• Logging and monitoring
  • Metadata
  • Log events automatically on all operational systems
  • Protect the logs
  • Retain logs until whichever comes first
  • Log service activity on all systems that handle PHI
  • Synchronize the clocks of servers
  • Enforcement
  • References

Logging and monitoring

MedStack Confidential

Metadata

• responsible officer: CTO
• date
  • effective: 2018-06-20
  • revised: 2018-05-15
  • reviewed: 2018-06-20
• Applicability: standard

Log events automatically on all operational systems

• admin activity
• user activity
• exceptions
• faults
• information security events
• remote access, logins and logouts
• privilege escalation (such as sudo and su)
• actions that require administrator access
• changes to accounts (such as passwords)
• changes to system settings

  Code	Section	Title	Text
  ISO	A.12.4.1	Event logging	Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.
  ISO	A.12.4.3	Administrator and operator logs	System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.
  HIPAA	164.308(a)(5)(ii)©	Log-in monitoring	© Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies.

Protect the logs

• Store on a central log server.
• Require administrator access to view logs at a customer level.
• Require superadmin access to view all logs.
• Do not permit services that ship logs to modify or delete logs.
• Back up the logs.

  Code	Section	Title	Text
  ISO	A.12.4.2	Protection of log information	Logging facilities and log information shall be protected against tampering and unauthorized access.

Retain logs until whichever comes first

• For information security logs
  • for at least six months
  • longer if they are needed for an active investigation
• For non-information security logs
  • An appropriate time
  • until the affected customer is no longer under contract

    Code	Section	Title	Text
    NIST	Special Publication 800-92	Guide to Computer Security Log Management

Log service activity on all systems that handle PHI

• Examples of activity to log
  • HTTP activity
  • Database activity

Synchronize the clocks of servers

• using ntp

  Code	Section	Title	Text
  ISO	A.12.4.4	Clock synchronisation	The clocks of all relevant information processing systems within an organization or security domain shall be synchronised to a single reference time source.

Enforcement

• Responsible party: All managers and supervisors
• sanctions: standard

References

Code	Section	Title	Text
ISO	A.12.4	Logging and monitoring	To record events and generate evidence.
HIPAA	164.308(a)(1)(ii)(D)	Information system activity review	(1) (i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations. (ii) Implementation specifications: (A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate. (B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a). (C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate. (D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
HIPAA	164.308(a)(5)(ii)(C)	Log-in monitoring	(i)Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management). (ii)Implementation specifications. Implement: (A) Security reminders (Addressable). Periodic security updates. (B) Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software. (C) Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies. (D) Password management (Addressable). Procedures for creating, changing, and safeguarding passwords.
HIPAA	164.312(b)	Audit controls	Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
OWASP		Logging Cheat Sheet
NIST	Special Publication 800-92	Guide to Computer Security Log Management

November 13, 2019

Powered by