Log all activities, results and relevant decisions

Organization must create processes that identify, collect and store relevant evidence information related to information security incidents. The evidence may need to have been collected in a way that can be accepted in relevant courts or other similar disciplinary bodies.

Regarding the evidence material, it should be possible to demonstrate e.g.:

• the records are complete and not altered in any way
• copies of electronic evidence are likely to be identical to the originals
• the data system from which the evidence was collected was functioning properly at the time of collection

Certification or other assurances of the competency of related personnel and tools may additionally be considered to establish more evidentiary value.

The organization should establish clear processes for building a timeline whenever an incident occurs. This timeline should include both the organization's actions and the threat actor's activities. The timeline should encompass:

• When and how the initial breach occurred
• The threat actor's movements within the ICT system (e.g., possible privilege escalation)
• Key decisions made by the organization during the response phase
• Communication between relevant parties

This aids the organization in understanding the full scope of the incident and improving responses in future events.

The organization should have a clear process for enriching incident information to ensure an effective response. This process should include continuously updating event data, monitoring situational awareness, and collecting information from multiple sources. Enriching incident information should help the organization manage incidents more effectively.

Organization's data systems and network must be monitored to detect abnormal use. When anomalities are detected, the organization must take the necessary measures to assess the possibility of security incident.

The monitoring should utilize tools that enable real-time or regular monitoring, taking into account the organization's requirements. Monitoring practices should be able to manage large amounts of data, adapt to changing threat environment, and send alerts immediately when necessary.

Inclusion of the following sources in the monitoring system should be considered:

• outbound and inbound network and data system traffic

  li>

• access to critical data systems, servers, network devices and the monitoring system itself
• critical system and network configuration files
• logs from security tools (e.g. antivirus, IDS, IPS, network filters, firewalls)

Organization must also establish procedures for identifying and correcting "false positive" results, including tuning monitoring software for more accurate anomaly detection.