Detect Cybersecurity Events

The organization shall ensure that clear persons are assigned to incident management responsibilities, e.g. handling the first response for incidents.

Incident management personnel need to be instructed and trained to understand the organization's priorities in dealing with security incidents.

The organization has defined a process and the team involved in responding promptly to security incidents and deciding on the appropriate actions.

The first level response process includes at least:

• effectively seeking to confirm the identified incident
• deciding on the need for immediate response

The organization shall determine what security events it monitors and in what ways.

Security events should be monitored from a variety of sources to identify important potential incidents that require a response. Information can be obtained e.g. directly from the management system, external partners, or logs generated by the organization’s equipment.

Examples of security incidents that can be monitored include:

1. Slow server performance
2. Recurring login errors
3. Unknown login attempts
4. Abnormal network traffic
5. Out of storage
6. Changes in code projects
7. Configuration changes in the firewall
8. Access changes to critical systems / servers / databases
9. Large database downloads
10. Unauthorized software installations on endpoint devices
11. Traffic from IP addresses known to be malicious