Audit trails - Does your MIS have them?

[creese]

I believe there are plans a foot to improve Sysman7 to start to bring them into one area. Just have to remember, if it audits everything - like user x query student y - it's going to get VERY big VERY quickly. So it may only store "important" stuff.

With the number of users now, even in the smallest primary, the number of transaction daily will be enormous. If logging is to be brought in it will need a lot of thought. ho is going to clean up the logs and who is to say the person under investigation isn't going to clean them. I know it's all down to rights but many schools are a long way from accepting how important correct access rights are.

The number of schools that say 'can you make so & so a user of SIMS'.

[pete]

Just so long as they let us ship it to a secure logserver I'll be happy.

(No, keeping it on the (possibly compromised) system isn't a good idea).

[matt40k]

Just so long as they let us ship it to a secure logserver I'll be happy.

(No, keeping it on the (possibly compromised) system isn't a good idea).

That would be nice, for a centrally hosted environment. Let's just hope they (ie whoever setup the logserver), was smart enough not to use the same OS as the SIMS server and\or join it to the domain. Otherwise that would be a waste.

[GNewnham]

iSAMS has an audit trail which is accessed once you have clicked on the pupil record. Here is an extract from one pupil. I have cleared the actual userid and ip address but it does show both of these items.

Updated Contact# 5504 userid ip address 31 Aug 10 [14:29]
Updated Nutfield in field: TxtAcademicHouse userid ip address 15 Jul 10 [11:12]
Updated SR11 in field: TxtForm userid ip address 15 Jul 10 [11:12]
Updated 13 in field: IntNcYear userid ip address 15 Jul 10 [11:12]
Added SR11 in field: Future Form userid ip address 15 Jul 10 [10:42]
Added Nutfield in field: Future Academic House userid ip address 15 Jul 10 [10:39]
Updated Contact# 5504 userid ip address 22 Feb 10 [09:59]
Update: on 'CUSTOM_7' from ' ' to 'M28NXXjH' userid ip address 31 Jan 10 [17:18]
Added 109562951 in field: Passport Number userid ip address 28 Jan 10 [09:51]
Added Child in field: Passport Type userid ip address 28 Jan 10 [09:51]
Added British Citizen in field: txtpassportnationality userid ip address 28 Jan 10 [09:51]
Added Passport ID #1 userid ip address 28 Jan 10 [09:51]
Updated Contact# 5504 userid ip address 24 Nov 09 [09:22

There are also similar audit trails of subject set changes but there are several areas of the system that do not have any audit facility available.

[pete]

That would be nice, for a centrally hosted environment. Let's just hope they (ie whoever setup the logserver), was smart enough not to use the same OS as the SIMS server and\or join it to the domain. Otherwise that would be a waste.

I mean compromised not so much from the OS level (though that's an issue), but more from a "sufficient SIMS permissions to purge built-in logging", either on purpose or because they got a message saying "ooh, you've got a lot of logs".

We log ship via SSL as standard to Linux hosts. Having all the logs in one places (and being able to regex / filter through them to get an idea of what things were happening at the same time) makes troubleshooting and auditing easier.

[matt40k]

The thing about audit log is that you provide that something has happened and ideally by who. If your doing it for the point of view of someone doing something malicious, the thing to remember is a school isn't a business. In business if I, for example, changed someones data that I wasn't suppose to, I would be in the job centre tomorrow. In a school, a teacher would get a smacked wrist.

Having said that, they are alot of beniefts of having all the logs in the same place.

[Ketlane]

SchoolBase doesn't, but will do in the very near future. The change-log file becomes enormous pretty quickly, but having an audit trail is a occasionally very useful.

Forgot to say it already displays who made the last change - and the date/time of the change - to data relevant to the Admissions Register.

[JohnCondon]

Our MIS has data item auditing, coupled with user capacity to draw out reports (rather than SQL drilling) of said audits which will include
"Who made the change"
"When was the change made"
"What was it changed from "
"What was it changed to"
This is in addition to the web service audits available to the systems admin which also cover
"Who accessed which pages and when"
"Did anyone, of a given role, access an inordinate number of data items, suspicious activity"

The audits cover most of the core data items, attendance, personnel details, student data etc.

A full breakdown of auditted data items can be provided but I would rather do that via PM as more than the above may be construed as undue advertising.

Regards
John

[36Degrees]

Lesson marks has an audit trail, like other areas of SIMS.

Does that mean I can see who has amended a register in Lesson Monitor and when? If so, how would I see that information?

[matt40k]

Yes, Reports > Lesson Monitor \ Attendance > Module Reports > History of Changes Report