Log Management Policy

Policy | LMP

Written by Chris Watts
Updated over a week ago

Overview

System logs are essential to the operational management of an organization ("Shuffl"). They provide a primary mechanism for review and reporting for audit and compliance, and they are also useful for tracking changes and troubleshooting.

Purpose and Scope

The organization's log management and review policy defines specific requirements for information systems to generate, store, process, and aggregate appropriate audit logs across the entire systems environment. This includes infrastructure and software, in order to provide key information and detect indicators of potential compromise, including but not limited to logging unusual activities in systems or identifying anomalies in operations. This policy applies to:

  • All information systems within the Shuffl production systems.

  • All Shuffl employees, consultants, contractors, and partners that administer or provide maintenance on the organization’s production systems.

Background

In order to measure an information system’s level of security through confidentiality, integrity, and availability, the system must collect audit data that provides key insights into system performance and activities. This audit data is collected in the form of system logs. Logging from critical systems, applications, and services provides information that can serve as a starting point for metrics and incident investigations. This policy provides specific requirements and instructions for how to manage such logs.

Policy

All production systems within the organization shall record and retain audit-logging information that includes the following information:

  • Activities performed on the system.

  • The user or entity (i.e. system account) that performed the activity, including the system that the activity was performed from.

  • The file, application, or other object that the activity was performed on.

  • The time that the activity occurred.

  • The tool that the activity was performed with.

  • The outcome (e.g., success or failure) of the activity.

Specific activities to be logged:

  • Information (including authentication information such as usernames or passwords) that is created, read, updated, or deleted.

  • Accepted or initiated network connections.

  • User authentication and authorization to systems and networks.

  • Granting, modification, or revocation of access rights, including adding a new user or group; changing user privileges, file permissions, database object permissions, firewall rules, and passwords.

  • System, network, or services configuration changes, including software installation, patches, updates, or other installed software changes.

  • Startup, shutdown, or restart of an application.

  • Application process abort, failure, or abnormal end, especially due to resource exhaustion or reaching a resource limit or threshold (such as CPU, memory, network connections, network bandwidth, disk space, or other resources), the failure of network services such as DHCP or DNS, or hardware fault.

  • Detection of suspicious and/or malicious activity from a security system such as an Intrusion Detection or Prevention System (IDS/IPS), anti-virus system, or anti-spyware system.

Unless technically impractical or infeasible, all logs must be aggregated in a central system so that activities across different systems can be correlated, analyzed, and tracked for similarities, trends, and cascading effects.

Log aggregation systems must have automatic and timely log ingest, event and anomaly tagging and alerting, and the ability for manual review. Logs must be manually reviewed on a regular basis. In addition:

  • When using an outsourced cloud environment, logs must be kept on cloud environment access and use, resource allocation and utilization, and changes to PII.

  • Logs must be kept for all administrators and operators performing activities in cloud environments.

Shuffl's systems architecture utilizes AWS CloudWatch to handle error logging and traffic monitoring, ensuring that appropriate automated technical safeguards are in place. This provides complete visibility, automates risk-related tasks, and keeps the organization's service stack aligned with high industry standards for privacy and data security.

  • AWS CloudWatch provides proactive tooling, such as logging data and actionable insights, to monitor applications, respond to system-wide performance changes, optimize resource utilization, and present a unified view of operational health.

All information systems within the organization must synchronize their clocks by implementing Network Time Protocol (NTP) or a similar capability. All information systems must synchronize with the same primary time source.

Non-compliance

This policy is accessible to and distributed to all Shuffl employees. Any employee found in violation of this policy may be subject to disciplinary action.
