Local Data Audit Policy

The purpose of the policy is for the organisation to make conscious choices about what data needs to be captured to an audit trail, to agree the mechanisms by which this is done, and to decide who is accountable for ensuring that it is done. The main questions which need consideration are:

Data Requiring Audit (DRA)

Here the organisation defines the data which will be subject to the Audit Trail Protection protocol. Typical examples include financial data, external contract data, call logs and network access logs.

Individuals Responsible for DRA

Those who create the data on a day to day basis and those technically responsible for the archiving system are identified here. In small organisations, this will typically be named individuals. In larger organisations, it will tend to consist of departments and only relevant line management will be named.

Relevant Software Applications

An itemised list of the software which will need plugins or other interface software to capture the DRA automatically.

The Audit Period

The period covered by each archive snapshot (typically 24 hours; the sample policy below uses each working day).

Local Storage

This refers to the formal designation of both Transient Secure Audit Locations (TSAL) and Permanent Secure Audit Locations (PSAL). The Transient area is where data is stored during the Audit Period. The Permanent area is where that data is moved at the end of the Audit Period, so that the Transient area is cleared ready for the next Audit Period. The security controls protecting both Audit Locations are also defined at this point.

While a file exists in the TSAL, its authors (and, optionally, others) can amend or delete it. Once the file is moved to the PSAL it can only be read, not amended or deleted. As some documents take many days to draft, this implies the need for an "editing" area and a "draft" status for documents which should only be captured to the audit trail once complete.

Accountability

Specify the hierarchy of responsibility for the implementation and operation of this policy.

Manual Procedures and Automation

Itemised list of what can and cannot be automated and the manual procedures and checks which will deal with collection of data that cannot be automated.

Exceptions

Those people or workstations which produce DRA but which, for some reason, cannot be covered by the standard procedures, together with the procedures that will be implemented to capture their DRA instead.

A more detailed sample outline Local Data Audit Policy can be found here:
Outline Sample Local Data Audit Policy [link required]

This sample illustrates the general considerations an organisation needs to undertake in respect of creating the comprehensive archive to which the Codel Audit Trail Protection protocols will add their "assurance layer". Many organisations will already have comprehensive archiving in place and robust security around the storage. They will have the least to do to implement the protocols.

The policy should begin by stating the formalities...

(Name of Organisation) agrees to implement a Digital Data Audit Policy with effect from (implementation date).

Data Requiring Audit (DRA)


   1. All Financial Data
   2. All External Contract Data
   3. All other documents and emails which are subject to any security classification above "Unrestricted"
   4. Digital logs of incoming and outgoing voice traffic (Call Logging)
   5. Digital Activity Logs for all Network transactions (Local or External)
   6. All digital records of non-digital alarms or security related incidents.
   7. All requests for any of the above which do not originate from the authors of the data or their recognised departments.

Individuals Responsible for items 1 - 6 above

   1. Financial Data
      eg List of names in "Accounts" or reference to Departmental lists
   2. Contracts
      eg List of names in "Legal" or ref to Departmental lists
   3. Classified Documents
      eg List of names or Grades/Job titles or ref to Departmental lists
   4. Call Logging
      eg List of names in "Telesales", "Support" etc or ref to Departmental lists
   5. Digital Logs
      eg IT staff names, Grades/Job titles or ref to Departmental lists
   6. Non-Digital Incidents
      eg List (managers etc) responsible for creating digital records of such incidents

Relevant Software Applications

   1. Financial Data
      eg Accounting Software (name, version etc); Spreadsheet Software; Other
   2. Contracts
      eg Word Processors; Email Clients; Other
   3. Classified Documents
      eg Word Processors; Email Clients; Other
   4. Call Logging
      eg Call Logging Software; other
   5. Digital Logs
      eg Network Operating System; Firewall software; Antivirus software; Other
   6. Non-Digital Incidents
      eg Word Processors; Other

The Audit Period


Is defined as each working day. Snapshots will be stored by the day and the Audit Hierarchy will be used to create a Master Document Hash (MDH) for each day, as described in the Codel documentation. The MDH will be submitted to the Codel database either last thing each working day or first thing the following day (for the period just completed).

Snapshot Storage

Will take place in a dedicated area on the Company Network to which all relevant individuals will be given Read and Create access, but not Edit access. Note that "Create without Edit" must also deny rename and delete on existing files; otherwise a snapshot can be replaced by deleting it and creating a new file of the same name, which defeats the point of the permanent area.
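The two steps above, snapshot to MDH and a later re-check of the permanent area, as an added example for this page. This is illustrative code, not Codel's own implementation or its documented hash layout; the directory names, file names, sample contents and the pairwise hash tree used as the "Audit Hierarchy" are all assumptions.

```python
"""Added example for this page (not Codel's code): build a day's Master Document
Hash (MDH) from a snapshot directory as a hash tree, then re-verify a permanent
snapshot against the recorded manifest and MDH. Directory layout, file names and
the pairwise tree shape are assumptions for illustration."""
import hashlib
import tempfile
from pathlib import Path


def file_hash(path: Path) -> str:
    """SHA-256 of a file's content, read in chunks so large archives are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_manifest(root: Path) -> dict[str, str]:
    """Relative POSIX path -> content hash for every regular file under root."""
    return {p.relative_to(root).as_posix(): file_hash(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def master_document_hash(manifest: dict[str, str]) -> str:
    """Fold the manifest into one root hash (an assumed form of the Audit Hierarchy).

    Each leaf binds the path to its content hash, so renaming a file changes the
    root just as editing it does. Leaves are sorted so the result does not depend
    on directory walk order; an odd trailing leaf is duplicated, and an empty
    snapshot gets a fixed sentinel so it is distinguishable from a missing day.
    """
    leaves = [hashlib.sha256(f"{path}\0{digest}".encode()).digest()
              for path, digest in sorted(manifest.items())]
    if not leaves:
        return hashlib.sha256(b"empty-snapshot").hexdigest()
    while len(leaves) > 1:
        if len(leaves) % 2:
            leaves.append(leaves[-1])
        leaves = [hashlib.sha256(leaves[i] + leaves[i + 1]).digest()
                  for i in range(0, len(leaves), 2)]
    return leaves[0].hex()


def verify_snapshot(root: Path, recorded_manifest: dict[str, str],
                    recorded_mdh: str) -> tuple[bool, list[str]]:
    """Recompute the PSAL snapshot and report what differs from the record.

    The manifest says which files were added, removed or changed; the root
    comparison is the check that still holds when the manifest on disk might
    itself have been rewritten, because recorded_mdh is the value that was
    submitted outside the organisation at the end of the Audit Period.
    """
    current = snapshot_manifest(root)
    differences = []
    for path in sorted(set(current) | set(recorded_manifest)):
        if path not in recorded_manifest:
            differences.append(f"added: {path}")
        elif path not in current:
            differences.append(f"removed: {path}")
        elif current[path] != recorded_manifest[path]:
            differences.append(f"changed: {path}")
    ok = master_document_hash(current) == recorded_mdh and not differences
    return ok, differences


def demo() -> dict:
    """Constructed walk-through: snapshot two files, record the MDH, then amend
    one file in the permanent area (which the policy forbids) and detect it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "accounts").mkdir()
        (root / "contracts").mkdir()
        ledger = root / "accounts" / "ledger-2024-05-01.csv"
        ledger.write_text("inv-001,1200.00\n")  # constructed sample data
        (root / "contracts" / "acme-msa.txt").write_text("Master services agreement\n")

        manifest = snapshot_manifest(root)
        mdh = master_document_hash(manifest)  # the value that would be submitted
        ok_before, diff_before = verify_snapshot(root, manifest, mdh)

        ledger.write_text("inv-001,2100.00\n")  # tamper after the period closed
        ok_after, diff_after = verify_snapshot(root, manifest, mdh)

    return {"mdh": mdh, "ok_before": ok_before, "diff_before": diff_before,
            "ok_after": ok_after, "diff_after": diff_after}


if __name__ == "__main__":
    print(demo())
```

The manifest is what makes a failed check actionable (it names the file), but it lives in the same storage as the snapshot, so an attacker with write access to the PSAL can rewrite both. The root comparison against the externally submitted MDH is the part that survives that, which is the "assurance layer" the policy is preparing for.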

Accountability

(The Management hierarchy of responsibility for the implementation and operation of this policy.)

Manual Procedures and Automation

   1. List of Software customised to automate production of snapshot data
   2. List of data and applications where customisation not possible but external software fulfils the snapshot task automatically
   3. List of data and applications where customisation not possible but external software can fulfil the snapshot task manually
   4. List of data and applications where only manual procedures can create the snapshot data.

Exceptions

   1. List any internal workstations where DRA is produced but there is no connection to the corporate network or the Internet
   2. List any individuals who are authorised to produce DRA material from outside corporate premises (eg directors or managers working on Laptops at home or on the road)
   3. Other

Specify procedures designed to deal with these exceptions, e.g.:

   1. Automation or semi-automation on the individual's laptop or home workstation;
   2. Scheduled secure VPN connections to upload snapshot data across the Internet;
   3. Scheduled visits, either by the individual bringing the laptop in to IT staff for upload of snapshot data, or by IT staff visiting the individual's home to retrieve snapshot data manually (if, for example, a VPN connection is not possible or bandwidth is inadequate for upload).
