Monitoring Policy
Publication Summary
| Title | Monitoring Policy |
|---|---|
| Author(s) | Alessandro Cardinali |
| Issued by | CEO |
| Version doc. | 0.1 |
| Review freq. | Yearly |
| Date of issue | December 11, 2023 |
| Owner | Alessandro Cardinali |
| Document status | Draft – Final Draft - Final |
| Approval Date | n/a |
| Classification | Internal |
Change Log
| Version | Date | Author | Comments |
|---|---|---|---|
| 0.1 | December 11, 2023 | | First draft document |
| 1.0 | December 20, 2023 | | |
Contents
1 [Introduction](#introduction)
2 [Monitoring policy](#monitoring-policy)
Introduction
[Organization Name] has a wide variety of networks, systems and applications which together make up the ICT environment that supports business operations. As part of normal working, a large number of activities take place every day such as user logons, application use, network traffic between servers, and database and file changes. However, hidden within this normal activity could be the actions of malicious individuals or groups who are trying to do the organization harm, perhaps by stealing data or by launching an attack using techniques such as ransomware.
The challenge for [Organization Name] is to be able to tell the difference between normal activities and those which need to be further investigated and, if necessary, prevented. Effective monitoring of the ICT environment is one way in which threats can be caught and dealt with before they become serious. The increasing use of artificial intelligence within monitoring software presents an opportunity for organizations to capitalise on this technology to achieve better monitoring at a reduced cost.
The purpose of this policy is to define the principles that must be used when setting up and performing monitoring activities, so that their effectiveness is maximised whilst continuing to meet our legal, regulatory and contractual obligations.
This control applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to [Organization Name] systems.
The following policies and procedures are relevant to this document:
- Information Security Incident Response Procedure
- Information Security Event Assessment Procedure
Monitoring policy
The scope and level of monitoring of the ICT environment must be defined and agreed by top management in appropriate terms prior to monitoring beginning, including the networks, systems and applications covered and the types of activities that will be recorded.
All monitoring activities must comply with [Organization Name]'s legal, regulatory and contractual obligations at all times. This includes compliance with the relevant employment and privacy law of every country involved.
Employees will be informed of the monitoring activities carried out by the organization, as part of initial induction training and in regular awareness briefings.
Where possible and appropriate, monitoring activities will be automated using one or more software applications which have the capability of detecting anomalous behaviour within the [Organization Name] ICT environment.
Monitoring should extend to cloud environments where used, and attention should be paid to the integration of information from multiple systems so that a clear picture is maintained of the status of the ICT environment.
Monitoring should, where possible, include the following:
- Content, volume and metadata (for example source and destination) of network traffic within scope
- Level and timing of accesses to system resources, particularly at the admin level
- Use of ICT environment resources such as processing and storage
- Input from event logs recorded by applications and devices
In general, monitoring will be continuous unless there are justified business reasons for exceptions to this practice, which are approved by top management.
Alerts generated by the monitoring system must allow for immediate investigation by staff (rather than by automated tooling alone) where they are suspected to be of sufficient importance.
Where feasible, automated actions should be used to speed up the process of reacting to recognised threats, and to simplify decision-making.
Monitoring systems must be tuned to reduce false positives to a manageable level.
Available threat intelligence will be used to inform the monitoring activities, such as the recognition of indicators of compromise and current attack vectors.
Monitoring tools should be integrated with those used in other areas of the information security management system, such as data loss prevention and vulnerability management controls.