Log Monitoring Procedure
Document ID: DPWAT-ISMS-PROC-007
Version: 1.1
Owner: Administrator + CISO — Anna Boros; Timo Andreas Bejan
Approved by: Administrator (ADM) — Anna Boros
Effective date: 2025-11-10
Next review: 2027-02-01 (or on major change)
1. Purpose
Define how DP WAT monitors security-relevant logs and responds to alerts.
2. Monitoring approach
DP WAT uses alert-based monitoring rather than periodic manual log review. This is proportionate to company size and the cloud-first operating model.
2.1 Alert configuration
The following systems are configured to send security alerts to both Administrators (Timo Andreas Bejan and Anna Boros) via email:
| System | Alert types | Recipients |
|---|---|---|
| Google Workspace | Suspicious login, permission changes, security events | timo@devplant.ro, anna@devplant.ro |
| GitHub | Security alerts, access changes, audit events | timo@devplant.ro, anna@devplant.ro |
| Cloudflare | Security events, attack alerts | timo@devplant.ro, anna@devplant.ro |
2.2 Why no periodic review
- Cloud providers offer robust built-in alerting that is more timely than periodic review
- Small team size makes real-time alerts more practical than scheduled review sessions
- Logs are retained by providers and available for incident investigation when needed
3. Responding to alerts
When an alert is received:
- Assess whether it indicates a genuine security event or a false positive
- If genuine, follow the incident response procedure (04.05-incident-response)
- If it is a false positive or informational, no further action is required
4. On-demand log review
Logs are reviewed manually only when:
- Investigating an incident
- Responding to a specific concern or request
- Supporting an audit or compliance inquiry
The Slack workspace devplant is not evidence-critical; its logs are reviewed only for incident investigation, if needed.