3.3.14 Cyber Security Event Management
No: 381000091275 | Date(g): 24/5/2017 | Date(h): 28/8/1438 | Status: In-Force
Principle
The Member Organization should define, approve and implement a security event management process to analyze operational and security logs and to respond to security events. The effectiveness of this process should be measured and periodically evaluated.
Objective
To ensure timely identification of, and response to, anomalies or suspicious events with regard to information assets.
Control considerations
1. The security event management process should be defined, approved and implemented.
2. The effectiveness of the cyber security controls within the security event management process should be measured and periodically evaluated.
3. To support this process, a security event monitoring standard should be defined, approved and implemented.
   a. the standard should specify, for all information assets, the mandatory events to be monitored, based on the classification or risk profile of the information asset.
4. The security event management process should include requirements for:
   a. the establishment of a designated team responsible for security monitoring (i.e., a Security Operations Center (SOC));
   b. skilled and (continuously) trained staff;
   c. a restricted area to facilitate SOC activities and workspaces;
   d. the resources required for continuous (24x7) security event monitoring activities;
   e. detection and handling of malicious code and software;
   f. detection and handling of security or suspicious events and anomalies;
   g. deployment of a network packet analysis solution;
   h. adequately protected logs (integrity, confidentiality and retention, so that an attacker who compromises a host cannot silently alter or delete the evidence);
   i. periodic compliance monitoring of applications and infrastructure against the cyber security standards;
   j. automated and centralized analysis of security logs and correlation of events or patterns (i.e., Security Information and Event Management (SIEM));
   k. reporting of cyber security incidents;
   l. independent periodic testing of the effectiveness of the security operations center (e.g., red-teaming).
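Item 4.j asks for centralized analysis and correlation of events but does not say what a correlation rule looks like in practice. The Python below is an added illustration, not part of the framework text and not the code of any SIEM product: it parses constructed, syslog-like SSH authentication lines as a central collector would receive them from two hosts, and applies one common rule (repeated failed logins from a single source within a sliding window, followed by a successful login from the same source). The log format, hostnames, addresses, threshold and window are all assumptions chosen for the example.

```python
"""Minimal SIEM-style correlation over centralized authentication logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data). Two hosts, one central collector.
# Source 203.0.113.7 guesses quickly and then succeeds; 198.51.100.9 guesses
# slowly (6 minutes apart) and succeeds later.
SAMPLE_LOGS = """\
2017-05-24T10:00:01Z app01 sshd: Failed password for admin from 203.0.113.7
2017-05-24T10:00:03Z app01 sshd: Failed password for admin from 203.0.113.7
2017-05-24T10:00:05Z app01 sshd: Failed password for root from 203.0.113.7
2017-05-24T10:00:06Z app01 sshd: Failed password for admin from 203.0.113.7
2017-05-24T10:00:08Z app01 sshd: Failed password for admin from 203.0.113.7
2017-05-24T10:00:15Z app01 sshd: Accepted password for admin from 203.0.113.7
2017-05-24T10:01:00Z db01 sshd: Failed password for dba from 198.51.100.9
2017-05-24T10:07:00Z db01 sshd: Failed password for dba from 198.51.100.9
2017-05-24T10:30:00Z db01 sshd: Accepted password for dba from 198.51.100.9
"""

# Assumed line layout: "<ISO timestamp> <host> sshd: <Failed|Accepted> password for <user> from <src>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse(text):
    """Normalize raw lines into event dicts; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production pipeline would count these as a collection-health metric
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def correlate(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window rule keyed on source address.

    - `threshold` failures from one source inside `window`  -> medium alert
    - a later success from that source while those failures
      are still inside the window                          -> high alert
    """
    alerts = []
    failures = defaultdict(list)  # src -> timestamps of recent failed attempts
    for ev in sorted(events, key=lambda e: e["ts"]):
        src, now = ev["src"], ev["ts"]
        # Age out failures that fell outside the window relative to this event.
        failures[src] = [t for t in failures[src] if now - t <= window]
        if ev["outcome"] == "Failed":
            failures[src].append(now)
            if len(failures[src]) == threshold:  # fire once when the threshold is crossed
                alerts.append({"rule": "auth.bruteforce", "severity": "medium",
                               "src": src, "user": ev["user"], "host": ev["host"],
                               "ts": now, "count": threshold})
        else:  # Accepted
            if len(failures[src]) >= threshold:
                alerts.append({"rule": "auth.bruteforce.success", "severity": "high",
                               "src": src, "user": ev["user"], "host": ev["host"],
                               "ts": now, "count": len(failures[src])})
            failures[src].clear()  # the session is established; start a fresh window
    return alerts


if __name__ == "__main__":
    for a in correlate(parse(SAMPLE_LOGS)):
        print(f"{a['ts'].isoformat()} {a['severity']:6} {a['rule']:24} "
              f"src={a['src']} user={a['user']} host={a['host']} count={a['count']}")
```

With the defaults the rule fires twice for 203.0.113.7 (medium on the fifth failure, high on the success) and not at all for 198.51.100.9, whose two failures are six minutes apart and never coexist in the five-minute window. That second case is the caveat a monitoring standard (item 3.a) has to address: a low-and-slow attacker evades a short window, so the threshold and window per asset class are a detection-engineering decision, not a default to leave as shipped. Widening the window to an hour and lowering the threshold to two makes the same rule catch the slow source as well.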