Create a dedicated log sink for each project that is in scope.

Use a BigQuery dataset with time partitioning enabled as a destination of the log sinks.

Deploy alerts based on log metrics in every project.

Grant the role "Monitoring Viewer" to the security operations team in each project.

Enable network logs and data access logs for all resources in the "Production" folder.

Do not create log sinks to avoid unnecessary costs and latency.

Grant the roles "Logs Viewer" and "Browser" at project level to the security operations team.

Create one sink for the "Production" folder that includes child resources and one sink for the logs ingested at the organization level that excludes child resources.

As destination, use a log bucket with a minimum retention period of 90 days in a project that can be accessed by the security team.

Grant the security operations team the role of Security Reviewer at organization level.