Page 1246 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

daily routine, he sees many highly sensitive documents that include the kind of valuable information that can earn a heavy tip or bribe from interested parties. He also corrects the kind of mistakes that could cause serious backlash from his company's clientele because sometimes a minor clerical error can cause serious issues for a client's entire project.

Whenever Duane touches or transfers such information on his workstation, his actions leave an electronic trail of evidence that his supervisor, Nicole, can examine in the event that Duane's actions should come under scrutiny. She can observe where he obtained or placed pieces of sensitive information, when he accessed and modified such information, and just about anything else related to the handling and processing of the data as it flows in from the source and out to the client.

This accountability provides protection to the company should Duane misuse this information. It also provides Duane with protection against anyone falsely accusing him of misusing the data he handles.




Monitoring and Investigations

Audit trails give investigators the ability to reconstruct events long after they have occurred. They can record access abuses, privilege violations, attempted intrusions, and many different types of attacks. After detecting a security violation, security professionals can reconstruct the conditions and system state leading up to the event, during the event, and after the event through a close examination of the audit trail.

One important consideration is ensuring that logs have accurate time stamps and that these time stamps remain consistent throughout the environment. A common method is to set up an internal Network Time Protocol (NTP) server that is synchronized to a trusted time source such as a public NTP server. Other systems can then synchronize with this internal NTP server.
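The following added example (not from the study guide) shows why consistent time stamps matter when reconstructing events from an audit trail: records from two systems that log in different formats and offsets are normalized to UTC, merged into one timeline, and checked for orderings that causality forbids. All records, system names and field names are constructed for illustration.

```python
"""Build one UTC timeline from audit records written by different systems and
flag records whose ordering is impossible, a sign of clock skew.
Added example for the passage above; every log record is constructed."""
from datetime import datetime, timezone

# Constructed audit records: (system, timestamp as written by that system,
# key=value fields). The workstation logs ISO 8601 with a local UTC offset;
# the file server logs "YYYY-MM-DD HH:MM:SS +zzzz". 'ref' ties a user action
# on the workstation to the server-side operation it caused.
RECORDS = [
    ("workstation", "2024-03-04T09:15:02-05:00", "user=duane action=open file=contract.docx ref=T100"),
    ("fileserver",  "2024-03-04 14:14:58 +0000", "user=duane action=read file=contract.docx ref=T100"),
    ("workstation", "2024-03-04T09:16:40-05:00", "user=duane action=save file=contract.docx ref=T101"),
    ("fileserver",  "2024-03-04 14:16:41 +0000", "user=duane action=write file=contract.docx ref=T101"),
]

def parse_record(system, ts_text, fields):
    """Convert a record to a dict with a timezone-aware UTC timestamp."""
    if system == "workstation":
        ts = datetime.fromisoformat(ts_text)
    else:
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S %z")
    rec = {"system": system, "utc": ts.astimezone(timezone.utc)}
    rec.update(kv.split("=", 1) for kv in fields.split())
    return rec

def build_timeline(records):
    """Normalize all records to UTC and order them as an investigator would."""
    return sorted((parse_record(*r) for r in records), key=lambda r: r["utc"])

def find_skew(timeline):
    """Return {ref: seconds} where the server-side event is logged *before*
    the workstation action that caused it. Causality says the client action
    comes first, so a negative gap can only be clock skew or a tampered log."""
    by_ref = {}
    for rec in timeline:
        by_ref.setdefault(rec["ref"], {})[rec["system"]] = rec["utc"]
    skew = {}
    for ref, ev in by_ref.items():
        if "workstation" in ev and "fileserver" in ev:
            gap = (ev["fileserver"] - ev["workstation"]).total_seconds()
            if gap < 0:
                skew[ref] = -gap
    return skew

if __name__ == "__main__":
    tl = build_timeline(RECORDS)
    for rec in tl:
        print(rec["utc"].isoformat(), rec["system"], rec["action"], rec["ref"])
    # With unsynchronized clocks the timeline shows the file being read before
    # the user opened it; hosts synchronized to one NTP source avoid this.
    print("suspected skew (seconds):", find_skew(tl))
```

In the constructed data the file server's clock runs about four seconds behind the workstation's, so transaction T100 appears out of order while T101 does not; the same check generalizes to any pair of systems whose records share a correlation field.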

               NIST operates several time servers that support authentication. Once