Now that we have covered the base features it’s time to consider how these tie in with policies, workflow, and reporting. We’ll focus on the features needed to support these processes rather than defining the processes themselves.

Policy Creation

File Activity Monitoring products support two major categories of policies:

  • Entitlement (Permissions/Access Control) policies. These define which users can access which repositories and types of data. They define rules for things like orphaned user accounts, separation of duties, role/group conflicts, and other situations that don’t require real-time file activity.
  • Activity-based policies. These alert and block based on real-time user activity.

When evaluating products, look for a few key features to help with policy creation and management:

  • Policy templates that serve as examples and baselines for building your own policies.
  • A clean user interface that allows you to understand business context. For example, it should allow you to group categories, pool users and groups to speed up policy application (e.g., combine all the different accounting-related groups into “Accounting”), and group and label repositories. This is especially important given the volume of entries to manage when you integrate with large user directories and multi-terabyte repositories.
  • New policy wizards to speed up policy creation.
  • Hierarchical management for multiple FAMs in the same organization.
  • Role-based administration, including roles for super administrators and assigning policies to sub-administrators.
  • Policy backup and restore.


As with policy creation, we see workflow requirements focusing on the two major functions of FAM: entitlement management and activity monitoring.

Entitlement Management

This workflow should support a closed-loop process for collection of privileges, analysis, and application of policy-based changes. Your tool should do more than merely collect access rights – it should help you build a process to ensure that access controls match your policies. This is typically a combination of different workflows for different goals – including identification of orphan accounts with access to sensitive data, excessive privileges, conflict of interest/separation of duties based on user groups, and restricting access to sensitive repositories.

Each product and policy will be different, but they typically share a common pattern:

  1. Collect existing entitlements.
  2. Analyze based on policies.
  3. Apply corrective actions (either building an alerting/blocking policy or changing privileges).
  4. Generate a report of identified and remediated issues.

The workflow should also link into data owner identification because this must often be understood before changing rights.

Activity Monitoring and Protection

The activity monitoring workflow is very different from entitlement management. Here the focus is on handling alerts and incidents in real time. The key interface is the incident handling queue that’s common to most security tools. The queue lists incidents and supports various sorting and filtering options. The workflow tends to follow this structure:

  1. Incident occurs and alert appears in the queue. It is displayed with the user, policy violated, and repository or file involved.
  2. The incident handler can investigate further by filtering for other activity involving that user, that repository, or that policy over a given time period (or various combinations).
  3. The handler can assign or escalate the incident to someone else, close the incident, or take corrective actions such as adjusting the file permissions manually.

The key to keeping this efficient is not requiring the incident handler to jump around the user interface in a manual process. For example, clicking on an incident should show its details and then links to see other related incidents by user, policy, and repository.

Incidents should also be grouped logically – an attempt to copy an entire directory should appear as one incident, not one incident for each of 1,000 files in the repository.
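One way to implement this grouping, as an added example that is not part of the original article or any product's code: raw file events that share a user, policy, and parent directory are folded into a single incident as long as each event follows the previous one within a time window. The `Event` fields, the 60-second window, the grouping key, and the sample data are all assumptions made for illustration.

```python
from collections import namedtuple
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Hypothetical event shape: timestamp, user, violated policy, file path.
Event = namedtuple("Event", "ts user policy path")


def group_incidents(events, window=timedelta(seconds=60)):
    """Collapse events sharing user, policy and parent directory into one
    incident while each event arrives within `window` of the previous one."""
    open_incidents = {}  # (user, policy, directory) -> most recent incident
    incidents = []
    for ev in sorted(events, key=lambda e: e.ts):
        directory = str(PurePosixPath(ev.path).parent)
        key = (ev.user, ev.policy, directory)
        inc = open_incidents.get(key)
        # Start a new incident on first sight or after a quiet gap.
        if inc is None or ev.ts - inc["last"] > window:
            inc = {"user": ev.user, "policy": ev.policy,
                   "directory": directory, "first": ev.ts,
                   "last": ev.ts, "files": []}
            open_incidents[key] = inc
            incidents.append(inc)
        inc["last"] = ev.ts
        inc["files"].append(ev.path)
    return incidents


def sample_events():
    """Constructed sample: one 1,000-file directory copy plus two others."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    bulk = [Event(t0 + timedelta(milliseconds=50 * i), "jdoe", "bulk-copy",
                  f"/finance/q4/file{i:04d}.xlsx") for i in range(1000)]
    unrelated = Event(t0 + timedelta(seconds=5), "asmith",
                      "sensitive-read", "/hr/payroll/2024.csv")
    later = Event(t0 + timedelta(hours=2), "jdoe", "bulk-copy",
                  "/finance/q4/file0001.xlsx")
    return bulk + [unrelated, later]


if __name__ == "__main__":
    for inc in group_incidents(sample_events()):
        print(inc["user"], inc["policy"], inc["directory"],
              len(inc["files"]), "file(s)")
```

Keeping the file list inside each incident preserves the detail an incident handler needs when drilling down, while the queue shows only one row per burst.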

Any FAM product may also include additional workflows, such as one for identifying file owners.


One of the most important functions for any File Activity Monitoring product is robust reporting – this is particularly important for meeting compliance requirements.

Aside from a repository of pre-defined reports for common requirements such as PCI and HIPAA, the tool should allow you to generate arbitrary reports. (We hate to list that as a requirement, but we still occasionally see security tools that don’t support creation of arbitrary reports.)