Definition and monitoring of alert policies


Security tools often provide a way to define alert policies that fire when something potentially dangerous happens in the organization's environment. For example, Microsoft 365 has built-in alert policies that notify you of abuse of administrator privileges, malware, potential internal and external risks, and data security risks.

The organization must identify the security-related events in its data systems and in the environments in which those systems operate, and create alert policies so that these events trigger a response.

Alert policies need to be actively monitored and adjusted based on experience, for example by tuning thresholds that produce too many false positives or that miss real incidents.
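The threshold-and-window logic behind an alert policy is easiest to see in code. The block below is an added example, not part of the original page or of any vendor's product. It defines three illustrative policies (the policy names, operation strings, thresholds, windows and severities are assumptions, loosely modelled on Microsoft 365 audit-log operation names) and runs them over a constructed audit-log sample. It shows the kind of alert threshold DE.AE-5 asks you to define: a single sensitive operation fires immediately, while a noisy operation only fires once one actor exceeds a count within a sliding time window, and the resulting severity is what a breach-response team would triage.

```python
"""Evaluate threshold-based alert policies over audit-log events (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AlertPolicy:
    name: str
    operation: str      # audited operation the policy watches
    threshold: int      # fire once an actor has this many matching events ...
    window: timedelta   # ... inside this sliding time window
    severity: str       # "low", "medium" or "high"; feeds the breach triage step


@dataclass
class Alert:
    policy: str
    actor: str
    severity: str
    count: int
    last_seen: datetime


# Illustrative policies (assumptions, not any vendor's defaults). Operation names
# are modelled on Microsoft 365 unified audit log operation strings.
POLICIES = [
    # One event is enough: privileged-role changes are always worth a look.
    AlertPolicy("Admin role assigned", "Add member to role.", 1, timedelta(0), "high"),
    AlertPolicy("Malware detected", "FileMalwareDetected", 1, timedelta(0), "high"),
    # Noisy operation: only alert on a burst from a single actor.
    AlertPolicy("Mass file deletion", "FileDeleted", 5, timedelta(minutes=10), "medium"),
]

# Constructed sample events (timestamp, actor, operation); not real tenant data.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "alice@example.test", "FileDeleted"),
    ("2024-05-01T09:01:00", "alice@example.test", "FileDeleted"),
    ("2024-05-01T09:01:30", "bob@example.test", "FileDeleted"),
    ("2024-05-01T09:02:00", "alice@example.test", "FileDeleted"),
    ("2024-05-01T09:03:00", "alice@example.test", "FileDeleted"),
    ("2024-05-01T09:04:00", "alice@example.test", "FileDeleted"),  # alice's 5th in 4 min
    ("2024-05-01T09:05:00", "alice@example.test", "FileDeleted"),
    ("2024-05-01T09:30:00", "bob@example.test", "FileDeleted"),
    ("2024-05-01T10:15:00", "bob@example.test", "FileDeleted"),
    ("2024-05-01T10:20:00", "carol@example.test", "Add member to role."),
    ("2024-05-01T11:00:00", "dave@example.test", "FileMalwareDetected"),
]


def evaluate(events, policies):
    """Return the alerts raised by `policies` over `events`.

    Events are processed in timestamp order so the sliding window is correct even
    if the log was delivered out of order. State is kept per (policy, actor);
    when a threshold is crossed the actor's window is cleared, so one burst
    raises one alert instead of one alert per additional event.
    """
    history = defaultdict(deque)  # (policy name, actor) -> timestamps in window
    alerts = []
    for ts_str, actor, operation in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_str)
        for policy in policies:
            if policy.operation != operation:
                continue
            seen = history[(policy.name, actor)]
            seen.append(ts)
            while ts - seen[0] > policy.window:  # drop events outside the window
                seen.popleft()
            if len(seen) >= policy.threshold:
                alerts.append(Alert(policy.name, actor, policy.severity, len(seen), ts))
                seen.clear()
    return alerts


def count_by_severity(alerts):
    """Summary useful when tuning thresholds: how much of each severity fires."""
    counts = defaultdict(int)
    for alert in alerts:
        counts[alert.severity] += 1
    return dict(counts)


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS, POLICIES)
    for alert in found:
        print(f"[{alert.severity:6}] {alert.policy}: {alert.actor} "
              f"({alert.count} event(s), last {alert.last_seen.isoformat()})")
    print(count_by_severity(found))
```

On the sample, alice's burst of deletions raises one medium alert, while bob's three deletions spread over an hour never cross the threshold; the two single-event policies fire for carol and dave. The severity summary is the kind of figure to review when monitoring the policies over time: if a medium policy fires constantly and never leads to an incident, its threshold or window needs adjusting.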

Connected other frameworks and requirements:
  • 12.4.1: Event logging (ISO 27001)
  • 16.1.7: Collection of evidence (ISO 27001)
  • PR.DS-4: Availability (NIST CSF)
  • DE.AE-5: Incident alert thresholds (NIST CSF)
  • RS.AN-1: Notifications from detection systems (NIST CSF)

Process for initiating data breach treatment


Our organization has pre-defined procedures through which a detected security breach is addressed. The process may include, for example, the following:

  • who is part of the team that is ready to respond to breaches
  • how, and over which channel, the whole team is immediately notified of the breach
  • how the team determines the severity (low, medium, high) of the breach based on predefined criteria
  • how breach handling is continued with a larger group according to the severity level

Connected other frameworks and requirements:
  • 24. Responsibility of the controller (GDPR)
  • 32. Security of processing (GDPR)
  • 16.1.5: Response to information security incidents (ISO 27001)
  • 16.1.7: Collection of evidence (ISO 27001)
  • 5.26: Response to information security incidents (ISO 27001)