Content library
Security systems and logging
Implement SIEM as part of the ICT system

Other tasks from the same security theme

Task name
Priority
Status
Theme
Policy
Other requirements
Collection of log data on the use of data systems
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
9
requirements

Examples of other requirements this task affects

17 §: Lokitietojen kerääminen
TiHL
HAL-07.1: Seuranta ja valvonta - tietojen käyttö ja luovutukset
Julkri
TEK-12: Turvallisuuteen liittyvien tapahtumien jäljitettävyys
Julkri
TEK-12.1: Turvallisuuteen liittyvien tapahtumien jäljitettävyys - tietojen luovutukset
Julkri
49: Tietojärjestelmien lokitietojen keräys
Digiturvan kokonaiskuvapalvelu
See all related requirements and other information from tasks own page.
Go to >
Collection of log data on the use of data systems
1. Task description

Viranomaisen on huolehdittava, että sen tietojärjestelmien käytöstä ja niistä tehtävistä tietojen luovutuksista kerätään tarpeelliset lokitiedot, jos tietojärjestelmän käyttö edellyttää tunnistautumista tai muuta kirjautumista. Lokitietojen käyttötarkoituksena on tietojärjestelmissä olevien tietojen käytön ja luovutuksen seuranta sekä tietojärjestelmän teknisten virheiden selvittäminen.

Digiturvamallissa tietojärjestelmän omistaja voi vastata tietojärjestelmän lokitietojen keräämisen tarkastamisesta. Organisaatio dokumentoi lokien sisällön tarkemmin niissä tietojärjestelmissä, joiden teknisestä ylläpidosta se vastaa itse. Muissa tietojärjestelmissä omistaja tarkistaa yhteistyössä järjestelmätoimittajan kanssa, että tarvittavat lokit kertyvät.

Documentation of system logs for self-maintained data systems
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
28
requirements

Examples of other requirements this task affects

12.4.1: Event logging
ISO 27001
12.4.2: Protection of log information
ISO 27001
I10: Turvallisuuteen liittyvien tapahtumien jäljitettävyys
Katakri
6.6.1: Tietoturvan ja tietosuojan seuranta ja valvonta
Omavalvontasuunnitelma
PR.PT-1: Audit/log records
NIST
See all related requirements and other information from tasks own page.
Go to >
Documentation of system logs for self-maintained data systems
1. Task description

The development of system logs must keep pace with the development of the system and enable, for example, the necessary resolution of incidents. In connection with the data system list, we describe for which systems we are responsible for the implementation of the logging. For these systems, we document:

  • which data is saved on the log
  • how long log data is retained
Determining the baseline for network and data system usage for monitoring purposes
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
9
requirements

Examples of other requirements this task affects

8.16: Monitoring activities
ISO 27001
I-11: MONITASOINEN SUOJAAMINEN – POIKKEAMIEN HAVAINNOINTIKYKY JA TOIPUMINEN
Katakri 2020
Article 10: Detection
DORA
DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed.
CyberFundamentals
3.3.1: Create a plan for analysing data from security monitoring
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Determining the baseline for network and data system usage for monitoring purposes
1. Task description

Organization must describe the baseline of normal behaviour for the use of network and data systems, which is used as a starting point for identifying anomalies.

When defining the baseline, the following must be taken into account:

  • monitoring the use of data systems during both normal and peak times
  • usual times of use, places of use and frequency of use for each user and user group

Monitoring systems must be configured against the baseline to identify anomalous behavior such as:

  • unplanned termination of systems or processes
  • traffic related to malware or malicious IP addresses or domains
  • known attack characteristics (e.g. denial of service or buffer overflow)
  • unusual system use (e.g. keystroke logging)
  • bottlenecks and overloads (e.g. network queues, latency levels)
  • unauthorized access (actual or attempted) to systems or data
  • unauthorized scanning of data systems and networks
  • successful and failed attempts to access protected resources (e.g. DNS servers, web portals and file systems)
  • unusual user and system behavior
Tietojenkäsittely-ympäristön käyttäjien tehostettu seuranta (TL I)
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
1
requirements

Examples of other requirements this task affects

TEK-13.3: Poikkeamien havainnointikyky ja toipuminen - TL I
Julkri
See all related requirements and other information from tasks own page.
Go to >
Tietojenkäsittely-ympäristön käyttäjien tehostettu seuranta (TL I)
1. Task description

Käyttäjien ja ylläpitäjien toimintaa seurataan poikkeuksellisen toiminnan havaitsemiseksi. Turvallisuusluokan I tietojen käsittelyssä suositellaan tehostettua poikkeamien havainnointikykyä, painottaen muun muassa tietojenkäsittely-ympäristön käyttäjien ja ylläpitäjien toiminnan seurantaa.

