Logging and Monitoring Policy

Purpose#

The purpose of this policy is to address the identification and management of the risk of system-based security events by logging and monitoring systems, and to record events and gather evidence. It also informs all DefectDojo employees and external parties with access to DefectDojo equipment, systems, or networks (DefectDojo Staff) of their obligations regarding logging and monitoring of all systems, networks, IT assets, and licensed software owned, operated, or used by DefectDojo.

Scope#

This policy applies to logging and monitoring as part of information security, covering the confidentiality, integrity, and availability of company-owned, processed, stored, and transmitted information.

Compliance#

Compliance Measurement#

The Information Security Management team will verify compliance through business tool reports, internal and external audits, and feedback to the document owner.

Exceptions#

Any exception to this document must be reviewed and approved in advance by the Management Review Team.

Non-Compliance#

Any DefectDojo Staff found to have violated this document may be subject to disciplinary action, up to and including termination of employment.

Continual Improvement#

This document is updated and reviewed as part of the continual improvement process.

Requirements#

Principle#

• All systems processing, storing, or transmitting confidential data must have audit and logging enabled where possible and practical.
• Event logs for information security events are generated, retained per business needs and customer requirements, and regularly reviewed.
• Automated monitoring systems that generate consolidated reports and alerts are used where possible.

Roles and Responsibilities#

DefectDojo Staff#

• Staff are informed that their use of DefectDojo systems may be logged and monitored, in accordance with local privacy laws, to protect DefectDojo and customer systems and assets.

Security Operations Team#

The Security Operations team is responsible for ensuring logging and monitoring controls are properly implemented.

Events to be Logged#

• Successful and failed authentication (logons/logoffs)
• Successful and failed authorization attempts
• Successful and failed resource access attempts
• Changes to system configuration, variables, networks, and activities
• Privileged actions
• Use of system utilities and applications
• System restarts
• Daemon starts and stops
• Daemon installs and uninstalls
• Alarms raised by any security system
• Activation and deactivation of any security system

Event Logging Details#

• Include user IDs or other identifiers of actors
• Include date and time
• Include details of the event (success/failure)
• Include device identity or location where possible
• Include files/data accessed and type of access
• Include network addresses and protocols
• Include identity or name of affected data, system component, or resource

Event Logging Access Control#

• Logging and monitoring performed by authorized personnel only
• Logging systems and reports strictly protected and restricted
• Logs protected against tampering and unauthorized access

Clock Synchronization#

• All relevant systems’ clocks synchronized to a single reference time source
• Time settings received from industry-accepted sources

Event Log Monitoring#

• Responsibilities assigned to skilled personnel, segregated from monitored systems where possible
• High-risk events trigger the Incident Response Procedure
• Logs for all critical systems reviewed at least daily

Event Log Retention#

• Event logs from the past 90 days available for immediate analysis
• Cold-storage retention may be used for longer-term customer-mandated retention

Event Logs in Central Location#

• Logs aggregated into a central system where possible
• Distributed nodes acceptable if all logs remain visible to the logging manager at all times

Relevant Documents#

• Acceptable Use Policy
• Access Control Policy
• Data Classification Policy
• Data Classification Standard
• Data Retention Policy
• Incident Response Procedure