Logging and Monitoring
Logging of system activity is necessary because it provides an audit trail that records who did what and when. Logging should be enabled by default on all critical systems, and logs should be retained according to a retention policy. Monitoring is necessary because it supports timely response to an incident. Depending on the nature of the system and the number of users, monitoring can be done manually by generating system reports; these reports should be reviewed regularly, and abnormal activity should be flagged and followed up. For systems with a large number of users, a Security Information and Event Management (SIEM) solution should be implemented and configured according to industry best practices.
- Collect system logs to determine who did what and when, and retain them according to the retention policy
- Correlate and monitor logs to identify and act on suspicious activity
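As an added illustration (not part of the original guidance), the following Python sketch applies the two points above to constructed audit log lines: each line becomes a who/what/when record, a hypothetical 30-day retention policy purges old entries, and a simple correlation rule flags repeated failed logins followed by a success. The log format, user names, fixed "current time" and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: "<timestamp> <user> <action> <target> <outcome>" per line.
SAMPLE_LOG = """\
2024-03-01T09:00:00 alice login server01 success
2024-05-10T22:15:01 bob login server01 failure
2024-05-10T22:15:07 bob login server01 failure
2024-05-10T22:15:12 bob login server01 failure
2024-05-10T22:15:20 bob login server01 success
2024-05-11T10:00:00 carol read-file server02 success
"""

NOW = datetime(2024, 5, 12, 0, 0, 0)  # fixed "current time" so the run is reproducible
RETENTION = timedelta(days=30)        # hypothetical retention policy

def parse_log(text):
    """Turn each line into a who/what/when record (one audit trail entry)."""
    records = []
    for line in text.splitlines():
        when, who, what, target, outcome = line.split()
        records.append({"when": datetime.fromisoformat(when), "who": who,
                        "what": what, "target": target, "outcome": outcome})
    return records

def apply_retention(records, now=NOW, keep=RETENTION):
    """Keep only records inside the retention window; older entries are purged."""
    return [r for r in records if now - r["when"] <= keep]

def flag_suspicious(records, failures=3, window=timedelta(minutes=5)):
    """Correlate login events per user: N or more failures followed by a success
    inside the window is flagged for follow-up. Returns (user, time, failure_count)."""
    by_user = defaultdict(list)
    for r in sorted(records, key=lambda r: r["when"]):
        if r["what"] == "login":
            by_user[r["who"]].append(r)
    alerts = []
    for who, events in by_user.items():
        recent_failures = []
        for e in events:
            # drop failures that fell outside the correlation window
            recent_failures = [f for f in recent_failures if e["when"] - f["when"] <= window]
            if e["outcome"] == "failure":
                recent_failures.append(e)
            elif len(recent_failures) >= failures:
                alerts.append((who, e["when"].isoformat(), len(recent_failures)))
                recent_failures = []
    return alerts
```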