Logging & Monitoring Policy
Document ID: DPWAT-ISMS-POL-010
Version: 1.0
Owner: Administrator + CISO — Anna Boros; Timo Andreas Bejan
Approved by: Administrator (ADM) — Anna Boros
Effective date: 2025-10-15
Next review: 2027-02-01 (or on major change)
1. Policy
DP WAT logs and monitors security-relevant activity in key systems to detect unauthorized access and support incident investigations.
2. Minimum logging expectations
- Enable admin/audit logs where available (e.g., Google Workspace admin audit logs, GitHub audit log).
- Retain logs according to provider capabilities and contractual needs.
- Rely on alert-based monitoring rather than periodic log review (proportionate to company size and cloud-first model).
3. Alerting requirements
For DP WAT-managed systems and user accounts, configure alerts for:
| Event | Alert threshold | Rationale |
|---|---|---|
| Multiple failed authentication attempts | 3+ failures within 15 minutes | A single failure is likely a typo; multiple failures suggest an attack or a compromised credential |
| Successful login from new location/device | Immediate (where supported) | Detect account compromise |
| Permission/role changes | Immediate | Detect privilege escalation |
| Bulk data access or export | Per system capability | Detect data exfiltration |
Alerts are sent by email to both Administrators (CISO and ADM). This ensures coverage and is the primary mechanism for detecting security events; periodic manual log review is not performed.