Logging and detection

Centrally select and install malware detection and repair programs and update them regularly for preventive or regular scanning of computers and media.

Programs should check at least the following:

• files received over the network or storage media are scanned for malware before use
• email attachments and downloaded files are scanned for malware before use
• websites are scanned for malware

The development of system logs must keep pace with the development of the system and enable, for example, the necessary resolution of incidents. In connection with the data system list, we describe for which systems we are responsible for the implementation of the logging. For these systems, we document:

• which data is saved on the log
• how long log data is retained

Malware protection systems automatically check for and install updates at desired intervals and also run the desired scans at the selected frequency without needed user actions.

The organization must be aware of the logs that accrue from the use of different data systems, whether generating the logs is the responsibility of the organization or the system provider. Logs record user actions as well as anomalies, errors, and security incidents.

The adequacy of log should be reviewed regularly. If necessary, log should be usable to determine the root causes for system incidents.

The data systems (and their content) that support critical business processes are regularly reviewed to locate malware. All unauthorized files and changes will be formally investigated.

Often, security tools provide a way to set alert policies when something potentially dangerous happens in an organization's environment. For example, Microsoft 365 has built-in alert policies to alert you to abuse of administrator privileges, malware, potential internal and external risks, and data security risks.

The organization must identify security-related events in data systems and the environments in which they operate. To respond to changes related to these events, alarm policies must be created.

Alarm policies need to be actively monitored and modified based on experience.

The organization regularly trains staff on the use of utilized malware protection, reporting malware attacks, and recovering from malware attacks.

System logs often contain a wealth of information, much of which is irrelevant to security monitoring. In order to identify events relevant to security monitoring, consideration should be given to automatically copying appropriate message types to another log or to using appropriate utilities or audit tools to review and resolve files.