Audit Trails

The audit trail provides for detection of the actions to be recorded, the actual recording, and auditing support. It provides information for auditors to verify the validity of system controls and the results of processing. The audit trail must be complete, or at least must select what to record in a way that cannot be predicted and that covers all actions that may later have to be audited.

The audit trail has four important security goals:

1. It must allow the review of patterns of access to individual objects, access histories of specific processes and individuals, and the system use of various protection mechanisms.

2. It must allow discovery of repeated attempts to bypass the protection mechanisms.

3. It must allow discovery of any use of privileges that may occur when a user assumes a functionality with privileges greater than his or her own.

4. It must act as a deterrent against habitual attempts to bypass protection mechanisms.

The audit trail is a significant deterrent to fraud. The audit trail allows post-process auditing to reconstruct a sequence of actions: who initiated them, the time, and the results, be selectively and dynamically started and stopped.

Audit trails must also record information about significant security events occurring in the following areas:

1. Interactivity between users of the system and system support personnel.

2. Activity within the IS environment, such as changes to operational security.

3. Internal computer activity.

4. Unsuccessful log on attempts.

For networked (non-standalone) ISs operating in a dedicated mode, only the identity and time of access by each person on the system needs to be recorded. This is because the system administrator has network software which will record important user information. However, other information such as maintenance and repair records, initiation of pertinent security related events, and a description of the hardcopy output must be kept individually.