C1.a The data sources that you include in your monitoring allow for timely identification of security events which might affect the operation of your essential function.
C1.b You hold logging data securely and grant read access only to accounts with a business need. No employee should ever need to modify or delete logging data within an agreed retention period, after which it should be deleted.
C1.c Evidence of potential security incidents contained in your monitoring data is reliably identified and triggers alerts.
C2.a You define examples of abnormalities in system behaviour that provide practical ways of detecting malicious activity that is otherwise hard to identify.
C2.b You use an informed understanding of more sophisticated attack methods and of normal system behaviour to monitor proactively for malicious activity.