This policy can be used to employ system-monitoring tools that will automatically email or page IT department personnel in the event of an incident or anomaly.
In this sample, when a security incident has occurred, the affected system must be isolated. This may require shutting down the server or system affected, or it may require shutting down the connections between the affected server or system and other systems. The current system log must then be copied and stored for future reference, and the IT staff must next resolve the problems created by the incident. Before being reconnected to other systems or to the network, IT staff must ensure that access controls are functioning properly.