Logging and Monitoring Policy

Breakout Learning Inc.


Purpose

The purpose of this policy is to outline the requirements for audit logging and monitoring of system activity at Breakout Learning Inc. Frequent monitoring and maintenance of audit trails are in place to effectively assess information system controls, operations, and general security.


Scope

This policy applies to all Breakout Learning Inc system components, including applications, infrastructure (including cloud infrastructure), network, security tools and utilities, or any other components that impact the security of Breakout Learning Inc and the data it manages and processes.


Roles & Responsibilities

  • Chief Information Security Officer (CISO):
    Oversees the overall implementation and management of the Logging and Monitoring Policy and ensures all logging activities align with security objectives and compliance requirements.
  • CTO:
    Ensures that logging mechanisms are integrated into the system architecture and that logging tools are functioning as required for all system components.
  • IT Security Team:
    Implements and maintains logging and monitoring systems, reviews logs regularly for any suspicious or malicious activities, and ensures the protection of logs from tampering or unauthorized access.
  • System Administrators:
    Ensure logs are generated and stored according to the policy and verify that their own activities are logged appropriately and cannot be erased or deactivated by unauthorized users.
  • Audit Team:
    Conducts routine audits of the logs, ensures that logs are protected and backed up appropriately, and reviews logs for evidence of any policy violations or system misconfigurations.

Event Logs

All Breakout Learning Inc systems that access or handle sensitive information, accept network connections, manage access control (authentication and authorization), or affect the security of the environment (e.g., anti-malware utilities, firewalls, etc.) record and retain audit-logging information. This information is sufficient to answer the following:

  • What activity was performed?
  • Who performed it?
  • Where, when, and how (with what tools) was it performed?
  • What was the status, outcome, or result of the activity?

Logged Activities

Log records are created for the following activities:

  • Attempts to create, read, update, or delete sensitive information or authentication information.
  • Attempts to create, update, or delete other information.
  • Initiating and accepting network connections.
  • User authentication and authorization activities, including login and logout.
  • Invalid logical access attempts.
  • Actions taken by individuals with administrative access, including changes to firewall rules, user permissions, and database object permissions.
  • Access to audit logs.
  • Creation and deletion of system-level objects.
  • System, network, or services configuration changes.
  • Application process startups, shutdowns, or restarts.
  • Abnormal process failures or resource exhaustion.
  • Detection of suspicious or malicious activity, such as from IDS/IPS systems, web application firewalls, or anti-malware systems.

Log Elements

Each log contains the following elements:

  • Type of action (e.g., authorize, create, update, delete, accept network connection).
  • Subsystem performing the action (e.g., process name, transaction identifier).
  • Identifiers for the subject requesting the action (e.g., username, IP address).
  • Identifiers for the object the action was performed on (e.g., file names, database records).
  • Date and time the action was performed.
  • Whether the action was allowed or denied by access control mechanisms.
  • Reason codes for denied actions, if applicable.

Clock Synchronization

System clocks are synchronized using time-synchronization technology to ensure the accuracy of system logs. Time received from external sources is based on International Atomic Time or Coordinated Universal Time (UTC). The Network Time Protocol (NTP) keeps all servers synchronized with a central time server.

Access to time synchronization settings is restricted, and changes to time settings on critical systems are logged, monitored, and reviewed.


Protection of Audit Logs

Audit logs are safeguarded and protected from unauthorized access and tampering through the following controls:

  • Read access to audit logs is restricted to individuals with a job-related need.
  • Audit logs are protected from unauthorized modifications or deletions.
  • System administrators cannot erase or deactivate logs of their own activities.
  • Audit logs are backed up to a secure internal log server outside of the control of system administrators.
  • An intrusion detection system monitors system and network administration activities.
  • File integrity monitoring ensures that existing log data cannot be changed without generating alerts.
  • Logs are reviewed regularly to maintain accountability of privileged users.

Monitoring

Failures of critical security control systems are detected and addressed promptly through the monitoring of logs and alerting mechanisms. Critical security control systems include:

  • Network security controls.
  • IDS/IPS.
  • Anti-malware solutions.
  • Logical access controls.
  • Audit logging mechanisms.
  • Automated security testing tools.

Failures identified through log monitoring trigger an immediate response, including:

  • Restoring security functions.
  • Documenting the duration and cause of the failure.
  • Implementing controls to prevent recurrence.
  • Resuming monitoring after resolution.

Revision History

| Version | Date       | Editor              | Approver            | Description of Changes                                                                |
|---------|------------|---------------------|---------------------|---------------------------------------------------------------------------------------|
| 1.1     | 2024/10/01 | Nikita Rogatnev     | Joshua Oster-Morris | Standardized role titles across all relevant policies, replacing previous variations |
| 1.0     | 2024/01/01 | Joshua Oster-Morris | Jake Shepherd       | Initial version                                                                       |