Policy Owner: Principal Engineer
...
| Anchor | ||||
|---|---|---|---|---|
|
Production infrastructure applications, production components, and production cloud platform accounts shall be configured to produce detailed logs appropriate to the function served by the system or device. Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and reviewed through manual or automated processes as needed. Appropriate alerts shall be configured for events that represent a significant threat to the confidentiality, availability or integrity of production systems or Confidential data.
Logging should meet the following criteria for production applications and supporting infrastructure8, production components, and production cloud platform accounts:
Log user log-in and log-out
Log CRUD (create, read, update, delete) operations on application and system users and objects
Log security settings changes (including disabling or modifying of logging)
Log application owner or administrator access to customer data (i.e. Access Transparency)
Logs must include user ID, IP address, valid timestamp, type of action performed, and object of this action.
Logs must be stored for at least 30 days, and should not contain sensitive data or payloads
Protection of Log Information
...
Risks shall be considered prior to the acquisition of, or significant changes to, systems, technologies, or facilities. Where requirements are formally identified, any relevant security requirements shall be included. The acquisition of new suppliers and services shall be made in accordance with the Third-Party Management Policy.
The company shall perform an annual network security assessment that includes a review of major changes to the environment such as new system components and network topology.
| Anchor | ||||
|---|---|---|---|---|
|
...