Poikkeamien havainnoinnin ja toipumisen lisävaatimukset (TL IV)
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
3
requirements

Examples of other requirements this task affects

TEK-13.2: Poikkeamien havainnointikyky ja toipuminen
Julkri
I-10: MONITASOINEN SUOJAAMINEN – TURVALLISUUTEEN LIITTYVIEN TAPAHTUMIEN JÄLJITETTÄVYYS
Katakri 2020
I-11: MONITASOINEN SUOJAAMINEN – POIKKEAMIEN HAVAINNOINTIKYKY JA TOIPUMINEN
Katakri 2020
See all related requirements and other information from tasks own page.
Go to >
Poikkeamien havainnoinnin ja toipumisen lisävaatimukset (TL IV)
1. Task description
  • On olemassa menettely, jolla kerätyistä tallenteista ja tilannetiedosta (esimerkiksi muutokset lokikertymissä) pyritään havaitsemaan poikkeamia (erityisesti tietojärjestelmän luvaton käyttöyritys on kyettävä havaitsemaan).
  • On olemassa menettely, jolla tietojenkäsittely-ympäristön kohteista (hosts, esimerkiksi työasemat ja palvelimet) voidaan havainnoida poikkeamia.
  • On olemassa menettely havaituista poikkeamista toipumiseen.
Turvallisuusluokitellun tiedon käsittelyn lokitus ja lokitietojen säilytys (TL I)
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
2
requirements

Examples of other requirements this task affects

TEK-12.3: Turvallisuuteen liittyvien tapahtumien jäljitettävyys - TL I
Julkri
I-10: MONITASOINEN SUOJAAMINEN – TURVALLISUUTEEN LIITTYVIEN TAPAHTUMIEN JÄLJITETTÄVYYS
Katakri 2020
See all related requirements and other information from tasks own page.
Go to >
Turvallisuusluokitellun tiedon käsittelyn lokitus ja lokitietojen säilytys (TL I)
1. Task description

Turvallisuusluokan I tietojen käsittelyssä suositellaan riskiperustaisesti turvallisuusluokkaa II pidempiä säilytysaikoja lokitiedoille (esimerkiksi vähintään 10 vuotta).

Turvallisuusluokan I tietojenkäsittely-ympäristöt ovat tyypillisesti suppeita, koostuen esimerkiksi kaikista verkoista pysyvästi irtikytketyistä päätelaitteista. Toisaalta esimerkiksi 10 vuoden lokikertymän säilyvyys on haastava toteuttaa uskottavasti vain päätelaitteilla, joten tällaisten päätelaitteiden lokienkeräys sekä kerättyjen lokitietojen varmistukset edellyttävätkin yleensä suunniteltua säännöllistä prosessia. Käytännön toteutustapana voi olla esimerkiksi lokitietojen säännöllinen kerääminen irtomedialle, jota käsitellään ja säilytetään sen elinkaaren ajan kuin turvallisuusluokan I tietoa. Lisäksi huomioitava, että mikäli tietojärjestelmän pääsynhallinta tai esimerkiksi toimien jäljitettävyys nojautuu fyysisen turvallisuuden menettelyihin, myös näistä syntyviä tallenteita saattaa olla perusteltua säilyttää ja hallinnoida turvallisuusluokan I mukaisilla menettelyillä.

Turvallisuusluokitellun tiedon käsittelyn lokitus ja lokitietojen säilytys (TL III)
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
2
requirements

Examples of other requirements this task affects

TEK-12.2: Turvallisuuteen liittyvien tapahtumien jäljitettävyys - TL III
Julkri
I-10: MONITASOINEN SUOJAAMINEN – TURVALLISUUTEEN LIITTYVIEN TAPAHTUMIEN JÄLJITETTÄVYYS
Katakri 2020
See all related requirements and other information from tasks own page.
Go to >
Turvallisuusluokitellun tiedon käsittelyn lokitus ja lokitietojen säilytys (TL III)
1. Task description

Turvallisuusluokan II–III tiedon käsittely on rekisteröitävä sähköiseen lokiin, tietojärjestelmään, asiarekisteriin tai tietoon (esimerkiksi dokumentin osaksi). Teemasta on olemassa suositus VM 2021:5: Suositus turvallisuusluokiteltavien asiakirjojen käsittelystä.

TL III ja TL II käsittely-ympäristöissä vaatimus voidaan siten, että toteutetaan alla mainitut toimenpiteet:

  • Relevantille henkilöstölle on laadittu selkeät ohjeet lokitietojen keräämiseen, luovuttamiseen sekä seurantaan liittyen.
  • Keskeiset tallenteet säilytetään vähintään 5 vuotta, ellei lainsäädäntö, suositukset tai sopimukset edellytä pitempää säilytysaikaa. Tallenteita, joilla on esimerkiksi poikkeamatilanteiden selvittelyn tai viranomaistoiminnan rikosoikeudelliselta kannalta hyvin vähäistä merkitystä, voidaan säilyttää lyhyemmän ajan, esimerkiksi 2-5 vuotta.
  • Lokitiedot varmuuskopioidaan säännöllisesti.
  • Samalla turvallisuusalueella olevien olennaisten tietojenkäsittelyjärjestelmien kellot on synkronoitu sovitun ajanlähteen kanssa.
  • On olemassa menetelmä lokien eheyden (muuttumattomuuden) varmistamiseen.
  • Syntyneiden lokitietojen käytöstä ja käsittelystä muodostuu merkinnät.
Turvalliset toimintatavat tiedon sisääntuontiin ja ulosvientiin järjestelmistä (TL II)
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
1
requirements

