Sample Local Data Audit Policy
This sample illustrates the general considerations an organisation needs to undertake in respect of creating the comprehensive archive to which the Codel Audit Trail Protection protocols will add their "assurance layer". Many organisations will already have comprehensive archiving in place and robust security around the storage; they will have the least to do to implement the protocols.
The policy should begin by stating the formalities...
(Name of Organisation) agrees to implement a Digital Data Audit Policy with effect from (implementation date).
Data Requiring Audit (DRA)
1. All Financial Data
2. All External Contract Data
3. All other documents and emails which are subject to any security classification above "Unrestricted"
4. Digital logs of incoming and outgoing voice traffic (Call Logging)
5. Digital Activity Logs for all Network transactions (Local or External)
6. All digital records of non-digital alarms or security related incidents
7. All requests for any of the above which do not originate from the authors of the data or their recognised departments
Individuals Responsible for items 1 - 4 above
- Financial Data: eg list of names in "Accounts" or reference to Departmental lists
- Contracts: eg list of names in "Legal" or reference to Departmental lists
- Classified Documents: eg list of names or Grades/Job titles or reference to Departmental lists
- Call Logging: eg list of names in "Telesales", "Support" etc or reference to Departmental lists
- Digital Logs: eg IT staff names, Grades/Job titles or reference to Departmental lists
- Non-Digital Incidents: eg list (managers etc) responsible for creating digital records of such incidents
Relevant Software Applications
- Financial Data: eg Accounting Software (name, version etc); Spreadsheet Software; Other
- Contracts: eg Word Processors; Email Clients; Other
- Classified Documents: eg Word Processors; Email Clients; Other
- Call Logging: eg Call Logging Software; Other
- Digital Logs: eg Network Operating System; Firewall software; Antivirus software; Other
- Non-Digital Incidents: eg Word Processors; Other
The Audit Period
Is defined as each working day. Snapshots will be stored by the day and the Audit Hierarchy will be used to create a Master Document Hash for each day as described in the Codel documentation. This MDH will be submitted to the Codel database either last thing each working day or first thing the following day (for the period just completed).
Snapshot Storage
Will take place in a dedicated area on the Company Network to which all relevant individuals will be given Read and Create access, but not Edit access.
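The daily snapshot and Master Document Hash steps above, as an added illustration that is not Codel's code and does not reproduce Codel's own Audit Hierarchy: it assumes a per-day snapshot directory with one sub-directory per DRA category, SHA-256 throughout, and a two-level tree (file → category → day), and shows that altering one stored record changes only that category's hash and the MDH.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed layout (not Codel's): <root>/<YYYY-MM-DD>/<DRA category>/<files>.
# Each category is one node of the Audit Hierarchy; the day is the root.

def file_hash(path: Path) -> str:
    """SHA-256 of one snapshot file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def node_hash(entries: list[tuple[str, str]]) -> str:
    """Hash of a node: its children's (name, hash) pairs in sorted order,
    length-prefixed so renamed or re-split entries cannot collide."""
    h = hashlib.sha256()
    for name, digest in sorted(entries):
        h.update(len(name).to_bytes(4, "big") + name.encode("utf-8"))
        h.update(bytes.fromhex(digest))
    return h.hexdigest()

def build_audit_hierarchy(day_dir: Path) -> dict:
    """Per-category hashes plus the day's Master Document Hash (MDH)."""
    categories = {}
    for cat_dir in sorted(p for p in day_dir.iterdir() if p.is_dir()):
        files = [(f.relative_to(cat_dir).as_posix(), file_hash(f))
                 for f in sorted(cat_dir.rglob("*")) if f.is_file()]
        categories[cat_dir.name] = node_hash(files)
    return {"categories": categories, "mdh": node_hash(list(categories.items()))}

def run_demo() -> tuple[dict, dict]:
    """Constructed sample day; returns the hierarchy before and after one
    ledger entry is altered (only 'financial' and the MDH should change)."""
    with tempfile.TemporaryDirectory() as tmp:
        day = Path(tmp) / "2024-01-15"
        (day / "financial").mkdir(parents=True)
        (day / "call-logging").mkdir()
        (day / "financial" / "ledger.csv").write_text("inv-001,1200.00\n")
        (day / "call-logging" / "calls.log").write_text("09:01 outbound ext 204\n")
        before = build_audit_hierarchy(day)
        (day / "financial" / "ledger.csv").write_text("inv-001,120.00\n")
        after = build_audit_hierarchy(day)
    return before, after

if __name__ == "__main__":
    b, a = run_demo()
    print("MDH before:", b["mdh"], "\nMDH after: ", a["mdh"])
```

Because the MDH depends only on relative names and file contents, the same snapshot produces the same MDH wherever the storage area is mounted, which is what lets the value submitted to the Codel database be re-derived later from the archive.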
Accountability
(The Management hierarchy of responsibility for the implementation and operation of this policy.)
Manual Procedures and Automation
- List of Software customised to automate production of snapshot data
- List of data and applications where customisation not possible but external software fulfils the snapshot task automatically
- List of data and applications where customisation not possible but external software can fulfil the snapshot task manually
- List of data and applications where only manual procedures can create the snapshot data.
Exceptions
- List any internal workstations where DRA is produced but there is no connection to the corporate network or the Internet
- List any individuals who are authorised to produce DRA material from outside corporate premises (eg directors or managers working on Laptops at home or on the road)
- Other
- Specify procedures designed to deal with these exceptions, eg:
  - Automation or semi-automation on the individual's laptop or home station;
  - Scheduled secure VPN connections to upload snapshot data across the internet;
  - Scheduled visits, either by the individual bringing the laptop into IT staff for upload of snapshot data, or by IT staff visiting the individual's home to retrieve snapshot data manually (if, for example, a VPN connection is not possible or bandwidth is inadequate for upload).