If you install new servers, cloud storage, or point-of-sale systems without updating monitoring, attackers can hide in these blind spots and steal customer data or financial records. A Delhi manufacturing firm added a cloud accounting system but forgot to monitor it; fraudsters accessed invoices and changed bank details, costing ₹8 lakhs before discovery. Without monitoring on new systems, you cannot detect breaches quickly, you fail compliance audits from customers or the RBI, and you lose the trust of clients who rely on you to protect their data.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You have no formal list of your systems and no monitoring tools running at all. When IT staff add a new printer, laptop, or software, nobody documents it or checks what data flows through it.
Initial
You have some monitoring tools (maybe antivirus on a few machines or basic firewall logs), but when new systems arrive, you forget to include them in the monitoring scope. A new payment gateway sits unmonitored for months.
Developing
You have a basic IT inventory (a spreadsheet of servers and key software) and you manually update monitoring rules when something major changes, but this happens inconsistently and weeks after installation.
Defined
You maintain a documented list of all systems and whenever IT deploys something new, a checklist reminds you to update monitoring within a few days. Monitoring configuration changes are tracked in a logbook.
Managed
All system changes go through a formal change management process; monitoring tools are updated automatically or within 24 hours of deployment, and you have a quarterly audit to catch any gaps in coverage.
Optimised
System changes trigger automated monitoring setup via configuration management tools; monitoring is verified before systems go live; gaps are detected and corrected within hours; dashboards show 100% coverage of all business systems.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | List all your current systems (servers, laptops, cloud services, printers, payment terminals, CCTV, access card readers) on a single Google Sheet or spreadsheet and install one basic monitoring tool like Windows Defender (free) or Wazuh (free open-source agent) on at least your core servers | IT Administrator or owner | 3 days |
| 1 → 2 | Create a simple one-page 'New System Checklist' that includes: (1) add system to inventory, (2) enable monitoring agent/logs, (3) test alerts, (4) date completed. Require the IT person to sign and date it for each deployment | IT Administrator | 1 week |
| 2 → 3 | Expand the checklist into a formal Change Log document with columns: system name, installation date, monitoring tool used, date monitoring enabled, responsible person, sign-off. Review it monthly in a team meeting | IT Administrator and Business Owner | 2-3 weeks |
| 3 → 4 | Implement a change management request form (template in email or simple web form); require IT to test monitoring alerts on new systems before they go live; conduct quarterly audits to verify all systems in inventory are actively monitored | IT Administrator and designated Reviewer (could be owner or external consultant) | 4-6 weeks |
| 4 → 5 | Integrate system deployment with monitoring provisioning via infrastructure-as-code tools (Ansible, Terraform); set up automated alerts if a system is added to inventory but monitoring is not enabled within 24 hours; run continuous compliance checks monthly | IT Administrator and possibly Cloud/DevOps role | Ongoing—2-3 hours per month for tuning and review |
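One way to run the coverage check that steps 3 → 4 and 4 → 5 call for, as an added example that is not part of the original page: it reconciles an inventory export against the hosts a monitoring tool reports and flags any system still without an agent 24 hours after it was added. The CSV column names, the hostnames and the 24-hour staleness threshold for silent agents are assumptions, and the sample data is constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample: inventory export (the spreadsheet from step 0 -> 1).
INVENTORY_CSV = """hostname,owner,added_on
acct-cloud-01,finance,2024-05-01T10:00:00
pos-term-07,retail,2024-05-03T09:00:00
vpn-gw-02,contractor,2024-05-03T20:00:00
file-srv-01,it,2024-01-15T08:00:00
"""
# Constructed sample: hosts the monitoring tool knows, with last agent check-in.
AGENTS_CSV = """hostname,last_seen
acct-cloud-01,2024-05-04T11:55:00
file-srv-01,2024-04-20T02:00:00
cctv-nvr-01,2024-05-04T11:50:00
"""

GRACE = timedelta(hours=24)  # page's target: monitoring enabled within 24 hours
STALE = timedelta(hours=24)  # assumption: an agent silent this long is not monitoring

def _load(text, time_field):
    """Map normalised hostname -> timestamp from a CSV export."""
    return {row["hostname"].strip().lower(): datetime.fromisoformat(row[time_field])
            for row in csv.DictReader(io.StringIO(text))}

def coverage_gaps(inventory_csv, agents_csv, now):
    """Classify every inventory host and list monitored hosts missing from inventory."""
    inventory = _load(inventory_csv, "added_on")
    agents = _load(agents_csv, "last_seen")
    report = {"unmonitored_overdue": [], "within_grace": [], "stale_agent": []}
    for host, added in sorted(inventory.items()):
        if host not in agents:
            key = "unmonitored_overdue" if now - added > GRACE else "within_grace"
            report[key].append(host)
        elif now - agents[host] > STALE:
            report["stale_agent"].append(host)
    # Agents reporting from hosts nobody recorded: the inventory itself has a gap.
    report["not_in_inventory"] = sorted(set(agents) - set(inventory))
    gaps = sum(len(report[k]) for k in ("unmonitored_overdue", "within_grace", "stale_agent"))
    report["coverage_pct"] = round(100 * (len(inventory) - gaps) / len(inventory), 1) if inventory else 0.0
    return report

if __name__ == "__main__":
    now = datetime(2024, 5, 4, 12, 0)  # fixed time so the sample output is repeatable
    for name, value in coverage_gaps(INVENTORY_CSV, AGENTS_CSV, now).items():
        print(f"{name}: {value}")
```

Hosts under `unmonitored_overdue` and `stale_agent` are the ones to alert on; the dated output can be filed as the coverage audit record.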
Documents and records that prove your maturity level.
- Documented inventory list of all IT systems (servers, workstations, cloud services, network devices, cameras, payment terminals) with installation dates
- Change management log or form showing each new system/service added, date monitoring was enabled, and who approved it
- Monitoring tool configuration documentation showing which systems are being monitored and what rules/alerts are active for each
- Monthly or quarterly monitoring coverage audit report confirming all systems in inventory are actually being monitored
- Records of monitoring tool updates or agent deployments tied to specific system change dates (e.g., logs from Wazuh, Datadog, or your firewall showing when rules were added)
Prepare for these questions from customers or third-party reviewers.
- "Walk me through your process when a new server or cloud service is added—how do you ensure monitoring is turned on?"
- "Show me your system inventory. Now show me evidence that each system on this list is actually being monitored today."
- "When did you last add a new system to your network? When was monitoring enabled for it, and how did you verify it was working?"
- "If I scan your network right now, will I find any systems that exist but are not included in your monitoring setup?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Keep a live list of all systems so you know what should be monitored | Google Sheets or LibreOffice Calc (free, cloud-based, shareable) | Jira Service Management (₹20,000–50,000/year) or Microsoft Intune (₹3,000–5,000 per device/year) |
| Monitor servers and workstations for security events and suspicious activity | Wazuh (open-source agent, self-hosted), osquery (Facebook's tool, free) | Datadog (₹5,000–15,000/month), Splunk Enterprise (₹8,00,000+/year), Microsoft Defender for Endpoint (₹4,000–6,000/device/year) |
| Automate provisioning of monitoring when systems are deployed | Ansible (free, open-source automation), Terraform (free tier available) | HashiCorp Terraform Cloud (₹0–10,000/month), AWS Systems Manager (₹0 for basic, ₹5–10 per node for advanced) |
- Treating new systems as 'temporary' or 'low-risk' and delaying monitoring setup—a new cloud app for 'testing' often stays unmonitored for years and becomes a permanent shadow-IT risk
- Monitoring tools installed but not configured for new systems—the tool exists but no alerts are set up, so breaches go undetected (a common trap in India where budget is tight and setup is 'deferred')
- Ownership ambiguity—when IT staff leave or transition, nobody knows which systems are being monitored; a contractor sets up a VPN server that nobody in the permanent team tracks, creating a hidden entry point
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8(3) – requirement to implement reasonable security practices to prevent personal data breach; monitoring systems helps detect and respond to unauthorized access quickly |
| CERT-In 2022 | Indian Computer Emergency Response Team Guidelines – organizations must implement continuous monitoring of IT infrastructure and detect anomalies; updated monitoring on new systems is explicitly required |
| ISO 27001:2022 | Annex A.8.16 (Monitoring activities) and A.8.6 (Capacity management) – monitoring must cover all information processing resources, and capacity planning must include monitoring updates for new systems |
| NIST CSF 2.0 | Detect (DE) Function – DE.AE-3 requires event data to be aggregated and analyzed; DE.CM-1 requires continuous monitoring of systems and networks, including new deployments |