
Monitoring Activities Policy

ISO 27001 Control A.8.16 — Effective: March 8, 2026

Document ID: H33-MON-001

Classification: Internal / Auditor-Accessible

Owner: Eric Beans, CEO / CISO

Approved: March 8, 2026

Next Review: June 2026 (quarterly threshold review)

1. Purpose

This policy establishes the monitoring activities performed by H33 to detect anomalous behavior, security events, and operational issues across all production systems, in accordance with ISO 27001:2022 control A.8.16 (Monitoring activities). Effective monitoring is essential for the timely detection and response to security incidents and for maintaining the integrity of H33's cryptographic services.

2. Scope

This policy applies to all H33 production systems, networks, and applications, including:

  • AWS infrastructure (EC2, RDS, ElastiCache, S3, CloudFront, Elastic Beanstalk)
  • H33 cryptographic engine (Rust FHE/PQ processing)
  • Auth1 authentication microservice (Node.js)
  • H33-Vault document validation platform
  • H33-Share fraud intelligence network
  • Web properties (h33.ai) and developer portal
  • CI/CD pipeline (GitLab)

3. Monitoring Infrastructure

3.1 AWS CloudTrail

CloudTrail provides a comprehensive audit trail of all API activity across H33's AWS account.

  • Coverage: Enabled in all AWS regions (not limited to us-east-1)
  • Management events: All read and write API calls logged
  • S3 data events: Read and write operations on sensitive buckets (logs, backups, configuration)
  • Log integrity validation: Enabled to detect log tampering via SHA-256 digest files
  • Delivery: Logs delivered to dedicated S3 bucket with versioning, MFA-delete, and server-side encryption
  • Integration: CloudTrail events feed into CloudWatch Logs for alerting and Drata for compliance evidence

3.2 AWS CloudWatch

CloudWatch provides real-time metrics, alarms, and dashboards for operational monitoring.

  • Infrastructure metrics: CPU utilization, memory usage, disk I/O, network throughput for all EC2 instances
  • Application metrics: Request latency (p50, p95, p99), error rates (4xx, 5xx), request volume
  • Database metrics: RDS connections, read/write IOPS, replication lag, free storage
  • Cache metrics: ElastiCache hit rate, evictions, memory usage, connection count
  • Custom metrics: Authentication success/failure rates, FHE batch processing times, API key usage
  • Dashboards: Real-time operational dashboard accessible to engineering and security teams

3.3 Drata Continuous Monitoring

Drata provides automated, continuous compliance monitoring across H33's infrastructure and processes.

  • Control monitoring: 100+ automated checks covering SOC 2 Trust Service Criteria and ISO 27001 Annex A controls
  • Evidence collection: Automated collection of compliance evidence (screenshots, API responses, configuration snapshots)
  • Drift detection: Real-time alerts when controls deviate from expected state
  • Integrations: AWS, GitLab, identity providers, endpoint management
  • Reporting: Continuous readiness assessment for SOC 2 Type II and ISO 27001 audits

3.4 Application Logging

H33 applications produce structured logs for security analysis and operational troubleshooting.

  • Format: Structured JSON with consistent fields (timestamp, level, service, request_id, user_id, action)
  • PHI tagging: Log entries that may reference sensitive data are tagged with "phi": true for retention and access control purposes
  • Redaction: Secrets, passwords, tokens, and cryptographic key material are never logged
  • Correlation: Request IDs propagated across services for distributed tracing
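As an added illustration of the section 3.4 log format (example code written for this page, not H33's Auth1 or engine code), the following Python emits one JSON object per event with the listed fields, masks secret-bearing fields before serialisation, and sets the "phi": true tag only when the caller declares the entry sensitive. The field deny-list and the token-shaped value pattern are assumptions for the example; the policy names only the categories that must never be logged.

```python
import json
import logging
import re
from datetime import datetime, timezone

# Field names whose values must never be written to a log. This deny-list is an
# assumption for the example; the policy only states the categories (secrets,
# passwords, tokens, key material).
SECRET_FIELDS = {"password", "token", "api_key", "secret", "private_key", "authorization"}
# Values that look like bearer tokens or long hex keys are masked even when the
# field name is innocuous.
SECRET_PATTERN = re.compile(r"(?i)^(bearer\s+\S+|[0-9a-f]{32,})$")
REDACTED = "[REDACTED]"


def redact(value):
    """Recursively mask secret-like fields and values inside a log payload."""
    if isinstance(value, dict):
        return {k: (REDACTED if k.lower() in SECRET_FIELDS else redact(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, str) and SECRET_PATTERN.match(value):
        return REDACTED
    return value


def build_entry(record):
    """Map a logging.LogRecord to the section 3.4 field set."""
    entry = {
        "timestamp": datetime.fromtimestamp(record.created, tz=timezone.utc).isoformat(),
        "level": record.levelname,
        "service": getattr(record, "service", "unknown"),
        "request_id": getattr(record, "request_id", None),  # propagated for correlation
        "user_id": getattr(record, "user_id", None),
        "action": getattr(record, "action", record.getMessage()),
    }
    ctx = getattr(record, "ctx", None)
    if ctx:
        entry["ctx"] = redact(ctx)  # redaction happens before serialisation
    if getattr(record, "phi", False):
        entry["phi"] = True         # tag drives retention and access control downstream
    return entry


class JsonFormatter(logging.Formatter):
    """Emit one JSON object per line; attach to a StreamHandler in a real service."""

    def format(self, record):
        return json.dumps(build_entry(record), sort_keys=True)


def make_entry(action, ctx=None, phi=False, service="auth1",
               request_id="req-0001", user_id=None):
    """Create a record the way a service call would and return the structured entry.
    Default values are constructed placeholders."""
    logger = logging.getLogger("h33.example")
    record = logger.makeRecord(
        logger.name, logging.INFO, __file__, 0, action, (), None,
        extra={"service": service, "request_id": request_id,
               "user_id": user_id, "ctx": ctx, "phi": phi, "action": action},
    )
    return build_entry(record)


def format_event(*args, **kwargs):
    """Same as make_entry, serialised as the JSON line that would be shipped."""
    return json.dumps(make_entry(*args, **kwargs), sort_keys=True)
```

Redaction is applied to the structured context before the line is serialised, so a secret cannot leak through a formatter or a downstream shipper; the PHI flag is absent (not false) on ordinary entries so retention rules can key on its presence.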

4. What is Monitored

4.1 Authentication Events

| Event Type | Source | Alert Condition |
| --- | --- | --- |
| Successful login | Auth1 application logs | Logged for audit; no alert |
| Failed login | Auth1 application logs | > 10 failures/min from single IP |
| MFA challenge | Auth1 application logs | > 5 MFA failures from single user |
| Session creation/destruction | Auth1 application logs | Logged for audit; no alert |
| API key usage | Application logs | Anomalous volume (> 3x baseline) |
| AWS console login | CloudTrail | Any login without MFA, root account usage |

4.2 API Access Patterns

  • Request volume by endpoint, API key, and source IP
  • Rate limiting enforcement events (429 responses)
  • Unusual geographic access patterns (login from new country)
  • API key creation, rotation, and revocation events

4.3 Database Activity

  • Slow query log (queries exceeding 1 second threshold)
  • Connection count and connection pool utilization
  • Failed connection attempts
  • Schema changes (DDL statements)
  • Backup success/failure status

4.4 Network Traffic

  • VPC Flow Logs for all subnets (accepted and rejected traffic)
  • ALB access logs (source IP, request path, response code, latency)
  • CloudFront access logs (edge location, cache hit/miss, client IP)
  • Unexpected outbound connections from private subnets

4.5 Certificate and Key Monitoring

  • TLS certificate expiration (alert at 30 days, critical at 7 days)
  • Dilithium signing key rotation schedule compliance
  • ACM certificate renewal status
  • SSH key age and rotation compliance

5. File Integrity Monitoring

H33 implements file integrity monitoring (FIM) to detect unauthorized changes to critical system files, application binaries, and configuration.

5.1 FIM Architecture

  • Baseline computation: SHA-256 hashes computed for all critical files during each deployment
  • Baseline storage: Hash baselines stored in a dedicated, versioned S3 bucket with write-only access for the deployment pipeline
  • Scheduled checks: Lambda function compares current file hashes against baseline on a defined schedule
  • Alert mechanism: Hash mismatch triggers SNS notification to the Security Officer and #security-incidents Slack channel
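The 5.1 architecture as an added, runnable illustration (example code for this page, not H33's Lambda or pipeline code): a baseline of SHA-256 hashes is taken at deployment, a later check recomputes them and reports modified or missing files, and a finding is rated critical only when it falls outside a deployment window, as section 6 specifies. The file paths, the in-memory baseline standing in for the S3 bucket, and the deployment window are constructed assumptions.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timedelta, timezone

# Paths are constructed for the example; the policy's real file list is in section 5.2.
CRITICAL_FILES = ["app/engine.bin", "conf/nginx.conf", "params/fhe_params.json"]


def sha256_file(path):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compute_baseline(root, files):
    """Baseline computation step: hash every critical file at deployment time.
    In production the returned mapping would be written to the versioned S3 bucket."""
    return {rel: sha256_file(os.path.join(root, rel)) for rel in files}


def check_integrity(root, baseline):
    """Scheduled check: recompute hashes and report anything that drifted from baseline."""
    findings = {"modified": [], "missing": []}
    for rel, expected in baseline.items():
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            findings["missing"].append(rel)
        elif sha256_file(path) != expected:
            findings["modified"].append(rel)
    return findings


def classify(findings, now, deployment_windows):
    """Section 6 rule: any mismatch outside a deployment window is critical; a mismatch
    inside one is expected churn from the pipeline and is only recorded."""
    if not findings["modified"] and not findings["missing"]:
        return "ok"
    in_window = any(start <= now <= end for start, end in deployment_windows)
    return "info" if in_window else "critical"


def run_demo():
    """Constructed scenario: take a baseline, then append to one file and delete another."""
    root = tempfile.mkdtemp()
    try:
        seed = {"app/engine.bin": b"\x7fELF constructed binary",
                "conf/nginx.conf": b"server { listen 443 ssl; }",
                "params/fhe_params.json": b'{"n": 8192}'}
        for rel, content in seed.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(content)
        baseline = compute_baseline(root, CRITICAL_FILES)
        clean = check_integrity(root, baseline)
        with open(os.path.join(root, "conf/nginx.conf"), "ab") as f:
            f.write(b"\n# unexpected edit")
        os.remove(os.path.join(root, "params/fhe_params.json"))
        tampered = check_integrity(root, baseline)
        deployed_at = datetime(2026, 3, 8, 12, 0, tzinfo=timezone.utc)
        windows = [(deployed_at - timedelta(minutes=30), deployed_at + timedelta(minutes=30))]
        return {
            "clean": classify(clean, deployed_at, windows),
            "tampered_in_window": classify(tampered, deployed_at, windows),
            "tampered_outside_window": classify(tampered, deployed_at + timedelta(hours=2), windows),
            "findings": tampered,
        }
    finally:
        shutil.rmtree(root)
```

A missing file is reported separately from a modified one because the two have different likely causes (a failed deployment step versus an edit in place), and the deployment-window exemption is applied at classification time rather than by skipping the check, so the mismatch is still recorded for the audit trail.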

5.2 Covered Files

| File Category | Examples | Check Frequency |
| --- | --- | --- |
| Application binaries | Compiled Rust FHE engine, Node.js application bundles | Every 4 hours |
| Configuration files | Nginx configs, EB config, environment variable templates | Every 4 hours |
| Security policies | IAM policy documents, security group rules (via AWS Config) | Continuous (AWS Config) |
| Cryptographic parameters | FHE parameter files, NTT twiddle factor tables | Every 4 hours |
| System files | /etc/passwd, /etc/shadow, /etc/sudoers, sshd_config | Every 4 hours |

6. Alert Thresholds

The following alert thresholds are configured in CloudWatch. Thresholds are reviewed quarterly and adjusted based on operational experience.

Critical Alerts (Immediate Response)

| Metric | Threshold |
| --- | --- |
| CPU utilization | > 95% sustained for 3 minutes |
| 5xx error rate | > 5% of requests over 5 minutes |
| Failed logins | > 50/min from single IP (block + alert) |
| Database connections | > 95% of pool capacity |
| Disk usage | > 95% on any volume |
| FIM hash mismatch | Any mismatch outside deployment window |
| Root account activity | Any usage of AWS root account |

Warning Alerts (Investigate Within 1 Hour)

| Metric | Threshold |
| --- | --- |
| CPU utilization | > 80% sustained for 5 minutes |
| 5xx error rate | > 1% of requests over 5 minutes |
| Failed logins | > 10/min from single IP |
| Database connections | > 80% of pool capacity |
| Disk usage | > 80% on any volume |
| Memory utilization | > 85% sustained for 10 minutes |
| Response latency (p99) | > 5 seconds for 5 minutes |
| Certificate expiration | < 30 days to expiry |

Informational Alerts (Review Daily)

| Metric | Threshold |
| --- | --- |
| API rate limiting | > 100 rate-limited requests/hour |
| Slow queries | > 10 queries exceeding 1s threshold/hour |
| Cache evictions | > 1000 evictions/hour |
| Deployment events | Any production deployment |
| IAM changes | Any IAM policy, role, or user modification |
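The failed-login thresholds from section 4.1 (> 10 failures/min from a single IP) and the critical tier above (> 50/min, block + alert) as an added, runnable illustration of the detection logic (example code for this page, not H33's CloudWatch configuration): a per-IP sliding one-minute window over Auth1-style JSON log lines, raising each tier once per burst and recording the IP for blocking when the critical tier is crossed. The log lines, IP addresses and field names are constructed for the example.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=1)
WARNING_THRESHOLD = 10   # section 4.1 and the warning tier: > 10 failures/min per IP
CRITICAL_THRESHOLD = 50  # critical tier: > 50 failures/min per IP, block + alert


class FailedLoginMonitor:
    """Sliding one-minute window of failed logins, keyed by source IP."""

    def __init__(self):
        self.events = defaultdict(deque)  # ip -> timestamps inside the window
        self.tier = {}                    # ip -> tier already raised for this burst
        self.blocked = set()

    def observe(self, entry):
        """Feed one parsed log entry; return 'warning' or 'critical' the first time
        that tier is crossed for the IP, otherwise None."""
        if entry.get("action") != "login.failed":
            return None
        ts = datetime.fromisoformat(entry["timestamp"])
        ip = entry["source_ip"]
        window = self.events[ip]
        window.append(ts)
        while ts - window[0] > WINDOW:   # drop events older than one minute
            window.popleft()
        count = len(window)
        if count > CRITICAL_THRESHOLD:
            tier = "critical"
        elif count > WARNING_THRESHOLD:
            tier = "warning"
        else:
            self.tier.pop(ip, None)      # burst is over; allow a fresh alert next time
            return None
        if self.tier.get(ip) == tier:
            return None                  # already raised this tier for the burst
        self.tier[ip] = tier
        if tier == "critical":
            self.blocked.add(ip)         # feed for the block action
        return tier


def build_sample_lines():
    """Constructed Auth1-style JSON log lines (not real H33 data)."""
    base = datetime(2026, 3, 8, 9, 0, 0)
    events = []

    def add(offset_s, action, ip):
        events.append({"timestamp": (base + timedelta(seconds=offset_s)).isoformat(),
                       "level": "WARN", "service": "auth1", "action": action, "source_ip": ip})

    for i in range(12):          # 12 failures in 44 s: crosses the warning tier
        add(i * 4, "login.failed", "198.51.100.7")
    for i in range(3):           # 3 failures then a success: stays below threshold
        add(i * 10, "login.failed", "203.0.113.9")
    add(50, "login.success", "203.0.113.9")
    for i in range(60):          # 60 failures in 59 s: warning, then critical
        add(100 + i, "login.failed", "192.0.2.33")
    events.sort(key=lambda e: e["timestamp"])
    return [json.dumps(e) for e in events]


def run_monitor(lines):
    """Replay log lines through the monitor; return (alerts, blocked IPs)."""
    monitor = FailedLoginMonitor()
    alerts = []
    for raw in lines:
        entry = json.loads(raw)
        tier = monitor.observe(entry)
        if tier:
            alerts.append((tier, entry["source_ip"]))
    return alerts, sorted(monitor.blocked)
```

Each tier is raised once per burst rather than on every event over the threshold, which keeps the #security-incidents channel from being flooded by a single source while still escalating from warning to critical as the rate climbs.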

7. Log Retention

| Log Type | Online (CloudWatch) | Archived (S3) | Audit Trail |
| --- | --- | --- | --- |
| Application logs | 90 days | 365 days | N/A |
| CloudTrail management events | 90 days | 365 days | 7 years |
| CloudTrail data events | 90 days | 365 days | 7 years |
| VPC Flow Logs | 90 days | 365 days | N/A |
| ALB access logs | N/A (S3 direct) | 365 days | N/A |
| CloudFront access logs | N/A (S3 direct) | 365 days | N/A |
| FIM baselines and reports | N/A | 365 days | 7 years |
| Incident response records | N/A | N/A | 7 years |
| Security event reports | N/A | N/A | 7 years |

Archived logs in S3 are stored with:

  • Server-side encryption (SSE-S3, AES-256)
  • Versioning enabled (prevents overwrite)
  • Lifecycle policy for transition to S3 Glacier after 365 days (audit trail logs)
  • Access restricted to Security Officer and authorized auditors

8. Monitoring Review

Monitoring effectiveness is reviewed on the following schedule:

  • Daily: Security Officer reviews informational alerts, dashboards, and Drata compliance status
  • Weekly: Review of all warning and critical alerts from the past week, trend analysis
  • Quarterly: Review of alert thresholds, false positive rates, and monitoring coverage. Thresholds adjusted based on operational data.
  • Annually: Full policy review, tool assessment, and alignment with updated ISO 27001/SOC 2 requirements

9. Review

| Version | Date | Author | Change Description |
| --- | --- | --- | --- |
| 1.0 | March 8, 2026 | Eric Beans | Initial monitoring activities policy |

Next quarterly threshold review: June 2026

Next annual policy review: March 2027

Questions about this policy?

Contact our Security team at security@h33.ai