G.3.4 Session audits

Control Details

Objective

Identify security risks in the supply chain.

Definition

Include contract employees and prime contractors in session audits to identify security risks in the supply chain. Session audits can include monitoring keystrokes, tracking websites visited, and recording information or file transfers, and may involve implementing specialized session capture technology. As such, the privacy risks of session audits should be considered, and session audits may only be activated under certain circumstances, e.g., when the organization is suspicious of a specific individual.

Assessment Questions

  1. Under what circumstances are contract employees included in audits to identify security risks in the supply chain?

Reference sources

  1. 800-161 AU-14