SIEM platform | Current |
| Log Source Inventory | List of systems forwarding logs | Documentation | Current |
| Alert Rules | Documentation of detection rules | SIEM platform | Current |
| Alert Response Records | Evidence of alert investigation | Ticketing system | 1 year |
| Log Retention Settings | Configuration showing retention | SIEM platform | Current |
| Log Review Reports | Evidence of regular log review | SIEM/reports | 1 year |
| Sample Logs | Example logs showing required fields | SIEM exports | Quarterly |
7. Related Documents
- Incident Response Policy (POL-008)
- Access Control Policy (POL-002)
- Incident Response Playbook (PROC-005)
8. Sensitive Data in Logs
The following must NOT be logged:
- Passwords or authentication credentials
- Full credit card numbers (PANs)
- Social Security Numbers
- Encryption keys or secrets
- Session tokens (in full)
- Sensitive PII without masking
Data masking must be applied when logging:
- API keys: Show only last 4 characters
- Credit cards: Mask all but last 4 digits
- Personal data: Minimize or pseudonymize
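Masking is most reliable when it is applied in the logging layer rather than left to each call site. The Python below is an added example, not part of the policy, of a line-level scrubber implementing the rules above: passwords are removed entirely, API keys and session tokens keep only their last 4 characters, and card numbers keep only their last 4 digits. The Luhn check keeps order numbers and other long digit runs from being masked as cards. The field labels and the sample line are constructed for this example.

```python
import re

# key=value or "key: value" secrets; the label may be api_key, x-api-key, session_token,
# client_secret, password and similar; values shorter than 8 characters are ignored.
SECRET_RE = re.compile(
    r"(?i)\b([\w-]*?(?:api[_-]?key|token|secret|password))\s*([:=]\s*)[\"']?([^\s\"',;]{8,})")
# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; true for real card numbers, usually false for arbitrary digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _mask_secret(m: "re.Match") -> str:
    label, sep, value = m.group(1), m.group(2), m.group(3)
    if label.lower().endswith("password"):
        return "%s%s[REDACTED]" % (label, sep)          # passwords are never logged, even partially
    return "%s%s****%s" % (label, sep, value[-4:])      # API keys / tokens: last 4 characters only


def _mask_pan(m: "re.Match") -> str:
    raw = m.group(0)
    digits = re.sub(r"\D", "", raw)
    if not luhn_ok(digits):
        return raw                                       # not a card number; leave it alone
    return "*" * (len(digits) - 4) + digits[-4:]         # mask all but the last 4 digits


def mask_log_line(line: str) -> str:
    """Apply the section 8 masking rules to one log line before it leaves the application."""
    line = SECRET_RE.sub(_mask_secret, line)             # secrets first, so their digits never reach PAN_RE
    return PAN_RE.sub(_mask_pan, line)


# Constructed sample line; 4111111111111111 is a well-known test card number, not a real account
SAMPLE_LINE = ("2026-01-11T08:15:30.123Z INFO payment user=jdoe card=4111111111111111 "
               "order=123456789012345 api_key=sk_live_abcdef1234567890 "
               "password=hunter2secret session_token=tok_9f8e7d6c5b4a3210")

if __name__ == "__main__":
    print(mask_log_line(SAMPLE_LINE))
```

Pattern-based scrubbing is a safety net, not the primary control: the application should never put the password or full PAN into the log call in the first place, and the "Sample Logs" evidence in section 6 is where reviewers confirm that the net has no holes for the formats the application actually emits (for example a header written as `Authorization: Bearer ...`, which this example's patterns do not cover).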
9. Version History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2026-01-11 | Security Team | Initial release |
10. Approval
| Role | Name | Signature | Date |
|---|---|---|---|
| CISO | _________________ | _________________ | ________ |
| IT Director | _________________ | _________________ | ________ |
This document is classified as INTERNAL. Unauthorized distribution is prohibited.