Determine a strategy and guidelines for security monitoring

The organization conducts internal audits in accordance with its internal audit procedure. The aim is to check:

• whether the information security management system complies with the organisation's cyber security requirements
• whether the information security management system complies with other operational security requirements or standards complied with
• whether the information security management system is implemented effectively

Documented information on the execution and results of audits must be kept.

Organisation must identify which laws and regulations it needs comply with. Based on these laws and regulations, the organisation determines a strategy and guidelines for data logging and analysis.

The following things should be described in the strategy and guidelines:

• Purpose and usage of collected data
• Which data to collect
• How the data is stored
• Retention period for collected data
• Informing relevant stakeholders data-related requirements mandated by laws and regulations.

The operation of information systems may depend on certain key resources, such as server capacity, file storage capacity, data processing capacity, monitoring capacity or certain key persons.

In particular, some of these resources may have long delivery times or high costs in certain situations, in which case special attention must be paid to future capacity problems with them.

We monitor the use of key system resources and identify trends, potential security bottlenecks and dependencies on important people.

The logs are protected from unauthorized changes to the data and from malfunctions, which are e.g.:

• changes to the message types that can be saved
• editing or deleting log information
• exceeding log storage capacity, which can result in transactions being overwritten or not logged

Organization must document the retention periods for data sets and their possible archiving process (including archiving method, location or destruction). At the end of the retention period, the data must be archived or destroyed without delay in a secure manner.

When destroying data contained in data systems, the following points should be taken into account:

• suitable method of destruction (e.g. overwriting, cryptographic erasure ) is chosen taking into account the functional and statutory requirements
• the need to preserve evidence of data destruction is discussed
• when using third parties for data destruction, the requirement of evidence and the inclusion of destruction requirements in supplier contracts are discussed

The process of archiving or destroying data is defined in connection with the documentation, and the owner of the data is responsible for its implementation.

System logs often contain a wealth of information, much of which is irrelevant to security monitoring. In order to identify events relevant to security monitoring, consideration should be given to automatically copying appropriate message types to another log or to using appropriate utilities or audit tools to review and resolve files.