Create a dedicated log sink for each project that is in scope.

Use a BigQuery dataset with time partitioning enabled as a destination of the log sinks.

Deploy alerts based on log metrics in every project.

Grant the role "Monitoring Viewer" to the security operations team in each project.

Create one log sink at the organization level that includes all the child resources.

Use as destination a Pub/Sub topic to ingest the logs into the security information and event. management (SIEM) on-premises, and ensure that the right team can access the SIEM.

Grant the Viewer role at organization level to the security operations team.

Enable network logs and data access logs for all resources in the "Production" folder.

Do not create log sinks to avoid unnecessary costs and latency.

Grant the roles "Logs Viewer" and "Browser" at project level to the security operations team.

Create one sink for the "Production" folder that includes child resources and one sink for the logs ingested at the organization level that excludes child resources.

As destination, use a log bucket with a minimum retention period of 90 days in a project that can be accessed by the security team.

Grant the security operations team the role of Security Reviewer at organization level.