MD-01 Monitoring & Detection 6% of OML score

Does the business have basic visibility into what is happening on its systems and networks?

Can you see what's happening on your computers and network right now? Do you know who logged in, what files were accessed, or if someone tried to break in? This question asks whether you have basic tools and processes to watch over your IT systems so you catch problems early.

Why This Matters to Your Business

Without visibility, a hacker can steal customer data, financial records, or intellectual property for weeks before you notice. A manufacturing business in Bangalore lost ₹45 lakhs in a ransomware attack because no one noticed suspicious network traffic until systems stopped working. Auditors for government contracts or large customers will fail you if you cannot prove you monitor your systems. If a breach happens and you cannot show logs proving you tried to detect it, regulators will assume negligence and impose heavy fines under the DPDP Act.

What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You have no logs, no monitoring tools, and no one regularly checks system activity. If something goes wrong, you find out only when business stops or a customer complains.

Level 1
Initial

You manually check Windows Event Viewer or router logs once a month, but there is no systematic process and logs are not kept long-term. You cannot explain what happened during a specific incident because history is lost.

Level 2
Developing

You have a basic log collection setup (like Syslog server or simple NAS backup) that stores logs for 3–6 months, and one IT person reviews alerts weekly. You can reconstruct what happened during an incident, but detection is slow and reactive.

Level 3
Defined

You use a low-cost SIEM tool or log aggregator (like Graylog or Splunk Free) that collects logs from all servers and networks, stores them for 1 year, and sends email alerts for suspicious patterns. You detect most incidents within hours and have documented response procedures.

Level 4
Managed

You have a proper SIEM platform with real-time alerting, threat intelligence integration, and automated response rules for critical threats. Logs are retained for 2+ years, reviewed regularly, and correlated across systems to catch sophisticated attacks.

Level 5
Optimised

You have a full security operations center (SOC) function—either in-house or outsourced—with 24/7 monitoring, advanced analytics, and continuous tuning of detection rules. You detect threats in minutes, respond automatically, and feed findings back into risk management.

How to Move Up — Practical Steps

Step | What to Do | Who | Effort
0 → 1 | Enable Windows Event Logging on all servers and PCs; set up a shared folder to manually copy logs weekly; create a simple Excel checklist of what to review each month (logins, failed access, new user accounts). | IT Administrator or Owner | 2–3 days
1 → 2 | Deploy a basic centralized log server (Linux box with rsyslog or Windows Server with Event Log Forwarding) to automatically collect logs from all machines; configure it to keep logs for 90 days minimum; set up an email alert for failed login attempts. | IT Administrator | 1–2 weeks
2 → 3 | Install a free or low-cost SIEM tool (Graylog, ELK Stack, or Splunk Free); map critical assets (file servers, payment systems, customer databases); configure dashboards showing login activity, file access, and network connections; set up 15–20 basic alert rules for common threats. | IT Administrator with vendor support | 3–4 weeks
3 → 4 | License a commercial SIEM (Splunk Enterprise, Microsoft Sentinel, or Fortinet FortiSIEM); integrate threat feeds; add an endpoint detection and response (EDR) agent to all PCs; develop playbooks for the top 5 threat scenarios; conduct quarterly log reviews with an external auditor. | IT Manager with security consultant | 6–8 weeks
4 → 5 | Establish a formal SOC: hire/train a dedicated security analyst or contract a managed SOC provider (MSSP); implement 24/7 alert monitoring; conduct monthly threat hunts; maintain incident runbooks; report metrics to the board quarterly. | Security Manager or MSSP partner | Ongoing (3–6 months to operationalize)
Evidence You Should Have

Documents and records that prove your maturity level.

  • Log retention policy document stating how long logs are kept and where they are stored (e.g., 'All server and firewall logs retained for 12 months on dedicated log server in secure cabinet')
  • List of monitored systems and events (e.g., 'Server logs: Windows Event Viewer; Firewall: Palo Alto; Database: SQL Server audit log; Network: Router syslog')
  • Sample logs from the last 30 days showing user logins, failed access attempts, and file/system changes with timestamps
  • Alert configuration or SIEM dashboard showing rules in place (e.g., alert on 5+ failed logins in 10 minutes, alert on file deletion in restricted folder)
  • Incident response log or email chain showing that an alert was detected, investigated, and resolved (e.g., 'Unusual login from foreign IP on 2024-01-15, checked with user, confirmed VPN access, no action needed')
What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Show me your logs for the last 90 days. Can you prove that you have continuous visibility into who accessed what and when?"
  • "A data breach happened on [specific date]. Pull the logs from that day and walk me through what you can see about the attacker's activity."
  • "What happens when someone fails to log in five times in a row, or when a file is deleted from your shared drive? Do you get an alert?"
  • "Who reviews your logs and how often? Can you show me documented evidence—like meeting notes, a report, or an email—that someone actually looked at them?"
  • "If a hacker was inside your network for 30 days without being caught, how would you detect them? What tools do you have?"
Tools That Work in India

Purpose | Free Option | Paid Option
Collect and store logs from all computers and network devices in one place | ELK Stack (Elasticsearch, Logstash, Kibana) – open-source, requires Linux server and technical setup | Splunk Enterprise (₹6,00,000–15,00,000/year depending on data volume); Microsoft Sentinel (₹15–25 per GB ingested/month); Fortinet FortiSIEM (₹5,00,000–10,00,000/year)
Monitor and alert on suspicious login attempts, file changes, and network activity | Graylog Community Edition – free open-source SIEM with web interface; requires setup | Splunk Free (500 MB/day limit, adequate for small business); Wazuh (free open-source with paid support); Suricata + Zeek (free network monitoring tools)
Collect Windows Event Log and syslog from servers automatically | Windows Event Log Forwarding (built-in); Rsyslog (Linux); Logstash shipper (open-source) | Rapid7 Logentries (₹2,00,000–5,00,000/year); Datadog (₹3,00,000+/year)
Monitor what files are accessed, created, or deleted on file servers | Windows File Auditing (built-in Group Policy); Sambalog for Linux file shares | Delinea (formerly Lieberman Software) (₹10,00,000+/year); Varonis Data Security Platform (₹15,00,000+/year); Netwrix Auditor (₹3,00,000–8,00,000/year)
Detect suspicious behavior on individual computers (malware, lateral movement, data theft) | Wazuh agent (open-source EDR); Osquery (endpoint visibility tool) | CrowdStrike Falcon (₹15,00,000–25,00,000/year for 50 endpoints); Microsoft Defender for Endpoint (₹8,000–12,000 per endpoint/year); SentinelOne (₹12,00,000–20,00,000/year)
How This Makes You More Resilient
With monitoring in place, you catch hackers within hours instead of months, limiting the damage and cost of a breach. You can prove to customers and auditors that you tried to detect attacks, which protects you from heavy fines and contract loss. When something breaks or goes wrong, you have evidence to understand what happened and fix it faster, reducing downtime and customer frustration.
Common Pitfalls in India
  • Buying expensive monitoring tools but never actually using them—the SIEM sits there collecting logs that no one reviews. Assign one person as the 'log reviewer' and give them 2–3 hours per week to check dashboards and alerts.
  • Deleting old logs too quickly to save disk space, then having no evidence when an incident occurs. Keep logs for at least 90 days (better: 1 year); buy a cheap external NAS drive if space is the problem.
  • Monitoring only servers and forgetting employee computers (PCs and laptops). Attackers often start by stealing login credentials from a worker's computer, so monitor logins and file access on desktops too.
  • Setting up monitoring but configuring alerts so poorly that you get 100+ false alarms per day and ignore all of them. Start with 5–10 high-confidence alert rules (like 10 failed logins in 5 minutes) and tune them monthly.
  • Assuming that your vendor's firewall or antivirus logs are enough. These tools only see traffic entering/leaving; they miss insider threats and lateral movement. Collect logs from the actual systems being attacked (servers, databases, file shares).
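As an added example (not part of the NIRMATA guide), here is the kind of high-confidence rule the "How to Move Up" steps, the evidence list and the pitfalls above describe: a sliding-window detector that raises one alert when a single source IP produces 5 or more failed logins within 10 minutes, with the threshold and window exposed so the rule can be tuned. The log lines, host names, users and addresses are constructed for the example; it assumes a Linux sshd syslog line and a Windows Security event 4625 flattened to one line per event, which is not a format any particular SIEM emits.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real logs): Linux sshd syslog and Windows 4625 flattened to one line each.
SAMPLE_LOGS = """\
2024-01-15T09:00:01 fileserver sshd[2101]: Failed password for admin from 10.0.0.23 port 51022 ssh2
2024-01-15T09:01:40 fileserver sshd[2110]: Failed password for admin from 10.0.0.23 port 51031 ssh2
2024-01-15T09:02:05 fileserver sshd[2115]: Failed password for root from 10.0.0.23 port 51040 ssh2
2024-01-15T09:03:30 fileserver sshd[2120]: Failed password for admin from 10.0.0.23 port 51052 ssh2
2024-01-15T09:04:10 fileserver sshd[2128]: Failed password for admin from 10.0.0.23 port 51060 ssh2
2024-01-15T09:04:55 fileserver sshd[2131]: Accepted password for priya from 10.0.0.41 port 51070 ssh2
2024-01-15T09:30:00 DC01 EventID=4625 TargetUserName=rahul IpAddress=10.0.0.57
"""

SSHD_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+)")
WIN_RE = re.compile(r"^(\S+) \S+ EventID=(\d+) TargetUserName=(\S+) IpAddress=(\S+)")

def parse_line(line):
    """Return (timestamp, source_ip, user, failed) or None for unrecognised lines."""
    m = SSHD_RE.match(line)
    if m:
        ts, verdict, user, ip = m.groups()
        return datetime.fromisoformat(ts), ip, user, verdict == "Failed"
    m = WIN_RE.match(line)
    if m:
        ts, event_id, user, ip = m.groups()
        return datetime.fromisoformat(ts), ip, user, event_id == "4625"
    return None

def detect_bursts(lines, threshold=5, window_minutes=10):
    """Return one (ip, time, count) alert per burst of `threshold` failures from one IP.
    The window is cleared after each alert, so a sustained attack raises one alert per
    `threshold` failures rather than one per event (the alert flood the pitfalls warn of)."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or not parsed[3]:
            continue  # unknown format or a successful login
        ts, ip, _user, _failed = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ip, ts, len(q)))
            q.clear()
    return alerts
```

Run `detect_bursts(SAMPLE_LOGS.splitlines())` to see the single alert for 10.0.0.23; lower the threshold or widen the window to watch how the alert count changes before committing a rule to production.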
Compliance References

Standard | Relevant Section
DPDP Act 2023 | Section 8 (Purpose Limitation and Lawfulness) and Schedule 2 (reasonable security measures) – businesses must log and monitor access to personal data
CERT-In 2022 | Critical Infrastructure Protection Rules – mandatory logging and audit trails for critical systems; log retention of 180 days minimum
ISO 27001:2022 | A.8.3 (Access Control), A.12.4.1 (Event Logging), Annex A 8.3.3 and 12.4.1 – organizations must log and monitor access to information systems
NIST CSF 2.0 | Detect (DE) function, specifically DE.AE-1 (audit and event logging), DE.AE-3 (event detection), DE.CM-1 (network monitoring)

Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.
TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security