Examples of other requirements this task affects

TEK-11.3: Haittaohjelmilta suojautuminen - TL II
Julkri
See all related requirements and other information from tasks own page.
Go to >
Turvalliset toimintatavat tiedon sisääntuontiin ja ulosvientiin järjestelmistä (TL II)
1. Task description

Tilanteissa, joissa on tarve tuoda tietoa ei-luotetuista järjestelmistä jotain muistivälinettä käyttäen, huomioidaan lisäksi yleensä turvallisuusluokasta II lähtien myös muistivälineen kontrolleritason räätälöinnin uhat.

Turvalliset toimintatavat tiedon sisääntuontiin ja ulosvientiin järjestelmistä (TL III)
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
1
requirements

Examples of other requirements this task affects

TEK-11.2: Haittaohjelmilta suojautuminen - TL III
Julkri
See all related requirements and other information from tasks own page.
Go to >
Turvalliset toimintatavat tiedon sisääntuontiin ja ulosvientiin järjestelmistä (TL III)
1. Task description

Kaikki tiedon sisääntuonnin ja ulosviennin käyttötapaukset on tunnistettu. Turvalliset toimintatavat on määritetty, ohjeistettu ja valvonnan piirissä. Turvallisten toimintatapojen piiriin sisältyy tarvearviointi järjestelmien USB-porttien ja vastaavien liityntöjen käytölle.

USB-porttien ja vastaavien liityntöjen käytön tapauskohtaisiin ehtoihin voi sisältyä esimerkiksi, että järjestelmään voi kytkeä vain erikseen määritettyjä luotettavaksi todennettuja muistitikkuja (ja vastaavia), joita ei kytketä mihinkään muuhun järjestelmään. Tapauskohtaisiin ehtoihin voi sisältyä esimerkiksi järjestely, jossa vain organisaation tietohallinnon jakamia muistivälineitä voidaan kytkeä organisaation järjestelmiin, ja että kaikkien muiden muistivälineiden kytkeminen on kielletty ja/tai teknisesti estetty.

Tilanteissa, joissa on tarve tuoda tietoa ei-luotetuista järjestelmistä jotain muistivälinettä käyttäen, tapauskohtaisiin ehtoihin sisältyy usein myös määrittelyt siitä, millä menetelmillä pienennetään tämän aiheuttamaa riskiä. Menetelmänä voi esimerkiksi olla ei-luotetusta lähteestä tulevan muistivälineen kytkeminen eristettyyn tarkastusjärjestelmään, jonne siirrettävä tieto siirretään, ja josta siirrettävä tieto viedään edelleen luotettuun järjestelmään erillistä muistivälinettä käyttäen.

Lokitietojen keräämiseen liittyvien vaatimusten tunnistaminen ja lokitietojen riittävyys
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
2
requirements

Examples of other requirements this task affects

HAL-07.1: Seuranta ja valvonta - tietojen käyttö ja luovutukset
Julkri
4.6: Lokitietojen kerääminen
TiHL tietoturvavaatimukset
See all related requirements and other information from tasks own page.
Go to >
Lokitietojen keräämiseen liittyvien vaatimusten tunnistaminen ja lokitietojen riittävyys
1. Task description

Organisaatio on tunnistanut lokitietojen keräämiseen liittyvät vaatimukset ja varmistanut niiden perusteella lokitietojen keräämisen ja seurannan riittävyyden.

Lokitiedot tulee kerätä tietojärjestelmän käytöstä ja tietojen luovutuksista, mutta tietojen kerääminen on sidottu tarpeellisuuteen. Jos tietojärjestelmästä luovutetaan rajapintojen tai katseluyhteyden avulla salassa pidettäviä tietoja tai henkilötietoja, tulee luovuttavassa järjestelmässä kerätä luovutuslokitiedot sen varmistamiseksi, että tietojen luovuttamiselle on ollut laillinen perusteensa. Lisäksi käyttölokitiedot tulee kerätä ainakin tietojärjestelmistä, joissa käsitellään henkilötietoja tai salassa pidettäviä tietoja.

Monitoring of cloud-based data systems
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
2
requirements

Examples of other requirements this task affects

CLD 12.4: Logging and monitoring
ISO 27017
CLD 12.4.5: Monitoring of Cloud Services
ISO 27017
See all related requirements and other information from tasks own page.
Go to >
Monitoring of cloud-based data systems
1. Task description

When utilizing cloud-based data systems, the organisation should request information from the service provider to find out monitoring capabilities of each system.

When offering cloud services as a service provider, the organisation should provide monitoring capabilities and related documentation proactively to the customer. This includes e.g. capability to monitor if the service is being used as a platform or a vector to attack others or capability to monitor for data leaks in the service.

