EXPERT RESPONSE
The answer to this question is both. The reality is some personal information and email will be logged. Whether it's a server configuration error, a user mistake or a design "feature." If an agency is going to aggressively log network and system activity, this kind of thing is going to happen.
So first, I'd question whether the "policy mandate" is realistic. If that's one of those "non-negotiable" types of policies, then the best bet is to work on configuring the organization's applications, servers and networks to prevent these kinds of issues. At first, it will be necessary to comb through the logs to figure out how and when sensitive data is captured, and then either fix the offending server, or stop pulling those log files. That sounds like a pretty simple answer, but I'm not a fan of making things more complicated than they need to be. I don't believe that tearing through log files ad infinitum is the right answer.
The last suggestion I'd make is to roll the logs frequently. Combing through log files is manual, non-leverageable and not the best use of time. If logs are only kept for a certain period of time, then the possibility of a violation actually happening -- meaning you get caught -- is relatively small. Of course, the window has to be long enough so in the event of an incident there's enough data to appropriately contain and remediate the issue.
For more information:
In this SearchSecurity.com Q&A, security expert Joel Dubin discusses the problems associated with storing void user IDs in an audit history.
Learn how to build a corporate culture of policy compliance.
|
