needs monitoring & auditing of events that affect integrity, confidentiality, availability
Users must be notified of rights & responsibilities through an acceptable use document
users must be identified
events/processes must be monitored & recorded in logs that form an audit trail that can be analyzed and used as legal evidence
alarms: real-time evaluation of logging info against thresholds, alerting the admin
consistent enforcement of security policy
Events to record:
info access
admin activity
failed events
Audit data must be secured to prevent an attacker from covering their tracks.
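
Added example (not part of the original notes): an audit trail that records the three event types listed above, raises a threshold alarm on failed events as they arrive, and chains an HMAC through the records so edits or deletions show up on verification. The class name, key, threshold, window and sample events are assumptions made up for illustration.

```python
import hashlib, hmac, json
from collections import defaultdict, deque
CATEGORIES = {"info_access", "admin_activity", "failed_event"}  # from the notes
KEY = b"constructed-demo-key"  # assumption: real key is kept off the logged host
THRESHOLD, WINDOW = 3, 60      # assumption: 3 failures per user within 60 s

class AuditTrail:
    def __init__(self):
        self.records = []                   # audit trail; each record has a chained MAC
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.alerts = []                    # stand-in for notifying the admin

    def _mac(self, prev, body):
        msg = prev.encode() + json.dumps(body, sort_keys=True).encode()
        return hmac.new(KEY, msg, hashlib.sha256).hexdigest()

    def record(self, ts, user, category, detail):
        if category not in CATEGORIES:
            raise ValueError(f"unknown category: {category}")
        body = {"ts": ts, "user": user, "category": category, "detail": detail}
        prev = self.records[-1]["mac"] if self.records else ""
        self.records.append({**body, "mac": self._mac(prev, body)})
        if category == "failed_event":      # alarm: evaluate as the event arrives
            q = self.failures[user]
            q.append(ts)
            while ts - q[0] > WINDOW:       # drop failures outside the window
                q.popleft()
            if len(q) >= THRESHOLD:
                self.alerts.append((ts, user, len(q)))
                q.clear()                   # re-arm so one burst gives one alert

    def verify(self):  # index of first altered or out-of-place record, else None
        prev = ""
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "mac"}
            if not hmac.compare_digest(rec["mac"], self._mac(prev, body)):
                return i
            prev = rec["mac"]
        return None

def build_sample():
    trail = AuditTrail()
    for ev in [(0, "alice", "info_access", "read payroll.xlsx"),   # constructed events
               (5, "carol", "failed_event", "login failed"),
               (12, "root", "admin_activity", "added user bob"),
               (20, "carol", "failed_event", "login failed"),
               (31, "carol", "failed_event", "login failed")]:
        trail.record(*ev)
    return trail
```

Removing records from the end of the chain is not detected by verify(); catching that requires the latest MAC to be stored somewhere the attacker cannot reach.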