Security Monitoring & Logging Policy
Version: 1.2.0

This policy defines Thriveworks’ governance framework for identifying, classifying, and protecting the digital infrastructure and third-party services essential to business operations, cybersecurity, and regulatory compliance. By integrating tiered risk modeling, real-time monitoring, and resilience engineering, the policy ensures that mission-critical systems remain available, secure, and aligned with standards such as HIPAA, HITRUST, and the NIST Cybersecurity Framework (CSF) 2.0.

Created by: Ben Bone

Current Effective Approval: 05/03/2025

Logical Domain Strategy: Logical Domain & Enterprise Compliance
Tags: Logical Domain & Enterprise Compliance

Purpose
The Security Monitoring & Logging Policy establishes a standardized approach to monitor, detect, and respond to cybersecurity threats and system anomalies across the Thriveworks technology environment. This policy defines the technical controls, processes, and governance mechanisms needed to identify malicious activity, meet regulatory requirements (e.g., HIPAA, HITRUST, NIST CSF), and maintain operational resilience.
Security monitoring and centralized logging form the foundation of Thriveworks' cyber defense architecture. By collecting data from endpoints, networks, cloud infrastructure, and third-party services, we maintain complete visibility across critical systems. This oversight enables real-time threat detection, behavior analysis, forensic investigations, and audit reporting.
This policy demonstrates Thriveworks' commitment to a defense-in-depth strategy aligned with Zero Trust principles, risk-informed monitoring, and industry best practices. Through this policy, Thriveworks aims to:
Prevent, detect, and respond to internal and external cybersecurity threats.
Maintain accountability and traceability for privileged access, system changes, and data flows.
Facilitate incident response, forensic readiness, and threat intelligence integration.
Enable audit support for internal governance and external regulatory reviews.
Enforce consistent, high-confidence detection coverage across environments, including AWS, Heroku, Google Workspace, and endpoint fleets.
Security telemetry serves as more than a compliance measure—it's a strategic enabler of operational integrity, customer trust, and service continuity.

Security Monitoring & Logging

2

v1.2.0

Scope
This Security Monitoring & Logging Policy applies to all Thriveworks personnel, systems, and technology environments—across production, development, and staging—that support the confidentiality, integrity, and availability of company-managed data and services. The policy governs the collection, analysis, retention, and use of security data to ensure complete visibility across the enterprise.
The scope of this policy includes cloud infrastructure (AWS, Heroku Shield), containerized applications and APIs, endpoints (Windows, macOS, mobile), network and identity services, and third-party SaaS platforms used in business operations. It applies to all users—employees, contractors, interns, and third-party support staff—who access, manage, or interact with systems that process sensitive data such as PHI, PII, or regulated business records.
Monitored systems include endpoint detection and response (EDR), security information and event management (SIEM), cloud security monitoring (CSPM), vulnerability scanners, and service monitoring tools like Datadog. Logging covers network gateways, authentication systems, SaaS integrations, administrative actions, access control, change management, and security settings. Critical systems, identified through infrastructure assessment, receive priority for real-time monitoring, alerts, and extended log storage.
This policy applies to all Thriveworks environments worldwide, covering internal systems, hosted services, remote access, and virtual systems. It requires standard data collection, enrichment, log access control, and compliance with legal and regulatory requirements.
Systems may be excluded if they fall outside regulatory reporting requirements or cannot connect to Thriveworks logging systems. These exclusions require documentation, risk assessment, and approval from IT Security and Compliance teams. Temporary exceptions for system changes, tool limits, or incident response must follow change management rules and include backup safety measures.
Overall, this scope ensures comprehensive security monitoring standards protect Thriveworks' operations, customer trust, and compliance status.

Security Monitoring Strategy
Thriveworks employs a layered, risk-informed security monitoring strategy that integrates deep telemetry, behavioral analytics, and continuous threat detection to secure its hybrid cloud environment. This strategy is engineered to provide comprehensive, real-time visibility into operational risks, malicious behavior, misconfigurations, and system anomalies across Thriveworks' AWS workloads, Heroku Shield deployments, endpoint devices, remote access services, and identity platforms such as Google Workspace. It is closely aligned with the NIST Cybersecurity Framework (CSF) 2.0 Detect and Respond functions, HITRUST CSF logging mandates, and MITRE ATT&CK technique coverage models.
Security monitoring is embedded throughout the entire technology stack—endpoint, network, identity, application, infrastructure, and SaaS layers—and is executed using a unified, policy-driven approach. Telemetry is captured from multiple sources including SentinelOne (EDR), Tanium (posture, endpoint protection), AWS CloudTrail, GuardDuty, VPC Flow Logs, and SumoLogic integrations with infrastructure logs. Application-level monitoring is achieved using Datadog APM and distributed tracing across containerized services, ensuring that all service-to-service communication is observable and auditable. Datadog WAF is deployed to add intrusion detection and prevention capability for Thriveworks' highly instrumented application running inside Heroku Shield Private Spaces.
Centralized aggregation is handled via Cribl and SumoLogic, where logs are parsed, enriched, and indexed in real time. Enrichment includes tagging with user ID, device fingerprint, IP geolocation, role-based access metadata, authentication method, encryption status, session posture, and MITRE tactic mapping. Metadata normalization pipelines ensure all logs conform to a structured format, which enables rule-based correlation, cross-tenant analytics, and intelligent prioritization of security events. These logs are tagged with severity, threat type, asset class, and audit relevance to streamline triage and alert routing.
Detection capabilities span from static thresholds and time-series baselines to advanced behavior-based detections and threat intelligence matching. Detection rules are continuously mapped to the MITRE ATT&CK matrix, with specific coverage for credential access attempts (T1003), persistence via registry modification (T1112), lateral movement via RDP (T1021.001), data exfiltration (T1041), and command execution through scripting interfaces (T1059). Custom rules are constructed to detect chained attack behaviors, alert fatigue anomalies, and internal misuse scenarios. Data correlation is performed across endpoint, cloud, and identity activity to surface otherwise undetectable blended threats.
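The correlation described above, as an added Python example that is not code from the policy, from SumoLogic, or from any other named vendor: normalized events from endpoint, network and cloud telemetry are tagged with the ATT&CK techniques the policy lists, and a chained-behaviour rule fires when execution on a host is followed by exfiltration within a window. The event schema, the event_type names, the chain rules, the window lengths and the sample events are all assumptions constructed for the illustration.

```python
"""Correlated, ATT&CK-tagged detection over normalized telemetry (added example).

Assumptions: the flat event schema (ts, source, host, user, event_type,
detail), the event_type -> technique map and the chain rules below are
constructed for illustration, not the policy's real rule set.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Normalized event types mapped to the ATT&CK techniques named in the
# monitoring strategy. The event_type names are assumptions of this example.
TECHNIQUE_MAP = {
    "lsass_read": ("T1003", "credential-access", "high"),
    "registry_run_key_set": ("T1112", "persistence", "medium"),
    "rdp_logon": ("T1021.001", "lateral-movement", "medium"),
    "outbound_large_transfer": ("T1041", "exfiltration", "high"),
    "script_interpreter_exec": ("T1059", "execution", "medium"),
}

# Chained-behaviour rules: techniques must appear in order on one host
# within the window, regardless of which telemetry source reported them.
CHAIN_RULES = [
    {"name": "script-then-exfil", "sequence": ["T1059", "T1041"],
     "window": timedelta(minutes=30), "severity": "critical"},
    {"name": "cred-dump-then-rdp", "sequence": ["T1003", "T1021.001"],
     "window": timedelta(hours=2), "severity": "critical"},
]

# Constructed sample events; 203.0.113.7 is a documentation-range address.
SAMPLE_EVENTS = [
    {"ts": "2025-05-03T09:00:00", "source": "edr", "host": "wks-17", "user": "jdoe",
     "event_type": "script_interpreter_exec", "detail": "interpreter spawned by office app"},
    {"ts": "2025-05-03T09:05:00", "source": "edr", "host": "wks-17", "user": "jdoe",
     "event_type": "registry_run_key_set", "detail": "HKCU run key added"},
    {"ts": "2025-05-03T09:12:00", "source": "vpc_flow", "host": "wks-17", "user": None,
     "event_type": "outbound_large_transfer", "detail": "412 MB to 203.0.113.7:443"},
    {"ts": "2025-05-03T11:00:00", "source": "edr", "host": "srv-db-2", "user": "svc_backup",
     "event_type": "lsass_read", "detail": "handle opened on lsass.exe"},
    {"ts": "2025-05-03T14:30:00", "source": "identity", "host": "srv-db-2", "user": "svc_backup",
     "event_type": "rdp_logon", "detail": "rdp to srv-app-1"},
    {"ts": "2025-05-03T10:00:00", "source": "cloudtrail", "host": "aws", "user": "ci-deploy",
     "event_type": "AssumeRole", "detail": "routine deploy role"},
]


def enrich(event):
    """Parse the timestamp and attach technique/tactic/severity tags.
    Event types with no mapping are kept but left untagged."""
    out = dict(event)
    out["ts"] = datetime.fromisoformat(event["ts"])
    tech = TECHNIQUE_MAP.get(event["event_type"])
    if tech:
        out["technique"], out["tactic"], out["severity"] = tech
    return out


def _find_chain(events, sequence, window):
    """Earliest in-order occurrence of `sequence` within `window` of its
    first event, or None. `events` must be sorted by time."""
    for i, first in enumerate(events):
        if first["technique"] != sequence[0]:
            continue
        matched, idx = [first], 1
        for later in events[i + 1:]:
            if later["ts"] - first["ts"] > window:
                break  # outside the window; try the next starting point
            if later["technique"] == sequence[idx]:
                matched.append(later)
                idx += 1
                if idx == len(sequence):
                    return matched
    return None


def correlate(raw_events):
    """Group tagged events per host and evaluate every chain rule.
    Returns one alert per (host, rule) that fires."""
    by_host = defaultdict(list)
    for ev in sorted((enrich(e) for e in raw_events), key=lambda e: e["ts"]):
        if "technique" in ev:
            by_host[ev["host"]].append(ev)
    alerts = []
    for host, events in by_host.items():
        for rule in CHAIN_RULES:
            chain = _find_chain(events, rule["sequence"], rule["window"])
            if chain:
                alerts.append({
                    "rule": rule["name"], "severity": rule["severity"], "host": host,
                    "techniques": rule["sequence"],
                    "sources": sorted({e["source"] for e in chain}),
                    "users": sorted({e["user"] for e in chain if e["user"]}),
                    "span": f"{chain[0]['ts']:%H:%M} -> {chain[-1]['ts']:%H:%M}",
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Running the sample produces a single critical alert for wks-17 that joins an EDR event to a VPC Flow Log event; the LSASS read followed by RDP on srv-db-2 stays silent because the two events are three and a half hours apart, which is exactly the kind of window-tuning decision the policy routes through peer review of the Git-backed rule set.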
All Tier 1 and Tier 2 systems, as classified through the infrastructure dependency framework and Business Impact Analysis (BIA) process, are required to emit telemetry to the centralized monitoring fabric. Deployment pipelines enforce tagging policies, agent enrollment, and telemetry readiness as gating criteria. CI/CD workflows verify the presence of audit logs and monitoring baselines before promotion to production. Additionally, runtime checks alert security engineering when telemetry sources become stale, disabled, or disconnected.
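The runtime check for stale, disabled or disconnected telemetry sources mentioned above, as an added Python example (not the policy's own tooling): each inventoried source has an expected event cadence, and the check classifies a source from its last-seen time and recent event count. The source inventory, cadences, thresholds and the snapshot are all constructed assumptions; a real check would read the snapshot from the log pipeline's own metrics.

```python
"""Telemetry source freshness check (added example).

Assumptions: the source inventory, expected cadences, thresholds and the
'last seen' snapshot are all constructed for illustration; a real check
would read the snapshot from the log pipeline's own metrics.
"""
from datetime import datetime, timedelta

# Expected cadence per source: the pipeline should see at least one event
# this often, and roughly `baseline_rate` events per interval when healthy.
SOURCES = {
    "sentinelone-edr":  {"interval": timedelta(minutes=20), "baseline_rate": 1200},
    "aws-cloudtrail":   {"interval": timedelta(minutes=15), "baseline_rate": 400},
    "vpc-flow-logs":    {"interval": timedelta(minutes=10), "baseline_rate": 50000},
    "heroku-log-drain": {"interval": timedelta(minutes=5),  "baseline_rate": 3000},
    "gworkspace-audit": {"interval": timedelta(hours=1),    "baseline_rate": 150},
}

STALE_AFTER = 2         # missed intervals before a source is 'stale'
DISCONNECTED_AFTER = 6  # missed intervals before it is 'disconnected'
DEGRADED_RATIO = 0.2    # still reporting, but below this share of baseline volume

# Constructed snapshot: (last event seen, event count in the last interval).
NOW = datetime.fromisoformat("2025-05-03T12:00:00")
SNAPSHOT = {
    "sentinelone-edr":  (datetime.fromisoformat("2025-05-03T11:50:00"), 1100),
    "aws-cloudtrail":   (datetime.fromisoformat("2025-05-03T11:15:00"), 0),
    "vpc-flow-logs":    (datetime.fromisoformat("2025-05-03T10:00:00"), 0),
    "heroku-log-drain": (datetime.fromisoformat("2025-05-03T11:58:00"), 40),
    # gworkspace-audit has never reported, so it is absent from the snapshot
}


def classify(now, snapshot):
    """Return {source: (status, missed_intervals)} for every inventoried source."""
    result = {}
    for name, cfg in SOURCES.items():
        entry = snapshot.get(name)
        if entry is None:
            result[name] = ("disconnected", None)  # never enrolled or never reported
            continue
        last_seen, count = entry
        missed = (now - last_seen) / cfg["interval"]
        if missed >= DISCONNECTED_AFTER:
            status = "disconnected"
        elif missed >= STALE_AFTER:
            status = "stale"
        elif count < DEGRADED_RATIO * cfg["baseline_rate"]:
            status = "degraded"  # e.g. agents disabled on most endpoints
        else:
            status = "healthy"
        result[name] = (status, round(missed, 1))
    return result


def alerts(now, snapshot):
    """Sources that need a security-engineering alert, worst first."""
    rank = {"disconnected": 0, "stale": 1, "degraded": 2}
    found = [(n, s) for n, (s, _) in classify(now, snapshot).items() if s in rank]
    return sorted(found, key=lambda ns: (rank[ns[1]], ns[0]))


if __name__ == "__main__":
    for name, status in alerts(NOW, SNAPSHOT):
        print(f"{status:12} {name}")
```

The degraded state matters because a source that still heartbeats but has dropped to a fraction of its usual volume (an EDR agent disabled on most of the fleet, a log drain that lost one of several apps) passes a naive last-seen check while leaving a blind spot.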
Monitoring data is retained in compliance with HIPAA and internal governance requirements, using a three-tier storage model: hot storage (SumoLogic, 0–30 days) for active alerting and search; warm storage (S3/Glacier Instant, 30–180 days) for investigation and regulatory queries; and cold archival (Glacier Deep Archive) for 7-year forensic retention. All logs are signed, access-controlled, and encrypted in transit and at rest. In a planned future state, a compliance copy of all logs and events will also be sent to Cribl Security Lake for long-term cold storage.
Thriveworks partners with eSentire as its Managed Detection and Response (MDR) provider. eSentire receives a full telemetry stream via API and direct pipeline integrations, enabling real-time analysis, alert classification, and incident triage. SOC analysts use enrichment from shared threat intelligence feeds, behavioral baselines, and Thriveworks’ own detection rules to identify high-confidence events. Alerts are triaged in eSentire’s Insight Portal and escalated to Thriveworks Security Engineers via Freshservice with SLA-backed response paths.
Detection configurations are maintained in Git-backed repositories, with rules version-controlled and subjected to point-in-time peer review cycles. Change management for any suppression, modification, or addition of a monitoring rule requires documented risk analysis, testing evidence, and approval from the Cloud Security Lead. CI/CD integration ensures rollback capability and cross-environment propagation of validated rule sets.
The monitoring program is stress-tested on a quarterly basis through purple team exercises, simulated breach attempts, alert efficacy audits, and log pipeline resilience tests. Tabletop exercises assess cross-functional readiness to respond to telemetry-driven alerts, while post-incident reviews validate the completeness of log data and accuracy of detections. All insights from these exercises feed back into rule tuning, architecture improvements, and SOC tuning.

Monitoring Objectives
Thriveworks' monitoring objectives are grounded in continuous visibility, risk-aligned prioritization, contextual analysis, and operational resilience. These objectives transform enterprise-wide security telemetry into high-value intelligence supporting rapid threat detection, proactive incident response, compliance validation, and strategic decision-making. The monitoring program is holistic, scalable, and aligned with regulatory frameworks including NIST CSF 2.0 (Detect and Respond functions), HIPAA technical safeguard provisions, and HITRUST CSF logging control requirements.
A key objective is maintaining full-spectrum observability across critical infrastructure layers and service boundaries—from infrastructure-as-code deployments to container orchestration, distributed APIs, IAM systems, remote endpoints, SaaS integrations, and partner-facing platforms. This monitoring covers both technical performance and security posture, tracking uptime metrics, authentication attempts, access deviations, configuration changes, and exploitation indicators. Systems are prioritized by infrastructure tier, data classification (PHI, PII, Restricted, Confidential), regulatory scope, and operational importance. Each system's telemetry is tagged, baselined, and audited.
The program focuses on swift, accurate identification of high-confidence compromise indicators and security anomalies. This includes monitoring MITRE ATT&CK tactics—like privilege escalation and lateral movement—and behavioral anomalies such as repeated login failures or unusual authentication locations. Detection rules correlate user identity, device fingerprints, network metadata, and access patterns to enhance accuracy and reduce false positives. Threats are prioritized by impact, business context, system sensitivity, and attacker intent.
Forensic readiness is another cornerstone. All critical logs—from network flows to administrative changes—are collected in tamper-proof formats with integrity checks and synchronized timestamps. These logs include essential context: user IDs, session data, endpoint scores, location data, and system details. This comprehensive dataset enables swift incident investigation and attack path reconstruction. The platform's forensic completeness is measured quarterly through practical exercises.
The alerting system delivers precise, actionable notifications without overwhelming response teams. Alerts carry criticality ratings and include rich context for triage. These flow through Freshservice for ticketing, with defined escalation paths to MDR (eSentire) analysts and the Security Engineering team. Alert thresholds adapt to changing baselines and emerging threats, while modifications require formal approval through the Freshservice CAB process.
Monitoring and logging directly support regulatory compliance and audits. Security data maps to specific controls in HIPAA §164.312(b), HITRUST (SI-01 through SI-09), and NIST 800-53. Real-time dashboards track log collection, policy compliance, and detection coverage across all environments. Quarterly reviews confirm that log sources remain properly integrated and compliant with retention policies.
The monitoring ecosystem's resilience is paramount. Log ingestion pipelines undergo thorough testing and continuous monitoring for performance and accuracy. Health dashboards track data gaps and parsing issues. Detection rules follow version control practices with peer review and staged validation. All monitoring tools must meet high availability and scalability requirements.
Regular testing validates the monitoring strategy through simulated attacks, tabletop exercises, and control validation. Purple team engagements and synthetic scenarios test detection capabilities, response times, and escalation procedures. These exercises help refine detection rules, identify gaps, and strengthen threat detection capabilities.
Collectively, these monitoring objectives form a mature, intelligence-driven, and standards-aligned framework that enables Thriveworks to identify, investigate, and respond to cyber threats effectively, while simultaneously fulfilling its obligations for regulatory compliance, incident readiness, and operational transparency.

Insider Threat and Privileged Access Monitoring
Thriveworks implements a focused monitoring strategy to detect, investigate, and respond to potential insider threats and privileged access misuse. This approach is essential for safeguarding sensitive data, maintaining regulatory compliance, and upholding customer trust across our distributed and hybrid infrastructure.
Risk Context
Insider threats can come from current or former employees, contractors, or third-party partners who have authorized access. These threats arise from malicious intent, negligence, or compromised credentials. Privileged users—administrators, engineers, and IT support personnel—present heightened risk due to their broad access rights and control over sensitive systems.
Monitoring Strategy
Thriveworks uses a multi-layered detection approach for insider threats and privileged access activities:
Behavioral Baselines
User activity is monitored and compared to historical behavior patterns using SumoLogic and SentinelOne. Unusual activities—like access during odd hours, unauthorized production system changes, or excessive data downloads—trigger automated alerts that are triaged and escalated by eSentire SOC analysts.
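The two baseline deviations named above (odd-hours access and excessive downloads), as an added Python example that is not code from the policy, SumoLogic or SentinelOne: a per-user baseline is built from daily activity history, and a new record is scored against that user's tolerated login hours and download-volume distribution. The record layout, the history, the new records and the thresholds are constructed assumptions; a real implementation would compute the baselines over SIEM data.

```python
"""Per-user behavioural baseline checks (added example).

Assumptions: one record per user per day with a login time and the
total volume downloaded that day; the history, the new records and
the thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

DOWNLOAD_Z_THRESHOLD = 3.0   # flag volumes this many SDs above the user's mean
MIN_BASELINE_DAYS = 5        # refuse to score users with too little history
HOUR_TOLERANCE = 1           # hours either side of observed login hours

# Constructed history: jdoe has ten ordinary days, newhire only two.
HISTORY = [
    {"user": "jdoe", "login": f"2025-04-{d:02d}T{h:02d}:15:00", "download_mb": mb}
    for d, h, mb in [(1, 8, 40), (2, 9, 45), (3, 8, 50), (4, 9, 55), (5, 8, 60),
                     (8, 9, 42), (9, 8, 48), (10, 9, 52), (11, 8, 58), (12, 9, 50)]
] + [
    {"user": "newhire", "login": "2025-04-28T10:05:00", "download_mb": 20},
    {"user": "newhire", "login": "2025-04-29T10:20:00", "download_mb": 25},
]


def build_baseline(history):
    """Per-user baseline: tolerated login hours and download-volume stats."""
    by_user = defaultdict(list)
    for rec in history:
        by_user[rec["user"]].append(rec)
    baselines = {}
    for user, recs in by_user.items():
        seen = {datetime.fromisoformat(r["login"]).hour for r in recs}
        tolerated = {(h + d) % 24 for h in seen
                     for d in range(-HOUR_TOLERANCE, HOUR_TOLERANCE + 1)}
        vols = [r["download_mb"] for r in recs]
        baselines[user] = {"hours": tolerated, "mean": mean(vols),
                           "sd": pstdev(vols), "days": len(recs)}
    return baselines


def score(record, baselines):
    """Anomaly reasons for one new daily record; an empty list means normal."""
    b = baselines.get(record["user"])
    if b is None or b["days"] < MIN_BASELINE_DAYS:
        return ["insufficient-baseline"]  # route to manual review, not silence
    reasons = []
    hour = datetime.fromisoformat(record["login"]).hour
    if hour not in b["hours"]:
        reasons.append(f"off-hours-login:{hour:02d}h")
    if b["sd"] > 0:
        z = (record["download_mb"] - b["mean"]) / b["sd"]
        if z > DOWNLOAD_Z_THRESHOLD:
            reasons.append(f"excessive-download:z={z:.1f}")
    elif record["download_mb"] > b["mean"]:  # constant history: any increase is unusual
        reasons.append("excessive-download:above-constant-baseline")
    return reasons


# Constructed new records to score against the baseline.
SUSPICIOUS = {"user": "jdoe", "login": "2025-05-03T02:30:00", "download_mb": 900}
NORMAL = {"user": "jdoe", "login": "2025-05-03T09:10:00", "download_mb": 55}
NEWHIRE_TODAY = {"user": "newhire", "login": "2025-05-03T03:00:00", "download_mb": 500}

if __name__ == "__main__":
    baselines = build_baseline(HISTORY)
    for rec in (SUSPICIOUS, NORMAL, NEWHIRE_TODAY):
        print(rec["user"], score(rec, baselines) or "normal")
```

Users without enough history get an explicit "insufficient-baseline" result rather than a clean score, so a new account that behaves unusually on day one is surfaced for review instead of being treated as normal because nothing contradicts it.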
Privileged Access Telemetry
Activities by privileged users are logged in detail across authentication systems (e.g., Google Workspace), endpoints, and cloud infrastructure. SumoLogic serves as the central repository for audit logs, enriched with session metadata (IP, device ID, method of authentication) to enable context-aware investigations.
Session Recording and Integrity Monitoring
Administrative sessions on Tier 1 systems are logged and periodically reviewed. SentinelOne and Heroku Shield enforce policies that restrict unauthorized code execution and maintain traceability for high-risk actions.
Just-in-Time (JIT) Access Enforcement
Access to sensitive systems requires case-based justification and is time-bound, enforced through integration with the Freshservice ITSM platform. Temporary privileges are automatically revoked, and all escalation events are logged.
High-Sensitivity Alerting
Privileged actions involving security configuration changes, audit log manipulation, or PHI database access receive elevated severity status. These alerts route directly to eSentire for real-time triage and follow SLA-backed escalation workflows.
Governance and Review
The Cloud Security Lead and Compliance team review all privileged access logs quarterly. Anomalies, policy violations, and unapproved access attempts are documented and trigger corrective action.
Additionally, Thriveworks runs tabletop simulations and insider threat scenarios in its purple team exercises. These tests verify the effectiveness of detection pipelines, escalation paths, and forensic capabilities against insider risk vectors.

Through continuous behavioral analytics, least-privilege enforcement, and structured reviews, Thriveworks maintains an effective insider threat and privileged access monitoring program that aligns with NIST CSF 2.0 (PR.AC, DE.CM, PR.PT) and HIPAA §164.308(a)(3) administrative safeguards.

Systems & Tools
Thriveworks uses an integrated suite of tools for security monitoring, data collection, threat detection, and compliance across its distributed environment. These systems cover endpoint, network, application, identity, and cloud infrastructure—chosen for their compatibility, scalability, and alignment with security standards like NIST CSF, MITRE ATT&CK, HIPAA, and HITRUST CSF.
Datadog
At the core of Thriveworks' monitoring architecture is Datadog, which serves as the central platform for performance and security oversight. It collects system metrics, traces, logs, and audit events across the infrastructure. The platform establishes behavioral baselines, tracks performance, creates anomaly dashboards, and manages real-time alerts. Its security modules (Cloud Security Management, Cloud SIEM, and Sensitive Data Scanner) detect misconfigurations, privilege abuse, exposed secrets, and cloud threats.
SumoLogic
SumoLogic acts as the main Security Information and Event Management (SIEM) platform, handling log processing, enrichment, storage, and analysis. Critical system data flows through Cribl's observability pipeline from various sources: AWS CloudTrail, GuardDuty, VPC Flow Logs, EKS control planes, Heroku audits, Google Workspace, and applications. Cribl manages filtering, tagging, routing, redaction, and standardization before data storage or forwarding.
eSentire
eSentire delivers Managed Detection and Response (MDR) services by monitoring data from Datadog, SumoLogic, and SentinelOne. Their analysts provide 24/7 threat analysis, escalation handling, and response guidance. Their security platform processes enhanced logs, threat detections, and behavior patterns for targeted incident response.
SentinelOne
SentinelOne monitors endpoint data, providing real-time behavioral detection for macOS and Windows devices. It tracks processes, scripts, file access, and memory execution. The platform integrates with Datadog and SumoLogic, feeding detection data into alert and response workflows. All Tier 1 and Tier 2 endpoints must run SentinelOne agents, with health checks every 20 minutes through Harmony SASE.
AWS Security Hub
Thriveworks uses AWS-native tools for comprehensive cloud infrastructure monitoring and security. Amazon GuardDuty monitors AWS accounts and workloads for suspicious activities and potential security threats. AWS CloudTrail records API and governance events across AWS services, sending audit logs to the observability pipeline for analysis. Amazon CloudWatch tracks system and application metrics, enabling anomaly detection and alerts through Datadog and SumoLogic. Together, these services detect threats, enforce compliance, and provide detailed data for security investigations.
Harmony SASE
Harmony SASE, Thriveworks' Zero Trust and Secure Access Service Edge (SASE) provider, handles access control and session monitoring. It tracks gateway activity, DNS queries, device health checks, and session data—including tunnel ID, IP address, location, device details, and login times. Regional gateways filter traffic using policy rules and data loss prevention before granting network access. These records are sent to both SumoLogic and eSentire.
Heroku Shield
Thriveworks utilizes Heroku Shield Private Spaces to host sensitive, regulated workloads in a fully isolated runtime environment that meets the stringent requirements of HIPAA and other compliance frameworks. Shield Spaces provide dedicated network infrastructure with strict ingress and egress controls, private routing, and VPN/privatelink support for secure connectivity. Security auditing and log forwarding are integrated via Heroku Shield Log Drains, which export application logs—including system events, access attempts, and platform activity—into our centralized SIEM pipeline. Combined with runtime encryption, restricted buildpacks, and enforced two-factor authentication (2FA) for access, Shield Private Spaces enable Thriveworks to deploy applications with high assurance, traceability, and minimal attack surface.
ProjectDiscovery
ProjectDiscovery Cloud enhances Thriveworks' external threat surface management by continuously scanning for vulnerabilities across public-facing assets. The platform identifies misconfigurations, outdated services, exposed ports, and other indicators of risk in real time. Its detection engine integrates with CI/CD pipelines and monitoring workflows to ensure security assessments are part of the build and release process. Findings are routed to Datadog and eSentire for correlation with internal telemetry, enabling proactive remediation and visibility into externally exploitable threats.
Caido
Caido is used by Thriveworks' security engineering team as a modern application proxy for testing and validating public-facing API and web application traffic. It facilitates manual security assessments, allowing analysts to intercept, inspect, and manipulate HTTP requests and responses in real time. Caido plays a key role in active reconnaissance, vulnerability identification, and logic flaw detection during red team exercises and pre-production security reviews. Findings from Caido assessments are fed into the centralized SIEM (SumoLogic) and reviewed alongside automated scans for complete threat coverage.
UpGuard
Thriveworks relies on UpGuard to monitor its external attack surface and validate security controls from an attacker's perspective. UpGuard continuously scans public-facing assets—including domains, IP ranges, DNS records, and exposed services—to identify vulnerabilities like open ports, misconfigured SSL certificates, outdated software, and shadow IT. The platform generates a dynamic security rating that provides measurable insights into organizational risk and enables comparison with industry peers. Through automated discovery, UpGuard performs control validation by verifying SPF, DKIM, DMARC records, and TLS configurations against policy and best practices. The platform also enables third-party risk management, allowing Thriveworks to track vendor security and detect issues in real time. The security team reviews all findings to guide remediation efforts, vendor assessments, and executive reporting.

Threat Intelligence
Thriveworks integrates threat intelligence as a core element of its cybersecurity strategy. This intelligence is embedded across all security monitoring layers to strengthen proactive defenses, inform strategic decisions, and enable rapid incident response. The approach enhances the organization's ability to anticipate, detect, and address cyber threats by improving visibility into adversary behavior and refining detection capabilities.
Strategic and Operational Roles
Threat intelligence serves two key roles within Thriveworks: supporting long-term strategic planning and real-time operational execution. At the strategic level, intelligence provides vital insights to executive leadership and the Risk Management Committee. These insights include analyses of emerging threat trends, updates on adversary tactics, techniques, and procedures (TTPs), and assessments of geopolitical and sector-specific risks. This information guides policy decisions, budget allocations, and investments in cybersecurity tools and staffing.
On the operational front, Thriveworks integrates threat intelligence into its core security infrastructure to enable responsive and adaptive monitoring. The following platforms are key components of this architecture:
SumoLogic (SIEM)
Aggregates and analyzes log data in real time.
eSentire (TRU Intelligence)
Aggregates threat intelligence from numerous sources, making it available through all co-hosted services as well as remotely via API.
SentinelOne (EDR)
Provides AI-driven endpoint detection and response.
AWS Security Hub
Offers centralized visibility and compliance checks for cloud workloads.
Datadog (CSPM)
Monitors cloud security posture and flags configuration risks.
Honeypot
Self-hosted honeypot mesh collecting relevant attack intelligence, feeding into Datadog ASM.
These platforms are configured to ingest intelligence from trusted external feeds. Thriveworks also leverages eSentire’s TRU Threat Intelligence platform, which works directly with both SumoLogic and SentinelOne to deliver enriched, actionable threat insights.
In parallel, Thriveworks gathers internal threat intelligence through deployed honeypots in the DMZ. These honeypots are designed to attract, log, and analyze attack attempts, providing unique visibility into tactics and payloads targeting Thriveworks infrastructure.
By combining external and internal sources, the organization ensures robust correlation of threat indicators with internal telemetry, enabling the detection of unauthorized access, anomalous behavior, and emerging threats. Alerts are triaged based on threat context, severity, and alignment with Thriveworks’ risk tolerance.
Intelligence-Driven Response and Enrichment
Thriveworks enhances its analysis through automated enrichment pipelines that connect incoming events with threat intelligence data. These systems map security data to known attack patterns in the MITRE ATT&CK framework, helping analysts quickly identify potential threats and plan effective responses. By combining real-time intelligence with past incident data, the team continuously improves its detection methods and response procedures.
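The enrichment step described above, as an added Python example that is not code from the policy, Datadog or eSentire: indicators of compromise are loaded from a CSV reference table, matched against event fields with case and whitespace normalized, and a match stamps the event with the indicator's ATT&CK technique, the feed it came from and a triage priority derived from its confidence. The CSV columns, the indicators, the feed names, the event fields and the priority thresholds are all constructed assumptions, not any vendor's actual schema.

```python
"""Threat-intelligence enrichment of events from a CSV reference table (added example).

Assumptions: the CSV columns, the indicators, the feed names, the event
fields and the priority thresholds are constructed for this illustration;
none of them are Datadog's or eSentire's actual schema.
"""
import csv
import io

# Constructed indicator table. 203.0.113.7 and .example are reserved for documentation.
REFERENCE_TABLE_CSV = """indicator,indicator_type,source,confidence,technique
203.0.113.7,ip,constructed-feed-a,90,T1041
bad-updates.example,domain,constructed-feed-b,70,T1059
0123456789abcdef0123456789abcdef,md5,internal-honeypot,60,T1003
"""

# Which event fields are compared with which indicator type.
FIELD_TYPES = {"dest_ip": "ip", "domain": "domain", "file_md5": "md5"}


def load_indicators(csv_text):
    """Index rows by (type, normalized indicator); later duplicates win."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["confidence"] = int(row["confidence"])
        table[(row["indicator_type"], row["indicator"].strip().lower())] = row
    return table


def priority(confidence):
    """Map indicator confidence to a triage priority (thresholds are assumptions)."""
    if confidence >= 80:
        return "P1"
    if confidence >= 50:
        return "P2"
    return "P3"


def enrich_event(event, table):
    """Return a copy of the event with TI fields added when any indicator matches."""
    hits = []
    for field, itype in FIELD_TYPES.items():
        value = event.get(field)
        if value:
            hit = table.get((itype, value.strip().lower()))
            if hit:
                hits.append(hit)
    out = dict(event)
    if hits:
        best = max(hits, key=lambda r: r["confidence"])  # highest-confidence hit drives triage
        out["ti_matches"] = [h["indicator"] for h in hits]
        out["ti_sources"] = sorted({h["source"] for h in hits})
        out["ti_confidence"] = best["confidence"]
        out["attack_technique"] = best["technique"]
        out["priority"] = priority(best["confidence"])
    return out


# Constructed events to enrich; the second has two matching fields with mixed case.
TI_SAMPLE_EVENTS = [
    {"id": 1, "host": "wks-17", "dest_ip": "203.0.113.7", "bytes_out": 412_000_000},
    {"id": 2, "host": "wks-22", "domain": "BAD-UPDATES.example",
     "file_md5": "0123456789ABCDEF0123456789abcdef"},
    {"id": 3, "host": "wks-30", "domain": "intranet.example", "dest_ip": "192.0.2.10"},
]


def enrich_all(events, csv_text=REFERENCE_TABLE_CSV):
    """Load the table once and enrich every event against it."""
    table = load_indicators(csv_text)
    return [enrich_event(e, table) for e in events]


if __name__ == "__main__":
    for e in enrich_all(TI_SAMPLE_EVENTS):
        print(e.get("priority", "--"), e)
```

Normalizing both the table and the event values before lookup is what makes the mixed-case domain and hash in the second event match; without it, an indicator feed and a log source that disagree on letter case silently produce no enrichment.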
Information Sharing and Continuous Learning
Thriveworks actively participates in cyber threat intelligence sharing through peer networks and Information Sharing and Analysis Centers (ISACs) in the healthcare and technology sectors. This collaborative ecosystem strengthens situational awareness, enables threat exposure benchmarking, and provides context for defensive measures. The intelligence gathered informs threat modeling, updates to firewall and detection rules, and user education programs focused on preventing phishing and social engineering attacks.
To maintain readiness, Thriveworks keeps an up-to-date repository of threat scenarios and use cases drawn from internal experience and external research. This repository, reviewed regularly, guides red team simulations, penetration tests, and tabletop exercises. The team incorporates lessons learned into monitoring strategies to address visibility gaps.

Threat Intelligence Sources
Threat Intelligence Categories
Threat Intelligence Intents
Entity Types

AAP supports enriching and searching traces with threat intelligence indicators of compromise stored in Datadog reference tables. Reference Tables allow you to combine metadata with information already in Datadog.
CSV Structure

Infrastructure Tiering Model
Tier 1: Mission-Critical Systems
Systems whose disruption would have an immediate and severe impact on business operations, patient care, or data protection. (e.g., EHR, identity providers, security infrastructure)
Tier 2: Essential Systems
Systems necessary for operations, but where short-term outages are tolerable. (e.g., CRM, IT ticketing, file sharing)
Tier 3: Support Systems
Internal tools or platforms that support productivity but do not directly impact patient care or compliance. (e.g., dashboards, documentation systems)
Tier 4: Non-Critical Systems
Tools or environments used for discretionary or low-priority tasks. (e.g., development sandboxes, testing environments)

This tiering framework is used to prioritize monitoring, incident response, business continuity planning, and vendor due diligence activities.
Infrastructure Resource - Tagging Strategy

REQUIRED Tags for HIPAA resources

NIST CSF Control Mapping - Security Monitoring & Logging Policy
This section documents the formal mapping between Thriveworks’ Security Monitoring & Logging Policy and the NIST Cybersecurity Framework (CSF) version 2.0. It serves as a compliance reference that demonstrates how Thriveworks' infrastructure governance and dependency management practices align with NIST’s cybersecurity functions and subcategories.
Purpose of this matrix: The primary objective of this matrix is to support internal and external audits, enable regulatory readiness, and demonstrate that Thriveworks’ dependency management practices satisfy requirements outlined in HIPAA, HITRUST, and the NIST CSF. By linking operational, architectural, and security practices to specific CSF subcategories, Thriveworks reinforces its evidence base for compliance, risk mitigation, and continuity assurance.
Why this matters: As healthcare delivery increasingly depends on cloud infrastructure, third-party SaaS platforms, and interconnected digital services, robust dependency management becomes essential. Mapping this policy to NIST CSF 2.0 provides measurable assurance that Thriveworks' critical infrastructure is resilient, observable, and governed by policy-aligned controls. It also facilitates gap identification and continuous improvement across system monitoring, incident recovery, and risk oversight.

Policy Review & Approval
This Security Monitoring & Logging Policy is a living document and shall be reviewed at least annually, or upon any significant change to Thriveworks' technology stack, organizational structure, or applicable regulatory landscape. Additional reviews may also be initiated following disaster recovery tests, incident investigations, or business continuity planning updates.
All changes to this policy require executive leadership approval. The final, approved version will be distributed to all relevant personnel and made available through Thriveworks' central documentation repository. Compliance with the latest version of this policy is mandatory for all affected teams.
Ben Bone
Vice President, Technology

Policy Responsibilities:
Leads the configuration policy review cycle and cross-functional coordination. The VP is responsible for collecting input from Compliance, Security, IT Operations, and DevOps teams to ensure policy updates are technically accurate, operationally practical, and aligned with Thriveworks’ risk management and compliance objectives. Proposed changes are consolidated and prepared for executive review and final approval.
Marc Brooks
Chief Admin Officer & General Counsel

Policy Responsibilities:
Serves as the executive sponsor of the Security Monitoring & Logging Policy, providing final approval authority. The CAO is responsible for ensuring that the policy aligns with Thriveworks’ broader organizational objectives, regulatory commitments, and strategic risk tolerance. This includes reviewing proposed updates, validating that appropriate stakeholder collaboration has occurred, and formally endorsing the policy before publication or reissuance.
