1. The organization has a clear definition of normal network operations & expected data flows for users & systems.
2. The organization has the capability to collect & correlate events & logs from multiple sources, systems, devices, or applications.
3. The network, physical environment & user activity are actively monitored to detect potential cybersecurity events.
4. The organization reliably knows when a security control has been compromised.
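Items 1 to 3 only become testable when a baseline, a log collector and a correlation rule actually exist. The following is an added example, not part of the checklist above or any vendor product: it encodes a hypothetical baseline of expected data flows (item 1), joins constructed log lines from two sources, a VPN gateway and a host firewall, by the tunnel IP the VPN assigned (item 2), and checks every joined event against the baseline (item 3). The user names, host names, addresses and log formats are all invented for the illustration.

```python
import re

# Item 1: a definition of normal operations. Hypothetical baseline mapping each
# user to the internal hosts they are expected to reach and their working hours.
EXPECTED_FLOWS = {
    "alice": {"hosts": {"db01", "app01"}, "hours": range(7, 19)},
    "bob":   {"hosts": {"app01"},         "hours": range(7, 19)},
}

# Item 2: constructed log lines from two sources, a VPN gateway and a host
# firewall. Neither source alone says which user reached db01; the join does.
VPN_LOG = [
    "08:02 vpn user=alice src=203.0.113.7 assigned=10.0.0.5 action=connect",
    "23:41 vpn user=bob src=198.51.100.9 assigned=10.0.0.6 action=connect",
]
FW_LOG = [
    "08:05 fw src=10.0.0.5 dst=db01 action=allow",
    "23:43 fw src=10.0.0.6 dst=db01 action=allow",
    "23:44 fw src=10.0.0.9 dst=app01 action=allow",
]

VPN_RE = re.compile(r"^(\d\d):\d\d vpn user=(\S+) src=\S+ assigned=(\S+) action=connect$")
FW_RE = re.compile(r"^(\d\d):\d\d fw src=(\S+) dst=(\S+) action=allow$")


def parse_vpn(lines):
    """Map assigned tunnel IP -> (user, login hour). Malformed lines are skipped."""
    sessions = {}
    for line in lines:
        m = VPN_RE.match(line)
        if m:
            sessions[m.group(3)] = (m.group(2), int(m.group(1)))
    return sessions


def correlate(vpn_lines, fw_lines, baseline):
    """Item 3: join firewall flows to VPN sessions by source IP and check each
    event against the baseline. Returns a list of (severity, message)."""
    findings = []
    sessions = parse_vpn(vpn_lines)

    # A login outside the user's normal hours is a deviation on its own.
    for ip, (user, hour) in sessions.items():
        expected = baseline.get(user)
        if expected is None:
            findings.append(("high", f"{user}: VPN login by user with no baseline"))
        elif hour not in expected["hours"]:
            findings.append(("medium", f"{user}: VPN login at {hour:02d}:xx outside expected hours"))

    for line in fw_lines:
        m = FW_RE.match(line)
        if not m:
            continue
        src, dst = m.group(2), m.group(3)
        session = sessions.get(src)
        if session is None:
            # A flow from an address that no VPN session owns cannot be attributed
            # to any user, which is itself a gap in the expected-flow model.
            findings.append(("high", f"unattributed source {src} reached {dst}"))
            continue
        user, _ = session
        expected = baseline.get(user, {"hosts": set()})
        if dst not in expected["hosts"]:
            findings.append(("high", f"{user}: flow to {dst} is not in expected hosts"))
    return findings


if __name__ == "__main__":
    for severity, msg in correlate(VPN_LOG, FW_LOG, EXPECTED_FLOWS):
        print(f"[{severity}] {msg}")
```

Run against the constructed lines, the join surfaces three findings: bob's off-hours login, bob reaching a host outside his baseline, and a flow from an address no VPN session accounts for. The firewall log alone would have shown only allowed traffic, which is the point of item 2: correlation across sources is what turns individually benign records into a detectable event.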