AuditRubric
de-cm-3 high Detect / Continuous Monitoring

Personnel activity and technology usage are monitored to detect potentially adverse events

Insider threats, whether from malicious employees or compromised accounts, are responsible for a significant portion of data breaches. Monitoring how people use systems and data helps you catch unusual behavior before it becomes a full breach: bulk downloads before an employee resigns, login activity at odd hours, or data being sent to personal cloud storage. This control also satisfies audit requirements for user activity monitoring that appear in SOC 2, ISO 27001, and many regulatory frameworks.

Estimated effort: 6h
user-activity, dlp, ueba, insider-threat, audit-logs

Implementation steps

  1.

    Enable audit logging for user activity on critical systems

    Turn on detailed audit logs for your identity provider, email system, file storage, and any application holding sensitive data. Capture login events, file access, downloads, permission changes, and admin actions.

    okta, aws-cloudtrail, microsoft-entra-id, google-workspace
  2.

    Deploy a DLP or UEBA solution

    Use a data loss prevention or user and entity behavior analytics tool to establish baselines for normal activity and alert on deviations. Focus initially on high-risk events: large exports, access to sensitive data stores, and activity outside normal hours.

    microsoft-purview, crowdstrike, varonis, exabeam, securonix
  3.

    Define and document monitoring policies

    Write a brief policy stating what is monitored, why, and how the data is used. Notify employees that systems are monitored in your acceptable use policy. This is required by most compliance frameworks and reduces legal exposure.

  4.

    Create alerts for high-risk user activity

    Set up alerts for: bulk file downloads, forwarding email externally, access to data outside normal job function, login from new device or location, and access during offboarding period.

    datadog, splunk, pagerduty
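The four steps above end in alert rules, and the rules in step 4 are concrete enough to express as code. The following is an added example, not code from AuditRubric or from any of the vendors listed; it runs the step-4 rules (bulk downloads, external mail forwarding, access outside the user's job function, login from an unknown device, and any activity during an offboarding period) over constructed JSON-lines audit events. The event schema, field names, thresholds, business hours, department map, known-device baseline and offboarding list are all assumptions chosen for the illustration; a real deployment would take them from the identity provider, HR system and file-storage audit log instead.

```python
"""Detection rules for high-risk user activity, run over sample audit events.
Added illustration; the log format, thresholds and baselines below are assumptions."""
import json
from collections import defaultdict
from datetime import datetime

# --- Constructed configuration (assumptions, not from the page) ---
CORP_DOMAIN = "example.com"             # forwarding outside this domain is "external"
BUSINESS_HOURS = range(7, 20)           # 07:00-19:59 UTC counts as normal login time
BULK_DOWNLOAD_COUNT = 10                # alert at >= 10 downloads per user per hour ...
BULK_DOWNLOAD_BYTES = 50 * 1024 * 1024  # ... or >= 50 MiB per user per hour
DEPARTMENTS = {"alice": "finance", "bob": "hr", "dave": "eng"}   # job function per user
KNOWN_DEVICES = {"alice": {"d-111"}, "bob": {"d-222"}, "dave": {"d-444"}}
OFFBOARDING_USERS = {"dave"}            # users currently in their notice period

# --- Constructed sample audit log (JSON lines); not real data ---
SAMPLE_LINES = [
    '{"ts": "2024-05-06T09:12:00Z", "user": "alice", "event": "login", "device_id": "d-111"}',
    '{"ts": "2024-05-06T09:15:00Z", "user": "alice", "event": "file_download", "path": "/finance/q1.xlsx", "bytes": 120000}',
    '{"ts": "2024-05-06T09:20:00Z", "user": "alice", "event": "file_download", "path": "/hr/org-chart.pdf", "bytes": 40000}',
    '{"ts": "2024-05-06T02:40:00Z", "user": "bob", "event": "login", "device_id": "d-999"}',
    '{"ts": "2024-05-06T10:00:00Z", "user": "carol", "event": "mail_forward_rule", "target": "carol.personal@example.net"}',
    '{"ts": "2024-05-06T11:00:00Z", "user": "dave", "event": "file_download", "path": "/eng/design.pdf", "bytes": 3000}',
]
# Twelve rapid downloads by bob between 02:41 and 02:52 (constructed)
SAMPLE_LINES += [
    json.dumps({"ts": f"2024-05-06T02:{41 + i:02d}:00Z", "user": "bob",
                "event": "file_download", "path": f"/hr/export-{i}.csv", "bytes": 400000})
    for i in range(12)
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)


def parse_events(text):
    """Parse JSON lines into event dicts with a timezone-aware datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def alert(rule, ev, detail):
    return {"rule": rule, "user": ev["user"], "ts": ev["ts"].isoformat(), "detail": detail}


def detect(events):
    """Apply the step-4 rules; returns a list of alert dicts (one per finding)."""
    alerts = []
    downloads = defaultdict(list)  # (user, hour bucket) -> download events
    for ev in events:
        user, kind, ts = ev["user"], ev["event"], ev["ts"]
        # Any activity by a user in the offboarding period is worth a look
        if user in OFFBOARDING_USERS:
            alerts.append(alert("offboarding_access", ev, f"{kind} during offboarding period"))
        if kind == "login":
            if ts.hour not in BUSINESS_HOURS:
                alerts.append(alert("odd_hours_login", ev, f"login at {ts:%H:%M} UTC"))
            if ev.get("device_id") not in KNOWN_DEVICES.get(user, set()):
                alerts.append(alert("new_device_login", ev, f"unknown device {ev.get('device_id')}"))
        elif kind == "file_download":
            downloads[(user, ts.strftime("%Y-%m-%dT%H"))].append(ev)
            # Top-level folder is used as a proxy for the data owner / job function
            top = ev.get("path", "").strip("/").split("/")[0]
            dept = DEPARTMENTS.get(user)
            if dept and top != dept:
                alerts.append(alert("out_of_role_access", ev, f"{dept} user read {ev['path']}"))
        elif kind == "mail_forward_rule":
            domain = ev.get("target", "").rsplit("@", 1)[-1].lower()
            if domain != CORP_DOMAIN:
                alerts.append(alert("external_forward", ev, f"forwarding rule to {ev['target']}"))
    # Bulk-download rule is evaluated per user per hour after the pass
    for (user, hour), evs in downloads.items():
        total = sum(e.get("bytes", 0) for e in evs)
        if len(evs) >= BULK_DOWNLOAD_COUNT or total >= BULK_DOWNLOAD_BYTES:
            alerts.append(alert("bulk_download", evs[0],
                                f"{len(evs)} downloads / {total} bytes in hour {hour}"))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(f"{a['ts']}  {a['rule']:20} {a['user']:6} {a['detail']}")
```

On the sample data this raises one out-of-role alert for alice, three alerts for bob (odd-hours login, unknown device, bulk download), one external-forwarding alert for carol and one offboarding alert for dave; the same structure (parse, per-event rules, then windowed aggregation) is what a SIEM detection rule for this control expresses in its own query language.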

Evidence required

User activity audit log samples

Exports or screenshots showing user activity logs are being captured for critical systems.

  • Okta system log export showing login and admin events
  • AWS CloudTrail log showing IAM activity
  • Google Workspace audit log for Drive file access

DLP or UEBA tool configuration

Screenshots or config export from your monitoring tool showing active policies and alert rules.

  • Microsoft Purview DLP policy list
  • Varonis alert rule configuration
  • SIEM query or detection rule for bulk download behavior

Acceptable use or monitoring policy

Written document informing employees that systems are monitored, included in onboarding or policy documentation.

  • Acceptable use policy page with monitoring notice
  • Employee handbook section on technology monitoring
  • Security policy document signed during onboarding

Related controls