
Logging and Monitoring Policy

Template

This template is part of ISACA’s Policy Template Library Toolkit. The policy
template should be modified to ensure it conforms to the control posture and
reflects the risk tolerance of the specific enterprise environment.

FOR INTERNAL USE ONLY
POLICY NAME        Logging and Monitoring Policy

DESCRIPTION        Ensure a record of system events is stored for analysis, investigation, and resolution.

OWNER              Chief information officer (CIO)

EFFECTIVE DATE     Immediately

REVIEW FREQUENCY   At least annually

INTRODUCTION

Purpose for Policy


The purpose of this policy is to set out principles for ensuring that Company LLC’s logging and monitoring
process for production and infrastructure support servers and applications reduces the risk that security
events and system issues go undetected. It also establishes that disciplinary action will be taken against
those who violate this policy.

Scope of Policy
This policy applies to:
a) All employees, contractors, consultants, temporary staff, interns, visitors, and other workers at
Company LLC, including all personnel affiliated with third parties
b) All Company LLC locations where IT resources are located or used
c) All Company LLC IT resources
d) Any information not specifically identified as the property of other parties that is transmitted or
stored on Company LLC IT resources (including email, text and chat messages, and files)
e) All devices connected to a Company LLC network or used to access Company LLC IT resources
f) Third-party environments where company/customer data is hosted (e.g., Amazon Web Services
[AWS]/Azure or software as a service [SaaS] platforms)

Exceptions
Any exceptions to this policy require submission and approval of appropriate documentation in
accordance with the established policy exception process “xxxxx.” Exceptions deemed high risk will be
escalated to and reviewed by the “xxxxx Risk Forum” and recorded in the risk register.

GUIDELINES AND REQUIREMENTS

1. Issue Logging
• Logging and monitoring criteria must be defined and implemented in accordance with an
established framework or standard (e.g., NIST, COBIT, DTEF, ISO 27001) to identify and report
issues.
• Identified issues must be investigated and diagnosed with the relevant subject matter experts
to assess and analyze root causes in a timely manner.

2. Required Log Monitoring
• A security information and event management (SIEM) system must be established and integrated
with threat intelligence source(s).
• Logs must be forwarded from individual devices and ingested into the central SIEM system.
• Normal behavior must be measured and baselined so that anomalous activity can be identified.
• Firewall and other network perimeter access control system alarm and alert functions must be
enabled.
• The continuing impact of issues with systems and services must be monitored through
resolution.
• Resolution of major issues must be evaluated, reviewed, and confirmed as successful.

3. Log Protection
• Log data, including audit logs, must be stored in a secure location with restricted permissions.
Access must be limited to specific user groups or roles so that only authorized individuals can
view or modify the log data.
• System audit logs must be continuously backed up, secured, and retained for at least three
months online and one year offline, or longer where required by applicable law and regulations.
• A mechanism must be established to ensure that existing log data cannot be changed without
generating an alert (e.g., file integrity monitoring and change detection software).
• Deletion of log data must require approved privileged access.
• Logs must be encrypted in transit (e.g., TLS) and at rest (AES-256 or stronger).
• The ability to successfully restore logs from backup must be tested at least quarterly.
• Logs must not be uploaded to generative artificial intelligence (AI)-enabled systems or tools.
• Personal and health data, as defined by applicable regulation or law (e.g., GDPR, HIPAA), must be
masked in logs before the logs are stored or forwarded.
• Administrators of a system must not modify that system’s logs or alter who can access them; log
access rights must be managed separately from system administration.
• Firewall, router, wireless access point, and authentication server logs must be continuously
reviewed for unauthorized traffic. An event log management system may be used to achieve
compliance with this policy.
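As an added example (not part of the ISACA template), the following Python shows one way to implement two of the controls above: masking personal and health data before a log record is stored, and making stored records tamper-evident with an HMAC hash chain whose verification detects modification, deletion, reordering and truncation. The key value, the masking patterns and the sample log lines are assumptions constructed for illustration; a real deployment keeps the key in a secret store that the logged systems' administrators cannot read, which is what makes the separation-of-duties bullet above enforceable.

```python
import hashlib
import hmac
import re
from typing import List, Optional, Tuple

# Hypothetical HMAC key held only by the log collector (in practice loaded from a
# KMS/HSM-backed secret store). Producers and their administrators never see it,
# so they cannot recompute a valid MAC after altering a stored record.
CHAIN_KEY = b"example-collector-chain-key-not-for-production"
GENESIS = "0" * 64  # "previous MAC" value for the first record in a chain

# Illustrative masking rules for data the policy requires to be masked. Tune them to
# your own log formats. The SSN rule deliberately runs before the card-number rule.
MASK_RULES = [
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "<EMAIL>"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "<SSN>"),
    (re.compile(r"\b\d(?:[ -]?\d){12,15}\b"), "<PAN>"),   # 13-16 digit card numbers
    (re.compile(r"(patient_id|mrn)=\S+", re.IGNORECASE), r"\1=<PHI>"),
]

# Constructed sample input (not real data).
SAMPLE_LINES = [
    "2024-05-01T10:00:00Z app=portal user=jdoe@example.com action=login result=ok",
    "2024-05-01T10:00:07Z app=ehr patient_id=MRN-4471 ssn=123-45-6789 action=view",
    "2024-05-01T10:01:12Z app=pay card=4111 1111 1111 1111 action=charge amount=42.00",
]


def mask(line: str) -> str:
    """Apply every masking rule; the masked text is what gets stored and chained."""
    for pattern, replacement in MASK_RULES:
        line = pattern.sub(replacement, line)
    return line


def _mac(prev: str, seq: int, body: str) -> str:
    """HMAC over the previous MAC, the sequence number and the record body."""
    msg = f"{prev}|{seq}|{body}".encode()
    return hmac.new(CHAIN_KEY, msg, hashlib.sha256).hexdigest()


def append(chain: List[dict], raw_line: str) -> dict:
    """Mask a raw line and link it to the previous record; returns the stored record."""
    body = mask(raw_line)
    seq = len(chain)
    prev = chain[-1]["mac"] if chain else GENESIS
    record = {"seq": seq, "body": body, "prev": prev, "mac": _mac(prev, seq, body)}
    chain.append(record)
    return record


def verify(chain: List[dict], expected_head: Optional[str] = None) -> Tuple[bool, list]:
    """Re-walk the chain. Returns (ok, problems); each problem is (seq, description).

    expected_head is the latest MAC as recorded out of band (e.g., shipped to the SIEM
    or a write-once store). Without it, silently dropping the newest records is
    undetectable, because a shortened chain is still internally consistent.
    """
    problems = []
    prev = GENESIS
    for pos, rec in enumerate(chain):
        if rec["seq"] != pos:
            problems.append((pos, "record missing or reordered"))
            break  # everything after a gap is unverifiable
        if rec["prev"] != prev or not hmac.compare_digest(
            rec["mac"], _mac(prev, rec["seq"], rec["body"])
        ):
            problems.append((rec["seq"], "record modified"))
        prev = rec["mac"]
    if expected_head is not None and prev != expected_head:
        problems.append((len(chain), "chain truncated or head mismatch"))
    return (not problems), problems


def build_sample_chain() -> List[dict]:
    chain: List[dict] = []
    for line in SAMPLE_LINES:
        append(chain, line)
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    for rec in chain:
        print(rec["seq"], rec["body"])
    print("intact:", verify(chain, chain[-1]["mac"]))
    chain[1]["body"] = chain[1]["body"].replace("view", "delete")
    print("after edit:", verify(chain, chain[-1]["mac"]))
```

Masking runs before the MAC is computed, so the protected record never contained the clear-text value, and a later "unmask" is impossible by construction. Modifying a record, removing one from the middle, or reordering records is caught by the chain itself; removing records from the end is only caught when the verifier is given the last MAC from an independent location, which is why the head value should be forwarded to the SIEM or a write-once store as each batch is sealed.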

4. Administrator and Operator Logs


• Only designated administrators who belong to a specific access group are authorized to
actively monitor network, Domain Name System (DNS), and security logs and related
information, to minimize the risk of log tampering or unauthorized access.
• Each user in the administrator group must have a unique access identifier to help accurately
track and attribute any actions or changes to the logs.

5. Account Lockout Notification


• A process must be in place to automatically notify the appropriate IT operations/help desk
team/information security resource whenever an administrator account is locked out.
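As an added example (not from the template), this Python shows detection logic for the notification process above, run over a constructed set of forwarded Windows Security events: it picks out event 4740 (a user account was locked out), normalizes the account name, routes lockouts of privileged accounts to information security and the rest to the help desk, and additionally flags any caller computer behind a burst of lockouts, which more often indicates password guessing than a forgotten password. The JSON field names, the privileged-account list and the burst threshold are assumptions; only the event IDs are real Windows values.

```python
import json
from collections import Counter
from typing import List, Tuple

# Constructed sample of forwarded Security events in JSON-lines form. 4740 is the real
# "A user account was locked out" event and 4625 the real "An account failed to log on"
# event (included as noise); the field names and values are illustrative, not a
# verbatim Windows schema.
SAMPLE_EVENTS = r"""
{"EventID": 4740, "TimeCreated": "2024-05-01T08:02:11Z", "TargetUserName": "jdoe", "CallerComputerName": "WKS-117"}
{"EventID": 4625, "TimeCreated": "2024-05-01T08:02:40Z", "TargetUserName": "jdoe", "WorkstationName": "WKS-117"}
{"EventID": 4740, "TimeCreated": "2024-05-01T08:05:03Z", "TargetUserName": "CORP\\ADM-JSmith", "CallerComputerName": "WKS-203"}
{"EventID": 4740, "TimeCreated": "2024-05-01T08:09:15Z", "TargetUserName": "bsmith", "CallerComputerName": "VPN-GW01"}
{"EventID": 4740, "TimeCreated": "2024-05-01T08:09:16Z", "TargetUserName": "tnguyen", "CallerComputerName": "VPN-GW01"}
{"EventID": 4740, "TimeCreated": "2024-05-01T08:09:18Z", "TargetUserName": "svc-backup@corp.example", "CallerComputerName": "VPN-GW01"}
"""

# Hypothetical privileged-account list. In production this is resolved from directory
# group membership (e.g., Domain Admins and break-glass accounts), not hard-coded.
PRIVILEGED_ACCOUNTS = {"adm-jsmith", "adm-rlee", "svc-backup"}


def normalize_account(name: str) -> str:
    """Reduce DOMAIN\\user and user@domain forms to a lower-case bare account name."""
    name = name.rsplit("\\", 1)[-1]
    name = name.split("@", 1)[0]
    return name.lower()


def parse_events(text: str) -> List[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage_lockouts(events: List[dict], privileged=PRIVILEGED_ACCOUNTS,
                    burst_threshold: int = 3) -> Tuple[List[dict], List[str]]:
    """Route each 4740 lockout and flag callers responsible for a burst of lockouts."""
    notifications = []
    per_caller: Counter = Counter()
    for ev in events:
        if ev.get("EventID") != 4740:
            continue
        account = normalize_account(ev["TargetUserName"])
        caller = ev.get("CallerComputerName", "unknown")
        per_caller[caller] += 1
        is_privileged = account in privileged
        notifications.append({
            "route": "infosec" if is_privileged else "helpdesk",
            "severity": "high" if is_privileged else "low",
            "account": account,
            "caller": caller,
            "time": ev["TimeCreated"],
        })
    bursts = sorted(c for c, n in per_caller.items() if n >= burst_threshold)
    return notifications, bursts


def run_sample() -> Tuple[List[dict], List[str]]:
    return triage_lockouts(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    notes, bursts = run_sample()
    for n in notes:
        print(f"{n['time']} {n['route']:8} {n['severity']:4} {n['account']} from {n['caller']}")
    for caller in bursts:
        print(f"burst of lockouts from {caller}: review for password guessing")
```

Normalizing the account name matters because the same principal arrives as `CORP\ADM-JSmith` from one source and `adm-jsmith@corp.example` from another; a routing rule that compares the raw string will miss the privileged case. The burst check is the caveat a help desk needs: three lockouts in seconds from one caller is not three users who forgot their passwords.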

6. Clock Synchronization
• All Company LLC systems must synchronize their clocks to a certified time source or internet
time service (e.g., via NTP) so that log timestamps can be correlated across systems.

7. Intrusion Detection and Prevention
• Intrusion detection system (IDS) and intrusion prevention system (IPS) security alerts must be
continuously monitored.
• IDS and IPS deployments must be continuously updated with the latest signatures, patches, and
updates.
• IDS and IPS alerts must be prioritized, investigated, and resolved based on severity and
potential impact on Company LLC security.

8. Log Retention
• Logs must be retained for at least 90 days, or longer where legal or regulatory requirements
demand it.
• Log rotation and disk space alerting must be established to ensure that log storage is sufficient
and continuously maintained.
• A copy of the logs must be stored in an environment isolated from the systems that generate
them (e.g., a separate account or another cloud provider) so that a compromise of the source
environment cannot destroy the record.
• Log backup files must be retained in accordance with Company LLC’s data backup policy.

9. Reporting
• The appropriate information security resource must be immediately notified of all suspected or
confirmed instances of attempted or successful system intrusions.
• Metrics on log volume, retention, completeness, and accuracy must be developed, analyzed,
reported, and reviewed daily to ensure they are relevant and effective.

10. Training or Awareness Program


• All log reviewers are mandated to attend annual incident management training. The training
completion rates must be closely monitored.

ROLES AND RESPONSIBILITIES

1. The Company LLC board, audit and risk committee, and IT committee are ultimately accountable
for the management of logging and monitoring risk associated with computer systems and are
supported by the senior leadership team (SLT) and the chief operating officer (COO), who oversee
the logging and monitoring strategy, funding, and resourcing.

2. The chief information officer (CIO) has the authority to:


a. Implement logging and monitoring policies, standards, and guidelines with help from the CISO
team.
b. Assign management responsibilities for logging and monitoring processes.

3. The chief information security officer (CISO) is accountable for:


a. Management of overall Company LLC system logging and monitoring risk
b. Providing system logging and monitoring advice and user awareness
c. Designing and implementing the Company LLC system logging and monitoring strategy
d. Managing system logging and monitoring incidents

4. Company LLC senior management is accountable for the management of system logging and
monitoring within their area of responsibility.

5. Information resource owners are responsible for:


a. Assessing, reporting, and escalating system logging and monitoring risk associated with their IT
resources

b. Assessing and managing system logging and monitoring risk associated with their system
logging and monitoring service providers
c. Overseeing all access to their IT resources
d. Management assurance over their system logging and monitoring controls

CONSEQUENCES OF POLICY VIOLATIONS

Breaches of this policy and/or the Code of Conduct may be considered grounds for disciplinary action up
to and including dismissal.

QUESTIONS/CONTACT INFORMATION

For questions about the Logging and Monitoring Policy or any material addressed herein, please email
the CIO Policy group (or Information Security or CISO group) at xxxxxxx@CompanyLLC.com.

DOCUMENT INFORMATION
Document Location   Z:\Policies & Procedures\Policies\IT Policies

VERSION HISTORY
Version Date Author Additional Information

V1.0 xx/xx/xx

DOCUMENT REVIEW
Version Date Reviewed By Additional Information
V1.0 Approved