Identifying and reacting to logging errors in protection systems logs
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Identifying and reacting to logging errors in protection systems logs
1. Task description

The organization shall have pre-planned, clear policies for each of the different security systems for situations where logging or other access controls are suspected of failing. These situations must be reported to the appropriate and responsible party without delay.

The process must take into account at least the security systems relevant to the organisation's digital security (e.g firewalls, IDS / IPS, anti-malware, access control).

Clock synchronization
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
7
requirements

Examples of other requirements this task affects

12.4.4: Clock synchronisation
ISO 27001
8.17: Clock synchronization
ISO 27001
PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy.
CyberFundamentals
2.3.9: Synchronize time across devices and use trusted time sources
NSM ICT-SP
3.2.6: Prevent manipulation of monitoring-data
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Clock synchronization
1. Task description

Synchronizing clocks between different systems allows for good interoperability, as well as easier tracking of problem situations and perception of event flows.

An organization must use a reliable source to adjust and synchronize time, at least for systems that are critical to its operations. When suitable organization should use two sources.

Management process for preventing log editing
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Management process for preventing log editing
1. Task description

The organization has to technically make sure that logs are in read-only state for all users who have write-privileges - including admin rights.

Removing logging or editing them can only be possible through carefully considered policies, which ensure segregation of duties, and when needed, break glass style emergency measures.

When implementing a management process, the organization should consider a centralized log management system and SIEM-integration for real time monitoring.

Lokitietojen suojaaminen (ST III-II)
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
0
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Lokitietojen suojaaminen (ST III-II)
1. Task description

Lokeja suojataan luvattomilta muutoksilta ja häiriöiltä (esim. tietojen muokkaaminen tai säilytyskapasiteetin ylittyminen) mm. seuraavin toimintatavoin:

  • Keskeiset tallenteet säilytetään vähintään 2-5 vuotta, ellei lainsäädäntö tai sopimukset edellytä pitempää säilytysaikaa.
  • Lokitiedot varmuuskopioidaan säännöllisesti.
  • Samalla turvallisuusalueella olevien olennaisten tietojenkäsittelyjärjestelmien kellot on synkronoitu sovitun ajanlähteen kanssa.
  • Syntyneiden lokitietojen käytöstä ja käsittelystä muodostuu merkinnät.
Protecting log information
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
13
requirements

Examples of other requirements this task affects

12.4.2: Protection of log information
ISO 27001
6.6.1: Tietoturvan ja tietosuojan seuranta ja valvonta
Omavalvontasuunnitelma
TEK-12: Turvallisuuteen liittyvien tapahtumien jäljitettävyys
Julkri
8.15: Logging
ISO 27001
3.2.1: Determine a strategy and guidelines for security monitoring
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Protecting log information
1. Task description

The logs are protected from unauthorized changes to the data and from malfunctions, which are e.g.:

  • changes to the message types that can be saved
  • editing or deleting log information
  • exceeding log storage capacity, which can result in transactions being overwritten or not logged
Data system log review
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
30
requirements

Examples of other requirements this task affects

12.4.1: Event logging
ISO 27001
12.4.3: Administrator and operator logs
ISO 27001
I10: Turvallisuuteen liittyvien tapahtumien jäljitettävyys
Katakri
PR.PT-1: Audit/log records
NIST
DE.CM-7: Monitoring for unauthorized activity
NIST
See all related requirements and other information from tasks own page.
Go to >
Data system log review
1. Task description

The organization must be aware of the logs that accrue from the use of different data systems, whether generating the logs is the responsibility of the organization or the system provider. Logs record user actions as well as anomalies, errors, and security incidents.

The adequacy of log should be reviewed regularly. If necessary, log should be usable to determine the root causes for system incidents.

Definition and monitoring of alarm policies
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
25
requirements

Examples of other requirements this task affects

12.4.1: Event logging
ISO 27001
16.1.7: Collection of evidence
ISO 27001
PR.DS-4: Availability
NIST
DE.AE-5: Incident alert thresholds
NIST
RS.AN-1: Notifications from detection systems
NIST
See all related requirements and other information from tasks own page.
Go to >
Definition and monitoring of alarm policies
1. Task description

Often, security tools provide a way to set alert policies when something potentially dangerous happens in an organization's environment. For example, Microsoft 365 has built-in alert policies to alert you to abuse of administrator privileges, malware, potential internal and external risks, and data security risks.

The organization must identify security-related events in data systems and the environments in which they operate. To respond to changes related to these events, alarm policies must be created.

Alarm policies need to be actively monitored and modified based on experience.

Deployment and regular analysis of security system logs
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
26
requirements

Examples of other requirements this task affects

9.1.2: Access to networks and network services
ISO 27001
12.4.1: Event logging
ISO 27001
PR.PT-1: Audit/log records
NIST
RS.AN-1: Notifications from detection systems
NIST
8.15: Logging
ISO 27001
See all related requirements and other information from tasks own page.
Go to >
Deployment and regular analysis of security system logs
1. Task description

Security systems (e.g. firewall, malware protection) often have the ability to record a log of events. At regular intervals, make sure that a comprehensive log is accumulated and try to identify suspicious activity. The log is also useful in investigating disturbances or violations.

