When security alerts go unnoticed, small problems grow into major breaches. An Indian export company ignored firewall alerts about unusual login attempts from abroad; within a week, an attacker stole customer payment data and the company faced ₹50 lakh in recovery costs, customer lawsuits, and lost business. Your bank or insurance partner may also audit you and find you ignored warnings—this can lead to compliance failures, rejected audit reports, and loss of contracts. Without alert review, you won't know if you've been attacked until it's far too late and much more expensive to fix.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You have no security tools sending alerts, or no one knows they exist. Even if warnings appear on screens, no one reads them or takes action on them.
Initial
Someone occasionally looks at security messages when they remember to, but there is no routine or documented process. Alerts pile up in email or logs with no follow-up.
Developing
You have assigned one person to check alerts once or twice a week, and simple issues get fixed. But there is no written procedure, no escalation path, and urgent alerts might still be missed.
Defined
Your IT person checks alerts daily and documents what they found and what they did about it. You have a simple written checklist for handling different types of alerts, and urgent ones get handled first.
Managed
Alerts are automatically collected in a central place; your IT team reviews them daily and escalates serious ones immediately. You have clear documented procedures, roles, and escalation paths. Most issues are fixed within hours.
Optimised
Alerts flow into a monitoring system that highlights urgent threats instantly. Your team responds in minutes, investigations are documented automatically, and alert trends are reviewed monthly to improve your defenses.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | List all security tools your business uses (antivirus, email filter, router, server software) and find where alerts go. Create a simple log file or notebook where you write down alerts you find. | IT staff member or business owner | 2-3 days |
| 1 → 2 | Create a one-page written checklist: what types of alerts exist, who checks them, when (daily/weekly), and what to do if you find one. Assign one person as the alert reviewer. | IT staff member and business owner | 1 week |
| 2 → 3 | Set up a simple central place to see all alerts (e.g., log file, shared spreadsheet, or free monitoring tool like Splunk Free). Add a step-by-step guide for handling high-risk vs. low-risk alerts. Train the IT person to use it daily. | IT staff member | 2-4 weeks |
| 3 → 4 | Implement an automated alert collector (SIEM or managed service) that gathers alerts from all tools, ranks them by severity, and sends urgent ones via SMS or instant message. Document escalation rules (e.g., if alert repeats 3 times, call the manager). | IT staff member or external IT consultant | 1-2 months |
| 4 → 5 | Review alert trends monthly, identify patterns, improve detection rules to reduce false alarms, and test how fast your team responds. Integrate with threat intelligence to catch known attacks faster. Document lessons learned. | IT staff member and senior management | Ongoing (2 hours per month) |
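As an added illustration of steps 2 → 3 and 3 → 4 (example code, not part of the NIRMATA framework or any tool named in this page), the script below puts alerts from several tools into one ranked queue, applies the page's "if alert repeats 3 times, call the manager" rule, and writes the review record an auditor asks for. The alert records, tool names, IP address and reviewer name are constructed sample data.

```python
from collections import Counter

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample alerts, already normalised from three tools
# (firewall, antivirus, email filter) into one record shape.
SAMPLE_ALERTS = [
    {"ts": "2024-03-04 09:10", "tool": "firewall", "severity": "medium",
     "msg": "admin login failed from 203.0.113.5"},
    {"ts": "2024-03-04 09:12", "tool": "firewall", "severity": "medium",
     "msg": "admin login failed from 203.0.113.5"},
    {"ts": "2024-03-04 09:15", "tool": "firewall", "severity": "medium",
     "msg": "admin login failed from 203.0.113.5"},
    {"ts": "2024-03-04 10:02", "tool": "antivirus", "severity": "low",
     "msg": "PUA detected on PC-07, quarantined"},
    {"ts": "2024-03-04 11:30", "tool": "email", "severity": "critical",
     "msg": "credential-phishing mail delivered to 3 users"},
]

def rank_alerts(alerts):
    """Central queue: most severe first, then oldest first."""
    return sorted(alerts, key=lambda a: (SEVERITY_RANK[a["severity"]], a["ts"]))

def escalations(alerts, repeat_threshold=3):
    """Escalation rule: critical alerts, or the same message from the same
    tool seen repeat_threshold times, go to the manager immediately."""
    counts = Counter((a["tool"], a["msg"]) for a in alerts)
    out = {}
    for a in alerts:
        key = (a["tool"], a["msg"])
        if a["severity"] == "critical":
            out[key] = "critical severity"
        elif counts[key] >= repeat_threshold:
            out[key] = f"repeated {counts[key]} times"
    return [{"tool": t, "msg": m, "reason": r} for (t, m), r in out.items()]

def record_review(log, alert, reviewer, action, reviewed_on):
    """Append the audit-evidence record: what, who, when and what was done
    (the action may be 'no threat found'; it must still be written down)."""
    log.append({"tool": alert["tool"], "severity": alert["severity"],
                "alert": alert["msg"], "reviewer": reviewer,
                "reviewed_on": reviewed_on, "action": action})
    return log

def response_rate(log, total_alerts):
    """Share of received alerts with a recorded action, in percent."""
    acted = sum(1 for r in log if r["action"])
    return round(100 * acted / total_alerts, 1) if total_alerts else 0.0
```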
Documents and records that prove your maturity level.
- Alert log or record showing alerts received, who reviewed them, date, and what action was taken (even if action was 'no threat found')
- Written procedure document listing alert types, who reviews them, how often, and escalation steps
- Screenshots or reports showing where alerts are collected (e.g., antivirus dashboard, email security console, firewall logs)
- Example of a high-priority alert that was found and acted on within 24 hours, with documented follow-up
- Monthly or quarterly review summary showing alert trends and any improvements made to reduce false alerts
Prepare for these questions from customers or third-party reviewers.
- "Show me your alert log for the last 3 months. How many alerts did you receive and what percentage did you actually respond to?"
- "Walk me through what happens when a critical security alert comes in. Who gets notified, how fast, and what is the target response time?"
- "Can you give me an example of a real alert your team found and handled? What was the threat and how did you fix it?"
- "How do you prevent your team from missing alerts? Is there a backup person if your main alert reviewer is sick or on leave?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Collect and display security alerts from multiple tools in one central dashboard | Splunk Free (500 MB/day limit, good for small business); Wazuh (open-source SIEM, self-hosted) | Splunk Enterprise (₹15-25 lakh/year); Datadog (₹1-5 lakh/year depending on volume); Elastic Stack (₹5-15 lakh/year) |
| Monitor antivirus and endpoint threats across all computers | Windows Defender (built-in); Kaspersky Free; Avast Free | Kaspersky Small Office Security (₹3000-5000/year); Norton 360 (₹2000-4000/year); Bitdefender Total Security (₹3000-6000/year) |
| Log and alert on suspicious network activity and firewall events | pfSense (open-source firewall with logging); Zeek (network monitoring) | Fortinet FortiGate (₹1-3 lakh/year for SME license); Cisco Meraki (₹2-5 lakh/year); Palo Alto Networks (₹5-10 lakh/year) |
| Send instant notifications (SMS, email, Slack) when critical alerts occur | IFTTT; Zapier (free tier limited); native alerts from antivirus or firewall | Zapier Professional (₹2000/month); PagerDuty (₹8000-15000/month); Opsgenie (₹6000-12000/month) |
| Centralize email security alerts and suspicious message warnings | Built-in email server logs (Exchange, Gmail); Haraka (open-source mail server) | Microsoft Defender for Office 365 (₹500-1000 per user/year); Proofpoint (₹1-3 lakh/year); Mimecast (₹1.5-4 lakh/year) |
- Assuming antivirus alerts are always accurate, when many are false alarms. After seeing dozens of false warnings, your team stops noticing the real ones. Solution: tune your tools to reduce noise so real alerts stand out.
- Alerts pile up but nobody has time to review them because the IT person is busy with other work. Solution: assign clear responsibility and block out alert-review time daily (30 minutes minimum).
- Ignoring alerts from 'non-critical' systems like file servers or printers, then finding those systems were compromised and used to attack your main network. Solution: review all alerts, but rank them by business impact.
- Alert logs deleted or overwritten too quickly, so you lose evidence for audit or legal investigation. Solution: keep at least 90 days of alert history.
- One person holds all alert knowledge; when that person quits or gets sick, nobody can respond to threats. Solution: train a backup and document all procedures clearly.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8(1)(h) - Organizations must implement reasonable safeguards including monitoring and detecting data breaches; Section 4 requires demonstrating accountability including detection and response |
| CERT-In 2022 | Direction 4 (Critical Infrastructure) and Direction 6 (Sectors) require organizations to detect, report and respond to security incidents; General Practices section mandates logging and monitoring of security events |
| ISO 27001:2022 | Annex A.8.16 (Monitoring activities) and A.8.15 (Access control) require logging, monitoring, and review of user activities; Clause 6.2 requires risk management including detection controls |
| NIST CSF 2.0 | Detect Function (DE.AE-1, DE.AE-2): Detect and alert on anomalies and events; Respond Function (RS.RP-1): Respond to detected cybersecurity incidents |
Ready to assess your organisation?
Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.