CHAPTER
[06]

Accountability, Transparency, and Protection

Security and audit logging keep your organisation's Kora instance secure, accountable, and compliant with regulatory requirements. Every action taken in Kora (who did what, to which record, and when) is recorded in immutable audit logs that provide transparency, support investigations, and document compliance with organisational policies and regulatory obligations.

As a SuperUser, you're responsible for monitoring security, reviewing audit logs, investigating unusual activity, and maintaining the accountability that protects your organisation's data, animals, and regulatory standing.

Understanding Audit Logging

What Gets Logged

User Actions:

  • User account creation, modification, deletion
  • Login attempts (successful and failed)
  • Role assignments and permission changes
  • Password changes and resets
  • Account locks and unlocks

Animal Data Access:

  • Animal records viewed, created, modified, deleted
  • Observations recorded
  • Treatments administered
  • Movements logged
  • Traceability events created

Administrative Actions:

  • System configuration changes
  • Knowledge API content modifications
  • Maintenance tasks executed
  • Bulk operations performed
  • Feature flag updates (by Kora team)

Clinical Actions (Veterinarians):

  • Veterinary observations created
  • Diseases diagnosed
  • Treatment prescriptions
  • Multi-property access events

Regulatory Actions (If Enabled):

  • Compliance inspections
  • Regulatory data access
  • Cross-property visibility events

Every Log Entry Contains:

  • Timestamp: Exact date and time (UTC)
  • User: Who performed the action (user ID, name, email)
  • Action Type: What they did (viewed, created, modified, deleted)
  • Resource: What they acted on (animal ID, user account, system task)
  • Details: Specifics of what changed
  • IP Address (if configured): Where action originated
  • Result: Success, failure, partial success

Why Audit Logging Matters

Security: Detect unauthorised access. Identify suspicious activity patterns. Investigate security incidents. Trace compromised account actions. Monitor privilege escalation attempts.

Compliance: Document regulatory compliance (who accessed what regulated data). Demonstrate access control governance. Provide audit trail for inspections. Show adherence to data protection regulations (GDPR, CCPA, local equivalents). Evidence accountability for animal welfare and traceability requirements.

Troubleshooting: Understand what changed before issues appeared. Identify who made configuration changes causing problems. Trace data modification history. Reconstruct sequence of events during incidents.

Accountability: Every action traces to specific user account. No anonymous actions possible. SuperUser actions logged just like standard user actions. Transparency builds organisational trust.

Audit Log Immutability

Critical Principle: Audit logs are immutable. Once written, they cannot be modified or deleted, even by SuperUsers.

Why Immutability Matters: Ensures integrity during security investigations. Prevents tampering with evidence. Maintains trustworthiness for regulatory audits. Provides legally defensible documentation.

What This Means: You can read audit logs. You cannot modify or delete audit log entries. Even deleting a user account does not delete that user's audit trail. Audit logs persist for the organisational retention period (typically years). Note that this immutability is enforced by the application: it binds SuperUsers and every other Kora user, but anyone with direct access to the underlying database or storage is outside that guarantee, which is why archived logs belong on write-once storage with tightly restricted access.

Log Retention:

  • Active logs stored in primary database
  • Archived logs (older than retention period) moved to long-term storage
  • Retention duration based on: organisational policy, regulatory requirements (varies by jurisdiction and industry), legal obligations
  • Minimum recommended retention: 7 years for animal health/food safety operations
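
The immutability described above is a property you should be able to verify, not only trust. The following is an added illustration, not Kora's implementation (the manual states that logs cannot be modified but not how that is enforced): each record stores a SHA-256 over the previous record's hash and its own canonical JSON, so editing, reordering or deleting any earlier record breaks every later link. The three entries, field names and values are constructed for the example.

```python
"""Tamper-evident audit storage by hash chaining (added example, not Kora's code).

Each record carries the SHA-256 of the previous record's hash plus its own
canonical JSON. A reviewer can walk the chain from a fixed genesis value and
prove that the stored log is exactly what was written. The sample entries
below are constructed for this illustration.
"""
import hashlib
import json

GENESIS = "0" * 64  # the "hash" that precedes the first record


def canonical(entry):
    # Sorted keys, no whitespace: the same entry always serialises identically.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def link(prev_hash, entry):
    return hashlib.sha256(prev_hash.encode() + canonical(entry)).hexdigest()


class AuditChain:
    def __init__(self):
        self.records = []  # each: {"entry": dict, "prev": str, "hash": str}

    def head(self):
        return self.records[-1]["hash"] if self.records else GENESIS

    def append(self, entry):
        prev = self.head()
        rec = {"entry": entry, "prev": prev, "hash": link(prev, entry)}
        self.records.append(rec)
        return rec["hash"]

    def verify(self, anchored_head=None):
        """Return (ok, index). ok is False at the first record whose link is
        broken. Pass the last head hash you recorded somewhere outside the log
        (e.g. write-once storage) as anchored_head: the chain on its own cannot
        detect records silently dropped from its tail."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec["prev"] != prev or rec["hash"] != link(prev, rec["entry"]):
                return False, i
            prev = rec["hash"]
        if anchored_head is not None and prev != anchored_head:
            return False, len(self.records)
        return True, len(self.records)


def build_sample_chain():
    """Three constructed entries in the shape the chapter's examples use."""
    chain = AuditChain()
    chain.append({"timestamp": "2025-12-01T14:32:45Z", "user": "john.smith@example.com",
                  "action": "User Account Created", "resource": "jane.doe@example.com",
                  "details": {"Role": "Veterinarian"}, "result": "Success"})
    chain.append({"timestamp": "2025-12-01T14:40:02Z", "user": "jane.doe@example.com",
                  "action": "Login", "resource": None, "details": {}, "result": "Success"})
    chain.append({"timestamp": "2025-12-01T14:41:30Z", "user": "jane.doe@example.com",
                  "action": "Animal Record Viewed", "resource": "animal/1001",
                  "details": {}, "result": "Success"})
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    anchored = chain.head()  # in practice written to write-once storage
    print("intact:", chain.verify(anchored))
    chain.records[0]["entry"]["details"]["Role"] = "SuperUser"  # tamper with record 0
    print("after edit:", chain.verify(anchored))
```

The anchored head is the important operational detail: without a copy of the latest hash held outside the log, a chain proves only that the surviving records are consistent with each other, not that none were removed from the end.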

Reviewing Audit Logs

Accessing Audit Logs

User-Specific Audit Logs: Navigate to User Management, Select user, Activity/Audit tab. Shows all actions affecting or performed by specific user. Useful for investigating individual user behaviour.

System-Wide Audit Logs: Navigate to Security & Audit section (from Admin Dashboard). Shows all actions across entire organisation. Useful for comprehensive security monitoring.

Filtered Audit Views:

  • Filter by date range (last 24 hours, last week, last month, custom range)
  • Filter by user (specific user or role)
  • Filter by action type (logins, data modifications, administrative actions)
  • Filter by resource (specific animal, location, system component)
  • Search by keyword (e.g., "locked", "deleted", "failed")

Reading Audit Log Entries

Example Audit Log Entry:

Timestamp: 2025-12-01 14:32:45 UTC
User: john.smith@example.com (UserID: a7b3c9d2)
Role: SuperUser
Action: User Account Created
Resource: jane.doe@example.com (new user account)
Details: {
  "Name": "Jane Doe",
  "Role": "Veterinarian",
  "LocationAccess": ["Smithfield Dairy", "Valley Farm"],
  "Permissions": ["VeterinaryObservations", "AnimalAccess"]
}
IP Address: 192.168.1.105
Result: Success

Interpretation: John Smith (a SuperUser) created a new user account. New user: Jane Doe, assigned Veterinarian role. Access granted to Smithfield Dairy and Valley Farm. Action succeeded. Occurred December 1, 2025 at 14:32 UTC.

Example Failed Login Entry:

Timestamp: 2025-12-01 03:15:22 UTC
User: unknown.user@suspicious.com
Action: Login Attempt Failed
Details: {
  "Reason": "Invalid credentials",
  "Attempt": 5
}
IP Address: 203.45.67.89 (Unknown location)
Result: Failure (5th consecutive failure; lockout threshold reached)

Interpretation: An address that matches no Kora account failed five consecutive logins at 03:15 UTC from an external IP. There is no account to lock, so the threshold here is a signal rather than an enforcement event: repeated failures against non-existent addresses point to credential stuffing or account enumeration. Search the log for other failures from 203.45.67.89 against real accounts and consider blocking the source. When the same pattern targets an existing account, the automatic lock also denies the legitimate user access, so treat repeated lockouts of one account as something to investigate rather than as a resolved event. Security Alert: Investigate potential unauthorised access attempt.

Audit Log Analysis Techniques

Chronological Review: Review logs in time sequence. Understand series of events leading to outcome. Reconstruct timeline during investigations.

Pattern Detection: Unusual login times (access at 3 AM when user normally works 9-5). Repeated failed login attempts (potential brute-force attack). Excessive data access (user accessing far more records than job requires). Geographic anomalies (login from unexpected location).

Correlation Analysis: Link related events (login to data access to data modification to logout). Identify suspicious sequences (account created, immediately granted SuperUser, bulk data export). Compare user activity patterns (is this user's behaviour consistent with their role?).

Anomaly Identification: Actions inconsistent with user's typical behaviour. Bulk operations outside normal workflow. Administrative actions by non-administrative users (permission escalation issue). Data access outside user's assigned locations.

Monitoring User Activity

Regular Activity Monitoring

Daily Quick Check (5 minutes): Review failed login attempts (any unusual patterns?). Check recent user account changes (expected or suspicious?). Note administrative actions (appropriate or questionable?).

Weekly Detailed Review (30 minutes): Analyse user login patterns (frequency, timing, locations). Review data access by role (users accessing appropriate data?). Investigate any flagged anomalies from daily checks. Document findings and follow-up actions.

Monthly Comprehensive Audit (2 hours): Full user activity analysis across all users. Role compliance review (users performing actions appropriate to their roles?). Permission verification (access levels still appropriate?). Security incident summary (any concerns identified during month?). Generate monthly security report.

Activity Alerts and Flags

Automatic Flags (If Configured):

  • Failed Login Threshold: Account locked after 5 failed attempts
  • Unusual Access Patterns: Data access far exceeding normal volume
  • After-Hours Activity: Access during unusual times (if organisation has defined normal hours)
  • Geographic Anomalies: Login from unexpected IP address or country
  • Bulk Operations: Large-scale data exports or deletions
  • Permission Changes: Role or permission modifications
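
The pattern-detection and correlation techniques above, together with the automatic flags in this list, can be run as rules over an exported log. The following is an added example and is not part of the Kora product or documentation. It assumes the log is exported as one JSON object per line with the fields the chapter lists (timestamp, user, role, action, resource, ip, result, details); the action names, the 08:00 to 18:00 UTC working hours, the per-user baselines and the sample entries are all constructed for this example.

```python
"""Rule checks over an audit log export (added example, not Kora's alerting).

Assumed export format: JSON lines with the fields the chapter lists. Action
names, working hours, baselines and the sample log are constructed here. In
practice convert timestamps to the organisation's local time zone first.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
WORK_HOURS = (8, 18)                 # assumed normal hours, UTC
PRIVILEGED_ROLE = "SuperUser"
DATA_ACTIONS = {"AnimalViewed", "AnimalModified", "BulkExport"}
DEFAULT_BASELINE = 10                # records/day assumed for a user with no history

# Constructed sample export. 1 Dec 2025 is a Monday, 6 Dec 2025 a Saturday.
SAMPLE_LOG = """
{"timestamp":"2025-12-01T03:15:22Z","user":"unknown.user@suspicious.com","role":null,"action":"LoginFailed","resource":null,"ip":"203.45.67.89","result":"Failure","details":{}}
{"timestamp":"2025-12-01T03:15:40Z","user":"unknown.user@suspicious.com","role":null,"action":"LoginFailed","resource":null,"ip":"203.45.67.89","result":"Failure","details":{}}
{"timestamp":"2025-12-01T03:16:05Z","user":"unknown.user@suspicious.com","role":null,"action":"LoginFailed","resource":null,"ip":"203.45.67.89","result":"Failure","details":{}}
{"timestamp":"2025-12-01T03:16:30Z","user":"unknown.user@suspicious.com","role":null,"action":"LoginFailed","resource":null,"ip":"203.45.67.89","result":"Failure","details":{}}
{"timestamp":"2025-12-01T03:17:01Z","user":"unknown.user@suspicious.com","role":null,"action":"LoginFailed","resource":null,"ip":"203.45.67.89","result":"Failure","details":{}}
{"timestamp":"2025-12-01T14:32:45Z","user":"john.smith@example.com","role":"SuperUser","action":"UserCreated","resource":"temp.contractor@example.com","ip":"192.168.1.105","result":"Success","details":{"Role":"StandardUser"}}
{"timestamp":"2025-12-01T14:35:10Z","user":"john.smith@example.com","role":"SuperUser","action":"RoleAssigned","resource":"temp.contractor@example.com","ip":"192.168.1.105","result":"Success","details":{"Role":"SuperUser"}}
{"timestamp":"2025-12-01T14:50:00Z","user":"temp.contractor@example.com","role":"SuperUser","action":"BulkExport","resource":"animals","ip":"192.168.1.120","result":"Success","details":{"RecordCount":1000}}
{"timestamp":"2025-12-02T10:05:00Z","user":"sarah.johnson@example.com","role":"StandardUser","action":"AnimalViewed","resource":"animal/1001","ip":"192.168.1.50","result":"Success","details":{}}
{"timestamp":"2025-12-06T02:30:00Z","user":"sarah.johnson@example.com","role":"StandardUser","action":"AnimalViewed","resource":"animal/4411","ip":"203.45.67.89","result":"Success","details":{}}
"""
BASELINE = {"sarah.johnson@example.com": 8, "john.smith@example.com": 20}  # constructed


def parse(text):
    """One JSON object per line; returns entries sorted by time (chronological review)."""
    entries = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00"))
        entries.append(e)
    return sorted(entries, key=lambda e: e["ts"])


def failed_login_bursts(entries):
    """THRESHOLD or more failures for one (user, ip) inside WINDOW: brute force or stuffing."""
    times = defaultdict(list)
    for e in entries:
        if e["action"] == "LoginFailed":
            times[(e["user"], e["ip"])].append(e["ts"])
    flags = []
    for (user, ip), ts in times.items():            # ts is chronological (entries are sorted)
        for i in range(len(ts) - FAILED_LOGIN_THRESHOLD + 1):
            if ts[i + FAILED_LOGIN_THRESHOLD - 1] - ts[i] <= FAILED_LOGIN_WINDOW:
                flags.append(("failed_login_burst", user, ip, ts[i]))
                break
    return flags


def after_hours_access(entries):
    """Data access at the weekend or outside WORK_HOURS."""
    return [("after_hours_access", e["user"], e["ip"], e["ts"]) for e in entries
            if e["action"] in DATA_ACTIONS
            and (e["ts"].weekday() >= 5 or not WORK_HOURS[0] <= e["ts"].hour < WORK_HOURS[1])]


def volume_anomalies(entries, baseline, factor=10):
    """Records touched per user per day above factor x that user's usual daily volume."""
    counts = defaultdict(int)
    for e in entries:
        if e["action"] in DATA_ACTIONS:
            counts[(e["user"], e["ts"].date())] += e["details"].get("RecordCount", 1)
    return [("volume_anomaly", user, day, n) for (user, day), n in counts.items()
            if n > factor * baseline.get(user, DEFAULT_BASELINE)]


def privilege_events(entries, window=timedelta(hours=1)):
    """Every grant of PRIVILEGED_ROLE, plus the sequence the chapter calls out:
    account created, granted SuperUser, bulk export by that account, all inside window."""
    created, granted, flags = {}, {}, []
    for e in entries:
        if e["action"] == "UserCreated":
            created[e["resource"]] = e["ts"]
        elif e["action"] == "RoleAssigned" and e["details"].get("Role") == PRIVILEGED_ROLE:
            flags.append(("privilege_change", e["resource"], e["user"], e["ts"]))
            if e["resource"] in created and e["ts"] - created[e["resource"]] <= window:
                granted[e["resource"]] = e["ts"]
        elif (e["action"] == "BulkExport" and e["user"] in granted
              and e["ts"] - granted[e["user"]] <= window):
            flags.append(("escalation_chain", e["user"], created[e["user"]], e["ts"]))
    return flags


def review(text, baseline):
    entries = parse(text)
    return (failed_login_bursts(entries) + after_hours_access(entries)
            + volume_anomalies(entries, baseline) + privilege_events(entries))


if __name__ == "__main__":
    for flag in review(SAMPLE_LOG, BASELINE):
        print(*flag)
```

On the sample log this raises five flags: the failed-login burst from 203.45.67.89, Sarah's Saturday 02:30 access (from that same address, which a reviewer should correlate by hand), the 1,000-record export, the SuperUser grant, and the created-then-elevated-then-exported chain for the contractor account. The thresholds are starting points; tune them against a few weeks of your own log before treating a flag as more than a prompt to look.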

Manual Review Triggers: User reports suspicious activity. Data discrepancies detected. Regulatory audit approaching. Security incident in related systems. Exit of employee with significant access.

Investigating Suspicious Activity

Investigation Workflow:

1. Identify Anomaly: Unusual audit log entry. Automated alert triggered. User report of unexpected behaviour.

2. Gather Context: Review surrounding audit log entries (what happened before and after?). Check user's typical activity pattern (is this unusual for them?). Verify user's role and permissions (are they authorised for this action?). Contact user if needed (was this intentional?).

3. Assess Severity:

  • Low: Likely innocent, no security impact (user testing features, accidental click)
  • Medium: Unclear intent, potential policy violation (unusual data access requiring explanation)
  • High: Clear security concern (unauthorised access, data exfiltration, system tampering)

4. Respond Appropriately:

Low Severity: Document investigation findings. No immediate action required. Monitor for recurrence.

Medium Severity: Contact user for explanation. Review user's access levels (are permissions appropriate?). Document conversation and findings. Adjust permissions if needed.

High Severity: Immediately lock the user account and force a password reset, which invalidates any session the intruder still holds (locking alone may leave an already-open session active). Preserve evidence (capture audit logs, document all findings). Escalate to organisational security team (IT security, management, legal if serious). Investigate extent of compromise (what data was accessed? what actions taken? what damage occurred?). Coordinate incident response (follow organisational security incident protocol). Document thoroughly (complete investigation record for legal/compliance).

5. Remediate and Prevent: Fix vulnerability that allowed incident. Strengthen security controls. Improve monitoring to detect similar incidents earlier. Update user training if human error contributed. Review and adjust security policies if needed.

Example Investigation Scenarios

Scenario 1: Unusual After-Hours Access

Alert: User sarah.johnson@example.com (Standard User) accessed 50 animal records at 2:30 AM on Saturday.

Investigation: Sarah's typical activity: Normally works Monday-Friday, 8 AM to 5 PM, accesses 5-10 records per day. This activity: Weekend, middle of night, 10x normal volume. Contact Sarah: "I noticed unusual activity on your account early Saturday morning. Were you working this weekend?" Sarah responds: "No, I haven't worked since Friday afternoon. That wasn't me."

Conclusion: Account compromised

Actions: Immediately lock Sarah's account and force a password reset, which invalidates the session the intruder was using. Review audit logs: What data was accessed? Was any data modified or exported? Were any changes made to Sarah's account itself (email address, contact details, password reset requests) that could give the attacker a way back in? No data export or modification detected, only viewing of animal records. Check whether any other account logged in from the same IP address. Reset Sarah's password, then unlock the account. Require multi-factor authentication for all users (a password reset alone does not prevent a repeat if the password was phished or reused). Document incident and response.

Outcome: Security incident contained, minimal data exposure, preventive measures implemented.

Scenario 2: Bulk Administrative Action

Alert: SuperUser mike.admin@example.com assigned "SuperUser" role to 15 users simultaneously via bulk operation.

Investigation: Mike's role: Long-time trusted administrator. This activity: Bulk SuperUser assignment very unusual (SuperUser role should be rare, carefully controlled). Review affected users: Mix of veterinarians and standard users. Contact Mike: "I see you assigned SuperUser role to 15 users this morning. Can you explain what this was for?" Mike responds: "That was a mistake! I meant to assign 'Veterinarian' role to the new vet clinic staff, not SuperUser. Wrong role selected in bulk operation."

Conclusion: Human error, not security threat

Actions: Review which users received SuperUser (were any already SuperUsers?). Remove SuperUser role from all 15 users (reverse erroneous bulk operation). Assign correct "Veterinarian" role to appropriate users. Document mistake and resolution. Consider UI improvement: Confirmation dialogue for SuperUser assignment (prevent future mistakes).

Outcome: Error quickly identified and corrected, no security impact, process improvement identified.

Security Protocols

Access Control Principles

Least Privilege: Users have minimum access needed for job function. SuperUser role granted only to organisational administrators. Location access limited to where users actually work. Permissions restricted to what users' roles require.

Separation of Duties: Clinical access (Veterinarian role) and administrative access (SuperUser role) generally separated. Financial operations (if integrated) separated from operational access. Regulatory oversight (if enabled) separated from operational management.

Regular Access Review: Quarterly review of all user accounts. Annual comprehensive audit of role assignments. Prompt access revocation when users leave organisation.

Need-to-Know: Users see only data relevant to their responsibilities. Cross-property access granted only when operationally necessary. Sensitive data (e.g., financial information if integrated) restricted appropriately.

Authentication and Password Security

Password Requirements: Minimum complexity (length, character types). Periodic password changes (if organisational policy requires). No password reuse (new password must differ from previous passwords). Secure password reset process (email verification).

Account Lockout: Automatic lock after multiple failed login attempts (typically 5 attempts). Manual unlock by SuperUser (after investigation). Time-based automatic unlock (if configured, e.g., 30 minutes).

Session Management: Automatic logout after inactivity period. Session invalidation on password change. Single session per user (prevents session sharing).

Multi-Factor Authentication (If Enabled): Additional verification beyond password (authenticator app, SMS code, email code). Codes sent by SMS can be intercepted through SIM swapping, so prefer an authenticator app where the choice exists. Required for SuperUser accounts (highly recommended). Optional for standard users (based on organisational security policy).
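
The lockout, session and password-change rules above interact in ways that are easy to get wrong (a lock that does not end the live session, a counter that never resets, an unknown address that can be "locked"). The following is an added example showing those rules working together; it is not Kora's implementation, which the manual does not show. Assumed policy values: lock after 5 consecutive failures, automatic unlock after 30 minutes, one active session per user, and every session revoked when the password changes or a SuperUser locks the account.

```python
"""Account lockout, single-session and password-change handling (added example).

Not Kora's code: the manual describes the policy, not the implementation.
Assumed values: lock after 5 consecutive failures, automatic unlock after 30
minutes, one active session per user, sessions revoked on password change or
manual lock. Event tuples stand in for the audit records such actions produce.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

MAX_FAILURES = 5
LOCK_DURATION = timedelta(minutes=30)
FOREVER = datetime.max.replace(tzinfo=timezone.utc)  # manual lock: stays until unlocked


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, email, password):
        self.email = email
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(password, self.salt)
        self.failures = 0
        self.locked_until = None   # None = unlocked, otherwise locked until this time
        self.session = None        # the single active session token

    def is_locked(self, now):
        return self.locked_until is not None and now < self.locked_until


class AuthService:
    def __init__(self):
        self.accounts = {}
        self.events = []           # (time, email, action, detail): the audit records

    def _log(self, now, email, action, detail=""):
        self.events.append((now, email, action, detail))

    def register(self, email, password):
        self.accounts[email] = Account(email, password)

    def login(self, email, password, now):
        """Return a session token on success, None on any failure."""
        acct = self.accounts.get(email)
        if acct is None:
            # Unknown address: nothing to lock. Same outcome as a wrong password,
            # so the login form does not reveal which addresses have accounts.
            self._log(now, email, "LoginFailed", "invalid credentials")
            return None
        if acct.locked_until is not None and now >= acct.locked_until:
            acct.locked_until, acct.failures = None, 0   # timed lock has expired
        if acct.is_locked(now):
            # Rejected before the password is checked and not counted toward the
            # lock, so extra attempts cannot keep extending the lock.
            self._log(now, email, "LoginFailed", "account locked")
            return None
        if not hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt)):
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.locked_until = now + LOCK_DURATION
                self._log(now, email, "AccountLocked", f"after {acct.failures} failures")
            else:
                self._log(now, email, "LoginFailed", f"invalid credentials, attempt {acct.failures}")
            return None
        acct.failures, acct.locked_until = 0, None
        acct.session = secrets.token_urlsafe(32)      # replaces any earlier session
        self._log(now, email, "LoginSucceeded")
        return acct.session

    def session_valid(self, email, token):
        acct = self.accounts.get(email)
        return (acct is not None and acct.session is not None
                and hmac.compare_digest(acct.session, token))

    def lock(self, email, by, now):
        """High-severity response: lock and end the live session in one step."""
        acct = self.accounts[email]
        acct.locked_until, acct.session = FOREVER, None
        self._log(now, email, "AccountLocked", f"manual, by {by}")

    def unlock(self, email, by, now):
        acct = self.accounts[email]
        acct.locked_until, acct.failures = None, 0
        self._log(now, email, "AccountUnlocked", f"manual, by {by}")

    def change_password(self, email, new_password, now):
        acct = self.accounts[email]
        acct.salt = secrets.token_bytes(16)
        acct.pw_hash = hash_password(new_password, acct.salt)
        acct.session = None                           # invalidate the live session
        self._log(now, email, "PasswordChanged")


if __name__ == "__main__":
    svc = AuthService()
    svc.register("sarah.johnson@example.com", "correct horse battery staple")
    now = datetime.now(timezone.utc)
    for _ in range(MAX_FAILURES):
        svc.login("sarah.johnson@example.com", "wrong password", now)
    print(svc.events[-1])
```

Two details matter for operations. The failure counter resets when a timed lock expires, otherwise the sixth wrong guess would re-lock the account immediately and a determined attacker could keep a real user locked out indefinitely. And a manual lock clears the session token, which is what "lock the account" needs to mean during an incident: an account that is merely marked locked while its session stays valid is not contained.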

Data Protection

Data in Transit: HTTPS encryption for all web traffic (data encrypted between user's browser and Kora server). TLS encryption for email notifications (this protects the hop between mail servers only; email is not end-to-end encrypted, so notifications should not carry sensitive record details).

Data at Rest: Database encryption (if configured at infrastructure level). Backup encryption (encrypted backup files).

Data Access Logging: Every data access logged (who viewed which animal records). Audit trail for sensitive data access. Regulatory compliance for data protection laws.

Data Retention and Deletion: Soft delete for most data (marked deleted, not permanently removed immediately). Hard delete after retention period. Audit logs retained per compliance requirements. User data protection (GDPR right to erasure balanced with operational/legal retention needs).

Compliance Documentation

Regulatory Audit Support

Common Audit Requirements: Access control documentation (who has access to what data). Audit trail evidence (demonstrating accountability for regulated actions). Data integrity proof (showing data hasn't been tampered with). Change management records (documenting system modifications). Incident response documentation (how security issues were handled).

Preparing for Regulatory Audits:

1. Comprehensive Audit Log Export: Export audit logs for audit period (typically last year or since last audit). Filter to compliance-relevant actions (animal health records, traceability events, veterinary observations). Provide in readable format (CSV, PDF report, or structured data as required).

2. User Access Report: List of all users with access during audit period. Roles and permissions for each user. Access review documentation (showing regular access reviews occurred). Veterinarian credential verification records.

3. Data Integrity Evidence: Traceability chain integrity (cryptographic verification if used). Audit log immutability documentation. Backup and recovery procedures.

4. Security Incident Summary: Any security incidents during audit period. How incidents were investigated and resolved. Preventive measures implemented post-incident.

5. Compliance-Specific Reports:

  • Traceability compliance: Complete movement histories
  • Veterinary record compliance: Treatment documentation, withdrawal periods
  • Biosecurity compliance: Quarantine documentation, disease reporting
  • Data protection compliance: How personal data is protected, retention policies

Demonstrating Accountability

For Regulatory Authorities: "Here's the complete audit trail showing every treatment administered, who administered it, when, and what withdrawal periods were observed." "Every animal movement is documented with who authorised it, when it occurred, and complete chain of custody." "Here's evidence that every notifiable disease was reported within required timeframes."

For Internal Compliance Officers: "All user access changes are logged, showing only authorised personnel accessed sensitive data." "Every administrative action traces to specific SuperUser with business justification." "Security incidents were identified, investigated, and remediated with complete documentation."

For External Auditors: "Data integrity is maintained through immutable audit logging and cryptographic traceability chains." "Access controls follow least privilege principle, regularly reviewed and documented." "Backup and disaster recovery procedures tested quarterly with documented results."

Compliance Reporting Workflows

Quarterly Compliance Report:

  1. Generate user access summary
  2. Export audit logs for quarter
  3. Summarise security incidents (if any)
  4. Document access reviews performed
  5. Report to compliance officer or management

Annual Regulatory Audit:

  1. Comprehensive audit log export (full year)
  2. User access documentation (all users, all role changes)
  3. Security incident summary (investigations and resolutions)
  4. Compliance-specific reports (traceability, veterinary records, biosecurity)
  5. Prepare for auditor questions (understand audit logs thoroughly)

Post-Incident Compliance Documentation:

  1. Incident timeline (what happened, when)
  2. Investigation findings (who, what, why)
  3. Remediation actions (how issue was fixed)
  4. Preventive measures (how recurrence prevented)
  5. Evidence preservation (audit logs, communications, decisions)

Incident Response

Security Incident Types

Account Compromise: User account accessed by unauthorised party. Password stolen, session hijacked, or credentials leaked.

Data Breach: Unauthorised access to sensitive data. Data exfiltration (export or copying of data outside authorised use).

Privilege Escalation: User gains permissions beyond what they're authorised for. Misconfiguration or security flaw exploited.

Insider Threat: Authorised user accessing data inappropriately. Malicious or negligent employee actions.

System Tampering: Unauthorised configuration changes. Data modification or deletion outside normal workflow.

Incident Response Workflow

Phase 1: Detection and Identification (Immediate)

  1. Identify anomalous activity (audit logs, alerts, user reports)
  2. Assess severity (low, medium, high, critical)
  3. Document initial findings (timestamp, evidence, preliminary assessment)

Phase 2: Containment (Immediate for High/Critical)

  1. Lock compromised accounts and force a password reset, which invalidates their active sessions (prevent further unauthorised activity)
  2. Preserve evidence (export relevant audit logs, document all findings)
  3. Isolate affected systems (if infrastructure compromise suspected)
  4. Prevent further damage (revoke permissions, restrict access)

Phase 3: Investigation (Hours to Days)

  1. Comprehensive audit log analysis (reconstruct full timeline)
  2. Identify scope (what data accessed? what actions taken? what damage occurred?)
  3. Determine root cause (how did incident happen? what vulnerability exploited?)
  4. Assess impact (operational, compliance, legal, reputational)

Phase 4: Eradication and Recovery (Days)

  1. Remove unauthorised access (reset passwords, revoke compromised credentials)
  2. Fix vulnerability (patch security flaw, correct misconfiguration)
  3. Restore normal operations (unlock accounts, restore access after verification)
  4. Verify security (confirm threat eliminated, no backdoors remain)

Phase 5: Post-Incident Activities (Weeks)

  1. Complete documentation (full incident report with timeline, findings, actions)
  2. Lessons learned (what went wrong? what worked well? what should change?)
  3. Preventive measures (improve security controls, update policies, enhance monitoring)
  4. Compliance notification (report to regulatory authorities if required by law)
  5. User communication (inform affected parties, update security guidance)

Incident Response Example

Incident: Data breach suspected. Large volume of animal records exported by compromised account.

Detection: Automatic alert triggered: user.name@example.com exported 1,000 animal records at 11:45 PM (unusual volume, unusual time).

Immediate Response (11:50 PM): SuperUser on-call receives alert. Immediately locks user.name@example.com account. Exports audit logs showing export activity. Escalates to IT security team.

Investigation (Next Morning): Review audit logs: Account logged in from IP address in different country than user's normal location. Contact user: "Did you export data last night?" User: "No, I haven't logged in since yesterday afternoon." Conclusion: Account compromised, unauthorised data export occurred.

Containment: Account already locked (done during immediate response). Review what data was exported: 1,000 cattle records (names, weights, locations, health histories). No financial data, no user personal information, animal data only. Search for the exported file in monitored destinations (corporate email, cloud storage): none found. The export was downloaded by the attacker's browser, so the absence of a copy inside the organisation says nothing about where it went; treat the records as disclosed.

Eradication: Force a password reset for the compromised account, which also invalidates the session the attacker was using. Enable multi-factor authentication for all SuperUser accounts immediately. Review all recent exports by all users and all logins from the attacker's IP address (no other suspicious activity found).

Recovery: Reset user's password, unlock account after MFA enabled. User regains access with secure credentials.

Post-Incident: Document complete incident timeline. Assess compliance impact: Animal data breach, no personal data, no financial data. Check regulatory notification requirements with legal/compliance: judged not required in this case (animal operational data, no personal identifying information, no public health impact), but note that farm locations tied to an identifiable owner can count as personal data in some jurisdictions, so record who made the determination and on what basis. Implement preventive measures: Mandate MFA for all users, implement export volume alerts, require justification for large exports. Update incident response procedures based on lessons learned. Report incident to management with recommendations.

Outcome: Incident contained within 12 hours, no ongoing threat, preventive measures implemented, compliance obligations met.