Review process for event logs
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
1
requirements

Examples of other requirements this task affects

5.2.4: Log management and analysis
TISAX
See all related requirements and other information from tasks own page.
Go to >
Review process for event logs
1. Task description

The organization must have a procedure for reviewing event logs for rule violations and other noticeable problems with in compliance with legal and organizational provisions.

The organization should also protect the integrity of the event logs (e.g. by separate environment).

Implement SIEM as part of the ICT system
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Implement SIEM as part of the ICT system
1. Task description

Organization should use tools that support both manual and automated searches, including criteria-based searches. The tool should be able to automatically collate data from different sources to more easily determine whether an incident is genuine, as well as its scope and nature.


These operations and processes can be implemented with SIEM (Security information and event management). SIEM solutions use analytics tools, technology and algorithms (e.g., newer SIEM solutions employ applied machine learning) to help detect unknown threats and abnormalities in the security-relevant data. Also SIEM solutions allow organizations to modify already existing (which usually come pre-configured) and add criteria-based alerts to match known threats. These things will help detect threats earlier.

Implement standardized log format
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
1
requirements

Examples of other requirements this task affects

3.2.5: Verify that the monitoring is working as intended
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Implement standardized log format
1. Task description

Use a standardized log format. This simplifies integration between logs and third-party log analysis tools, making it easier and, in some cases, even possible.

Logging and review of admin and security logs
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
2
requirements

Examples of other requirements this task affects

3.2.4: Decide which data is security-relevant and should be collected
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Logging and review of admin and security logs
1. Task description

The organization must log admin and security logs from used devices and services.

These logs record actions taken by system administrators and privileged users. They help monitor changes to system configurations, user access rights, and other critical settings. By keeping these logs, an organization can audit administrative activities and ensure accountability.

Security logs capture events related to the security of systems and data. This includes login attempts, firewall activities, intrusion detection system alerts, and antivirus actions. Monitoring these logs helps identify suspicious activities that could indicate a security breach or an internal threat.

Ensuring collected data relevance
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Ensuring collected data relevance
1. Task description

Continually assess whether the collected data, both security-relevant monitoring data and obtained threat information from relevant sources, is sufficiently relevant and detailed.

Only relevant monitoring data should be collected and preserved, and if necessary, reconfigure the monitoring in line with the strategy. All collected data which no longer has operational or security relevance should be removed.

Determine a strategy and guidelines for security monitoring
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
2
requirements

Examples of other requirements this task affects

3.2.1: Determine a strategy and guidelines for security monitoring
NSM ICT-SP
3.2.2: Comply with laws, regulations and the organisation’s guidelines on security monitoring
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Determine a strategy and guidelines for security monitoring
1. Task description

Organisation must identify which laws and regulations it needs comply with. Based on these laws and regulations, the organisation determines a strategy and guidelines for data logging and analysis.


The following things should be described in the strategy and guidelines:

  • Purpose and usage of collected data
  • Which data to collect
  • How the data is stored
  • Retention period for collected data
  • Informing relevant stakeholders data-related requirements mandated by laws and regulations.
Determine a strategy and guidelines for security monitoring
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Determine a strategy and guidelines for security monitoring
1. Task description

Organisation must identify which laws and regulations it needs comply with. Based on these laws and regulations, the organisation determines a strategy and guidelines for data logging and analysis.


The following things should be described in the strategy and guidelines:

  • Purpose and usage of collected data
  • Which data to collect
  • How the data is stored
  • Retention period for collected data
  • Informing relevant stakeholders data-related requirements mandated by laws and regulations.
Implement SIEM as part of the ICT system
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Implement SIEM as part of the ICT system
1. Task description

Organization should use tools that support both manual and automated searches, including criteria-based searches. The tool should be able to automatically collate data from different sources to more easily determine whether an incident is genuine, as well as its scope and nature.


These operations and processes can be implemented with SIEM (Security information and event management). SIEM solutions use analytics tools, technology and algorithms (e.g., newer SIEM solutions employ applied machine learning) to help detect unknown threats and abnormalities in the security-relevant data. Also SIEM solutions allow organizations to modify already existing (which usually come pre-configured) and add criteria-based alerts to match known threats. These things will help detect threats earlier.

Implement SIEM as part of the ICT system
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
7
requirements

Examples of other requirements this task affects

3.3.1: Create a plan for analysing data from security monitoring
NSM ICT-SP
3.3.3: Select tools that support manual and automated searches including criteria based alerts
NSM ICT-SP
3.3.7: Use analytics tools, technology and algorithms
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Implement SIEM as part of the ICT system
1. Task description

Organization should use tools that support both manual and automated searches, including criteria-based searches. The tool should be able to automatically collate data from different sources to more easily determine whether an incident is genuine, as well as its scope and nature.


