Page 213 - CISSO_Prep_ Guide
Knowing normal activity levels will also assist in being able to
detect any types of abnormal activity.
Audit logs are important and should record all activity on a
system, or at least the activities that are sensitive or critical, such as
administrative changes or events where a person viewed
protected data or tried to log in with incorrect credentials.
Synchronizing data between various logs requires the time on
each device to be synchronized - otherwise, it can be very
challenging to associate activity between the logs.
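An added illustration (not from the guide) of why the clocks must agree: two constructed sample logs, a firewall and a server whose clock runs three minutes fast, record the same burst of failed logins, and correlating them within a 10-second window only works once the server's known offset is removed. The host names, addresses and log formats are invented for this example.

```python
from datetime import datetime, timedelta

# Constructed sample logs. The server clock is 3 minutes fast, so the same
# connection attempts appear 3 minutes apart in the two logs.
FIREWALL_LOG = """\
2024-03-01 10:00:02 fw01 ACCEPT src=203.0.113.7 dst=10.0.0.5 dport=22
2024-03-01 10:00:05 fw01 ACCEPT src=203.0.113.7 dst=10.0.0.5 dport=22
2024-03-01 10:30:00 fw01 ACCEPT src=198.51.100.9 dst=10.0.0.5 dport=443
"""

SERVER_LOG = """\
2024-03-01 10:03:03 srv05 sshd: Failed password for admin from 203.0.113.7
2024-03-01 10:03:06 srv05 sshd: Failed password for admin from 203.0.113.7
"""


def parse(log):
    """Return (timestamp, host, message) tuples for each line of a log."""
    events = []
    for line in log.splitlines():
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        host, _, msg = line[20:].partition(" ")
        events.append((ts, host, msg))
    return events


def correlate(fw_events, srv_events, window_seconds=10, offset_seconds=0):
    """Pair each failed login with a firewall entry from the same source
    address within the window. offset_seconds is the server's known clock
    error and is subtracted from server timestamps before comparing."""
    window = timedelta(seconds=window_seconds)
    offset = timedelta(seconds=offset_seconds)
    pairs = []
    for ts, _, msg in srv_events:
        if "Failed password" not in msg:
            continue
        src = msg.rsplit("from ", 1)[1]
        corrected = ts - offset
        for fts, _, fmsg in fw_events:
            if f"src={src} " in fmsg and abs(fts - corrected) <= window:
                pairs.append((fts, corrected, src))
                break
    return pairs


def demo():
    """Number of matched events without and with the offset correction."""
    fw, srv = parse(FIREWALL_LOG), parse(SERVER_LOG)
    return len(correlate(fw, srv)), len(correlate(fw, srv, offset_seconds=180))
```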
Other detective devices are firewalls, host-based intrusion
detection and prevention systems, and application logs. Each
tool can assist the organization in tracking the types and frequency
of attacks, the misuse of the system by users or administrators,
and frequent errors or misconfigurations. The organization
should conduct vulnerability assessments and penetration tests
regularly to help identify any weaknesses or gaps in its
security.
People are the best incident detection device for an organization.
Everyone within the organization should understand their
responsibility to watch for and report any suspicious activity.
Outside people may also be a source of information about
possible incidents, so the organization should have a process by
which an outsider can report a potential problem they have
detected.
Classification of an Incident
Once an incident has been detected, the first step is learning the
scope, size, and potential impact of the incident. An incident
poses an immediate risk to the organization, but also may pose a