C1.a The data sources that you include in your monitoring allow for timely identification of security events which might affect the operation of your essential function.
C1.c Evidence of potential security incidents contained in your monitoring data is reliably identified and triggers alerts.
C1.d You contextualise alerts with knowledge of the threat and your systems, to identify those security incidents that require some form of response.
C1.e Monitoring staff skills, tools and roles, including any that are outsourced, should reflect governance and reporting requirements, expected threats and the complexities of the network or system data they need to use. Monitoring staff have knowledge of the essential functions they need to protect.
C2.a You define examples of abnormalities in system behaviour that provide practical ways of detecting malicious activity that is otherwise hard to identify.
C2.b You use an informed understanding of more sophisticated attack methods and of normal system behaviour to monitor proactively for malicious activity.