Monitoring & Incident Response Procedure

Version: 0.1.0

Parent Policy: BYOD Security Policy (ISMS-POL-BYOD-01)

Author: Lucas Shin — Security Director

Last Modified: February 18, 2026

1. Purpose

This procedure defines how BYOD-related security events are logged, monitored, and responded to — covering routine monitoring, threat detection, and incident response for device loss, theft, data breach, and malware scenarios.

2. Logging Scope

2.1 What Is Logged

Log Source	What It Captures	Default Retention
Entra ID Sign-in Logs	All authentication attempts (success/failure), CA policy evaluation results, MFA events, location/IP	30 days (exported quarterly to SharePoint)
Intune Compliance Logs	Device compliance status changes (Compliant ↔ Non-compliant), policy evaluation history	30 days (exported quarterly to SharePoint)
Intune Device Actions	Enrollment, selective wipe, retire, sync events	30 days (exported quarterly)
Defender for Endpoint	Malware detections, suspicious activity alerts, vulnerability assessments	180 days (Defender portal)
Entra ID Audit Logs	Admin activities — CA policy changes, user/group changes, app registrations	30 days (exported quarterly)

2.2 Long-term Retention

All logs are exported quarterly to SharePoint for a minimum 12-month retention period, meeting ISO 27001 evidence requirements.

3. Routine Monitoring

Frequency	Action	What to Look For	Owner
Daily	Review Entra ID sign-in logs	Failed sign-ins, sign-ins from unusual locations/IPs, CA policy blocks	Lucas
Daily	Check Defender for Endpoint alerts	Malware detections, high-severity vulnerability alerts	Lucas
Daily	Review Intune Non-compliant devices	Devices that have fallen out of compliance	Lucas
Weekly	Review sign-in risk summary	Trends in risky sign-ins, repeat offenders, geographic anomalies	Lucas
Quarterly	Export all logs to SharePoint archive	Ensure retention compliance	Lucas

4. Threat Detection and Response: Malware

4.1 Detection

Defender for Endpoint continuously monitors enrolled devices for malware and suspicious activity
Alerts are generated in the Defender portal and sent via email to Security Director

4.2 Response Procedure

Step	Action	Owner	Timeline
1	Defender alert received — assess severity (High / Medium / Low)	Lucas	Within 4 hours of alert
2	High severity: Immediately block device access via CA (mark as non-compliant) and notify user	Lucas	Immediate
3	Investigate: Determine scope of threat, affected data, root cause	Lucas	Within 24 hours
4	Remediation: Guide user to remove threat, update OS/apps, or perform selective wipe if needed	Lucas + End User	Within 48 hours
5	Verify device is clean and restore access (re-mark as compliant)	Lucas	After remediation confirmed
6	Document incident in Incident Register	Lucas	Within 72 hours
7	If high severity or data breach: Escalate to CISO	Lucas → Richard	Within 24 hours of confirmation

5. Incident Response: Device Loss or Theft

Step	Action	Owner	Timeline
1	User reports device loss/theft to Security Director via any available channel	End User	Within 24 hours of discovery
2	Security Director initiates selective wipe (work data only) via Intune	Lucas	Immediately upon report
3	Disable user's Entra ID sign-in (block all access) as precaution	Lucas	Immediately
4	Assess data exposure risk: What corporate data was on the device? Was the device encrypted?	Lucas	Within 24 hours
5	If data breach is suspected: Escalate to CISO for breach notification assessment	Lucas → Richard	Within 24 hours
6	If device recovered: Re-evaluate compliance before restoring access	Lucas	As applicable
7	If device not recovered: Remove from Intune, user enrolls replacement device	Lucas + End User	Per Device Lifecycle Procedure
8	Document incident in Incident Register	Lucas	Within 72 hours

Important: Only selective wipe is performed — company cannot and should not perform a full device wipe on BYOD. The user is responsible for their own device recovery/insurance.

6. Incident Response: Data Breach (Suspected)

Step	Action	Owner	Timeline
1	Incident detected or reported (e.g., corporate data found in unauthorized location, user admits to policy violation)	Anyone	Immediately
2	Security Director assesses scope: What data? How much? How sensitive?	Lucas	Within 24 hours
3	Contain: Block affected user/device access, selective wipe if needed	Lucas	Immediately upon assessment
4	Escalate to CISO with incident summary and recommended actions	Lucas → Richard	Within 24 hours
5	CISO determines: External notification required? Legal/regulatory obligations?	Richard	Within 48 hours
6	Root cause analysis and remediation actions	Lucas	Within 7 days
7	Document in Incident Register, update procedures if needed	Lucas	Within 14 days

7. Incident Register

All security incidents must be recorded in the Incident Register with:

Incident date and time
Reporter
Category (malware, device loss, data breach, policy violation, other)
Severity (High / Medium / Low)
Description and affected assets
Actions taken and timeline
Escalation details (if applicable)
Root cause and lessons learned
Status (Open / Resolved / Closed)

The Incident Register is maintained in SharePoint and reviewed quarterly as part of management review.

8. Evidence Retention

Evidence Type	Retention Period	Storage Location
Entra ID sign-in logs	12 months (exported quarterly)	SharePoint
Intune compliance/device action logs	12 months (exported quarterly)	SharePoint
Defender for Endpoint alerts	180 days (portal) + exported quarterly	Defender portal + SharePoint
Incident Register	Minimum 3 years	SharePoint

9. Periodic Review

Quarterly: Review incident register, monitoring effectiveness, log export completeness
Annually: Formal review of incident response procedures, lessons learned, management review input
Post-incident: Ad-hoc review after any High severity incident

[End of Procedure]