In the age of privacy nightmares, many employees are wondering why their organizations needs user activity monitoring in the first place.
Many organizations wonder why you need to monitor users when you have controlled what they have access to do. The answer is that privileges always allow room for abuse and very few systems provide granular enough control to come close to solving this issue.
User activity monitoring can address the abuse of privileged access. Any monitoring initiative must start with clear objectives and a charter that has been approved by executive management with the approval of the legal team. The charter must be specific and take into account the governing law in every related jurisdiction. The initiative must also include supervision of the team that will perform the monitoring. Without this level of governance, it is far too easy for even well intentioned programs to violate legal and ethical standards.
- Mitigates the risk of inappropriate staff actions that can increase corporate risk to data theft, breach or downtime
- Reduces the cost of compliance by automating user monitoring (if not performed manually)
- Provides intelligence on how to refine processes and policies to improve security postures.
- Added expense and labor at a time when budgets are tight
- Without sufficient governance, monitoring programs could produce privacy violations.
Any monitoring investments should be matched to the level of risk and the risk tolerance of the organization. The organization should start by clarifying the objectives of the program. Next, a charter and governance plan would be provided based on those objectives. With this in place the team would initiate monitoring to address a specific risk, allowing for initial success. From there the organization would expand the program to the extent required to meet the organizational objectives.
Active Directory monitoring is a common initial monitoring initiative. It is also common to leverage Security Information Event Management (SIEM) systems for user monitoring. SIEM is either used as the primary tool leveraging event logs or to provide additional analysis across both event logs and information from platform specific monitoring technologies.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.