Page 109 - CISSO_Prep_ Guide
KRIs, can alert management to trends or changes in risk that may
be a sign of a potential breach. There are many ways to review
controls, including log reviews, alarms, incident reports, and user
feedback.
Reports that show comparable results and can indicate trends
in activity should be provided to management. The reports,
however, should be based on metrics that are good indicators of
system security. There may be many points at which a system is
being monitored, but not all logs need to be reviewed.
The reports should focus on areas of most importance. All logs
should be protected and retained so that they are available for later
review and investigation. Writing the logs onto a separate medium
that would prevent the deletion or modification of log entries may
also be desirable. The length of time that logs should be retained
is dependent on legal requirements, business needs, and the value
of the information in the logs. Some logs may need to be retained
for years to be compliant with laws and regulations; other logs
may be deleted or overwritten in a matter of days.
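One way to make log entries tamper-evident in software, complementing the separate write-protected medium the text recommends: each record carries a hash that covers the previous record's hash, so any edit, deletion or insertion breaks the chain. This is an added example, not from the guide; the event records and field names are constructed for illustration.

```python
import hashlib
import json

# Constructed sample authentication events (not taken from the page).
SAMPLE_EVENTS = [
    {"ts": "2024-01-05T08:00:00Z", "src": "10.0.0.5", "event": "login_ok", "user": "alice"},
    {"ts": "2024-01-05T08:02:11Z", "src": "10.0.0.9", "event": "login_fail", "user": "bob"},
    {"ts": "2024-01-05T08:02:40Z", "src": "10.0.0.9", "event": "login_fail", "user": "bob"},
    {"ts": "2024-01-05T08:03:02Z", "src": "10.0.0.9", "event": "login_ok", "user": "bob"},
]

GENESIS = "0" * 64  # hash value "preceding" the first record


def _digest(prev_hash, seq, event):
    # Canonical JSON so the same event always hashes the same way.
    payload = json.dumps({"prev": prev_hash, "seq": seq, "event": event}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def build_chain(events):
    """Append each event as a record whose hash binds it to its predecessor."""
    chain = []
    prev = GENESIS
    for seq, event in enumerate(events):
        h = _digest(prev, seq, event)
        chain.append({"seq": seq, "event": event, "prev": prev, "hash": h})
        prev = h
    return chain


def verify_chain(chain):
    """Return (ok, first_bad_seq). Detects modified, deleted or inserted records.

    Note: silently dropping records from the *end* of the chain is not visible
    here; to catch truncation, store the latest hash somewhere the log writer
    cannot alter (for example on the separate medium mentioned above).
    """
    prev = GENESIS
    for expected_seq, rec in enumerate(chain):
        if rec["seq"] != expected_seq or rec["prev"] != prev:
            return False, expected_seq
        if _digest(prev, rec["seq"], rec["event"]) != rec["hash"]:
            return False, expected_seq
        prev = rec["hash"]
    return True, None
```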
Change Control
A time of change is a time of risk. A change may interrupt
business processes, bypass controls, lead to project overruns
and scope creep, or render business continuity plans ineffective.
Therefore, the organization should have a clearly defined and
followed change management process. This will ensure that all
changes are formally requested and documented, reviewed for
their impact on the business and security, and tested and
approved before implementation.
Change control procedures should be used for all changes to
projects, networks, applications, configurations, and user