Monitoring should follow business and security needs as well as applicable legal requirements and regulations. Monitoring should cover networks, systems, application traffic, system access and critical applications, configuration files, security tool logs, event logs, and resource use. The organization should create a profile of expected behavior, configure the monitoring system to identify anomalies against that profile, and use software to automate monitoring and generate alerts based on defined criteria. Relevant parties should be notified of abnormal events, and procedures should exist for handling both positive indicators and false positives. Retention periods for monitoring records should be defined, and personnel should be trained to respond to alerts accurately.