RISM17 Logging and Monitoring Policy

UCL Research Data Information Security Management System Logging and Monitoring Policy #

Document Name: RISM17-Logging_and_Monitoring_Policy.md

Author: Tim Machin

Classification: Public

Version: 1.1

Created: 07/02/2025

Last Review date: 07/04/2025

Last Reviewed by: Victor Olago

Approved by: OMG

Approved date: 12/03/2025

Review Period: 3 Years

1. Document Overview #

This policy establishes the minimum standard for logging and monitoring activities to record security events and monitor for anomalous activity in compliance with ISO 27001 requirements.

2. Scope #

This policy applies to all in-scope Environments.

3. Conventions used in this Document #

| Term | Meaning |
| --- | --- |
| Shall | A mandatory requirement of this policy |
| Should | A recommended requirement of this policy |
| May | An optional requirement |

4. Logging #

4.1 Event Logging #

All critical systems, applications, and network devices shall generate logs. Logs shall include information on user access, authentication attempts, administrative actions and other security-related events.

4.2 Log Contents #

Logs should contain at least:

  • Timestamp
  • Source and destination network address (if applicable)
  • User ID (if applicable)
  • Event type and description

4.3 Log Storage & Retention #

Logs shall be stored securely and protected from unauthorised access or modification. Access to logs shall be restricted to authorised personnel and protected from tampering. Logs should be stored outside of the environment generating the log.

Logs shall be retained in compliance with the UCL Data Retention Schedule. Archived logs must be stored with adequate security controls.

5. Monitoring #

Automated tools shall be used to monitor systems and logs for security incidents and anomalies. A Security Information and Event Management (SIEM) system should be implemented where feasible. Alerts shall be configured for critical security events such as unauthorised access attempts, privilege escalations, malware infections or service interruptions.

Anomalies shall be investigated and documented in line with the Incident Management Procedure.
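The following is an added illustration, not part of this policy and not UCL's tooling: a small Python script that checks log records against the minimum contents listed under Log Contents (timestamp, network addresses and user ID where applicable, event type and description) and applies two of the alert rules named under Monitoring (repeated unauthorised access attempts and privilege escalation). The key=value record format, the field names, the event type labels, the five-failures-in-one-minute threshold and the sample records are all constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Minimum fields every record must carry (policy: Log Contents).
# Network addresses and user ID are "if applicable", so they are not enforced here.
REQUIRED_FIELDS = ("timestamp", "event_type", "description")

# Constructed sample records in a hypothetical key=value format (not a real UCL log).
SAMPLE_LOG = """\
timestamp=2025-02-07T09:00:01Z src=10.0.0.5 dst=10.0.1.20 user=alice event_type=auth_failure description="bad password"
timestamp=2025-02-07T09:00:05Z src=10.0.0.5 dst=10.0.1.20 user=alice event_type=auth_failure description="bad password"
timestamp=2025-02-07T09:00:09Z src=10.0.0.5 dst=10.0.1.20 user=alice event_type=auth_failure description="bad password"
timestamp=2025-02-07T09:00:12Z src=10.0.0.5 dst=10.0.1.20 user=alice event_type=auth_failure description="bad password"
timestamp=2025-02-07T09:00:15Z src=10.0.0.5 dst=10.0.1.20 user=alice event_type=auth_failure description="bad password"
timestamp=2025-02-07T09:01:00Z src=10.0.0.9 dst=10.0.1.20 user=bob event_type=auth_success description="login ok"
timestamp=2025-02-07T09:02:00Z src=10.0.0.9 dst=10.0.1.20 user=bob event_type=privilege_escalation description="sudo to root"
src=10.0.0.7 user=carol event_type=auth_success description="record with no timestamp"
"""

# key=value pairs; values may be quoted strings containing spaces
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one key=value line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def validate_record(rec):
    """Return the list of mandatory fields missing from a record (empty if compliant)."""
    return [f for f in REQUIRED_FIELDS if f not in rec]


def analyse(log_text, threshold=5, window=timedelta(minutes=1)):
    """Validate each record and raise alerts for critical events.

    Returns (alerts, invalid): alerts is a list of (rule, subject, timestamp);
    invalid is a list of (raw_line, missing_fields) for non-compliant records.
    """
    alerts = []
    invalid = []
    failures = defaultdict(list)  # (src, user) -> recent failure timestamps

    for line in log_text.splitlines():
        rec = parse_record(line)
        missing = validate_record(rec)
        if missing:
            # A record without the mandatory fields cannot be correlated reliably;
            # report it so the logging source can be fixed rather than silently drop it.
            invalid.append((line, missing))
            continue

        ts = datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
        event_type = rec["event_type"]

        if event_type == "privilege_escalation":
            # Every escalation is a critical event in its own right.
            alerts.append(("privilege_escalation", rec.get("user"), ts))
        elif event_type == "auth_failure":
            key = (rec.get("src"), rec.get("user"))
            failures[key].append(ts)
            # Keep only failures inside the sliding window.
            failures[key] = [t for t in failures[key] if ts - t <= window]
            if len(failures[key]) >= threshold:
                alerts.append(("repeated_auth_failure", key, ts))
                failures[key] = []  # reset so one burst yields one alert

    return alerts, invalid


if __name__ == "__main__":
    found_alerts, bad_records = analyse(SAMPLE_LOG)
    for alert in found_alerts:
        print("ALERT", *alert)
    for raw, missing in bad_records:
        print("NON-COMPLIANT RECORD (missing %s): %s" % (", ".join(missing), raw))
```

Running the script stand-alone prints one alert for the burst of failed logins from 10.0.0.5 as alice, one for bob's privilege escalation, and one non-compliance report for the record lacking a timestamp; in practice the alerts would be routed to the SIEM and the non-compliant record fed back to the owner of the logging source.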