Table of contents

Privileged User Logging and Protective Monitoring Guide

Parent topic: Privileged User Guide

Related information

Logging and monitoring


This guide outlines the security procedures and advice that privileged users must consider when undertaking logging activities. Maintaining and monitoring system logs will help to ensure that any suspicious activity on the Ministry of Justice (MoJ)’s systems is detected early. This guide is a sub-page to the Privileged User Guide.

Maintenance of system logs and protective monitoring

Privileged users are responsible for maintaining system logs (syslogs) for the systems they administer. Privileged user log management responsibilities include the following:

  • Implementing logging and monitoring on the systems they manage.
  • Performing regular maintenance of the logs and logging to ensure that configurations are correct.
  • Reconfiguring system logging as needed based on the MoJ’s policy or guidance changes, technology changes, emerging threats or other business needs.
  • Implementing automated real-time log analysis where possible.
  • Reviewing results from automated real-time analysis quarterly to ensure its relevance.
  • Where real-time log analysis has not been implemented, then manual log analysis must be performed at least weekly.
  • Working closely with the Security Team to define requirements and ensure that when possible, automated log analysis and alerting is integrated with the MoJ’s Security Operations Centre (SOC) which provides the MoJ’s central monitoring function.
  • Establishing the baseline activities for systems they are responsible for. This is essential to ensure that monitoring systems are able to detect when there is unusual activity.
  • Ensuring that systems are synchronised to the centralised MoJ timing source, to enable effective malware detection.
  • Ensuring that audits and compliance checks of IT systems do not adversely affect business operations.
  • Documenting and reporting anomalies in log settings, configurations, and processes to the Security team (contact details).
  • Managing long-term storage of system log data, monitoring log rotation, and the archival and deletion of log data.
  • Any suspicious activity must be reported. Refer to the details in the IT Incident Management Policy.

Protection of log data

To ensure that there is an audit trail for log data, privileged users must:

  • Protect the information held within system audit logs in accordance with its Information Classification. Refer to the Information Classification Handling and Security Guide for further guidance on classifying information.
  • Establish log archival processes while filtering out entries that do not need to be archived to ensure log availability.
  • Ensure that systems are designed with access controls, to prevent privileged users from erasing or deactivating activity logs of their own activities, without the additional approval of the product or service manager.
  • Review the activity logs of other privileged users on a monthly basis, to ensure that privileged users remain impartial.

Incidents and contact details

Note: If you work for an agency or ALB, refer to your local incident reporting guidance.

For help with incidents, including theft and loss, contact one of the following:

Technology Service Desk - including DOM1/Quantum, and Digital & Technology Digital Service Desk. Use one of the following two methods for contacting service desk:

Note: The previous and email addresses, and the Digital & Technology Digital Service Desk Slack channel (#digitalservicedesk), are no longer being monitored.

HMPPS Information & security:

For non-technology incidents, contact the MoJ Group Security Team:

Contact the Data Protection Team for information on Data Protection Impact Assessments:

If you are not sure who to contact, ask the Security Team:

For any further questions relating to security, contact:


If you have any questions or comments about this guidance, such as suggestions for improvements, please contact: