Introduction

Logging is important for developers, system administrators and information security team members.

Log Aggregation

OrgChart logs are aggregated using Splunk SIEM (security information and event management). Log aggregation allows all servers to be monitored from a single system.

Log Monitoring

Logs are monitored by the data center operations team. Errors, warnings, security alerts and performance issues are proactively detected in order to minimize (or eliminate) impact to the customer.

  • Logs are actively monitored from 6AM PST to 6PM PST Monday through Friday
  • Rules are in place to generate events (for out-of-bounds conditions such as a large number of user login attempts in a short time period)
  • All critical events generate email notifications (24 X 7)
  • There is always one or more data center operations team members monitoring for critical events (24 X 7)
  • Data center operations is responsible for reporting incidents (as defined in the Incident Management Procedure). As soon as an incident is reported, senior management must be informed of the incident via email.

Log Contents

Logs shall contain enough information so that developers and customers can understand and remediate issues. Logs shall never contain confidential customer information.

All log entries contain:

  • Correlation ID
  • Time Stamp
  • Event Description (e.g. Export to Excel, Failed Login, Security Permission Update, etc.)
  • Data Set ID (not applicable for all transactions)

The Correlation ID is used to determine:

  • User ID
  • Tenant ID
  • Source IP (Client Network Address where possible)
  • Source Browser

Log Auditing

Logs are manually audited on a monthly basis for anomalies. Anomalies are managed using the Incident Management Procedure.

Log Retention

The minimum retention for logs is one year; however, certain logs may be retained indefinitely for forensic analysis.

Log Access

Access to logs is granted only if required by job function. Refer to the Access Control Policy and Procedure for additional details.

Policy Audit

The Management Oversight Policy and Procedure requires an annual review of this policy.