MD-08 · Monitoring & Detection · 6% of OML score

Is there someone responsible for reviewing security or system alerts?

This question asks: Does your company have a specific person whose job includes checking security warning messages (alerts) from your computers, servers, and software? Without someone assigned to look at these warnings, security problems get missed and hackers can steal your data without you noticing.

Why This Matters to Your Business

When security alerts go unreviewed, attackers have time to steal customer data, intellectual property, or financial information before you detect them. A manufacturing company in Gujarat had their production data encrypted by ransomware, but ignored alerts for 3 days—losing ₹15 lakhs in downtime and customer trust. Compliance audits (CERT-In, banks, e-commerce platforms) now mandate alert ownership; failure means audit failure and potential business suspension. Without alert ownership, you cannot prove to customers or regulators that you were monitoring your systems, which damages contracts and reputation.

What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You have no monitoring system in place, or alerts pile up in email inboxes with no one assigned to read them. When a security incident occurs, you discover it by accident—a customer complains, your bank flags suspicious activity, or your system stops working.

Level 1
Initial

Your IT person receives alerts on their personal phone or email, but there is no formal job duty, no log of what they checked, and no escalation process. Alerts are sometimes missed because they are buried in spam or the IT person is on leave.

Level 2
Developing

You have documented that one person (usually IT manager or owner) is responsible for reviewing alerts daily, and they keep a basic log or email folder showing which alerts were seen. Alerts go to a dedicated email or dashboard, but there is no formal escalation or follow-up system.

Level 3
Defined

You have a written alert review procedure naming the responsible person and backup, with a documented daily or shift-based check-in schedule. You maintain a log showing what was reviewed, when, what action was taken, and who approved it.

Level 4
Managed

You have a formal on-call roster with named primary and backup alert reviewers, a documented escalation process, and alerts are tracked in a ticket system or SIEM with automatic assignments. Alerts are categorized by severity and response time targets (e.g., critical within 1 hour).

Level 5
Optimised

Your alert management is automated with intelligent filtering and routing: critical alerts trigger immediate notifications to on-call staff, medium alerts are reviewed within 4 hours, and all responses are logged in an auditable system with metrics tracked monthly. Alert ownership is reviewed in management meetings and improved based on metrics.

How to Move Up — Practical Steps

Step | What to Do | Who | Effort
0 → 1 | Identify one person (IT manager, IT staff, or owner) and tell them verbally that they are now responsible for checking security alerts from your systems (email, antivirus, firewall, servers) at least once per day. | Business owner or IT manager | 1 day
1 → 2 | Create a simple written document (1 page) naming the alert owner, listing where alerts come from (email server, antivirus console, firewall, cloud platforms), and stating that they will review every morning at 9 AM. Set up a dedicated email folder or shared folder to keep alerts organized. | IT manager | 3 days
2 → 3 | Create a simple daily log (spreadsheet or notebook) where the alert reviewer records: date, time, alert type, what it was about, action taken (ignored, fixed, escalated), and their initials. Define which alerts require escalation to the owner or manager. | IT manager and business owner | 1 week
3 → 4 | Set up a free or low-cost ticketing system (Zoho Desk, Jira Free, or Google Forms) to automatically log alerts and track responses. Define response times: critical = 2 hours, high = 4 hours, medium = 1 day. Name a backup reviewer for when the primary is absent. | IT manager with owner approval | 2–4 weeks
4 → 5 | Implement alert filtering and scoring in your monitoring tools (e.g., SIEM, antivirus console, cloud security tools) to reduce false positives. Review alert metrics monthly (total alerts, response time, false positive rate) in a management meeting and update procedures based on findings. | IT manager with external consultant or managed service provider | 1–2 months
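Once the review log from the 2 → 3 step lives in a spreadsheet or ticketing system, the response-time targets from the 3 → 4 step and the monthly metrics from the 4 → 5 step can be checked mechanically rather than by eye. The script below is an added example, not part of the NIRMATA guide or any tool it names; the log entries are constructed, and treating an alert closed as "benign" as a false positive is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
# Response-time targets from the "3 -> 4" step of this guide. "low" has no
# target on the page, so no SLA is checked for it.
SLA = {"critical": timedelta(hours=2), "high": timedelta(hours=4),
       "medium": timedelta(days=1)}

@dataclass
class AlertEntry:
    received: datetime            # when the alert arrived
    reviewed: Optional[datetime]  # when the reviewer acted; None = still open
    severity: str                 # critical / high / medium / low
    source: str                   # antivirus, firewall, email server, ...
    action: str                   # ignored / fixed / escalated / benign / open
    reviewer: str                 # reviewer's initials, "-" if unassigned

def response_time(e: AlertEntry, now: datetime) -> timedelta:
    # An open alert keeps ageing until someone reviews it.
    return (e.reviewed or now) - e.received
def sla_breaches(entries, now):
    """Entries whose response time exceeds the target for their severity."""
    return [e for e in entries
            if e.severity in SLA and response_time(e, now) > SLA[e.severity]]

def monthly_metrics(entries, year, month, now):
    """The numbers the "4 -> 5" step asks management to review each month."""
    in_month = [e for e in entries if (e.received.year, e.received.month) == (year, month)]
    done = [e for e in in_month if e.reviewed is not None]
    hours = [response_time(e, now).total_seconds() / 3600 for e in done]
    benign = sum(1 for e in done if e.action == "benign")  # assumed = false positive
    return {
        "total": len(in_month),
        "open": len(in_month) - len(done),
        "mean_response_hours": round(sum(hours) / len(hours), 2) if hours else 0.0,
        "false_positive_rate": round(benign / len(done), 2) if done else 0.0,
        "sla_breaches": len(sla_breaches(in_month, now)),
    }
# Constructed sample log (not real data): one month of reviews, as of NOW.
NOW = datetime(2025, 3, 31, 18, 0)
SAMPLE_LOG = [
    AlertEntry(datetime(2025, 3, 3, 9, 5), datetime(2025, 3, 3, 10, 0), "critical", "antivirus", "fixed", "RK"),
    AlertEntry(datetime(2025, 3, 10, 22, 30), datetime(2025, 3, 11, 9, 15), "critical", "firewall", "escalated", "RK"),
    AlertEntry(datetime(2025, 3, 12, 14, 0), datetime(2025, 3, 12, 17, 30), "high", "email server", "benign", "AS"),
    AlertEntry(datetime(2025, 3, 18, 8, 0), datetime(2025, 3, 19, 9, 0), "medium", "cloud platform", "benign", "RK"),
    AlertEntry(datetime(2025, 3, 30, 23, 0), None, "high", "server", "open", "-"),
]
if __name__ == "__main__":
    print(monthly_metrics(SAMPLE_LOG, 2025, 3, NOW))
```

Note that the alert still open at month end counts against the SLA because its age keeps growing until it is reviewed, which is exactly the case the backup-reviewer requirement exists for.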
Evidence You Should Have

Documents and records that prove your maturity level.

  • Written role description or job responsibility document clearly stating one person's name and role as 'Alert Reviewer' or 'Security Monitor'
  • Daily or weekly alert review log (spreadsheet, notebook, or ticketing system entries) showing dates, times, alert descriptions, actions taken, and reviewer's name or initials
  • List of alert sources with contact details (e.g., antivirus console URLs, email addresses where alerts arrive, server monitoring dashboard, cloud platform security portals)
  • Escalation procedure document describing who alerts go to if critical/high-severity (e.g., alert reviewer → IT manager → business owner) and response time targets
  • Backup reviewer assignment document or on-call roster showing coverage when the primary alert owner is on leave or unavailable
What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Who in your organization is responsible for reviewing security and system alerts? Can you show me their job description or role assignment?"
  • "How often does this person review alerts, and how do you verify they actually reviewed them? Can you show me your alert review log for the last 30 days?"
  • "What happens when a critical alert is detected? Who do they report it to, and how long is the expected response time?"
  • "What is your procedure if the alert reviewer is sick or on leave? Who is the backup, and how do they know they are on-call?"
  • "Show me examples of alerts you received in the last month and what action was taken on each one. Where do these records exist?"
Tools That Work in India

Purpose | Free Option | Paid Option
Collect and log alerts from antivirus, firewalls, and servers in one place | Windows Event Viewer (built-in), Splunk Free tier (limited), ELK Stack (Elasticsearch, Logstash, Kibana; open source) | Zoho ManageEngine EventLog Analyzer (₹40,000–80,000/year), Splunk Enterprise (₹4–6 lakhs/year), SolarWinds Papertrail (₹30,000–60,000/year)
Track and assign alerts to specific people with response time targets | Zoho Desk Free (up to 3 users), Jira Free tier (limited projects), Google Forms + Sheets (manual) | Zoho Desk Professional (₹40 per user/month), Freshdesk (₹20–40 per agent/month), ServiceNow (₹2–4 lakhs/month for a small organisation)
Centralized monitoring dashboard to view alerts from servers, cloud platforms, and applications in real time | Grafana + Prometheus (open source), Nagios Core (open source), Zabbix (open source) | Datadog (₹80,000–2,00,000/month), New Relic (₹50,000–1,50,000/month), AWS CloudWatch (pay-per-use, typically ₹10,000–30,000/month for an SME)
How This Makes You More Resilient

When someone is formally responsible for reviewing alerts daily, you catch security incidents 10–100 times faster, reducing the damage from data theft, ransomware, or system compromise. You avoid costly downtime and reputation damage because you detect and fix problems before customers are affected. You also pass audits and customer security assessments because you have proof of monitoring and can show decision trails.
Common Pitfalls in India

  • Assuming the IT person 'naturally knows' to check alerts without a written job duty—when they leave or get busy, alerts stop being reviewed and no one else knows they should be checking them. Write it down explicitly.
  • Sending all alerts to a shared inbox or group email with no single owner—alerts disappear into the group and everyone assumes 'someone else' will handle it (common in organizations with 5–20 staff). Assign one named person and a backup.
  • Not distinguishing between alert severity—treating a spam email alert the same as a failed login attempt from a foreign IP wastes time and causes alert fatigue. Define critical, high, medium, low and set response times accordingly.
  • Keeping alert logs in an individual's email or notebook that is not accessible if they leave the company—audit trails are lost and you cannot prove monitoring happened. Use a centralized, backed-up system (cloud, shared drive, or ticketing tool).
  • Ignoring alerts because they seem like 'false alarms'—attackers exploit this; they send many low-level probing alerts before launching a real attack. Every alert should be logged and investigated, even if the conclusion is 'benign.'
Compliance References

Standard | Relevant Section
DPDP Act 2023 | Section 8 (Accountability principle): Data Fiduciary must implement and maintain appropriate measures for security of personal data, including monitoring systems for unauthorized access or processing
CERT-In 2022 | Direction 5: Organizations must implement an intrusion detection system (IDS) or equivalent monitoring, and assign responsibility for alert review and incident response
ISO 27001:2022 | Annex A, A.8.16 (Monitoring activities): Organization shall define and implement monitoring, measurement, analysis, and evaluation processes; A.12.4.1 (Event logging): Log user activities, exceptions, and security events; A.16.1.5 (Response to information security incidents): Assign roles and responsibilities for incident management
NIST CSF 2.0 | Detect (DE) function, category DE.AE-1: A baseline of network operations and expected data flows is established and managed; DE.AE-2: Detected events are collected and correlated from multiple sources and venues; DE.CM-1: The organization monitors systems and assets connected to internal and external networks

The full NIRMATA self-assessment has 191 questions across 12 pillars and produces a maturity score for each.

TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security
