Expert offers 12 key steps to implement an activity monitoring program
User activity monitoring tools capture and track end-user behavior affecting devices, networks and other information technology resources, according to Digital Guardian, an information security training firm. Healthcare providers can use the tools to detect and stop insider threats before they result in a data breach. Tracking is a form of surveillance used to spot misuse of access privileges and violations of the organization’s data protection policies. Digital Guardian offers 12 tips to help healthcare stakeholders and other entities develop a monitoring program.
Understand the need for oversight
The purpose of user activity monitoring (UAM) is to protect information while ensuring availability and compliance with data privacy and security regulations. UAM goes beyond monitoring the network to include all system, data, application and network actions that users take, such as web browsing and accessing unauthorized files.
Know what to watch
User activity monitoring can include video recordings of sessions, log collection and analysis, network packet inspection, keystroke logging, file and screenshot capturing, and kernel monitoring to collect Linux performance data. What constitutes inappropriate user activity is up to the individual organization; it could include visiting personal sites or shopping during work hours, or theft of company data.
Capitalize on the benefits of monitoring
Any level of monitoring will create large amounts of data, according to Digital Guardian. The goal is to find and capture actionable information to support data protection efforts. With effective processes, an organization can immediately detect suspicious user behavior and find out whether a user is uploading sensitive data to a public cloud or using non-approved services and applications.
Implement the right tools
The best monitoring tools include real-time alerting systems that monitor user activity in the background and notify the information technology and security departments when suspicious activity occurs. Without real-time capability, risks may go unnoticed while the IT department addresses other types of technology issues.
Organizations using activity monitoring tools should be open about the program. Users should be aware of the use of monitoring and agree to have their sessions recorded and monitored. This acknowledgement can be included in contractual or user agreements.
Allow privileged access
Access to an organization’s information should be granted only to those users who need it to do their jobs, a practice known as the “principle of least privilege.” Activities not required for a user’s work role should be restricted, and it is not necessary to give privileged users unlimited access.
To have an effective activity monitoring program, an organization must make sure individuals’ accounts aren’t hacked or inappropriately used or accessed. It should ensure account passwords are complex, unique and never shared or reused. Be vigilant about identifying stolen credentials.
To further ensure activity is accurately monitored, an organization should require strong authentication for privileged accounts, such as two-factor or multi-factor authentication.
IT executives should manage remote access through organizational protocols. Deny protocol channels such as file transfers between group members, port forwarding (redirecting data traffic) and disk sharing.
Create a chain of custody
Collect and preserve chain-of-custody forensic evidence, such as capture files, screenshots and keystrokes, and reconstruct incidents in their full context.
Implement data protection policies
Establish and enforce data protection policies covering appropriate file sharing, handling of sensitive data, authorized services and applications, and acceptable use. Educate users on the policies and on effective cyber security habits through data security awareness programs.
Act quickly to counteract risky moves
If a risky action such as downloading customer information is performed, the security team should have the ability to score the severity of the activity and identify the users putting the organization at risk. Look for data protection tools that combine user activity monitoring with data discovery and classification, policy-based controls and advanced reporting features.
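One way to implement the severity scoring this section describes, as an added example that is not part of the article or of Digital Guardian’s product: it scores constructed user activity monitoring events (uploads to services outside an assumed allow-list, downloads of classified data, repeated failed logins) and ranks users by total risk. The event format, the allow-list, the weights and the failed-login threshold are all assumptions.

```python
# Added illustration of risk-scoring UAM events per user. This is not Digital
# Guardian's code; event format, allow-list, weights and threshold are assumed.
from collections import defaultdict

# Constructed sample events: user,action,target,data_classification
SAMPLE_EVENTS = """\
alice,download,patients.csv,sensitive
alice,upload,dropbox.com,sensitive
carol,file_access,/finance/payroll.xlsx,restricted
carol,upload,sharepoint.corp,restricted
dave,upload,pastebin.com,none
alice,login_failed,-,none
alice,login_failed,-,none
alice,login_failed,-,none
"""
APPROVED_SERVICES = {"sharepoint.corp", "mail.corp"}      # assumed allow-list
ACTION_WEIGHT = {"download": 2, "upload": 3, "file_access": 1,
                 "browse": 0, "login_failed": 1}
DATA_WEIGHT = {"none": 0, "sensitive": 3, "restricted": 5}

def score_event(action, target, classification):
    """Return (score, reasons) for one event; higher is riskier."""
    score = ACTION_WEIGHT.get(action, 1) + DATA_WEIGHT.get(classification, 0)
    reasons = []
    # An upload to a service outside the allow-list is treated as exfiltration risk.
    if action == "upload" and target not in APPROVED_SERVICES:
        score += 5
        reasons.append(f"upload to unapproved service {target}")
    if classification != "none" and action in ("download", "upload"):
        reasons.append(f"{action} of {classification} data")
    return score, reasons

def score_users(raw_events):
    """Aggregate risk per user, highest first; repeated failed logins flag possible credential abuse."""
    totals, reasons, failed = defaultdict(int), defaultdict(list), defaultdict(int)
    for line in raw_events.splitlines():
        user, action, target, cls = line.split(",")
        s, why = score_event(action, target, cls)
        totals[user] += s
        reasons[user].extend(why)
        if action == "login_failed":
            failed[user] += 1
            if failed[user] == 3:  # assumed threshold for possible stolen credentials
                totals[user] += 4
                reasons[user].append(f"{failed[user]} failed logins")
    return sorted(((u, totals[u], reasons[u]) for u in totals), key=lambda r: -r[1])

if __name__ == "__main__":
    for user, total, why in score_users(SAMPLE_EVENTS):
        print(f"{user:6} {total:3}  {'; '.join(why)}")
```

The reasons list attached to each user is what an analyst would review first; the weights are only a starting point and should be tuned to the organization’s own data classification scheme.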