All security incidents are addressed in a consistent manner to improve security based on what has happened.
In the incident handling process:
A process for reporting incidents is maintained to help staff report incidents efficiently and consistently.
Things to report as an incident include, for example:
The personnel guidelines emphasize the obligation to report security incidents as soon as possible in accordance with the agreed process. The instructions also describe what else to do in the event of an incident (e.g. recording any error messages seen and other relevant details).
Detection processes and procedures are maintained and tested to ensure awareness of anomalous events. Detection activities must comply with all relevant requirements.
The organization shall determine what security events it monitors and in what ways.
Security events should be monitored from a variety of sources to identify important potential incidents that require a response. Information can be obtained e.g. directly from the management system, external partners, or logs generated by the organization’s equipment.
Examples of security incidents that can be monitored include:
An appropriate log is generated from the use of the network to enable the detection of actions relevant to cyber security.
The normal state of network traffic (traffic volumes, protocols, and connections) is known. To detect anomalies, there is a procedure for identifying events that deviate from this normal state (for example, anomalous connections or connection attempts).
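To make the last two points concrete, the following is an added example (written for this page, not the organization's or any product's own tooling) of how a known traffic baseline can be compared against current flow records to surface deviations. The flow records are constructed sample data; the field layout (source, destination, protocol, destination port, bytes) and the volume threshold factor are assumptions chosen for illustration.

```python
"""Added example: baseline network flows and flag deviations from them.

Illustrative code for this page, not an organization's or vendor's tooling.
The flow records below are constructed sample data; the record layout and
the volume threshold are assumptions.
"""
from collections import defaultdict

# Constructed baseline: summarised flow records from a "known normal" period.
# Layout: (src_ip, dst_ip, protocol, dst_port, bytes_transferred)
BASELINE_FLOWS = [
    ("10.0.1.12", "10.0.2.5", "tcp", 443, 120_000),
    ("10.0.1.12", "10.0.2.5", "tcp", 443, 98_000),
    ("10.0.1.13", "10.0.2.5", "tcp", 443, 110_000),
    ("10.0.1.12", "10.0.2.9", "udp", 53, 2_000),
    ("10.0.1.13", "10.0.2.9", "udp", 53, 1_800),
    ("10.0.1.20", "10.0.2.7", "tcp", 22, 40_000),
]

# Constructed current observations to be checked against the baseline.
CURRENT_FLOWS = [
    ("10.0.1.12", "10.0.2.5", "tcp", 443, 105_000),   # within normal
    ("10.0.1.12", "10.0.2.9", "udp", 53, 2_100),      # within normal
    ("10.0.1.12", "10.0.2.9", "udp", 53, 25_000),     # DNS volume far above baseline
    ("10.0.1.13", "203.0.113.8", "tcp", 4444, 512),   # host never seen in baseline
    ("10.0.1.20", "10.0.2.7", "tcp", 22, 41_000),     # within normal
]


def build_baseline(flows):
    """Summarise 'normal': the set of known (src, dst, proto, port) tuples,
    the set of destination hosts ever contacted, and the largest byte count
    observed per (proto, port) service."""
    known_tuples = set()
    known_hosts = set()
    max_bytes = defaultdict(int)
    for src, dst, proto, dport, nbytes in flows:
        known_tuples.add((src, dst, proto, dport))
        known_hosts.add(dst)
        max_bytes[(proto, dport)] = max(max_bytes[(proto, dport)], nbytes)
    return {
        "known_tuples": known_tuples,
        "known_hosts": known_hosts,
        "max_bytes": dict(max_bytes),
    }


def detect_anomalies(baseline, flows, volume_factor=5):
    """Return a list of (reason, flow) for flows that deviate from the baseline.

    volume_factor is an assumed threshold: a flow is flagged when it carries
    more than volume_factor times the largest byte count seen for that
    service during the baseline period.
    """
    findings = []
    for flow in flows:
        src, dst, proto, dport, nbytes = flow
        if (src, dst, proto, dport) not in baseline["known_tuples"]:
            if dst not in baseline["known_hosts"]:
                findings.append(("connection to never-seen host", flow))
            else:
                findings.append(("new connection to known host", flow))
            continue
        limit = baseline["max_bytes"].get((proto, dport), 0) * volume_factor
        if nbytes > limit:
            findings.append(("volume above baseline", flow))
    return findings


if __name__ == "__main__":
    profile = build_baseline(BASELINE_FLOWS)
    for reason, flow in detect_anomalies(profile, CURRENT_FLOWS):
        print(f"{reason}: {flow}")
```

In practice the baseline would be rebuilt periodically from the organization's own network logs, and each finding would be recorded and reported through the incident process described above so that it can be triaged consistently.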