3.2 Monitoring and logging
3.2.1. The relevant entities shall lay down procedures and use tools to monitor and log activities on their network and information systems to detect events that could be considered as incidents and respond accordingly to mitigate the impact.
3.2.2. To the extent feasible, monitoring shall be automated and carried out either continuously or in periodic intervals, subject to business capabilities. The relevant entities shall implement their monitoring activities in a way which minimises false positives and false negatives.
3.2.3. The relevant entities shall maintain, document, and review logs. Logs shall include:
(a) outbound and inbound network traffic;
(b) creation, modification or deletion of users of the relevant entities’ network and information systems and extension of their permissions;
(c) access to systems and applications;
(d) authentication-related events;
(e) all privileged access to systems and applications, and activities performed by administrative accounts;
(f) access or changes to critical configuration and backup files;
(g) event logs and logs from security tools, such as antivirus, intrusion detection systems or firewalls;
(h) use of system resources, as well as their performance;
(i) physical access to facilities, where appropriate;
(j) access to and use of their network equipment and devices;
(k) activation, stopping and pausing of the various logs;
(l) environmental events, such as flooding alarms, where appropriate.
3.2.4. The logs shall be reviewed for any unusual or unwanted trends. The relevant entities shall lay down appropriate values for alarm thresholds. If a laid-down alarm threshold is exceeded, an alarm shall be triggered, where appropriate automatically. The responsible employee shall ensure that, in case of an alarm, a qualified and appropriate response is initiated.
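The threshold-and-alarm mechanism in 3.2.4, applied to the authentication events required by 3.2.3(d), as an added illustration that is not part of the regulation text: a small detector that parses constructed sshd-style log lines (timestamps in UTC, as 3.2.6 presupposes), keeps a sliding window of failed logins per source address, and raises one alarm when the configured threshold is reached inside the window. The log lines, the threshold of five failures in sixty seconds and the one-alarm-per-burst rule are example choices, not values the regulation prescribes; clearing the window after an alarm is the kind of false-positive control 3.2.2 asks for.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log (not captured from any real system): one authentication
# event per line, ISO-8601 UTC timestamps, sshd-like wording.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51012
2024-05-01T08:00:03Z sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51013
2024-05-01T08:00:04Z sshd[1201]: Failed password for root from 203.0.113.7 port 51014
2024-05-01T08:00:06Z sshd[1201]: Failed password for root from 203.0.113.7 port 51015
2024-05-01T08:00:07Z sshd[1201]: Failed password for root from 203.0.113.7 port 51016
2024-05-01T08:00:09Z sshd[1201]: Accepted publickey for alice from 198.51.100.20 port 40022
2024-05-01T08:02:30Z sshd[1201]: Failed password for bob from 198.51.100.20 port 40023
2024-05-01T08:09:00Z sshd[1201]: Accepted password for bob from 198.51.100.20 port 40024
2024-05-01T08:15:00Z sshd[1201]: Failed password for root from 203.0.113.9 port 51020
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+$"
)


def parse(line):
    """Turn one log line into an event dict, or None if the line is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "failed": m["result"] == "Failed", "user": m["user"], "src": m["src"]}


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Raise one alarm per source address whenever `threshold` failed logins fall
    within `window_seconds` (example values; tune them per 3.2.4).

    A per-source sliding window is used so that slow, spread-out failures from
    legitimate users do not accumulate forever. After an alarm the window is
    cleared, so one burst yields one alarm rather than one per further line.
    """
    recent = defaultdict(deque)
    alarms = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None or not ev["failed"]:
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        # Drop failures that have aged out of the window.
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alarms.append({"src": ev["src"], "count": len(q), "first": q[0], "last": ev["ts"]})
            q.clear()
    return alarms


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(f"ALARM {a['src']}: {a['count']} failed logins between {a['first']} and {a['last']}")
```

On the sample data only 203.0.113.7 crosses the threshold (five failures in six seconds); the single failures from 198.51.100.20 and 203.0.113.9 stay below it and generate no alarm. In a real deployment the alarm would be handed to the responsible employee's ticketing or SOC queue rather than printed.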
3.2.5. The relevant entities shall maintain and back up logs for a predefined period and shall store the logs at a central location and protect them from unauthorised access or changes.
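One way to meet the "protect them from unauthorised ... changes" part of 3.2.5 at the central log location, shown here as an added example and not as anything the regulation mandates: each stored record is sealed with an HMAC over the previous record's tag plus the record itself, so modification, deletion or reordering of earlier entries breaks the chain. The collector key `COLLECTOR_KEY`, the record contents and the function names are illustrative assumptions. The example also shows the caveat a practitioner should know: a chain alone does not detect truncation of the newest entries, which is why the latest tag must additionally be anchored outside the log store.

```python
import hashlib
import hmac
import json

# Hypothetical key held only by the central log collector and the auditor.
# In production it belongs in an HSM or KMS, never on the systems being logged,
# so that an intruder on a source host cannot recompute the chain.
COLLECTOR_KEY = b"example-collector-key-do-not-use"
GENESIS = "0" * 64

# Constructed sample records (privileged actions per 3.2.3(e)); not real data.
SAMPLE_RECORDS = [
    {"ts": "2024-05-01T08:00:00Z", "host": "db01", "user": "alice", "action": "sudo systemctl restart postgresql"},
    {"ts": "2024-05-01T08:05:00Z", "host": "db01", "user": "mallory", "action": "sudo cp /etc/shadow /tmp/s"},
    {"ts": "2024-05-01T08:06:00Z", "host": "db01", "user": "mallory", "action": "sudo rm /tmp/s"},
]


def seal(prev_tag, record):
    """tag = HMAC-SHA256(key, prev_tag || canonical JSON of record)."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(COLLECTOR_KEY, prev_tag.encode() + canonical, hashlib.sha256).hexdigest()


def append(chain, record):
    """Append a record to the chain, sealing it against the previous tag."""
    prev = chain[-1]["tag"] if chain else GENESIS
    chain.append({"record": record, "tag": seal(prev, record)})
    return chain


def verify(chain):
    """Return (ok, index): ok is False and index points at the first entry whose
    tag does not match, i.e. the first record that was altered, removed or moved."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if not hmac.compare_digest(seal(prev, entry["record"]), entry["tag"]):
            return False, i
        prev = entry["tag"]
    return True, -1


def check_anchor(chain, anchored_tag):
    """Compare the chain's newest tag with a copy kept elsewhere (write-once storage,
    a second system, or a signed daily summary). Catches deletion of the tail,
    which verify() alone cannot see because a shorter chain is still internally consistent."""
    last = chain[-1]["tag"] if chain else GENESIS
    return hmac.compare_digest(last, anchored_tag)


def build_sample_chain():
    chain = []
    for rec in SAMPLE_RECORDS:
        append(chain, dict(rec))  # copy so later tampering does not touch SAMPLE_RECORDS
    return chain


def tampered_chain():
    # Intruder with write access rewrites who performed the privileged action.
    chain = build_sample_chain()
    chain[1]["record"]["user"] = "alice"
    return chain


def deleted_middle_chain():
    chain = build_sample_chain()
    del chain[1]
    return chain


def truncated_chain():
    chain = build_sample_chain()
    del chain[-1]
    return chain


if __name__ == "__main__":
    good = build_sample_chain()
    anchor = good[-1]["tag"]
    print("intact:", verify(good), "anchor ok:", check_anchor(good, anchor))
    print("tampered:", verify(tampered_chain()))
    print("middle deleted:", verify(deleted_middle_chain()))
    print("truncated:", verify(truncated_chain()), "anchor ok:", check_anchor(truncated_chain(), anchor))
```

The design relies on two things the regulation already asks for elsewhere: a central location that sources cannot rewrite (3.2.5) and an independent second system (3.2.6) that can hold the anchored tag. Restricting read access to the chain is a separate access-control matter; the HMAC only provides tamper evidence, not confidentiality.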
3.2.6. The relevant entities shall ensure that all systems have synchronised time sources to be able to correlate logs between systems for event assessment. The relevant entities shall establish and keep a list of all assets that are being logged and ensure that monitoring and logging systems are redundant. The availability of the monitoring and logging systems shall be monitored independently.
3.2.7. The procedures as well as the list of assets that are being logged shall be reviewed and, where appropriate, updated at regular intervals and after significant incidents.