These operations and processes can be implemented with SIEM (Security information and event management). SIEM solutions use analytics tools, technology and algorithms (e.g., newer SIEM solutions employ applied machine learning) to help detect unknown threats and abnormalities in the security-relevant data. Also SIEM solutions allow organizations to modify already existing (which usually come pre-configured) and add criteria-based alerts to match known threats. These things will help detect threats earlier.

Ensuring collected data relevance
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
2
requirements

Examples of other requirements this task affects

3.2.7: Review the security relevant monitoring-data regularly and, if necessary, reconfigure the monitoring
NSM ICT-SP
3.3.5: Continually assess whether the collected data is sufficiently relevant and detailed
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Ensuring collected data relevance
1. Task description

Continually assess whether the collected data, both security-relevant monitoring data and obtained threat information from relevant sources, is sufficiently relevant and detailed.

Only relevant monitoring data should be collected and preserved, and if necessary, reconfigure the monitoring in line with the strategy. All collected data which no longer has operational or security relevance should be removed.

Process for addressing unauthorized assets
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Process for addressing unauthorized assets
1. Task description

The organization employs process for addressing unauthorized assets, utilizes automated tools for asset discovery, conducts weekly reviews to identify discrepancies, implements access denial measures for unauthorized assets, and maintains clear protocols for asset removal, with all actions being logged and documented.

Process for using a dynamic host configuration protocol (DHCP) logging to update enterprise asset inventory
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Process for using a dynamic host configuration protocol (DHCP) logging to update enterprise asset inventory
1. Task description

The organization shall use DHCP logging:

  • to update its enterprise asset inventory by enabling logging on all DHCP servers
  • integrating logs with the asset inventory system
  • conducting weekly reviews to identify new devices
  • setting up automated alerts for unrecognized devices
  • retain and analyze historical logs for trends
  • perform compliance checks to detect anomalies
Make use of automated software inventory tools
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Make use of automated software inventory tools
1. Task description

The organization utilizes automated software inventory tools that are deployed across the enterprise to continuously monitor and document installed software.

The organization generates regular reports and alerts enforcing compliance through automated checks to ensure only authorized software is installed.

Process for automating session locking on enterprise assets
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Process for automating session locking on enterprise assets
1. Task description

The organization automates session locking on enterprise assets by configuring general-purpose operating systems to lock after 15 minutes of inactivity and mobile devices after 2 minutes.

Organization utilizes centralized policy management tools to enforce these settings and educates users on the importance of locking sessions.

Process for securing enterprise assets and software
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Process for securing enterprise assets and software
1. Task description

The organization secures enterprise assets and software by utilizing Infrastructure-as-Code (IaC) for consistent configuration management

Organization employs secure network protocols like SSH and HTTPS for administrative access, and avoids insecure management protocols and augmenting them with additional security when necessary

Establishing and maintaining a service account inventory
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Establishing and maintaining a service account inventory
1. Task description

The organization adapts asset inventory documentation practices to include pertinent details such as the department owner, review date, and account purpose.

The organization conducts regular reviews of data system access rights and validates that all active service accounts are authorized. An owner is assigned for each service account, drawing from the practice of listing data system owners, who are tasked with completing the necessary documentation and security actions.

Establishing and maintaining an audit log management process
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Establishing and maintaining an audit log management process
1. Task description

The organization has developed a detailed process for audit log management, specifying logging requirements, collection, review, and retention procedures.

Organization ensures compliance with standards, conducts annual reviews and updates, and continuously monitors these processes for adherence and issue resolution.

Collecting command-line audit logs
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Collecting command-line audit logs
1. Task description

The organization implements a comprehensive system for collecting and securely storing command-line audit logs from interfaces like PowerShell® and BASHTM, and integrated remote terminal logging, and established regular reviews to monitor user activities and identify potential anomalies.

Collecting detailed audit logs
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Collecting detailed audit logs
1. Task description

The organization implements comprehensive audit logging for sensitive data assets, capturing detailed event information, configuring systems for log richness, regularly updating logging configurations, and ensuring secure storage of audit logs for robust security oversight and analysis.

Collecting DNS query audit logs
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Collecting DNS query audit logs
1. Task description

The organization enables detailed audit logging for sensitive data assets, capturing comprehensive forensic details, optimizing configurations for thoroughness, securely storing logs centrally, and regularly reviewing practices to align with evolving security and investigative needs.

Collecting URL request audit logs on enterprise assets
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Collecting URL request audit logs on enterprise assets
1. Task description

The organization equips systems with up-to-date logging software to capture URL requests, defines criteria for logging based on risk and regulations, routinely reviews logs for anomalies, enforces access controls and integrates logging with SIEM systems to boost threat detection and incident response.

