Security monitoring policy
The information gathered during security monitoring must be used for its intended purpose. Any monitoring of user activities is subject to legal requirements that need to be observed, and the information generated, especially in raw form, will include personal data that needs to be correctly protected and handled.
For these reasons the security monitoring capabilities, their configuration, their use, the supporting business processes, management roles, responsibilities and procedures should be formalised into a security monitoring policy. Depending on the complexity of the organisation, the policy can apply to the entire organisation, or to specific business aspects within it.
The policy should establish:
- actions that need to be accounted for
- actions that would constitute suspicious activity
- what information will be collected to support the user scenarios
- how the information gathered will be used (and not used), to include both permitted and prohibited purposes
- who will access the information, and their responsibilities
- how the information will be protected, stored, retained and disposed of
- how notification of monitoring is achieved, and how user consent is obtained
Security monitoring processes
Security monitoring comprises two fundamental processes, collection and analysis. These feed directly into two follow-on processes that deal with incident management and reporting. The final process in the chain deals with information retention and archive.
Collection is defined as the process of collecting and recording security monitoring data that is triggered by events that have been identified as requiring security monitoring. Alerts are specific events where the analysis has been done in advance. This means their occurrence indicates the likelihood of an information security incident requiring investigation is high. There are two significant concepts associated with alerts:
- false positive - where an alert is raised and then found not to indicate an information security incident
- false negative - where an information security incident occurs that has failed to raise an expected alert
Too many false positives or false negatives can significantly affect the viability of the security monitoring service. Where this is the case, further analysis (see below) is required to minimise their occurrence.
Analysis is defined as the process of analysing the recorded security monitoring data and applying policy, compliance and business rules to highlight security incidents. The analysis can also provide input into a long-term reporting cycle over which trends are analysed and overall policy direction reviewed.
Incident management is defined as the process aimed at minimising the immediate and long-term business impact of incidents and to prevent re-occurrences. Due to the complexity of this process, it is covered separately under Security incident management.
Reporting is defined as the tangible output of the auditing and event data analysis. Although usually tailored for senior management roles, some reports can be generated for other roles and will contain specific information relevant to their job function.
Retention and archive
Retention concerns ensuring that security monitoring data is retained only for as long as it is required, and that it is disposed of securely after that time. Archive concerns the provision of long-term storage and protection of accounting information, either for retrospective analysis or for forensic purposes.