Audit/log records are determined, documented, implemented, and reviewed in accordance with policy.

The organization conducts internal audits in accordance with its internal audit procedure. The aim is to check:

• whether the information security management system complies with the organisation's cyber security requirements
• whether the information security management system complies with other operational security requirements or standards complied with
• whether the information security management system is implemented effectively

Documented information on the execution and results of audits must be kept.

The development of system logs must keep pace with the development of the system and enable, for example, the necessary resolution of incidents. In connection with the data system list, we describe for which systems we are responsible for the implementation of the logging. For these systems, we document:

• which data is saved on the log
• how long log data is retained

The Authority must ensure that the necessary logs are kept of the use of its information systems and of the disclosure of information from them, if the use of the information system requires identification or other log-in. The purpose of log data is to monitor the use and disclosure of data contained in information systems and to detect technical errors in the information system.

In Cyberday, the owner of the information system may be responsible for controlling the collection of log data from the information system. The organisation documents the content of the logs in more detail for those information systems for which it is responsible for technical maintenance. For other information systems, the owner, in cooperation with the system vendor, checks that the necessary logs are collected.

The organization has established a procedure for conducting internal audits. The procedure shall describe at least:

• how often audits are carried out
• who may carry out the audits (including audit criteria)
• how the actual audit is carried out
• how audit results are documented and to whom the results are reported
• results should be reported to a competent authority if it's law regulated

Security systems (e.g. firewall, malware protection) often have the ability to record a log of events. At regular intervals, make sure that a comprehensive log is accumulated and try to identify suspicious activity. The log is also useful in investigating disturbances or violations.

The organization must be aware of the logs that accrue from the use of different data systems, whether generating the logs is the responsibility of the organization or the system provider. Logs record user actions as well as anomalies, errors, and security incidents.

The adequacy of log should be reviewed regularly. If necessary, log should be usable to determine the root causes for system incidents.

Synchronizing clocks between different systems allows for good interoperability, as well as easier tracking of problem situations and perception of event flows.

An organization must use a reliable source to adjust and synchronize time, at least for systems that are critical to its operations. When suitable organization should use two sources.

Organization's data systems and network must be monitored to detect abnormal use. When anomalities are detected, the organization must take the necessary measures to assess the possibility of security incident.

The monitoring should utilize tools that enable real-time or regular monitoring, taking into account the organization's requirements. Monitoring practices should be able to manage large amounts of data, adapt to changing threat environment, and send alerts immediately when necessary.

Inclusion of the following sources in the monitoring system should be considered:

• outbound and inbound network and data system traffic

  li>

• access to critical data systems, servers, network devices and the monitoring system itself
• critical system and network configuration files
• logs from security tools (e.g. antivirus, IDS, IPS, network filters, firewalls)

Organization must also establish procedures for identifying and correcting "false positive" results, including tuning monitoring software for more accurate anomaly detection.