Tracking Data Access
Custodians of data have a responsibility to protect the data under a multitude of laws, regulations, and good operating principles. Knowing who accessed data, when, and under what conditions is important and sometimes required in a situation where a possible data breach is being investigated. In the case of a confirmed data breach, by law some of this information must be disclosed to the person whose data was breached. All the information that could be obtained about data access could be useful in investigating improper handling of data.
A System Detective rule may be configured to track the accesses to files. The rule specifies an identifier and may be qualified by a large selection of qualifiers to reduce false triggers. When the rule is violated a security event is recorded in the System Detective security database. The rule specifies the various actions to be taken when the rule is violated.
For example, a rule could be configured to take action based on opening the payroll files for write access by anyone outside of accounting and human resources personnel. The actions might include sending email to the security group and logging the user out of the system. A second rule could be configured to take action if an account which normally would access the files during business hours accesses the files after business hours. The actions for that rule might include sending an email and logging the user session. Both rules would, of course, create a security event in the System Detective security database.