The majority of modern companies encounter information security challenges every day, ranging from external targeted attacks to internal leaks, despite using various information security approaches and tools. IT is rapidly evolving, in keeping with the threat landscape; but new approaches and tools mean new vulnerabilities. Attackers are becoming smarter and faster. The classic confidentiality, integrity and availability (CIA) triad has not been enough to address these challenges, especially when information security incidents occur (i.e., the CIA triad was violated fully
Global analytical reports find a growing number of incidents annually and increasing incident[1] In other words, incidents have happened, are happening and will be happening.
For timely incident detection and deep forensics, it is necessary to expand information security abilities and the CIA triad, ensuring accountability. However, accountability creates millions of security events; therefore, it is important to ensure effective security information and event management (SIEM)[3] within an information security management system (ISMS).
This article addresses an existing imbalance between the technical issues and the process aspects of SIEM. This gap is the root cause of much of the skepticism about, and disappointment in, SIEM.
Be aware that before implementing SIEM, it is necessary to establish the basis of the ISMS, which will include considering the global management commitment, asset inventory and categorization, and risk assessment. The SIEM process can be implemented when the needed enterprise security tools are obtained and the process capability model level is no lower than the managed process outlined in COBIT® 5.
The SIEM process consists of following a five-step cycle (see figure 1). This SIEM approach is based on the plan-do-check-act (PDCA) cycle. This article focuses on the policy establishment step of the SIEM cycle.
SIEM Policy Establishment
High-ranking management should demonstrate a commitment to the ISMS, including SIEM, by ensuring the SIEM policy is established and is compatible with the business direction, context and risk approach. Usually, the chief information security officer (CISO) prepares this internal policy and obtains the approval of all stakeholders. This policy should be mapped to existing internal policies, e.g., by defining the detailed event lists in the standards and baselines for servers and network tools.
The SIEM policy should contain these basic
• Purpose of the policy
• Scope of the SIEM infrastructure
• Responsibilities of involved individuals
Purpose describes the need for a policy and should rely on and link to business tasks, objectives and context. There are many reasons for developing a SIEM policy. Some of the reasons include:
• Having a comprehensive IT security vision
• Developing incident detection
• Improving IT security forensics and analytics
• Establishing compliance
Scope is the biggest part of the SIEM policy because it describes the SIEM infrastructure. A SIEM infrastructure is more than just the SIEM system. It is a common misconception that the SIEM system is the essential component of the SIEM infrastructure. The SIEM system is a technological solution and is just one component of the SIEM infrastructure. A SIEM infrastructure consists of different event sources, event storage, analysis tools and a monitoring console, and also includes external information providers, e.g., McAfee Global Threat Intelligence, RSA First Watch and Kaspersky Security Intelligence Services.
Services. Event sources are an essential component
ISACA JOURNAL VOL 3 37
Is head of the information
at the research and
at Vulkan LLP. In this
capacity, he leads the
and event management
team. He has 10 years of
experience in information
security and five years
of experience in SIEM.
He is an active author
and public speaker on
his areas of expertise.
He is also pursuing a
at Financial University
Feature: Going Beyond the Technical in SIEM