Logging and Monitoring Standard
Organization: Aina Design Corp
Applies To: hawaii.mokunet.us · kuleana.ainadesign.org · huikoeaina.ainadesign.org · ainadesign.org
Version: 1.0
Effective Date: February 20, 2026
Next Review: February 20, 2027
Policy Owner: Security Lead
This standard defines what events must be logged across Aina Design Corp platforms, how long logs are retained, who can access them, and how they are monitored for security and compliance purposes — including the ability to reconstruct data access events for FERPA disclosure audits.
This standard applies to all production systems, services, and APIs operated by Aina Design Corp that process, store, or transmit district or student data.
The following categories of events must be logged on all production systems:
3.1 Authentication Events
•
Successful and failed login attempts (with user identity and source IP)
•
MFA challenges and outcomes
•
Password changes and account lockouts
•
Session creation and termination
•
Access to student records or personally identifiable information (PII)
•
Bulk data exports or downloads
•
Cross-school or cross-district data access
•
API calls that return student data
3.3 Administrative Events
•
User account creation, modification, and deletion
•
Role or permission changes
•
Configuration changes to security controls
•
Access policy modifications
•
Application errors and exceptions
•
Service start/stop events
•
Dependency failures (database, external APIs)
•
Security control failures or bypasses
4. Log Content Requirements
Each log entry must contain at minimum:
UTC, millisecond precision
Account ID or system identity
Standardized event category and action
System, object, or data accessed
Network origin of the request
Request ID for tracing across services
Data access logs (FERPA-relevant)
Administrative change logs
Logs associated with an active security investigation or legal hold are retained until released.
•
Logs are stored in a centralized, tamper-evident system separate from the systems they monitor.
•
Write access to logs is restricted to automated system processes only.
•
Read access is restricted to the Security Lead, Compliance Officer, and auditors.
•
Logs are not modified or deleted except through a documented retention expiry process.
7. Monitoring and Alerting
The Security Lead is responsible for configuring automated alerts for:
•
Multiple consecutive authentication failures
•
After-hours administrative access
•
Bulk data access or export events
•
Changes to security configurations
•
System anomalies that may indicate compromise
Automated alerts are reviewed on a daily basis. Monthly log reviews assess overall trends and identify gaps.
8. FERPA Disclosure Logging
All disclosures of student education records — whether to district staff, third parties, or via API — must be logged with:
•
The identity of the requesting party
•
The data categories disclosed
•
The stated purpose of the disclosure
•
The timestamp and authorization reference
This log supports parent and student rights to request disclosure records under FERPA.
•
Monthly: Review of alert volume, false positives, and missed detections
•
Quarterly: Access review of log system permissions
•
Annually: Full review of this standard and log coverage assessment
Security Lead: _________________________
Compliance Officer: _________________________
Date Approved: _________________________