Policy Monitoring

1. Purpose

The purpose of this policy is to define monitoring requirements across the organization to detect, respond to, and investigate security threats, operational issues, and policy violations. This policy supports the Security, Availability, and Confidentiality principles.

2. Scope

This policy applies to all employees, contractors, third-party users, and systems that are part of the organization’s IT and cloud environments. It includes monitoring of users, applications, network traffic, and malware activity.

3. Policy Requirements

3.1 User Activity Monitoring

Objective: Detect unauthorized access, privilege misuse, and insider threats.

• Login Tracking: All user logins to cloud and internal systems must be logged and monitored for anomalies (e.g., geo-velocity, unusual hours).

• Privileged Access Monitoring: Sessions involving elevated privileges (e.g., admin, root) must be recorded and reviewed periodically.

• Command and API Logging: Access to critical resources via CLI or API must be logged using appropriate cloud audit logging capabilities.

• Behavioral Baselines: Establish user behavior baselines to identify anomalies such as unusual access patterns or data exfiltration attempts.

• Alerting: Trigger real-time alerts for suspicious activity (e.g., multiple failed logins, privilege escalation).

3.2 Application Monitoring

Objective: Ensure application availability, performance, and security.

• Uptime and SLA Monitoring: Monitor application availability against defined SLAs using industry-standard monitoring tools.

• Error Tracking: Implement centralized error and exception logging.

• API Usage Monitoring: Monitor API traffic for unusual spikes, abuse, or security violations.

• Log Collection: Application logs must be collected, retained, and aggregated for searchability and analysis.

• Performance Metrics:

  • Response time

  • Throughput

  • Latency

  • Resource utilization

• Secure Logging Practices: No logging of sensitive data such as passwords or cryptographic secrets.

3.3 Network Monitoring

Objective: Detect unauthorized access, data exfiltration, and denial-of-service (DoS) threats.

• Traffic Analysis: Monitor ingress/egress traffic patterns for anomalies or potential data leaks.

• Firewall and ACL Logs: Logs from firewalls and access control lists must be reviewed for unexpected changes or blocked attempts.

• Intrusion Detection/Prevention Systems (IDS/IPS): Implement and maintain IDS/IPS in cloud or hybrid environments.

• DNS Monitoring: Monitor DNS traffic for suspicious domain queries or command-and-control (C2) beaconing.

• Bandwidth Utilization: Track usage spikes and long-lived sessions to identify abuse or compromise.

3.4 Malware and Threat Monitoring

Objective: Detect, contain, and respond to malicious software and advanced threats.

• Endpoint Detection and Response (EDR): All user and server endpoints must have EDR agents installed and actively reporting.

• Malware Scanning:

  • Periodic scans of file storage and file servers.

  • Real-time scanning of incoming email attachments and downloads.

• Threat Intelligence Feeds: Integrate industry-standard threat feeds into SIEM for proactive detection.

• Automated Quarantine: Automatically isolate affected systems upon confirmed malware detection.

• IOC Monitoring: Continuously monitor for indicators of compromise (e.g., hashes, domains, IPs) across environments.

4. Logging and Alerting Standards

• Log Aggregation: Centralize all logs into a SIEM platform for correlation and analysis.

• Retention: Logs must be retained for a minimum of 12 months, and 90 days must be readily accessible.

• Real-Time Alerting: Configure thresholds for critical events and generate immediate alerts via established communication channels.

• Incident Escalation: Integrate alerts with the organization’s incident management platform for triage and escalation.

5. Review and Testing

• Continuous Review: Monitoring rules and alert thresholds must be reviewed quarterly.

• Audit Logs: All logs must be immutable and auditable.

• Testing: Simulate incidents biannually to validate the effectiveness of monitoring controls and escalation paths.

6. Roles and Responsibilities

7. Exceptions

Exceptions must be documented and approved by the CISO or delegated authority. All exceptions must include justification, risk assessment, and an expiration date.