Generation of an audit plan before the implementation of audit policy is the initial step. After this, it would be important to establish the kind of information I want to through collection of audit events. Since the organization is interested mainly in forensics, I would use the audit log to establish exactly what takes place within the organization. As a result, I will gather a combination of success as well as failure audits (Godbole, 2009).
It is important to consider the available resources for the collection and reviewing of an audit log. Another vital step is the collection and archiving of security logs in the organization. After this it is necessary to audit both success and failure events within the system event category as this will assist in identifying abnormal activities that may show an intruder trying to access the organization's computer or the network (Godbole, 2009).
Auditing success events within the policy change event category on domain controllers is the next step. In case an event is logged within the policy change classification, it will indicate that the Local Security Authority (LSA) security policy configuration has been changed (Spencer, 2006).
The other step involves auditing success events within the account management event category. When auditing success events, I will be able to verify changes that take place to both account properties as well as group properties. Auditing success events within the logon event category is also necessary. This will be of importance since it will avail a record when every user logs on and off from the computer. Incase a person who is not authorized steals the user password, it will be possible to establish when the security was violated (Spencer, 2006).
Auditing success events within the account logon event category on domain controllers is another important step. This is important is identification of the users who logged on to or logged off from the domain (Spencer, 2010).
I would change and modify the auditing policy settings for an event category within the organization. This will involve the local computers in the organization, for domain controllers as well as for domain and organization unit since I will be the domain controller and this will involve being on a workstation having administration tools pack installed (Spencer, 2010).
Finally I will set a suitable size for the security log and this will be based on the number of events that that the auditing policy setting generate (Spencer, 2010).
