Security Monitoring: Policy and Process

Created:  13 Nov 2015
Updated:  08 Aug 2016
CESG Archive

Archive content originally produced by CESG that has not yet been absorbed into the new NCSC web pages.

Guidance on how security monitoring processes should be formalised into organisational policy.

Security monitoring policy

The information gathered during security monitoring must be used for its intended purpose. Any monitoring of user activities is subject to legal requirements that need to be observed, and the information generated, especially in raw form, will include personal data that needs to be correctly protected and handled.

For these reasons the security monitoring capabilities, their configuration, their use, the supporting business processes, management roles, responsibilities and procedures should be formalised into a security monitoring policy. Depending on the complexity of the organisation, the policy can apply to the entire organisation, or to specific business aspects within it.

The policy should establish:

  • what is being monitored and audited, in terms of user scenarios covering:
    • actions that need to be accounted for
    • actions that would constitute suspicious activity
  • what information will be collected to support the user scenarios
  • how the information gathered will be used (and not used), to include both permitted and prohibited purposes
  • who will access the information, and their responsibilities
  • how the information will be protected, stored, retained and disposed of
  • how notification of monitoring is achieved, and how user consent is obtained


Security monitoring processes

Security monitoring comprises two fundamental processes, collection and analysis. These feed directly into two follow-on processes that deal with incident management and reporting. The final process in the chain deals with information retention and archive.



Collection is defined as the process of collecting and recording security monitoring data that is triggered by events that have been identified as requiring security monitoring. Alerts are specific events where the analysis has been done in advance. This means their occurrence indicates the likelihood of an information security incident requiring investigation is high. There are two significant concepts associated with alerts:

  • false positive - where an alert is raised and then found not to indicate an information security incident
  • false negative - where an information security incident occurs that has failed to raise an expected alert

Too many false positives or false negatives can significantly affect the viability of the security monitoring service. Where this is the case, further analysis (see below) is required to minimise their occurrence.



Analysis is defined as the process of analysing the recorded security monitoring data and applying policy, compliance and business rules to highlight security incidents. The analysis can also provide input into a long-term reporting cycle over which trends are analysed and overall policy direction reviewed.


Incident management

Incident management is defined as the process aimed at minimising the immediate and long-term business impact of incidents and to prevent re-occurrences. Due to the complexity of this process, it is covered separately under Security incident management.



Reporting is defined as the tangible output of the auditing and event data analysis. Although usually tailored for senior management roles, some reports can be generated for other roles and will contain specific information relevant to their job function.


Retention and archive

Retention concerns ensuring that security monitoring data is retained only for as long as it is required, and that it is disposed of securely after that time. Archive concerns the provision of long-term storage and protection of accounting information, either for retrospective analysis or for forensic purposes.

Was this guidance helpful?

We need your feedback to improve this content.

Yes No