Deciding whether to audit user activity
Just as it is important to protect assets and resources from unauthorized access, it is equally important to track what users who have permission to access those resources are doing or have done in the past. For users who have privileged access to computers and applications with sensitive information, auditing their actions helps ensure accountability and improve regulatory compliance.
There are many reasons for organizations to establish auditing policies and enable auditing of user activity. For example, you might want to audit activity for any of the following reasons:
- To prove certain computers or applications are secure in order to comply with government or industry regulatory requirements.
- To report on actions taken by users with elevated privileges.
- To prevent the use of shared passwords when more than one person needs administrative access to a computer or an application.
- To improve accountability when users with elevated permissions have access to privileged resources.
- To detect suspicious activity and mitigate the threat posed by malicious insiders or third parties who have access to sensitive systems.
- To pinpoint actions that may have caused failures and simplify troubleshooting procedures.
- To capture information, such as the steps that resolved an open case, that can be used to help your organization improve its helpdesk operations or security procedures.