needs monitoring & auditing of events that affect integrity, confidentiality, availability
Users must be notified of rights & responsibilities through acceptable use
users must be identified
events/processes must be monitored & recorded in logs that form an audit trail that can be analyzed and used as legal evidence
alarms: real-time evaluation of logging info against thresholds, alerting the admin
consistent enforcement of security policy
Events to record:
Audit data must be secured to prevent attacker from covering tracks.