
NIST 800-53 Audit and Accountability Policy (AU)

Document ID: PLCY-NIST-AU-001
Version: 1.0
Effective Date: December 30, 2025
Last Review: December 30, 2025
Owner: Hop And Haul Team


CONFIDENTIAL

This document is CONFIDENTIAL and for internal use only. Do not distribute outside the organization.

1. Purpose

This document defines Hop And Haul's implementation of the NIST 800-53 Audit and Accountability (AU) family for FedRAMP Moderate authorization. It establishes requirements for audit logging, log protection, retention, and analysis to ensure accountability and support security investigations.


2. Scope

This policy applies to:

  • All Hop And Haul system components generating audit events
  • All user activities requiring accountability
  • All security-relevant events
  • All administrative and privileged operations

3. Audit Policy and Procedures (AU-1)

3.1 Policy Statement

Hop And Haul implements comprehensive audit logging that:

  • Records all security-relevant events
  • Protects audit records from unauthorized modification
  • Retains logs for appropriate periods
  • Enables investigation and forensic analysis

3.2 Responsibilities

| Role | Responsibilities |
|---|---|
| Security Team | Define audit requirements, review logs, investigate incidents |
| System Administrators | Configure and maintain logging infrastructure |
| Development Team | Implement application-level logging |
| Compliance | Ensure retention compliance, support audits |

3.3 Review Cadence

| Activity | Frequency | Owner |
|---|---|---|
| Audit policy review | Annual | Security |
| Log configuration review | Quarterly | Operations |
| Audit log review | Weekly | Security |
| Privileged action review | Daily | Security |

4. Event Logging (AU-2)

4.1 Auditable Events

The following events are logged for all system components:

| Event Category | Events Logged | Priority |
|---|---|---|
| Authentication | Login success/failure, logout, MFA challenge, session creation | Critical |
| Authorization | Access granted/denied, permission changes, role changes | Critical |
| Account Management | Create, modify, disable, delete accounts | Critical |
| Data Access | Read, create, update, delete of sensitive data | High |
| Configuration Changes | System settings, security parameters | Critical |
| Administrative Actions | Break-glass access, privileged commands | Critical |
| Security Events | Failed attempts, anomalies, alerts triggered | Critical |
| Ride Operations | Offer, accept, start, complete, cancel | High |
| Safety Events | SOS trigger, deviation alert, mismatch report | Critical |

4.2 Audit Event Selection

| Criteria | Events Selected |
|---|---|
| Security impact | High or critical impact events |
| Accountability | User-initiated actions |
| Compliance | Regulatory required events |
| Forensics | Investigation support events |

5. Content of Audit Records (AU-3)

5.1 Required Audit Fields

| Field | Description | Example |
|---|---|---|
| Event ID | Unique identifier | evt_abc123 |
| Timestamp | UTC ISO 8601 | 2025-12-30T14:30:00.000Z |
| Event Type | Category and action | auth.login.success |
| Actor ID | User or system identifier | usr_xyz789 |
| Actor Type | User, system, or service | user |
| Organization ID | Tenant context | org_fleet123 |
| Resource ID | Affected resource | ride_456 |
| Resource Type | Type of resource | ride |
| Source IP | Request origin | 192.168.1.100 |
| User Agent | Client identifier | Hop And Haul-iOS/2.1.0 |
| Result | Success or failure | success |
| Details | Additional context | {...} |

5.2 Additional Information (AU-3(1))

For security-critical events, additional fields are captured:

| Field | When Captured | Purpose |
|---|---|---|
| Session ID | All authenticated requests | Session correlation |
| Device Fingerprint | Mobile access | Device identification |
| Geographic Location | Location-sensitive operations | Anomaly detection |
| Previous Value | Configuration changes | Change tracking |
| New Value | Configuration changes | Change tracking |
| Approval ID | Approved actions | Approval chain |

6. Audit Log Storage Capacity (AU-4)

6.1 Storage Requirements

| Log Type | Volume Estimate | Storage Location |
|---|---|---|
| Application logs | 50 GB/month | CloudWatch Logs |
| Security logs | 20 GB/month | S3 (encrypted) |
| Access logs | 30 GB/month | CloudWatch Logs |
| Audit trail | 10 GB/month | Dedicated audit DB |

6.2 Capacity Management

| Metric | Threshold | Action |
|---|---|---|
| Storage utilization | 70% | Alert + capacity review |
| Storage utilization | 85% | Urgent expansion |
| Storage utilization | 95% | Emergency response |

6.3 Storage Capacity Warning (AU-4(1))

Automated alerts trigger when:

  • Storage approaches 70% capacity
  • Log ingestion rate exceeds baseline by 200%
  • Storage costs exceed budget threshold

7. Response to Audit Logging Process Failures (AU-5)

7.1 Failure Response

| Failure Type | Immediate Action | Escalation |
|---|---|---|
| Log service unavailable | Alert security team | Page on-call |
| Storage full | Emergency rotation | Expand storage |
| Log corruption detected | Isolate affected logs | Security investigation |
| Audit agent failure | Restart agent | Replace agent |

7.2 Failure Notifications (AU-5(1))

| Recipient | Notification Method | SLA |
|---|---|---|
| Security team | PagerDuty alert | Immediate |
| Operations team | Slack notification | 5 minutes |
| Management | Email summary | 1 hour |

8. Audit Record Review, Analysis, and Reporting (AU-6)

8.1 Review Process

| Review Type | Frequency | Scope | Owner |
|---|---|---|---|
| Automated analysis | Real-time | All security events | SIEM |
| Daily review | Daily | Privileged actions, failures | Security |
| Weekly review | Weekly | Trends, anomalies | Security |
| Compliance review | Monthly | Regulatory events | Compliance |

8.2 Analysis Capabilities

| Capability | Tool | Purpose |
|---|---|---|
| Real-time alerting | CloudWatch Alarms | Immediate threat detection |
| Pattern analysis | SIEM rules | Anomaly detection |
| Correlation | Log aggregation | Multi-event analysis |
| Forensic search | Elasticsearch | Investigation support |

8.3 Automated Integration (AU-6(1))

| Integration | Purpose | Status |
|---|---|---|
| SIEM correlation | Cross-system analysis | Implemented |
| Alert automation | Incident triggering | Implemented |
| Report generation | Compliance reporting | Implemented |
| Ticket creation | Incident tracking | Implemented |

9. Audit Record Reduction and Report Generation (AU-7)

9.1 Query Capabilities

| Capability | Description |
|---|---|
| Time range filtering | Select events within date range |
| User filtering | Events by specific user/role |
| Event type filtering | Events by category |
| Resource filtering | Events affecting specific resource |
| Full-text search | Search event details |
| Aggregation | Count, group, summarize events |

9.2 Report Templates

| Report | Content | Frequency |
|---|---|---|
| Security summary | Failed logins, alerts, incidents | Daily |
| Access report | User access patterns, anomalies | Weekly |
| Compliance report | Regulatory event summary | Monthly |
| Executive summary | Key metrics, trends | Monthly |

10. Time Stamps (AU-8)

10.1 Time Synchronization

| Requirement | Implementation |
|---|---|
| Time source | AWS NTP, synchronized to stratum 1 |
| Accuracy | Within 1 second of authoritative source |
| Format | ISO 8601 UTC |
| Synchronization | All servers sync to same source |

10.2 Timestamp Protection

| Control | Implementation |
|---|---|
| Server-side only | Timestamps generated server-side |
| No client override | Client timestamps logged but not trusted |
| Audit of time changes | System time changes are logged |

11. Protection of Audit Information (AU-9)

11.1 Log Protection Controls

| Control | Implementation |
|---|---|
| Immutability | Append-only storage (S3 Object Lock) |
| Encryption at rest | AES-256 encryption |
| Encryption in transit | TLS 1.3 |
| Access restriction | Security team only |
| Integrity verification | Cryptographic checksums |

11.2 Access Restrictions (AU-9(4))

| Access Level | Who | Capabilities |
|---|---|---|
| Read | Security analysts | Query, report generation |
| Read | Auditors | Time-limited read access |
| Write | System only | No human write access |
| Delete | No one | Immutable (lifecycle only) |
| Admin | Security lead | Configuration only |

11.3 Integrity Protection

| Mechanism | Purpose |
|---|---|
| SHA-256 checksums | Detect modification |
| Log signing | Prove authenticity |
| Chain verification | Detect deletion |
| Cross-region replication | Disaster recovery |
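The following is an added example, not Hop And Haul's code, showing how the record structure of section 5.1, the server-side timestamp rule of section 10.2 and the SHA-256 checksum and chain-verification mechanisms of section 11.3 fit together. Each record carries a hash of its own contents and the hash of the record before it, so editing a sealed record or removing one from the middle of the chain is detectable. The `prev_hash` and `record_hash` field names, the all-zero genesis value, the `expected_head` anchor and the three sample events are constructed for illustration and are not specified by this policy.

```python
"""Hash-chained audit records with integrity verification (added example)."""
import copy
import hashlib
import json
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64  # constructed anchor that the first record links to

# Field names taken from the section 5.1 table (Event ID ... Details).
REQUIRED_FIELDS = ("event_id", "event_type", "actor_id", "actor_type",
                   "organization_id", "resource_id", "resource_type",
                   "source_ip", "user_agent", "result", "details")


def canonical(record: dict) -> bytes:
    """Stable serialisation so key order or whitespace cannot change the hash."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def build_record(fields: dict, prev_hash: str, now: datetime = None,
                 client_timestamp: str = None) -> dict:
    """Assemble one audit record and seal it with its SHA-256 checksum."""
    missing = [f for f in REQUIRED_FIELDS if f not in fields]
    if missing:
        raise ValueError(f"missing required audit fields: {missing}")
    now = now or datetime.now(timezone.utc)
    record = dict(fields)
    # AU-8: the trusted timestamp is generated server-side in ISO 8601 UTC ...
    record["timestamp"] = now.isoformat(timespec="milliseconds").replace("+00:00", "Z")
    # ... and a client-supplied time is kept as context only, never as the record time.
    if client_timestamp is not None:
        record["details"] = dict(record["details"], client_timestamp=client_timestamp)
    record["prev_hash"] = prev_hash  # link to the preceding record (constructed layout)
    record["record_hash"] = hashlib.sha256(canonical(record)).hexdigest()
    return record


def verify_chain(records: list, genesis: str = GENESIS_HASH,
                 expected_head: str = None) -> tuple:
    """Check every checksum and every link; return (ok, list of findings).

    A failed checksum means the record was modified; a broken link means a
    record before it was deleted or reordered. A chain alone cannot notice
    that its tail was cut off, so the latest hash may be anchored elsewhere
    (signed, or stored out of band) and passed in as expected_head.
    """
    findings = []
    expected_prev = genesis
    for idx, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        if hashlib.sha256(canonical(body)).hexdigest() != rec.get("record_hash"):
            findings.append(f"record {idx} ({rec.get('event_id')}): modified")
        if rec.get("prev_hash") != expected_prev:
            findings.append(f"record {idx} ({rec.get('event_id')}): chain break, "
                            "a preceding record is missing or out of order")
        expected_prev = rec.get("record_hash")
    if expected_head is not None and expected_prev != expected_head:
        findings.append("chain head does not match anchored hash: records truncated")
    return (not findings, findings)


def sample_chain() -> list:
    """Three constructed records with fixed times, for a reproducible demo."""
    base = dict(actor_type="user", organization_id="org_fleet123",
                source_ip="192.168.1.100", user_agent="Hop And Haul-iOS/2.1.0")
    events = [  # (event_id, event_type, actor_id, resource_id, resource_type, result, details)
        ("evt_000001", "auth.login.success", "usr_xyz789", "sess_1", "session", "success", {"mfa": "totp"}),
        ("evt_000002", "ride.offer", "usr_xyz789", "ride_456", "ride", "success", {"offer_id": "off_1"}),
        ("evt_000003", "ride.cancel", "usr_xyz789", "ride_456", "ride", "success", {"cancel_reason": "rider"}),
    ]
    chain, prev = [], GENESIS_HASH
    for sec, (eid, etype, actor, rid, rtype, result, details) in enumerate(events):
        fields = dict(base, event_id=eid, event_type=etype, actor_id=actor,
                      resource_id=rid, resource_type=rtype, result=result, details=details)
        rec = build_record(fields, prev, now=datetime(2025, 12, 30, 14, 30, sec, tzinfo=timezone.utc),
                           client_timestamp="2025-12-30T14:29:59Z")
        chain.append(rec)
        prev = rec["record_hash"]
    return chain


def tamper_demo() -> dict:
    """Verify an intact copy of the chain and three damaged copies."""
    intact = sample_chain()
    head = intact[-1]["record_hash"]            # the anchored latest hash
    modified = copy.deepcopy(intact)
    modified[1]["result"] = "failure"           # silent edit of a sealed record
    deleted = copy.deepcopy(intact)
    del deleted[1]                              # an interior record vanishes
    truncated = intact[:-1]                     # the tail is cut off
    return {name: verify_chain(recs, expected_head=head) for name, recs in
            [("intact", intact), ("modified", modified), ("deleted", deleted), ("truncated", truncated)]}


if __name__ == "__main__":
    for name, (ok, findings) in tamper_demo().items():
        print(f"{name:10s} ok={ok} {findings}")
```

Running the block prints one line per case: the intact chain verifies cleanly, the edited record is reported as modified, the deleted record shows up as a chain break on the record that followed it, and the truncated copy is caught only because the head hash was anchored. That last case is why the section 11.3 table lists log signing alongside chain verification: the chain proves the interior, and the signed head proves the end.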

12. Audit Record Retention (AU-11)

12.1 Retention Schedule

| Log Type | Retention Period | Storage Tier | Rationale |
|---|---|---|---|
| Security events | 24 months | Hot → Warm | FedRAMP requirement |
| Authentication logs | 24 months | Hot → Warm | Compliance |
| Application logs | 12 months | Hot → Cold | Operational |
| Safety incident logs | 7 years | Warm → Cold | Legal/regulatory |
| Ride operational logs | 36 months | Warm → Cold | PLCY-RET-001 |

12.2 Lifecycle Management

| Age | Storage Tier | Cost | Access Speed |
|---|---|---|---|
| 0-30 days | Hot (CloudWatch) | High | Instant |
| 31-180 days | Warm (S3 Standard) | Medium | Fast |
| 181+ days | Cold (S3 Glacier) | Low | Hours |

12.3 Deletion Process

  • Automated lifecycle policies delete expired logs
  • Deletion events are logged
  • Legal hold prevents deletion when active
  • Cryptographic erasure for sensitive data

13. Audit Record Generation (AU-12)

13.1 Generation Points

| Component | Logging Mechanism | Events Generated |
|---|---|---|
| API Gateway | Access logs | All API requests |
| Application | Structured logging | Business events |
| Database | Audit triggers | Data changes |
| Infrastructure | CloudTrail | AWS operations |
| Security tools | Native logging | Security events |

13.2 Generation Assurance

| Control | Implementation |
|---|---|
| Mandatory logging | Cannot disable without approval |
| Startup verification | Logging confirmed on component start |
| Health monitoring | Log agent health checks |
| Failure alerting | Immediate alert on logging failure |

14. Hop And Haul-Specific Audit Requirements

14.1 Ride Lifecycle Events

| Event | Fields | Retention |
|---|---|---|
| Ride offered | offer_id, driver_id, rider_id (hashed), timestamp | 36 months |
| Ride accepted | ride_id, acceptance_time, verification_method | 36 months |
| Ride started | ride_id, start_location (fuzzed), verification_result | 36 months |
| Ride completed | ride_id, end_time, fare_amount | 36 months |
| Ride cancelled | ride_id, cancel_reason, cancelled_by | 36 months |

14.2 Safety Event Logging

| Event | Additional Data | Retention |
|---|---|---|
| SOS triggered | GPS snapshot, device state | 7 years |
| Route deviation | planned vs actual route | 7 years |
| Driver mismatch | reported details, photo evidence | 7 years |
| Duress code entered | silent alert recipients | 7 years |

14.3 Admin Activity Logging

| Activity | Logged Details |
|---|---|
| User data access | Query parameters, results count, justification |
| Break-glass access | Reason, approver, time-box |
| Configuration change | Before/after values, approver |
| Report generation | Parameters, record count |

15. Related Documents

| Document | Relationship |
|---|---|
| PLCY-AUD-001 | Audit trail specifications |
| PLCY-RET-001 | Retention requirements |
| PLCY-SEC-001 | Security logging requirements |
| PLCY-FED-005 | NIST control mapping |

16. Document Control

| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | December 30, 2025 | Hop And Haul Team | Initial release |

CONFIDENTIAL - Internal Use Only - Hop And Haul Policy Documentation