First, make sure your procedural and policy ducks are in a row and carefully align what you do and say within that policy. Second, think through your priorities. Suspecting one end user has acquired super-user access may have serious overall implications — such as potential violation of defense contracting requirements or HIPAA obligations. Perhaps the priority should be a rebuild of your <a href=”http://www.lulu.com/product/hardcover/it-auditing-assuring-infromation-assets-protection/6209242″>access control</a> structure; since one “known” violation suggests there could be others. Third, obtain line management support at an appropriate level before, for example, installing key board capture or other detection measures.