
Detect Information Security Incidents

The Detect Function, when deployed in government organizations, enables the proactive development and implementation of activities that ensure the timely identification of information or cyber security incidents. Such incidents can cause significant financial loss, data loss and reputational damage, and in some cases can even endanger the lives of individuals.

  1. Enable Logging of Events and Maintenance of Logs

    Government organizations must enable logging of activities and events, and must maintain and retain logs including, but not limited to, access logs, error logs, server logs, event logs, audit logs, firewall logs and antivirus logs. Logs of all changes made and activities carried out shall be produced, securely kept and regularly reviewed; it is the responsibility of the ISO to review the logs periodically. Logs can contain sensitive data, so appropriate measures should be taken to safeguard them against tampering and unauthorized access, for example by restricting write access to the log store, forwarding a copy of every event to a separate collector that the originating host cannot modify, and using tamper-evident storage so that alteration or deletion of entries is detectable during review.
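    One way to make a retained log tamper-evident, as an added illustration and not a mechanism the guideline itself prescribes: each entry carries an HMAC that also covers the previous entry's HMAC, so a reviewer holding the key can detect any edited, deleted or reordered line. The key, the entry layout and the sample log lines below are assumptions constructed for this example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumption for this example: the collector holds a per-log HMAC key that the
# hosts producing events never see, so a compromised host cannot re-sign lines.
LOG_KEY = b"example-key-replace-with-a-random-32-byte-secret"
GENESIS = "0" * 64  # MAC value assumed for the (non-existent) entry before the first


def _mac(key: bytes, prev: str, ts: str, message: str) -> str:
    # Canonical JSON so that the bytes covered by the MAC are unambiguous.
    payload = json.dumps([prev, ts, message], separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_entry(chain: list, key: bytes, message: str, ts: str = "") -> dict:
    """Append one entry whose MAC also covers the previous entry's MAC.
    Editing, deleting or reordering any earlier entry therefore invalidates
    every entry that follows it."""
    prev = chain[-1]["mac"] if chain else GENESIS
    ts = ts or datetime.now(timezone.utc).isoformat()
    entry = {"prev": prev, "ts": ts, "msg": message}
    entry["mac"] = _mac(key, prev, ts, message)
    chain.append(entry)
    return entry


def verify_chain(chain: list, key: bytes) -> tuple:
    """Return (True, -1) if the chain is intact, otherwise (False, i) where i is
    the index of the first entry that fails verification."""
    prev = GENESIS
    for i, e in enumerate(chain):
        expected = _mac(key, prev, e["ts"], e["msg"])
        if e["prev"] != prev or not hmac.compare_digest(expected, e["mac"]):
            return False, i
        prev = e["mac"]
    return True, -1


def build_sample_chain(key: bytes = LOG_KEY) -> list:
    """Constructed sample entries (not real log data) with fixed timestamps."""
    chain = []
    append_entry(chain, key, "sshd: Accepted password for admin from 10.0.0.5", "2024-01-12T10:00:00Z")
    append_entry(chain, key, "sshd: Failed password for root from 203.0.113.9", "2024-01-12T10:00:01Z")
    append_entry(chain, key, "sudo: admin : COMMAND=/usr/bin/passwd root", "2024-01-12T10:00:02Z")
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain, LOG_KEY))          # (True, -1)
    chain[1]["msg"] = "sshd: Accepted password for root from 203.0.113.9"  # attacker rewrites a line
    print("after edit:", verify_chain(chain, LOG_KEY))      # (False, 1)
    chain = build_sample_chain()
    del chain[1]                                            # attacker deletes a line
    print("after delete:", verify_chain(chain, LOG_KEY))    # (False, 1)
```

    The scheme only detects tampering; it does not prevent it, and an attacker who obtains the key can re-sign the whole chain. Keeping the key on the collector and periodically publishing the latest MAC to a second system (or printing it in the ISO's review record) limits what a compromise of either host can hide.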

  2. Detection of Incidents through event monitoring and log analysis

    Organizations should build the capacity to detect incidents through log analysis: logs shall be analyzed for malicious activity so that attacks and anomalous behaviour are detected. Monitoring of network and system events should be continuous, and government organizations should deploy IDS/IPS to detect and mitigate attacks against their networks and applications.

    Building on this, organizations shall use a Security Information and Event Management (SIEM) system for log collection and normalization, basic security monitoring, security incident detection, advanced threat detection, notifications and alerts, and support for forensics and incident response; a SIEM correlates the events and alerts produced by the sources above rather than replacing them. Organizations should also implement network and IT infrastructure monitoring systems and configure automated alerts on system failures.

    Tool: Function

    Network and host Intrusion Detection Systems (IDS): Monitor and analyze network and host activity, usually matching it against a list of known attack signatures to recognize malicious activity and potential information security incidents. A purely signature-based IDS will not see an attack it has no signature for, which is why it is complemented by anomaly detection and log analysis.
    Intrusion Prevention Systems (IPS): Monitor a network or system for malicious activity or policy violations and, unlike a passive IDS, actively block or counter the detected attack or anomalous activity (the two are often deployed together as IDS/IPS).
    Log Analysis: Collecting and analyzing event logs, using pattern recognition and correlation across sources, to detect anomalous activities.
    Whitelisting: Lists the authorized activities and applications and permits only those (default deny).
    Blacklisting: Lists the non-authorized activities and applications and prevents their usage; anything not on the list is still allowed, so it is weaker than whitelisting.
    Data Loss Prevention (DLP): Detects potential data breaches and data exfiltration by monitoring sensitive data in use, in motion and at rest, and blocks unauthorized transmissions.
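    The log analysis row above, as an added example that is not part of the guideline: a small detector run over constructed sshd-style syslog lines that raises a brute-force alert when one source address accumulates a threshold of failed logins within a time window, and a higher-severity alert when a successful login then arrives from the same address. The thresholds, the log format, the hostnames and the addresses are assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed thresholds for this example (tune them to the environment).
FAIL_THRESHOLD = 5    # this many failures from one source address...
WINDOW_SECONDS = 60   # ...within this many seconds raises a brute_force alert

# Matches the OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines
# as emitted through syslog (no year in the timestamp; the caller supplies it).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample log lines (not real data): a password-guessing burst from
# 203.0.113.9 that finally succeeds as "backup", plus unrelated benign events.
SAMPLE_LOG = """\
Jan 12 10:00:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 4422 ssh2
Jan 12 10:00:03 web01 sshd[2203]: Failed password for invalid user admin from 203.0.113.9 port 4431 ssh2
Jan 12 10:00:05 web01 sshd[2205]: Failed password for root from 203.0.113.9 port 4440 ssh2
Jan 12 10:00:07 web01 sshd[2207]: Failed password for root from 203.0.113.9 port 4449 ssh2
Jan 12 10:00:09 web01 sshd[2209]: Failed password for backup from 203.0.113.9 port 4458 ssh2
Jan 12 10:00:11 web01 sshd[2211]: Failed password for backup from 203.0.113.9 port 4467 ssh2
Jan 12 10:00:20 web01 sshd[2213]: Accepted password for backup from 203.0.113.9 port 4476 ssh2
Jan 12 10:03:10 web01 sshd[2220]: Accepted publickey for deploy from 10.0.0.5 port 50122 ssh2
Jan 12 10:05:00 web01 sshd[2230]: Failed password for alice from 10.0.0.7 port 50130 ssh2
""".splitlines()


def parse_line(line: str, year: int = 2024):
    """Return a dict for an sshd auth event, or None for lines we do not model."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect(lines, year: int = 2024) -> list:
    """Sliding-window detector. Returns one brute_force alert per offending
    source address and a possible_compromise alert for each later successful
    login from an address that was already flagged."""
    failures = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line, year)
        if ev is None:
            continue   # a production pipeline would count unparsed lines, not drop them silently
        window = failures[ev["ip"]]
        if ev["result"] == "Failed":
            window.append(ev["ts"])
            while window and (ev["ts"] - window[0]).total_seconds() > WINDOW_SECONDS:
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append({"type": "brute_force", "ip": ev["ip"], "host": ev["host"],
                               "count": len(window), "ts": ev["ts"]})
        elif ev["ip"] in flagged:
            alerts.append({"type": "possible_compromise", "ip": ev["ip"], "host": ev["host"],
                           "user": ev["user"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

    The second alert is the one the IRT should act on first: a success after a burst of failures from the same source is a far stronger signal than the burst alone. Two practical caveats: syslog timestamps omit the year, so the analyzer must be told it (and handle the roll-over at New Year), and an attacker who spreads attempts across many source addresses or slows them below the window will evade a per-address counter, which is why the same logic is usually also keyed on the target account and fed into the SIEM for cross-host correlation.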

  3. Staff Should be Encouraged to Report Suspicious Activities

    All users should be strictly instructed to report immediately any evidence of suspicious activity or breach of security to the Incident Response Team (IRT). Breaches include, but are not limited to, unauthorized access, theft, viruses or other malware, a vulnerability in equipment, the presence of any information resource prohibited by the guidelines, tampering with information, and violation of the guidelines or security policy by another user or contractor.

    Adequate awareness training should be given to staff on detecting incidents, reporting the information security events they detect, and preserving evidence (for example, not powering off, reinstalling or "cleaning" an affected machine before the IRT has examined it).

  4. Maintenance of an Incident Register

    In addition to incidents reported by staff, the organization shall invest in tools to detect such incidents, and the IRT shall maintain an incident register in which every reported or detected incident is logged.

    Each record should include, but is not restricted to:

    • Date and time of occurrence
    • Name and designation of the employee who reported the incident
    • Description of the incident
    • Nature of impact
    • Classification
    • Root cause
    • Action taken in response
    • Personnel handling the incident
    • Remedial measures taken to prevent recurrence
    • Status of the incident

  5. Detection of Malware

    The government organization should install antimalware software on all devices and components connected to the organization's network, including servers, workstations and any other components. The virus and malware detection infrastructure should remain active and up to date, and be configured for on-access scanning, covering the downloading and opening of files, access to folders on removable or remote storage, and web page scanning. It is the responsibility of the CIO to ensure that the virus and malware detection infrastructure remains active and is not disabled at any potential entry point, and that it is updated with the latest product versions and virus signatures as soon as they are released.

    If a device is identified as a threat to the government organization's network because of a malware infection, the CIO reserves the right to disconnect it from the network and isolate it with immediate effect.