Monitoring personnel activity and technology usage

A process for reporting incidents is maintained to help staff report incidents efficiently and consistently.

Things to report as an incident include e.g.:

• unauthorized access to data / premises
• action against security guidelines
• suspected security issue (e.g. phishing, malware infection)
• data system outage
• accidental or intentional destruction / alteration of data
• lost or stolen device
• compromised password
• lost physical identifier (e.g. keychain, smart card, smart sticker)
• suspected security weakness (e.g. on utilized data system or other procedures)

The personnel guidelines emphasize the obligation to report security incidents as soon as possible in accordance with the agreed process. The instructions also describe other operations in the event of an incident (e.g. recording seen error messages and other details).

Security systems (e.g. firewall, malware protection) often have the ability to record a log of events. At regular intervals, make sure that a comprehensive log is accumulated and try to identify suspicious activity. The log is also useful in investigating disturbances or violations.

The organization shall determine what security events it monitors and in what ways.

Security events should be monitored from a variety of sources to identify important potential incidents that require a response. Information can be obtained e.g. directly from the management system, external partners, or logs generated by the organization’s equipment.

Examples of security incidents that can be monitored include:

1. Slow server performance
2. Recurring login errors
3. Unknown login attempts
4. Abnormal network traffic
5. Out of storage
6. Changes in code projects
7. Configuration changes in the firewall
8. Access changes to critical systems / servers / databases
9. Large database downloads
10. Unauthorized software installations on endpoint devices
11. Traffic from IP addresses known to be malicious

The DLP system aims to prevent the loss or leakage of sensitive data. The system can be used to prevent unwanted actions by monitoring, detecting and preventing the processing of sensitive data without meeting the desired conditions. Blocking can be done during use (in-use, terminal operations), in motion (in-transit, network traffic) or in storage locations (at-rest).

System logs often contain a wealth of information, much of which is irrelevant to security monitoring. In order to identify events relevant to security monitoring, consideration should be given to automatically copying appropriate message types to another log or to using appropriate utilities or audit tools to review and resolve files.