Define Procedures for Handling Violations › Elements of Procedure

Elements of Procedure

If you wish to effectively discourage attempts at unauthorized access by employees and emphasize your organization’s position on security, you can establish a procedure to handle excessive attempts at unauthorized access to your computer resources.

Consider the following procedure for handling excessive violations:

• Carefully monitor your regular violation reports to determine patterns of excessive violations by specific users or groups of users.
• If you identify suspicious users or groups of users, you might consider doing further research on access patterns by auditing the suspected ACIDs.
• Use TSSUTIL to produce regular reports on these users showing violations and all audited activity.
• If the attempts are made against a specific set of resources, you might consult with the owner of the resources to determine the sensitivity of this information.
• If you feel that these patterns must be formally reviewed, you might set up a review panel comprised of representatives from the security administration staff, the suspected user’s management, and possibly the auditing staff. This review panel can meet with the user to determine the cause of the access activity.
• If the panel decides that the cause of the activity is malicious or destructive in nature, a formal warning must be issued to the user. If your organization supports a probation program, you might also consider putting the user on probation.

  The review panel must have management backing and proper authority to enforce any agreed upon action.

Note: At this point, you can continue to monitor the user’s activity. If the excessive violation pattern continues, you are prepared to take action against the user, possibly dismissal. Management must, of course, support this type of action.