
Security Logging Policy Template

Document Type: Policy
Classification: Internal
Version: 1.0 (Template — replace all [PLACEHOLDERS] before use)


1. Purpose

This policy establishes the requirements for security event logging across [ORGANIZATION NAME]'s information systems, networks, and applications. Consistent, complete, and protected logging is foundational to the organization's ability to detect, investigate, and respond to security incidents.

This policy supports [ORGANIZATION NAME]'s compliance obligations under [list applicable regulations: GDPR, PCI DSS, HIPAA, SOX, etc.] and aligns with Nexus SecOps benchmark controls TEL-001 through TEL-015.


2. Scope

This policy applies to:

  • All information systems owned or operated by [ORGANIZATION NAME]
  • All cloud services procured or managed by [ORGANIZATION NAME]
  • All third-party systems that process [ORGANIZATION NAME] data or connect to [ORGANIZATION NAME] networks
  • All employees, contractors, and service providers who manage information systems

Exceptions: Systems explicitly excluded from scope must be documented in the Exception Register with risk acceptance from [CISO / Security Director].


3. Policy Statements

3.1 Log Source Requirements

3.1.1 All systems processing data classified as Internal or higher MUST generate security event logs.

3.1.2 The following log sources are REQUIRED for all environments:

  • Authentication events (successful and failed logins)
  • Privilege use (administrative actions, elevated sessions)
  • Account management (creation, deletion, modification, lockout)
  • System events (startup, shutdown, configuration changes)
  • Network activity (connection logs for servers and network devices)

3.1.3 The following additional log sources are REQUIRED for production environments:

  • Endpoint process execution logs (including command-line parameters)
  • DNS query and response logs
  • Email gateway security events
  • Cloud service API activity logs
  • Application security events (authentication, authorization failures, input validation errors)

3.2 Log Transmission

3.2.1 All log data MUST be transmitted to the centralized log management platform using encrypted transport (TLS 1.2 or higher).

3.2.2 Log transmission MUST be monitored for interruptions. Gaps in log delivery exceeding [15 / 30] minutes for critical systems MUST trigger an alert to the SOC.

3.2.3 Cleartext transmission of security log data is PROHIBITED.
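The delivery-gap check that 3.2.2 requires, as an added illustration that is not part of this template: it reads per-source arrival records (a constructed sample, not real platform output), computes the longest hole in delivery for each source including the silence since its last batch, and returns the sources that exceed the alert threshold.

```python
from datetime import datetime, timedelta

# Constructed sample of delivery records as a log platform might keep them:
# (source system, UTC arrival time of the last batch received from it).
SAMPLE_ARRIVALS = [
    ("fw-edge-01", "2024-05-01T10:00:00Z"),
    ("fw-edge-01", "2024-05-01T10:05:00Z"),
    ("fw-edge-01", "2024-05-01T10:40:00Z"),  # 35-minute hole in delivery
    ("ad-dc-01", "2024-05-01T10:00:00Z"),
    ("ad-dc-01", "2024-05-01T10:10:00Z"),    # then silent up to "now"
    ("web-01", "2024-05-01T10:55:00Z"),
]


def parse_utc(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_delivery_gaps(arrivals, now: datetime, threshold=timedelta(minutes=15)):
    """Return {source: worst_gap} for every source whose longest delivery gap,
    including the silence from its last arrival until `now`, exceeds threshold.
    The threshold default stands in for the policy's [15 / 30] minute value."""
    by_source: dict[str, list[datetime]] = {}
    for source, ts in arrivals:
        by_source.setdefault(source, []).append(parse_utc(ts))
    alerts = {}
    for source, times in by_source.items():
        times.sort()
        # Largest interval between consecutive batches (0 if only one batch).
        worst = max((b - a for a, b in zip(times, times[1:])), default=timedelta(0))
        # A source that simply stopped sending shows up as silence until now.
        worst = max(worst, now - times[-1])
        if worst > threshold:
            alerts[source] = worst
    return alerts


if __name__ == "__main__":
    for src, gap in find_delivery_gaps(SAMPLE_ARRIVALS, parse_utc("2024-05-01T11:00:00Z")).items():
        print(f"ALERT: {src} exceeded delivery gap threshold by {gap}")
```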

3.3 Log Retention

3.3.1 Security logs MUST be retained for the following minimum periods:

Log Type                  Hot Retention (searchable)   Cold Retention (archived)
------------------------  ---------------------------  -------------------------
Authentication logs       90 days                      12 months
System events             90 days                      12 months
Network flow / DNS        30 days                      6 months
Security incident logs    2 years                      7 years
Regulatory-relevant logs  [Per regulation]             [Per regulation]

3.3.2 Retention periods SHALL be extended if logs are subject to a legal hold or regulatory investigation.

3.3.3 Log deletion MUST be performed through automated, documented processes. Manual deletion of security logs is PROHIBITED without written authorization from [CISO / Legal].

3.4 Log Integrity and Protection

3.4.1 Security logs MUST be protected against unauthorized modification. Acceptable methods include:

  • Cryptographic hashing (SHA-256 or stronger) at time of ingestion
  • Write-once / WORM storage for archived logs
  • Access controls limiting write/delete permissions to the log collection service only

3.4.2 Log management infrastructure MUST be segregated from the systems being monitored.

3.4.3 Access to raw security logs MUST be restricted to authorized security operations and audit personnel. Access MUST be logged and reviewed quarterly.
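One way to implement the hashing-at-ingestion control in 3.4.1, as an added example that is not part of this template: each ingested line is hashed together with the previous entry's SHA-256 digest, so that modifying, deleting or reordering any earlier entry breaks every digest after it. The sample lines are constructed; the chain head would in practice be written to storage the collection service cannot rewrite (the WORM tier in 3.4.1).

```python
import hashlib

GENESIS = "0" * 64  # constructed anchor value for the first entry in a chain

# Constructed raw log lines as they might arrive at the collection service.
SAMPLE_LINES = [
    "2024-05-01T10:00:01Z web-01 auth user=alice outcome=success src=10.0.0.5",
    "2024-05-01T10:00:07Z web-01 auth user=bob outcome=failure src=10.0.0.9",
    "2024-05-01T10:00:09Z web-01 privilege user=alice action=sudo outcome=success",
]


def chain_digest(previous_hash: str, raw: str) -> str:
    """SHA-256 over the prior digest and the raw line, separated unambiguously."""
    return hashlib.sha256(previous_hash.encode() + b"\n" + raw.encode()).hexdigest()


def ingest(lines, previous_hash: str = GENESIS):
    """Build an append-only ledger: every entry records the digest it chains from."""
    ledger = []
    prev = previous_hash
    for raw in lines:
        digest = chain_digest(prev, raw)
        ledger.append({"raw": raw, "prev": prev, "sha256": digest})
        prev = digest
    return ledger


def verify(ledger, previous_hash: str = GENESIS):
    """Return the index of the first entry whose chain does not verify, or None."""
    prev = previous_hash
    for i, entry in enumerate(ledger):
        if entry["prev"] != prev or entry["sha256"] != chain_digest(prev, entry["raw"]):
            return i
        prev = entry["sha256"]
    return None


if __name__ == "__main__":
    ledger = ingest(SAMPLE_LINES)
    print("chain head:", ledger[-1]["sha256"], "verify:", verify(ledger))
```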

3.5 Log Content Requirements

3.5.1 Security events MUST include, at minimum:

  • Event timestamp in UTC
  • Source system identifier
  • User identity (where applicable)
  • Event type and outcome (success/failure)
  • Source IP address and destination (where applicable)

3.5.2 Logs MUST NOT contain cleartext passwords, encryption keys, or full payment card numbers.

3.5.3 All log timestamps MUST be synchronized via NTP to a trusted time source.
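A record-level check for 3.5.1 and 3.5.2, added here as an illustration rather than code from this template: it confirms the mandatory fields are present, that the timestamp is an explicit-UTC ISO 8601 value, that no secret-bearing field names appear, and that no value contains a digit run that passes the Luhn check (a heuristic for a full card number). Field names and the secret-key pattern are assumptions; real schemas will differ.

```python
import re
from datetime import datetime, timedelta

# Mandatory fields per 3.5.1; user identity and addresses are "where applicable".
REQUIRED_FIELDS = ("timestamp", "source_system", "event_type", "outcome")
# Assumed field-name pattern indicating secret material (3.5.2).
SECRET_KEYS = re.compile(r"(password|passwd|secret|private_key|api_key)", re.I)
PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def timestamp_is_utc(value: str) -> bool:
    """Accept only ISO 8601 timestamps carrying an explicit zero UTC offset."""
    try:
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return False
    return ts.tzinfo is not None and ts.utcoffset() == timedelta(0)


def check_event(event: dict) -> list[str]:
    """Return the policy violations found in one record (empty list = compliant)."""
    problems = []
    for field in REQUIRED_FIELDS:
        if not event.get(field):
            problems.append(f"missing required field: {field}")
    if "timestamp" in event and not timestamp_is_utc(str(event["timestamp"])):
        problems.append("timestamp is not an explicit-UTC ISO 8601 value")
    for key, value in event.items():
        if SECRET_KEYS.search(key):
            problems.append(f"secret-bearing field must not be logged: {key}")
        for candidate in PAN_CANDIDATE.findall(str(value)):
            if luhn_ok(candidate):
                problems.append(f"possible full card number in field: {key}")
    return problems
```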

3.6 Privacy Considerations

3.6.1 Security logging MUST comply with [GDPR / applicable privacy regulation]. The legal basis for processing employee personal data in security logs is [legitimate interest / other basis — specify].

3.6.2 Security log data MUST be used only for security monitoring, incident investigation, and compliance purposes. Use of security logs for performance management or HR purposes is PROHIBITED without new legal basis.

3.6.3 Data minimization: Only fields necessary for the stated security purpose SHALL be collected. Logging SHALL be reviewed annually to eliminate unnecessary personal data collection.


4. Roles and Responsibilities

Role                   Responsibility
---------------------  ---------------------------------------------------------------------
CISO                   Policy ownership; annual review and approval
Security Architecture  Technical standards for log collection; log source onboarding
SOC Manager            Operational compliance; log health monitoring
SOC Analysts           Alerting on log gaps; escalation of log failures
System Owners          Enabling logging on owned systems; responding to log gap notifications
IT Operations          Maintaining log collection infrastructure
Compliance             Mapping retention periods to regulatory requirements

5. Exceptions

Requests for exceptions to this policy MUST be submitted to [CISO] with:

  • System name and description
  • Reason logging cannot be implemented
  • Compensating controls in place
  • Risk acceptance sign-off from system owner and CISO
  • Review date (maximum 12 months)

Exceptions are maintained in the [EXCEPTION REGISTER LOCATION].


6. Compliance and Enforcement

Non-compliance with this policy may result in disciplinary action up to and including termination. Systems found non-compliant may be subject to restricted network access pending remediation.

Compliance is monitored through:

  • CSPM / SIEM log source health monitoring (automated)
  • Quarterly log coverage audit by Security Architecture
  • Annual policy compliance review


7. Related Documents

  • [ORGANIZATION NAME] Information Security Policy
  • [ORGANIZATION NAME] Incident Response Plan
  • Nexus SecOps Benchmark Controls: Nexus SecOps-001 through Nexus SecOps-015
  • Log Retention Standard [reference]
  • Privacy Impact Assessment for Security Logging [reference]

8. Document Control

Field          Value
-------------  --------------------
Policy Owner   CISO
Approved By    [Name, Title]
Approval Date  [Date]
Next Review    [Date + 12 months]
Version        1.0

Review this policy annually or after significant changes to logging infrastructure or applicable regulations.