MedStack Technology Compliance Policies

Logging and monitoring

Log events automatically on all operational systems

  • admin activity
  • user activity
  • exceptions
  • faults
  • information security events
  • remote access, logins and logouts
  • privilege escalation (such as sudo and su)
  • actions that require administrator access
  • changes to accounts (such as passwords)
  • changes to system settings
ISOA.12.4.1Event logging
ISOA.12.4.3Administrator and operator logs
HIPAA164.308(a)(5)(ii)(C)Log-in monitoring
SOC2CC7.2The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity’s ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.

Log service activity on all systems that handle PHI

  • Examples of activity to log
    • HTTP activity
    • Database activity

Protect the logs

  • Store on a central log server.
  • Require administrator access to view logs at a customer level.
  • Require superadmin access to view all logs.
  • Do not permit services that ship logs to modify or delete logs.
  • Back up the logs.
ISOA.12.4.2Protection of log information

Retain logs until whichever comes first

  • For information security logs
    • for at least six months
    • longer if they are needed for an active investigation
  • For non-information security logs
    • An appropriate time
    • until the affected customer is no longer under contract
NISTSpecial Publication 800-92Guide to Computer Security Log Management

Synchronize the clocks of servers

  • using ntp
ISOA.12.4.4Clock synchronisation


  • Responsible party: All managers and supervisors
  • sanctions: standard


ISOA.12.4Logging and monitoring
HIPAA164.308(a)(1)(ii)(D)Information system activity review
HIPAA164.308(a)(5)(ii)(C)Log-in monitoring
HIPAA164.312(b)Audit controls
OWASPLogging Cheat Sheet
NISTSpecial Publication 800-92Guide to Computer Security Log Management