
Logging Controls Summary

Overview

The organization maintains comprehensive logging across all production and non-production environments, leveraging Google Cloud Audit Logs for centralized, immutable, compliance-scoped activity logging, and a separate log management process for short-term application troubleshooting logs.


Centralized Logging (Google Cloud Audit Logs)

  • Scope: Captures all administrative actions, API calls, configuration changes, and other governance-relevant activity across Google Cloud environments.

  • Retention: 1 year, in alignment with policy and industry standards (PCI DSS 4.0, NIST).

  • Controls:

    • Immutable and access-controlled storage.

    • Role-based access controls (RBAC) for log access.

    • Integration with security monitoring and alerting tools for real-time anomaly detection.

    • Periodic review of logs based on information classification and associated risk.

  • Risk Response: Detected anomalies are escalated via the organization’s incident response plan.


Application-Level Logs (Outside Google Cloud Audit Logs)

  • Scope: Certain application-level logs that do not contain regulated data (e.g., cardholder data, authentication secrets, or PCI-scoped information).

  • Retention: 1 week, supporting short-term operational troubleshooting only.

  • Controls:

    • Automatic rotation and destruction after the retention period via lifecycle management policies.

    • Restricted access via RBAC.

    • No storage of compliance-scoped or regulated data.

  • Risk Justification: Short retention reduces exposure risk while maintaining operational capability.


Logging Process Alignment with Requirements

  • Administrative Activity Logging: Captured in centralized Google Cloud Audit Logs.

  • Application & Transaction-Level Logging: Captured where appropriate; security-relevant events are logged to Google Cloud Audit Logs, while operational events are logged separately with short retention.

  • Detail & Governance Support: Level of logging supports both business operations and governance processes.

  • Review & Response: Logs reviewed periodically based on risk and classification; anomalies addressed according to the incident response plan.


Diagram: Logging Flow

          ┌───────────────────┐
          │      GitOps       │
          │(Version Control + │
          │  Approved Changes)│
          └─────────┬─────────┘
                    │
                    ▼
         ┌─────────────────────┐
         │  GCP Deployment API │
         └──────────┬──────────┘
                    │
         ┌──────────▼──────────┐
         │ Google Cloud Audit  │
         │        Logs         │
         └──────────┬──────────┘
                    │
    ┌───────────────▼───────────────┐
    │ Security Monitoring & Alerts  │
    │  (SIEM / SOC review process)  │
    └───────────────────────────────┘

Separately:
 Application Logs (non-sensitive) → Local/short-term log store → Auto-delete after 1 week