Data and alerts from network and host monitoring infrastructure assets are periodically reviewed, at least in an ad hoc manner
Context and Guidance: Anomalous activity is activity that is inconsistent with or deviating from what is usual, normal, or expected. Monitoring should provide the information that the organisation needs to determine whether it is being subjected to a cybersecurity event that may require action to prevent organisational impact. This may include, for example, review of network log data to identify unauthorised connections to assets important to the delivery of the function. This may also include observations by control room personnel and other operations staff of unexpected system responses, sensor readings, or other unexplained activity exhibited by operational systems. Part of the intention of this practice is to include people as an element of an organisation's overall approach to monitoring its systems.
Related Practices • Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: SITUATION-2a, SITUATION-2b, SITUATION-2c, SITUATION-2f, SITUATION-2g.