MONITASOINEN SUOJAAMINEN – POIKKEAMIEN HAVAINNOINTIKYKY JA TOIPUMINEN

Organization must describe the baseline of normal behaviour for the use of network and data systems, which is used as a starting point for identifying anomalies.

When defining the baseline, the following must be taken into account:

• monitoring the use of data systems during both normal and peak times
• usual times of use, places of use and frequency of use for each user and user group

Monitoring systems must be configured against the baseline to identify anomalous behavior such as:

• unplanned termination of systems or processes
• traffic related to malware or malicious IP addresses or domains
• known attack characteristics (e.g. denial of service or buffer overflow)
• unusual system use (e.g. keystroke logging)
• bottlenecks and overloads (e.g. network queues, latency levels)
• unauthorized access (actual or attempted) to systems or data
• unauthorized scanning of data systems and networks
• successful and failed attempts to access protected resources (e.g. DNS servers, web portals and file systems)
• unusual user and system behavior

• On olemassa menettely, jolla kerätyistä tallenteista ja tilannetiedosta (esimerkiksi muutokset lokikertymissä) pyritään havaitsemaan poikkeamia (erityisesti tietojärjestelmän luvaton käyttöyritys on kyettävä havaitsemaan).
• On olemassa menettely, jolla tietojenkäsittely-ympäristön kohteista (hosts, esimerkiksi työasemat ja palvelimet) voidaan havainnoida poikkeamia.
• On olemassa menettely havaituista poikkeamista toipumiseen.

The organization shall establish a incident response plan for security incidents to critical information systems. Response plans should also be tested by the necessary organizational elements. The plan should take into account at least:

• The purpose of the information system and the precautions to be taken in the event of its disruption
• Recovery plans, targets, and priorities for the order of recovery of assets
• The role of implementing the response plans and the contact details of the persons assigned to the roles
•  Continuation of normal operations regardless of the state of the information systems.
• Distribution, approval and review of response plans

In addition, the plan should at least:

• Establish a roadmap for developing disruption management capacity
• Describe the structure and organization of incident management capability
• Provides metrics to measure incident management capability

From the point of view of the information security management system, non-conformities are situations in which:

• the organisation's security requirements are not matched by the management system
• the procedures, tasks or guidelines defined in the management system are not complied with in the organisation's day-to-day operations

In systematic security work, all detected non-conformities must be documented. To treat the non-conformity, the organization must identify and implement improvements that correct it.

The organization has defined a process and the team involved in responding promptly to security incidents and deciding on the appropriate actions.

The first level response process includes at least:

• effectively seeking to confirm the identified incident
• deciding on the need for immediate response

An appropriate log is generated from the use of the network to enable the detection of actions relevant to cyber security.

The normal state of network traffic (traffic volumes, protocols, and connections) is known. In order to detect anomalies, there is a procedure for detecting events that are different from the normal state of network traffic (for example, anomalous connections or their attempts).

Organization's data systems and network must be monitored to detect abnormal use. When anomalities are detected, the organization must take the necessary measures to assess the possibility of security incident.

The monitoring should utilize tools that enable real-time or regular monitoring, taking into account the organization's requirements. Monitoring practices should be able to manage large amounts of data, adapt to changing threat environment, and send alerts immediately when necessary.

Inclusion of the following sources in the monitoring system should be considered:

• outbound and inbound network and data system traffic

  li>

• access to critical data systems, servers, network devices and the monitoring system itself
• critical system and network configuration files
• logs from security tools (e.g. antivirus, IDS, IPS, network filters, firewalls)

Organization must also establish procedures for identifying and correcting "false positive" results, including tuning monitoring software for more accurate anomaly detection.