Document ID: SOC2-MON-001 | Version: 1.0 | Date: March 2026 | Classification: Internal | Owner: CISO / Security Operations
Purpose
This policy establishes requirements for monitoring production systems and collecting security logs to detect and respond to threats. It implements CC7.1 (monitor system components) and CC7.2 (evaluate and communicate about security events) of the SOC 2 Common Criteria.
1. Log Coverage Requirements
All of the following must generate logs that are centralised and retained:
| Log Source | Required Log Types | Minimum Retention |
|---|---|---|
| Cloud infrastructure (AWS/Azure) | API calls, IAM events, config changes | 12 months |
| Production application | Authentication events, authorisation decisions, data access | 12 months |
| Web application firewall | Blocked requests, rate limit events | 6 months |
| Production databases | Query logs (privileged), schema changes, access events | 12 months |
| Identity provider (SSO/LDAP) | Login success/failure, MFA events, account changes | 12 months |
| Network devices / VPN | Connection logs, failed auth, policy violations | 6 months |
| Endpoint security (EDR) | Detections, process executions, lateral movement indicators | 90 days |
| CI/CD pipeline | Deployment events, code signing, config changes | 12 months |
2. Log Integrity Requirements
- Logs must be written to a separate, write-once storage target that is not accessible from production systems
- Log delivery must be confirmed; gaps in log delivery trigger an alert within 1 hour
- Logs must not be modified or deleted before the retention period expires
- All log sources must use synchronised time (NTP) to ensure accurate event correlation
3. SIEM Alerting Requirements
The following event types must generate automated alerts reviewed by the security team:
| Event | Alert Severity | Response Time |
|---|---|---|
| Authentication failure spike (>10 in 5 min per user) | High | 30 minutes |
| Successful login from new country / IP | Medium | 4 hours |
| Privileged account used outside business hours | High | 1 hour |
| IAM policy change (especially permission escalation) | Critical | 15 minutes |
| Security group / firewall rule change | High | 1 hour |
| Production data export exceeding baseline volume | Critical | 15 minutes |
| New admin account created | High | 1 hour |
| Log source stopped sending data | High | 1 hour |
| Vulnerability scanner critical finding | High | 4 hours |
| Malware detection on endpoint | Critical | 15 minutes |
4. Anomaly Detection
Baseline normal behaviour must be established for:
- User authentication patterns (time, location, volume)
- API call volumes by user and endpoint
- Data egress volumes by user and service
- Infrastructure resource consumption
Deviations exceeding 3× baseline or matching known attack patterns must trigger automated alerts.
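The following is an added worked example, not part of this policy or of any tooling it mandates, showing how two of the rules above (the authentication failure spike from section 3, >10 failures in 5 minutes per user, and the 3× baseline deviation from section 4, applied to data egress volumes) can be implemented as SIEM-style detection logic. The JSON log lines, user names, and egress figures are constructed for illustration; the "Medium" severity for a principal with no established baseline is an assumption, since the policy does not specify one.

```python
"""Detection checks for two policy rules, run over constructed sample data.

Rule A: authentication failure spike  -> more than 10 failures within 5 minutes, per user (High)
Rule B: data egress exceeding baseline -> observed volume above 3x the per-principal baseline (Critical)
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 10          # policy: alert when failures exceed 10 ...
WINDOW = timedelta(minutes=5)   # ... within any 5-minute window, per user
BASELINE_MULTIPLIER = 3.0       # policy: deviations exceeding 3x baseline

# Constructed sample authentication events (JSON lines, as an identity provider might emit them).
# alice: 11 failures within 44 seconds (should alert); bob: one failure then a success (should not).
_ALICE_FAILURES = [
    {"ts": f"2026-03-01T09:00:{sec:02d}Z", "user": "alice", "event": "login_failure", "src": "198.51.100.7"}
    for sec in range(0, 44, 4)
]
_OTHER_EVENTS = [
    {"ts": "2026-03-01T09:01:00Z", "user": "bob", "event": "login_failure", "src": "203.0.113.5"},
    {"ts": "2026-03-01T09:02:00Z", "user": "bob", "event": "login_success", "src": "203.0.113.5"},
    # a later alice failure, more than 5 minutes after the burst: the window has slid past the burst
    {"ts": "2026-03-01T09:06:00Z", "user": "alice", "event": "login_failure", "src": "198.51.100.7"},
]
SAMPLE_AUTH_LOG = "\n".join(json.dumps(e) for e in _ALICE_FAILURES + _OTHER_EVENTS)

# Constructed per-principal egress figures (MB per day). "dave" has no baseline yet.
EGRESS_BASELINE_MB = {"alice": 120.0, "svc-report": 2000.0, "carol": 50.0}
EGRESS_OBSERVED_MB = {"alice": 130.0, "svc-report": 6500.0, "carol": 300.0, "dave": 10.0}


def parse_events(text):
    """Parse JSON-lines auth events into dicts with a datetime 'ts', sorted chronologically."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect_failure_spikes(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Sliding-window count of login failures per user.

    Emits one High alert per user the first time the count inside the window exceeds the threshold.
    Timestamps older than the window are evicted from the left of each user's deque.
    """
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ev in events:
        if ev["event"] != "login_failure":
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) > threshold and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append({"rule": "auth_failure_spike", "severity": "High", "user": ev["user"],
                           "count": len(q), "window_end": ev["ts"].isoformat()})
    return alerts


def detect_egress_anomalies(observed, baseline, multiplier=BASELINE_MULTIPLIER):
    """Flag principals whose observed egress exceeds multiplier x their baseline (Critical).

    A principal with no baseline cannot be evaluated, so it is surfaced for baseline establishment;
    the Medium severity used for that case is an assumption, not something the policy states.
    """
    alerts = []
    for principal, volume in observed.items():
        base = baseline.get(principal)
        if base is None:
            alerts.append({"rule": "egress_baseline_missing", "severity": "Medium",
                           "principal": principal, "observed_mb": volume})
        elif volume > multiplier * base:
            alerts.append({"rule": "egress_exceeds_baseline", "severity": "Critical",
                           "principal": principal, "observed_mb": volume, "baseline_mb": base,
                           "ratio": round(volume / base, 2)})
    return alerts


def run():
    """Run both detections over the constructed samples and return all alerts."""
    return (detect_failure_spikes(parse_events(SAMPLE_AUTH_LOG))
            + detect_egress_anomalies(EGRESS_OBSERVED_MB, EGRESS_BASELINE_MB))


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

Running the script prints one High alert for alice (count 11) and Critical alerts for svc-report (3.25× baseline) and carol (6×), plus a Medium note that dave has no baseline; alice's 130 MB against a 120 MB baseline stays below the 3× line and is not flagged. The sliding window evicts the burst once the later 09:06 failure arrives, which is why a single late failure does not re-trigger. In a real deployment the egress baseline would be computed from historical volumes per principal rather than declared as constants.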
5. Alert Review and Response
- All High and Critical alerts must be reviewed within the response time defined above
- Alert handling must be documented in the incident tracking system
- False positives are tuned to reduce alert fatigue; tuning changes are reviewed monthly
- Monthly metrics reported to CISO: total alerts, false positive rate, mean time to acknowledge
6. Review
This policy is reviewed annually. Log coverage and alerting effectiveness are tested during the annual SOC 2 audit.
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | March 2026 | [Author] | Initial issue |