

Policy Administration

The Investigator displays the following searchable policy administration event records to help ensure the integrity of your implemented policy. For CA ACF2, you configure rules to set policy, and for CA Top Secret, you configure permissions to set policy.

Successful Policy Administration

Includes a record for each time a policy is modified.

Event Code: 41

Policy Administration Violation

Includes a record for each time a user attempts to modify policy and is denied.

Event Code: 42

Note: For a comprehensive list of security events and the event triggers, see the security events chapter in your external security manager documentation.

Example: Identify violations to vital data sources

To protect your employees and comply with various government regulations, you monitor activity for vital data sources, such as the personnel file and payroll file. To do so, you review the violations in the Investigator and compare the count with historical data. Additionally, you drill further into some records to investigate questionable activity.

  1. Add the Investigator module to your dashboard, and click Start New Investigation.
  2. Select Security from the drop-down list.
  3. Select Events, Policy Administration from the folder list.
  4. Click the Filter icon, which resides above the table on the left.
  5. Filter the data by completing the following steps:
    1. Select Event Category Description from the first drop-down list in the center pane.
    2. Select = from the second drop-down, and type Policy Administration Violation.
    3. Specify a start and end date and time for the last week.
    4. Click Search.

      Your Policy Administration Violation events appear for the last week.

  6. Review the count based on the number in the lower-right corner of the center Investigator pane.
  7. Compare this count with historical trends to determine anomalies.
  8. Review individual events on an as-needed basis. Use the actions to determine event ownership (system and user).
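The review in steps 5 through 8 (filter to Policy Administration Violation events for the last week, count them, compare the count with historical weeks, then attribute the individual events to a system and user) can also be run against an export of the same event records. The following is an added example written for this page, not code from CA Compliance Manager or the Investigator; it assumes a flat export where each record carries the event code, the event category description, a timestamp, a system, and a user (the field names and the sample records are constructed), and it uses a mean-plus-two-standard-deviations threshold as the anomaly rule, which is an assumption, since the page only says to compare against historical trends.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

VIOLATION_CATEGORY = "Policy Administration Violation"  # event code 42 on this page

# Constructed sample records. Field names are an assumption about the export
# format; the categories and event codes are the ones this page documents.
SAMPLE_EVENTS = [
    {"event_code": 41, "category": "Successful Policy Administration",
     "timestamp": "2024-03-04T09:12:00", "system": "SYSA", "user": "ADMIN01"},
    {"event_code": 42, "category": VIOLATION_CATEGORY,
     "timestamp": "2024-03-04T10:01:00", "system": "SYSA", "user": "USER17"},
    {"event_code": 42, "category": VIOLATION_CATEGORY,
     "timestamp": "2024-03-05T14:22:00", "system": "SYSB", "user": "USER17"},
    {"event_code": 42, "category": VIOLATION_CATEGORY,
     "timestamp": "2024-03-06T08:45:00", "system": "SYSA", "user": "USER23"},
    {"event_code": 42, "category": VIOLATION_CATEGORY,
     "timestamp": "2024-03-07T16:30:00", "system": "SYSA", "user": "USER17"},
    {"event_code": 42, "category": VIOLATION_CATEGORY,   # outside the review window
     "timestamp": "2024-02-20T11:00:00", "system": "SYSA", "user": "USER05"},
    {"event_code": 41, "category": "Successful Policy Administration",
     "timestamp": "2024-03-07T17:00:00", "system": "SYSB", "user": "ADMIN02"},
]

# Constructed weekly violation counts from earlier reviews (the "historical data").
HISTORICAL_WEEKLY_VIOLATIONS = [1, 0, 2, 1, 1, 0]

# Fixed review window so the example is reproducible; in practice use the last week.
WEEK_END = datetime(2024, 3, 8, 23, 59, 59)
WEEK_START = WEEK_END - timedelta(days=7)


def filter_violations(events, start, end):
    """Step 5: category = Policy Administration Violation, timestamp within [start, end]."""
    return [
        e for e in events
        if e["category"] == VIOLATION_CATEGORY
        and start <= datetime.fromisoformat(e["timestamp"]) <= end
    ]


def is_anomalous(current_count, historical_counts, sigma=2.0):
    """Step 7: flag the week when its count exceeds the historical mean by more
    than `sigma` population standard deviations (assumed threshold, not from the page)."""
    if not historical_counts:
        return False  # nothing to compare against yet
    threshold = mean(historical_counts) + sigma * pstdev(historical_counts)
    return current_count > threshold


def ownership(events):
    """Step 8: count events per (system, user) so the reviewer can see who was denied where."""
    counts = {}
    for e in events:
        key = (e["system"], e["user"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def run_review(events, start, end, historical_counts):
    """Carry out the whole procedure and return the figures a reviewer would record."""
    violations = filter_violations(events, start, end)
    count = len(violations)  # step 6: the count shown in the lower-right corner
    return {
        "count": count,
        "anomalous": is_anomalous(count, historical_counts),
        "ownership": ownership(violations),
    }


if __name__ == "__main__":
    result = run_review(SAMPLE_EVENTS, WEEK_START, WEEK_END, HISTORICAL_WEEKLY_VIOLATIONS)
    print(f"Policy Administration Violations this week: {result['count']}")
    print(f"Anomalous versus history {HISTORICAL_WEEKLY_VIOLATIONS}: {result['anomalous']}")
    for (system, user), n in sorted(result["ownership"].items()):
        print(f"  {system} {user}: {n}")
```

On the constructed data the window holds four violations against a historical weekly average below one, so the week is flagged and the per-user breakdown points the reviewer at USER17, who was denied on two systems. Successful Policy Administration events (code 41) are deliberately excluded by the category filter, exactly as the Investigator filter in step 5 excludes them.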