SECURITY
Effective February 20, 2026
·
Review February 20, 2027
·
Security Lead
Logging and Monitoring Standard
Organization: Aina Design Corp
Applies To: hawaii.mokunet.us · kuleana.ainadesign.org · huikoeaina.ainadesign.org · ainadesign.org
Version: 1.0
Effective Date: February 20, 2026
Next Review: February 20, 2027
Policy Owner: Security Lead
1. Purpose
This standard defines what events must be logged across Aina Design Corp platforms, how long logs are retained, who can access them, and how they are monitored for security and compliance purposes — including the ability to reconstruct data access events for FERPA disclosure audits.
2. Scope
This standard applies to all production systems, services, and APIs operated by Aina Design Corp that process, store, or transmit district or student data.
3. Required Log Events
The following categories of events must be logged on all production systems:
3.1 Authentication Events
Successful and failed login attempts (with user identity and source IP)
MFA challenges and outcomes
Password changes and account lockouts
Session creation and termination
3.2 Data Access Events
Access to student records or personally identifiable information (PII)
Bulk data exports or downloads
Cross-school or cross-district data access
API calls that return student data
3.3 Administrative Events
User account creation, modification, and deletion
Role or permission changes
Configuration changes to security controls
Access policy modifications
3.4 System Events
Application errors and exceptions
Service start/stop events
Dependency failures (database, external APIs)
Security control failures or bypasses
4. Log Content Requirements
Each log entry must contain at minimum:
Field
Description
Timestamp
UTC, millisecond precision
User identity
Account ID or system identity
Event type
Standardized event category and action
Resource
System, object, or data accessed
Source IP
Network origin of the request
Outcome
Success or failure
Correlation ID
Request ID for tracing across services
5. Log Retention
Log Category
Minimum Retention
Authentication logs
12 months
Data access logs (FERPA-relevant)
3 years
Administrative change logs
3 years
System error logs
90 days
Security incident logs
5 years
Logs associated with an active security investigation or legal hold are retained until released.
6. Log Protection
Logs are stored in a centralized, tamper-evident system separate from the systems they monitor.
Write access to logs is restricted to automated system processes only.
Read access is restricted to the Security Lead, Compliance Officer, and auditors.
Logs are not modified or deleted except through a documented retention expiry process.
7. Monitoring and Alerting
The Security Lead is responsible for configuring automated alerts for:
Multiple consecutive authentication failures
After-hours administrative access
Bulk data access or export events
Changes to security configurations
System anomalies that may indicate compromise
Automated alerts are reviewed on a daily basis. Monthly log reviews assess overall trends and identify gaps.
8. FERPA Disclosure Logging
All disclosures of student education records — whether to district staff, third parties, or via API — must be logged with:
The identity of the requesting party
The data categories disclosed
The stated purpose of the disclosure
The timestamp and authorization reference
This log supports parent and student rights to request disclosure records under FERPA.
9. Review Cadence
Monthly: Review of alert volume, false positives, and missed detections
Quarterly: Access review of log system permissions
Annually: Full review of this standard and log coverage assessment
10. Sign-Off
Security Lead: _________________________
Compliance Officer: _________________________
Date Approved: _________________________