Retaining audit logs
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Retaining audit logs
1. Task description

The organization implements a centralized log management system to

  • aggregate and retain logs for at least 90 days
  • establishes a formal log retention policy communicated across all departments
  • automate the archival of logs post-retention period
  • conduct regular compliance audits to ensure adherence to the policy
Collecting service provider logs
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Collecting service provider logs
1. Task description

The organization establishes integrations with service provider platforms to automate the collection of logs related to key events like authentication and user management, uses automated processes to routinely gather these logs and configures filters to capture relevant data.

Ensuring use of fully supported browsers and email clients
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Ensuring use of fully supported browsers and email clients
1. Task description

The organization establishes a whitelist for approved browsers and email clients, utilizing automated version control and regular compliance checks to ensure up-to-date, authorized software use and implements centralized IT management to restrict installations.

Disabling autorun and autoplay for removable media
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Disabling autorun and autoplay for removable media
1. Task description

The organization configures group policies to disable autorun and autoplay across all systems, employs endpoint protection software for additional control, provides user training on safe media practices, and establishes a formal policy outlining media use rules.

Establishing and maintaining an isolated instance of recovery data
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Establishing and maintaining an isolated instance of recovery data
1. Task description

The organization enhances backup security by implementing offline storage solutions, deploying cloud-based isolated backup environments, utilizing off-site facilities, and maintaining a version-controlled backup process. Regular audits ensure backup integrity, while a dedicated network for backup operations minimizes threats and secures data transmission and storage.

Secure remote access integration
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Secure remote access integration
1. Task description

The organization enforces a VPN authentication policy requiring all users to authenticate before accessing corporate resources, integrates multi-factor authentication (MFA), deploys client certificates for enhanced security and regularly updates VPN software.

Deploying a host-based intrusion detection solution
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
2
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Deploying a host-based intrusion detection solution
1. Task description

The organization fortifies security by choosing a compatible host-based intrusion detection system (HIDS), configured for comprehensive monitoring and alerting, with regularly updated signatures and rules. The HIDS is deployed on critical assets, periodically reviewed and tuned for accuracy, and integrated with centralized logging and management systems for efficient incident analysis and response.

Deploying a host-based intrusion prevention solution
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Deploying a host-based intrusion prevention solution
1. Task description

The organization enhances security by selecting and implementing a suitable host-based IPS or EDR solution, deploying it on critical assets, and ensuring regular updates for threat signatures and rules.

Application security components of leveraging vetted modules or services
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Application security components of leveraging vetted modules or services
1. Task description

The organization adopts trusted security libraries, utilize platform-provided features, implement standardized encryption, leverage OS audit logging, integrate IAM services, regularly update security components, and train developers on best practices to ensure robust application security.

Information sharing related to network and data systems usage anomalies
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
1
requirements

Examples of other requirements this task affects

8.16: Monitoring activities
ISO 27001
See all related requirements and other information from tasks own page.
Go to >
Information sharing related to network and data systems usage anomalies
1. Task description

Anomalies must be reported to the relevant parties in order to develop the following activities:

  • auditing
  • security assessment
  • identification and monitoring of technical vulnerabilities
Monitoring the use of the network and information systems to identify anomalies
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
18
requirements

Examples of other requirements this task affects

8.16: Monitoring activities
ISO 27001
6.11: Alusta- ja verkkopalvelujen tietoturvallinen käyttö tietosuojan ja varautumisen kannalta
Tietoturvasuunnitelma
I-11: MONITASOINEN SUOJAAMINEN – POIKKEAMIEN HAVAINNOINTIKYKY JA TOIPUMINEN
Katakri 2020
5.2.3: Malware protection
TISAX
PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy.
CyberFundamentals
See all related requirements and other information from tasks own page.
Go to >
Monitoring the use of the network and information systems to identify anomalies
1. Task description

Organization's data systems and network must be monitored to detect abnormal use. When anomalities are detected, the organization must take the necessary measures to assess the possibility of security incident.

The monitoring should utilize tools that enable real-time or regular monitoring, taking into account the organization's requirements. Monitoring practices should be able to manage large amounts of data, adapt to changing threat environment, and send alerts immediately when necessary.

Inclusion of the following sources in the monitoring system should be considered:

  • outbound and inbound network and data system traffic

    li>

  • access to critical data systems, servers, network devices and the monitoring system itself
  • critical system and network configuration files
  • logs from security tools (e.g. antivirus, IDS, IPS, network filters, firewalls)

Organization must also establish procedures for identifying and correcting "false positive" results, including tuning monitoring software for more accurate anomaly detection.

Vulnerability monitoring in used third-party or open source libraries
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
5
requirements

Examples of other requirements this task affects

8.28: Secure coding
ISO 27001
ID.RA-1: Asset vulnerabilities are identified and documented.
CyberFundamentals
See all related requirements and other information from tasks own page.
Go to >
Vulnerability monitoring in used third-party or open source libraries
1. Task description

Vulnerabilities in third-party or open source libraries must be monitored, scanned, and reported in the same style as other vulnerabilities.

The organization must define policies to identify required updates in applications that use external libraries. Surveillance scans can be automated with specialized tools.

It also makes sense for an organization to monitor overall communication about vulnerabilities.

