Auditing and Monitoring Regularly?
 
“What was that thing you said about how you could get in trouble if you said you were going to audit/monitor routinely but then didn’t?”
 
What I suggested was that you have to have procedures for routine—daily—internal review of all audit trails. This can, and should, be automated to the greatest extent possible. But logs which are not read routinely, all the time, are worse than a waste of CPU and disk. They can be a positive liability.
 
For example, say you have a policy of routine monitoring of activity and review of logs. The login banner on your systems says so, as a warning to all users. But say you don't actually do routine monitoring or review, and instead do so only when you think someone is misbehaving (not at all routine). And then suppose you find something you consider "evidence of inappropriate action" and decide to take administrative action against a user, perhaps including a termination. Then suppose that user sues for wrongful dismissal, claiming that they were "singled out" for doing something other people were doing, people who were not dismissed.
 
I am not a lawyer, but in my experience, the plaintiff's attorney is likely to be able to demonstrate that you essentially had no policy of routine monitoring, because you didn't actually follow it. Consequently, your actions of monitoring and review in this instance are likely to get you in very hot water.
 
Could be ouch.
 
/jonathan
Weblog Entry
Tuesday, June 26, 2007
 
Entry Notes
Category: Stuff you gotta just do
Event: Typical student request.
Weather: Ahh... summer in MT!
Other Details:
It’s always best to do what you say, and say what you do. Good karma that way.