Policies, Agreements, Terms & Conditions
MedStack Technology Compliance Policies
Logging and monitoring
Log events automatically on all operational systems
- admin activity
- user activity
- exceptions
- faults
- information security events
- remote access, logins and logouts
- privilege escalation (such as
sudoandsu) - actions that require administrator access
- changes to accounts (such as passwords)
- changes to system settings
| Code | Section | Title |
|---|---|---|
| ISO | A.12.4.1 | Event logging |
| ISO | A.12.4.3 | Administrator and operator logs |
| HIPAA | 164.308(a)(5)(ii)(C) | Log-in monitoring |
| SOC2 | CC7.2 | The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity’s ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. |
Log service activity on all systems that handle PHI
- Examples of activity to log
- HTTP activity
- Database activity
Protect the logs
- Store on a central log server.
- Require administrator access to view logs at a customer level.
- Require superadmin access to view all logs.
- Do not permit services that ship logs to modify or delete logs.
- Back up the logs.
| Code | Section | Title |
|---|---|---|
| ISO | A.12.4.2 | Protection of log information |
Retain logs until whichever comes first
- For information security logs
- for at least six months
- longer if they are needed for an active investigation
- For non-information security logs
- An appropriate time
- until the affected customer is no longer under contract
| Code | Section | Title |
|---|---|---|
| NIST | Special Publication 800-92 | Guide to Computer Security Log Management |
Synchronize the clocks of servers
- using ntp
| Code | Section | Title |
|---|---|---|
| ISO | A.12.4.4 | Clock synchronisation |
Enforcement
- Responsible party: All managers and supervisors
- sanctions: standard
References
| Code | Section | Title |
|---|---|---|
| ISO | A.12.4 | Logging and monitoring |
| HIPAA | 164.308(a)(1)(ii)(D) | Information system activity review |
| HIPAA | 164.308(a)(5)(ii)(C) | Log-in monitoring |
| HIPAA | 164.312(b) | Audit controls |
| OWASP | Logging Cheat Sheet | |
| NIST | Special Publication 800-92 | Guide to Computer Security Log Management |
Life Support Mental Health Inc. @ 2022
All Rights Reserved