Process for identifying and responding to system log faults
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
2
requirements

Examples of other requirements this task affects

PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity.
CyberFundamentals
See all related requirements and other information from tasks own page.
Go to >
Process for identifying and responding to system log faults
1. Task description

The organization must have pre-planned, clear policies for situations where logging or other access controls are suspected of failing. These situations should be reported to the appropriate authority without delay.

Different types of situations should have their own policies. Monitoring errors can be caused by software errors, log saving errors, log backup errors, or memory overflows.

Monitoring management of encryption and encryption keys
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
4
requirements

Examples of other requirements this task affects

10: Cryptography
ISO 27017
10.1: Cryptographic controls
ISO 27017
10.1.2: Key management
ISO 27017
See all related requirements and other information from tasks own page.
Go to >
Monitoring management of encryption and encryption keys
1. Task description

The organization must have the ability to monitor and report on actions related to encryption and encryption key management.

When abnormal activity is detected it must be handled in accordance with incident management processes.

Access management for files stored in the cloud
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
3
requirements

Examples of other requirements this task affects

9.4.1: Information access restriction
ISO 27001
12.4.1: Event logging
ISO 27001
8.3: Information access restriction
ISO 27001
See all related requirements and other information from tasks own page.
Go to >
Access management for files stored in the cloud
1. Task description

By monitoring the amount of information shared in cloud services, efforts can be made to identify risks that could lead to unauthorized disclosure of information. With respect to files one may e.g. monitor:

  • Which employees share the most files in the cloud services?
  • How often DLP policies have issued alerts?
  • How often the warnings issued by DLP policies are ignored?
  • How much important information is in other cloud services - beyond the reach of DLP control?
Automatic log data analyzation
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
29
requirements

Examples of other requirements this task affects

12.4.1: Event logging
ISO 27001
6.6.1: Tietoturvan ja tietosuojan seuranta ja valvonta
Omavalvontasuunnitelma
DE.CM-3: Personnel activity
NIST
TEK-13.1: Poikkeamien havainnointikyky ja toipuminen - poikkeamien havainnointi lokitiedoista
Julkri
8.15: Logging
ISO 27001
See all related requirements and other information from tasks own page.
Go to >
Automatic log data analyzation
1. Task description

System logs often contain a wealth of information, much of which is irrelevant to security monitoring. In order to identify events relevant to security monitoring, consideration should be given to automatically copying appropriate message types to another log or to using appropriate utilities or audit tools to review and resolve files.

Evaluating the efficiency, viability and needs for security systems
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
4
requirements

Examples of other requirements this task affects

12.1.2: Change management
ISO 27001
CC6.8: Detection and prevention of unauthorized or malicious software
SOC 2
DE.DP-5: Detection processes are continuously improved.
CyberFundamentals
3.3.1: Create a plan for analysing data from security monitoring
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Evaluating the efficiency, viability and needs for security systems
1. Task description

Security systems are the data systems that are in place to protect the information we have, not so much to process it.

We regularly evaluate the operation of different security systems and the need for new systems.

Training own IT-personnel for security system usage
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
1
requirements

Examples of other requirements this task affects

7.2.2: Information security awareness, education and training
ISO 27001
See all related requirements and other information from tasks own page.
Go to >
Training own IT-personnel for security system usage
1. Task description

The necessary personnel are regularly trained in the use of selected security systems.

Archiving and signing logs at regular intervals
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
1
requirements

Examples of other requirements this task affects

3.2.6: Prevent manipulation of monitoring-data
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Archiving and signing logs at regular intervals
1. Task description

Archive and sign logs digitally at regular intervals to ensure log integrity.

Collection of logs from all assets
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Security systems and logging
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Collection of logs from all assets
1. Task description

The organization should collect logs from all of it's assets. The collection should be done according to organization's log management process.

Universal cyber compliance language model: Comply with confidence and least effort

In Cyberday, all frameworks’ requirements are mapped into universal tasks, so you achieve multi-framework compliance effortlessly.

Security frameworks tend to share the common core. All frameworks cover basic topics like risk management, backup, malware, personnel awareness or access management in their respective sections.
Cyberday’s universal cyber security language technology creates you a single security plan and ensures you implement the common parts of frameworks just once. You focus on implementing your plan, we automate the compliance part - for current and upcoming frameworks.
Start your free trial
Get to know Cyberday
Start your free trial
Cyberday is your all-in-one solution for building a secure and compliant organization. Whether you're setting up a cyber security plan, evaluating policies, implementing tasks, or generating automated reports, Cyberday simplifies the entire process.
With AI-driven insights and a user-friendly interface, it's easier than ever to stay ahead of compliance requirements and focus on continuous improvement.
Clear framework compliance plans
Activate relevant frameworks and turn them into actionable policies tailored to your needs.
Credible reports to proof your compliance
Use guided tasks to ensure secure implementations and create professional reports with just a few clicks.
AI-powered improvement suggestions
Focus on the most impactful improvements in your compliance with help from Cyberday AI.