This policy details event logging and monitoring requirements to support information security.
This policy outlines implementation guidance on event logs recording user activities, exceptions, faults, and information security events that should be
produced, kept, and regularly reviewed.
Information security logging and monitoring are necessary to identify, respond to, and prevent security incidents, suspicious activity, and operational issues.
The information can be used for auditing, root cause analysis, and, in the case of security events, forensic investigations.
This document applies to the entire Information Security Management System (ISMS) scope and all personal data processing activities.
Users of this document are employees of the IT and DevOps departments.
The standard applies to Resolver’s on-prem production servers (Active Directory (AD) domain controller (DC) servers), cloud production environments, network firewalls, and cloud solutions. Security solutions should also be monitored and their events recorded.
The logs, where feasible, must be sent to the corporate centralized SIEM solution for log aggregation, monitoring, and alerting.
The log events must be retained per the retention period defined for the respective data sets based on compliance or industry-specific requirements.
To ensure Resolver’s information assets are kept secure at all times, it is necessary to monitor the activities of both authorized and unauthorized users to identify any actions that are not in keeping with the secure use of the facilities provided.
Such actions may include:
| Sr No | Field Name | Description |
|---|---|---|
| 1 | Event id or id | A unique identifier of the event/log entry |
| 2 | Log Source | The source location where the log originated from |
| 3 | Host | The host where the log originated |
| 4 | User id | Details to identify the user/actor |
| 5 | Action | The activity or action performed by user/actor |
| 6 | Location | Source and/or destination details captured when doing the action |
| 7 | Timestamp | The timestamp of the event with the time zone details |
| | Field/Event Exceptions | |
It shall be the responsibility of the product or solution or server owners to ensure appropriate local logging, retention, and monitoring is in place. The information security logs must be forwarded to a centralized SIEM solution for aggregation and analysis.
Members of the InfoSec & Compliance team are required to log in to the SIEM daily and review the last 24 hours of activities on the main dashboards, including but not limited to:
Log files will be kept for at least six months. Where other industry-specific compliance regulations or standard requirements specify a different period, those requirements will guide the maximum retention period of the affected data subsets; as such, the SIEM solution should be able to accommodate varying retention periods.
Strict permissions will ensure that the contents of log files cannot be altered after they have been written. Where possible, key events from log files will be copied to a central point and archived. Backups of log files will be taken daily.
The logs, where feasible, must be stored in immutable storage (no one, including administrators, should be able to edit the data) and must be sent to the corporate centralized SIEM solution for log aggregation, monitoring, and alerting.
The logs forwarded to the SIEM must be available for search for at least 90 days, after which they can be archived to cheaper storage.
In a cloud environment, particularly where personally identifiable information (PII) is recorded as part of logging activities, logs should be encrypted at rest, and appropriate access control must be in place to prevent such data from being used for any other purpose.
All servers/devices defined in scope should forward system audit logs. For Windows servers, the Application, System, and Security logs generated at the OS level need to be forwarded.
For Linux machines, the logs in /var/log folders that capture the audit information must be forwarded.
These logs must contain at least the below minimum fields that could be used for analysis.
| Sr No | Field Name | Description |
|---|---|---|
| 1 | User Id | Details to identify the user/actor |
| 2 | Log Source | The source location where the log originated from |
| 3 | Host | The host where the log originated |
| 4 | IP address/Location | The source and destination IP addresses of the requests |
| 5 | Action | The activity or action performed by user/actor |
| 6 | Timestamp | The timestamp of the event with the time zone details |
| | Field/Event Exceptions | |
All the firewalls in the environment should forward the traffic and IPS/IDS logs to the centralized SIEM.
These logs must contain at least the below minimum fields that could be used for analysis:
| Sr No | Field Name | Description |
|---|---|---|
| 1 | Log Source/Host | The source location or the host details where the log originated |
| 2 | IP address/Location | The source and destination IP addresses of the requests |
| 3 | Signature | Signature details for IPS/IDS events |
| 4 | Action | The activity or action performed by user/actor |
| 5 | Timestamp | The time of the event with the time zone details |
| | Field Exceptions | The field list might vary based on the event codes and firewall vendor. The list is indicative, and the real data/fields ingested could vary. |
Cloud providers provide services where the Resolver’s infrastructure or applications are hosted. These Cloud services generate logs for actions performed on their portals. Several additional types of logs are generated based on the services in use. The logs that contain audit or relevant security-related events should be ingested in the SIEM solution where feasible.
The logs must contain at least the below minimum fields that could be used for analysis:
| Sr No | Field Name | Description |
|---|---|---|
| 1 | Event id or id | A unique identifier of the event/log entry |
| 2 | Log Source | The source location where the log originated from |
| 3 | Log Type | The type of the log, identifying the service that generated it |
| 4 | User id | Details to identify the user/actor |
| 5 | Action | The activity or action performed by user/actor |
| 6 | Location | Source and/or destination details captured when doing the action |
| 7 | Timestamp | The timestamp of the event with the time zone details |
| | Field Exceptions | Certain log types can generate high volume; in such cases a decision can be taken to ingest into the SIEM only the subset of events that is relevant for security use cases. The decision can be taken on a case-by-case basis. |
The Info Sec team manages and uses different Info Sec tools (such as VPN), which generate logs based on their use case.
These logs should be ingested in the SIEM solution where feasible so all the required information for security analysis is available centrally.
Below are the minimum fields from the Security Tools that could be used for analysis. Based on the use case of the Info Sec tool, certain additional fields will be required for analysis:
| Sr No | Field Name | Description |
|---|---|---|
| 1 | User Id | Details to identify the user/actor |
| 2 | Log Source | The source location where the log originated from |
| 3 | Log Type | The type of the log, identifying the service that generated it |
| 4 | IP address/Location | The source and destination IP addresses of the requests |
| 5 | Action | The activity or action performed by user/actor |
| 6 | Timestamp | The timestamp of the event with the time zone details |
| | Field/Event Exceptions | If the log ingestion and processing capabilities of an Info Sec tool overlap with what the SIEM offers, a decision can be taken to ingest only the processed alerts from the security tool instead. This can be considered based on the use case and the overall Info Sec team requirement. |
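The minimum-field tables for production servers, firewalls, cloud services and security tools above are only useful if something enforces them at ingestion time. The following added example (not part of the original policy; the field names, category labels and sample records are constructed for illustration, since real field names depend on the SIEM parser and vendor) checks an event against the category's minimum fields, treats "IP address/Location" style entries as either-of alternatives, and rejects timestamps that carry no time zone, normalizing valid ones to UTC so events from hosts in different zones can be compared:

```python
"""Validate log events against the policy's minimum-field tables (constructed example)."""
from datetime import datetime, timezone

# Minimum fields per log source category, as listed in the policy tables.
# A tuple means any one of the listed names satisfies the requirement
# (e.g. "IP address/Location"). Field names are assumed, not vendor-specific.
MINIMUM_FIELDS = {
    "production_server": ["user_id", "log_source", "host",
                          ("ip_address", "location"), "action", "timestamp"],
    "firewall": [("log_source", "host"), ("ip_address", "location"),
                 "signature", "action", "timestamp"],
    "cloud": ["event_id", "log_source", "log_type", "user_id",
              "action", "location", "timestamp"],
    "security_tool": ["user_id", "log_source", "log_type",
                      ("ip_address", "location"), "action", "timestamp"],
}


def _present(event, field):
    """True if the field (or any alternative in a tuple) has a non-empty value."""
    names = field if isinstance(field, tuple) else (field,)
    return any(event.get(n) not in (None, "") for n in names)


def parse_timestamp(value):
    """Parse an ISO 8601 timestamp and require explicit time zone information.

    Returns the instant normalized to UTC, or None if the value is not
    ISO 8601 or carries no zone offset (a naive timestamp cannot be
    correlated reliably across hosts).
    """
    try:
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except (ValueError, AttributeError):
        return None
    if ts.tzinfo is None:
        return None
    return ts.astimezone(timezone.utc)


def validate_event(event, category):
    """Return a list of problems; an empty list means the event meets the minimum."""
    problems = []
    for field in MINIMUM_FIELDS[category]:
        if not _present(event, field):
            label = "/".join(field) if isinstance(field, tuple) else field
            problems.append(f"missing required field: {label}")
    if _present(event, "timestamp") and parse_timestamp(event["timestamp"]) is None:
        problems.append("timestamp lacks time zone information or is not ISO 8601")
    return problems


# Constructed sample records: one compliant, one missing a field, one with a
# naive timestamp. Addresses are from documentation ranges.
SAMPLE_EVENTS = [
    ({"event_id": "1", "log_source": "cloud-audit", "log_type": "management",
      "user_id": "alice", "action": "ConsoleLogin", "location": "203.0.113.10",
      "timestamp": "2023-09-01T08:00:00Z"}, "cloud"),
    ({"log_source": "fw-edge-1", "ip_address": "198.51.100.7 -> 10.0.0.5",
      "action": "drop", "timestamp": "2023-09-01T10:00:00+02:00"}, "firewall"),
    ({"user_id": "svc-backup", "log_source": "syslog", "host": "db01",
      "ip_address": "10.0.0.5", "action": "sudo",
      "timestamp": "2023-09-01 08:00:00"}, "production_server"),
]


def audit(events=SAMPLE_EVENTS):
    """Validate each (event, category) pair; returns {index: problems} for failing events."""
    failures = {}
    for i, (event, category) in enumerate(events):
        problems = validate_event(event, category)
        if problems:
            failures[i] = problems
    return failures


def order_for_correlation(events):
    """Sort events by UTC instant so records from hosts in different zones line up."""
    rows = []
    for event, _ in events:
        instant = parse_timestamp(event.get("timestamp"))
        if instant is not None:
            rows.append((instant, event.get("host") or event.get("log_source")))
    return sorted(rows)


if __name__ == "__main__":
    for index, problems in audit().items():
        print(f"event {index}: {'; '.join(problems)}")
    for instant, origin in order_for_correlation(SAMPLE_EVENTS):
        print(instant.isoformat(), origin)
```

In the sample set the cloud event (08:00Z) and the firewall event (10:00+02:00) are the same instant, which is exactly the comparison the time-synchronization requirement below is meant to make possible; the naive syslog timestamp is rejected rather than guessed at.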
Where possible, all systems will synchronize their date and time either with a single internal source or an appropriate external time source. This is important so that events on different systems can be correctly compared during incident investigation without having to account for differences in system clocks.
Within Resolver, the following convention will be used:
This document is valid as of September 2023.
The owner of this document is the InfoSec & Compliance team, who must check and, if necessary, update the document at least once a year.
When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:
EFFECTIVE ON: September 2023
REVIEW CYCLE: Annual at least and as needed