• Logging and monitoring
  • Metadata
  • Log events automatically on all operational systems
  • Log service activity on all systems that handle PHI
  • Protect the logs
  • Retain logs until whichever comes first
  • Synchronize the clocks of servers
  • Enforcement
  • References

Logging and monitoring

MedStack Confidential

Metadata

• responsible officer: CTO
• approved by: CTO
• date
  • effective: 2018-06-20
  • revised: 2020-08-05
  • reviewed: 2022-08-31
• Applicability: standard

Log events automatically on all operational systems

• admin activity
• user activity
• exceptions
• faults
• information security events
• remote access, logins and logouts
• privilege escalation (such as sudo and su)
• actions that require administrator access
• changes to accounts (such as passwords)
• changes to system settings

Code	Section	Title
ISO	A.12.4.1	Event logging
ISO	A.12.4.3	Administrator and operator logs
HIPAA	164.308(a)(5)(ii)(C)	Log-in monitoring (Addressable)
SOC2	CC7.2	The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.

Log service activity on all systems that handle PHI

• Examples of activity to log
  • HTTP activity
  • Database activity

Protect the logs

• Store on a central log server.
• Require administrator access to view logs at a customer level.
• Require superadmin access to view all logs.
• Do not permit services that ship logs to modify or delete logs.
• Back up the logs.

Code	Section	Title
ISO	A.12.4.2	Protection of log information

Retain logs until whichever comes first

• For information security logs
  • for at least six months
  • longer if they are needed for an active investigation
• For non-information security logs
  • An appropriate time
  • until the affected customer is no longer under contract

Code	Section	Title
NIST	Special Publication 800-92	Guide to Computer Security Log Management

Synchronize the clocks of servers

• using ntp

Code	Section	Title
ISO	A.12.4.4	Clock synchronisation

Enforcement

• Responsible party: All managers and supervisors
• sanctions: standard

References

Code	Section	Title
ISO	A.12.4	Logging and monitoring
HIPAA	164.308(a)(1)(ii)(D)	Information system activity review (Required)
HIPAA	164.312(b)	Standard: Audit controls
OWASP		Logging Cheat Sheet
NIST	Special Publication 800-92	Guide to Computer Security Log Management

August 30, 2022

Powered by