Logging and Monitoring Policy
Internal Use
Dispel
Document Control
| Item | Details |
|---|---|
| Version | 2.0 |
| Cadence | Annual |
| Policy Owner | Chief Information Security Officer |
| Approved By | Chief Executive Officer |
| DCF References | DCF-10, DCF-11, DCF-12, DCF-13, DCF-14, DCF-21, DCF-22, DCF-28, DCF-29, DCF-30, DCF-32, DCF-33, DCF-35, DCF-36, DCF-38, DCF-39, DCF-40, DCF-41, DCF-42, DCF-43, DCF-44, DCF-48, DCF-49, DCF-51, DCF-52, DCF-55, DCF-56, DCF-57, DCF-60, DCF-72, DCF-73, DCF-74, DCF-75, DCF-76, DCF-77, DCF-78, DCF-79, DCF-80, DCF-81, DCF-82, DCF-83, DCF-84, DCF-96 |
1. PURPOSE AND SCOPE
1.1 Purpose
The purpose of this policy is to define requirements for logging and monitoring of system activity at Dispel to support security monitoring, incident detection, and forensic analysis.
1.2 Scope
This policy applies to:
- All Dispel system components, including applications, infrastructure (including cloud infrastructure), networks, and security tools.
- Any other components that could impact the security of Dispel and the data it manages and processes.
1.3 Regulatory and Framework Alignment
| # | Framework / Standard | Relevant Control IDs | Alignment Notes |
|---|---|---|---|
| 1 | SOC 2 | CC4.1, CC7.2 | Logging, monitoring, incident detection, and response. |
| 2 | ISO/IEC 27001 | A.8.15 | Logging, monitoring, and review of events that may impact information security. |
| 3 | NIST SP 800-53 | AU-2, AU-3, AU-6, AU-9, AU-11, AU-12, SI-4 | Logging and monitoring requirements are implemented in conjunction with AU and SI controls. |
| 4 | IEC 62443 | 62443-2-1, 62443-3-3.SR2.8, 62443-3-3.SR2.9, 62443-3-3.SR3.8 | Monitoring communications, detecting anomalous activity, and protecting log data in industrial/OT environments. |
| 5 | HIPAA | 164.312(b), 164.312(a)(2)(iii), 164.316(b)(2)(i) | Audit controls, authentication, and documentation for systems handling ePHI. |
2. POLICY STATEMENTS
2.1 Management Commitment
Management Commitment Statement
Senior Management at Dispel is dedicated to the protection of our information assets, industrial control systems, and Protected Health Information (PHI). We assume full accountability for the effectiveness of our security program, ensuring it is integrated into all business processes and aligned with our strategic goals. To maintain compliance with ISO 27001, IEC 62443, HIPAA, and NIST 800-53, we formally commit to:
- Resource Provisioning: Providing the necessary financial, technical, and human resources to sustain a robust security posture.
- Risk-Based Governance: Approving security policies and overseeing a continuous risk management process that prioritizes both data privacy and operational safety.
- Operational Resilience: Supporting the security of industrial automation and control systems (IACS) to ensure safety and reliability.
- Continuous Oversight: Conducting regular management reviews to evaluate program performance, audit results, and opportunities for improvement.
2.2 Primary Policy Statement
Dispel SHALL generate, centralize, and monitor logs for systems that may impact the confidentiality, integrity, or availability of company and customer data.
2.3 Secondary Policy Statement
- Logging and monitoring SHALL be integrated with incident response and vulnerability management processes.
- Logs and monitoring outputs SHALL be protected from unauthorized access or tampering.
3. REQUIREMENTS
3.1 Event Logging
Objective: Ensure that all relevant systems generate sufficient audit data for security monitoring and investigations.
Mandatory Activities:
- Systems that handle sensitive information, accept network connections, manage access control, or impact security (e.g., anti-malware, firewalls, IDS/IPS) SHALL record and retain audit logs sufficient to answer: what activity was performed, who performed it, where, when, how, and with what outcome.
- Logs SHALL be generated for at least the following activities:
- Attempts to create, read, update, or delete sensitive or confidential authentication information.
- Create/update/delete operations on important information assets.
- Initiating and accepting network connections.
- User authentication and authorization events (login, logout, access decisions).
- Invalid logical access attempts.
- Administrative actions and changes to access rights.
- Access to audit logs and start/stop of logging services.
- System, network, or service configuration changes.
- Application startup, shutdown, and abnormal termination.
- Detection of suspicious or malicious activity by security tools.
- When using cloud service providers, Dispel SHALL assess whether provider logging capabilities are sufficient and implement additional logging where required.
Required Outputs:
- Documented logging standard or configuration for in-scope systems.
3.2 Log Content and Structure
Objective: Ensure logs contain standardized fields to support correlation and analysis.
Mandatory Activities:
- Each log record SHALL include, directly or by inference:
- Type of action.
- Subsystem performing the action.
- Subject identifiers (e.g., user, host, IP address).
- Object identifiers (e.g., resource accessed or modified).
- Date and time of the action with relevant time information.
- Outcome (success/failure) and, where applicable, reason codes.
- Where logs may contain personal data, collection and retention SHALL comply with applicable privacy and data protection requirements.
Required Outputs:
- Logging schemas or formats that include the above fields.
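A check that a JSON log record carries the fields section 3.2 requires, as an added example that is not part of this policy or of Dispel's own tooling; the key names, the reason-code convention and the sample records are assumptions, since the policy prescribes fields but not a schema.

```python
"""Validate JSON log records against the field list in section 3.2 (added example)."""
import json
from datetime import datetime

# Policy field -> accepted key names. These names are assumed for illustration;
# the policy names the fields but does not fix a wire format.
REQUIRED_FIELDS = {
    "action":    ("action", "event_type"),            # type of action
    "subsystem": ("subsystem", "service", "component"),
    "subject":   ("user", "src_host", "src_ip"),      # who / from where
    "object":    ("resource", "object"),              # what was accessed
    "timestamp": ("timestamp", "@timestamp"),
    "outcome":   ("outcome", "result"),
}

def check_record(record: dict) -> list[str]:
    """Return findings for one record; an empty list means it is compliant."""
    findings = []
    for field, keys in REQUIRED_FIELDS.items():
        if not any(record.get(k) not in (None, "") for k in keys):
            findings.append(f"missing {field} (expected one of {keys})")
    # Timestamps must be parseable and carry a time zone so sources correlate.
    ts = next((record[k] for k in REQUIRED_FIELDS["timestamp"] if k in record), None)
    if ts:
        try:
            parsed = datetime.fromisoformat(str(ts).replace("Z", "+00:00"))
            if parsed.tzinfo is None:
                findings.append("timestamp lacks time zone / UTC offset")
        except ValueError:
            findings.append(f"timestamp not ISO 8601: {ts!r}")
    # A failure outcome should carry a reason code (assumed key: "reason").
    outcome = record.get("outcome", record.get("result"))
    if outcome == "failure" and not record.get("reason"):
        findings.append("failure outcome without reason code")
    return findings

def check_lines(lines: list[str]) -> list[list[str]]:
    """Parse each JSON line and return its findings, in input order."""
    return [check_record(json.loads(line)) for line in lines]

# Constructed sample records: the first is compliant, the second is not.
SAMPLE_LOGS = [
    '{"timestamp":"2024-05-01T12:00:00Z","action":"login","subsystem":"sso",'
    '"user":"alice","src_ip":"10.0.0.5","resource":"vpn-portal","outcome":"success"}',
    '{"timestamp":"2024-05-01T12:00:07","action":"login","subsystem":"sso",'
    '"user":"bob","outcome":"failure"}',
]

if __name__ == "__main__":
    for i, findings in enumerate(check_lines(SAMPLE_LOGS)):
        print(f"record {i}: {'OK' if not findings else findings}")
```

Running it reports the second record as missing an object identifier, lacking a time zone, and recording a failure without a reason code.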
3.3 Clock Synchronization
Objective: Maintain accurate and consistent timestamps across logging sources.
Mandatory Activities:
- System clocks SHALL be synchronized using a trusted time source (e.g., NTP with a reliable external reference).
- Time synchronization configurations SHALL be restricted to authorized personnel and changes SHALL be logged.
Required Outputs:
- Time synchronization configurations and monitoring records.
3.4 Protection and Monitoring of Logs
Objective: Protect logs from unauthorized access and monitor for failures of critical security controls.
Mandatory Activities:
- Read access to audit log files SHALL be limited to individuals with a job-related need.
- Audit log files SHALL be protected to prevent unauthorized modification or deletion.
- Logs from critical systems SHALL be backed up or forwarded to a centralized log collection system not under the sole control of system administrators.
- Changes to logging configurations and failures of logging or monitoring mechanisms SHALL be detected and alerted on.
- Activities by system administrators and operators SHALL be logged and subject to routine review.
Required Outputs:
- Access control configurations for logs.
- Evidence of centralized logging and monitoring.
4. ROLES AND RESPONSIBILITIES
4.1 Policy Owner
Responsibilities:
- Owns this Logging and Monitoring Policy.
- Ensures coordination with Audit and Accountability and Incident Response policies.
4.2 Security Operations / Monitoring Team
Responsibilities:
- Define and maintain logging and monitoring requirements.
- Operate and tune log collection, SIEM, and monitoring tools.
- Review alerts and coordinate with Incident Response.
4.3 System Owners / Administrators
Responsibilities:
- Implement and maintain logging configurations on systems they manage.
- Ensure logs are generated, transmitted, and retained according to this policy.
5. PROCEDURES
5.1 Logging and Monitoring Lifecycle (High-Level)
| Step | Action | Responsible Party | Timeframe |
|---|---|---|---|
| 1 | Identify logging and monitoring requirements for a system. | Security Team, System Owner | During design/onboarding |
| 2 | Configure logging and monitoring on the system and integrate with central tools. | Administrators / DevOps | Before production use |
| 3 | Monitor logs and alerts and escalate potential incidents. | Security Operations | Ongoing |
| 4 | Periodically review logging coverage, configurations, and retention. | Policy Owner, Security Team | At least annually |
6. MONITORING AND COMPLIANCE
Compliance with this policy SHALL be monitored through:
- Reviews of logging and monitoring configurations.
- Audits of log retention, access controls, and alert handling.
7. EXCEPTIONS AND WAIVERS
Exceptions to this policy SHALL follow the documented exception management process and require appropriate approvals.
8. DEFINITIONS
Log: A record of events or activities generated by a system or application.
9. REFERENCES
- Audit and Accountability Policy and Procedures.
- System and Information Integrity Policy and Procedures.
- NIST SP 800-53, AU and SI families.
10. DOCUMENT HISTORY
| Version | Date | Author | Changes |
|---|---|---|---|
| 2.0 | Predates version control | Ethan Schmertzler | Aligned Logging and Monitoring Policy to POLICY_TEMPLATE and updated control mappings. |
| 1.0 | Predates version control | Ethan Schmertzler | Initial Logging and Monitoring Policy. |
11. APPROVAL SIGNATURES
| Role | Name | Signature | Date |
|---|---|---|---|
| Policy Owner | | | |
| Security Officer | | | |
| Senior Management Representative | | | |