Effective Security Policy Management – Part 6

Part 6. A Verified Audit Trail

Security policy documents will not be effective unless they are read and understood by every member of each document's intended audience. For some documents, such as Internet Acceptable Use or Code of Conduct, the target audience is likely the entire organization. Each policy document should have a corresponding "audit trail" that shows which users have read and acknowledged the document, including the date of acknowledgment. This audit trail should reference the specific version of the policy, so that you can later establish which version of a policy was in force during which time period, and which version a given user had actually acknowledged at that time.

For smaller organizations, this audit trail can be a simple manila folder with signature pages. For large organizations, automated policy management tools can build the audit log automatically as users interact with the policy documents via a secure intranet site. Whatever form it takes, the trail should be protected against alteration after the fact, because its only value is as evidence. In any case, your goal is to be able to verify that each and every person handling information within your organization has read and understood the security policies that apply to them.

Pay special attention to privacy laws when compiling audit logs of any user actions within your organization. Collect only what the audit needs (who acknowledged which document, which version, and when) and do not save unnecessary sensitive personal information about the user alongside it. In some EU countries, such as Germany, even collecting basic log data on user activities can by itself raise privacy-law concerns, so check the local rules before switching on automated logging.
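As an added illustration of the record design described above (not code from the original article or from any particular policy management product), the following Python module keeps a minimal acknowledgment trail: each record stores only the user identifier, the document name, a version identifier and a timestamp; the version identifier is a hash of the exact policy text the user was shown, so a later edit to the policy cannot be silently matched to an old acknowledgment; and the records are hash-chained so that any change to an earlier record is detectable on verification. The class name, the `AUP` document name, the sample users and the timestamps are constructed for the example and are assumptions, not part of the original text.

```python
"""Minimal tamper-evident policy acknowledgment trail (illustrative example)."""
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first entry (assumed convention)


def policy_version_id(policy_text: str) -> str:
    """Version identifier derived from the exact text the user was shown.

    Any edit to the policy yields a new id, so an acknowledgment can never be
    re-pointed at a later revision without the user seeing the new text.
    """
    return hashlib.sha256(policy_text.encode("utf-8")).hexdigest()[:16]


def _entry_digest(entry: dict) -> str:
    """Digest over every field except the entry's own hash, in canonical key order."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()


class AcknowledgmentTrail:
    """Append-only, hash-chained record of who acknowledged which policy version and when."""

    def __init__(self):
        self.entries = []

    def record(self, user_id: str, policy: str, version_id: str, acknowledged_at: str) -> dict:
        # Data minimisation: only who, which document, which version, when.
        # No IP address, browser fingerprint, reading time or other activity data.
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "user_id": user_id,
            "policy": policy,
            "version": version_id,
            "acknowledged_at": acknowledged_at,  # ISO 8601 UTC, e.g. 2024-01-10T09:00:00Z
            "prev": prev,
        }
        entry["hash"] = _entry_digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (True, n) if every link is intact, else (False, index of first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or e["hash"] != _entry_digest(e):
                return False, i
            prev = e["hash"]
        return True, len(self.entries)

    def outstanding(self, policy: str, version_id: str, audience) -> list:
        """Members of the target audience who have not acknowledged this exact version."""
        acked = {e["user_id"] for e in self.entries
                 if e["policy"] == policy and e["version"] == version_id}
        return sorted(set(audience) - acked)

    def version_acknowledged_at(self, policy: str, user_id: str, when: str):
        """Version of `policy` that `user_id` had most recently acknowledged as of `when`.

        Timestamps are compared as ISO 8601 UTC strings of identical format, which
        sort chronologically; returns None if the user had acknowledged nothing yet.
        """
        hits = [e for e in self.entries
                if e["policy"] == policy and e["user_id"] == user_id
                and e["acknowledged_at"] <= when]
        if not hits:
            return None
        return max(hits, key=lambda e: e["acknowledged_at"])["version"]


def demo():
    """Build a small constructed trail: two policy revisions, three-person audience."""
    v1 = policy_version_id("Internet Acceptable Use Policy, revision 1 (constructed sample text)")
    v2 = policy_version_id("Internet Acceptable Use Policy, revision 2 (constructed sample text)")
    audience = ["alice", "bob", "carol"]
    trail = AcknowledgmentTrail()
    trail.record("alice", "AUP", v1, "2024-01-10T09:00:00Z")
    trail.record("bob", "AUP", v1, "2024-01-11T14:30:00Z")
    trail.record("alice", "AUP", v2, "2024-03-02T08:15:00Z")  # only alice has seen revision 2
    return trail, v1, v2, audience


if __name__ == "__main__":
    trail, v1, v2, audience = demo()
    print("chain intact:", trail.verify())
    print("still to acknowledge revision 2:", trail.outstanding("AUP", v2, audience))
    print("alice's version in force on 2024-02-01:",
          trail.version_acknowledged_at("AUP", "alice", "2024-02-01T00:00:00Z") == v1)
```

`outstanding` is the check the paragraph above asks for: given the current version and the intended audience, it lists who has not yet acknowledged that exact text. `version_acknowledged_at` answers the "which version was in force for this user at that time" question, and `verify` is what makes the trail usable as evidence: a back-dated or altered record breaks the chain at that entry. In a real deployment the chain head would additionally be signed or written to a separate, append-only store so that an attacker who can rewrite the whole file cannot simply re-chain it.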