So I’ve been working on an internal security review and have discovered that the bulk of the issues I run into stem from the fact that users don’t seem to understand the need for an audit trail.
To me, security consists of confidentiality, authenticity, and auditability. It’s easy to explain the need for the first two, or at least, people don’t need me to explain why they are a part of security. I get the usual “But we have a firewall, why do we need security?”, but that’s minor. When it comes to issues that center around preserving an audit trail, though, I get blank stares and a complete lack of understanding, as if they have no idea what I’m talking about or why a security review would be at all concerned with maintaining a record of who did what on a system.
The sad thing is that even some people who should know better have failed to understand it.