...
Depending on business risk it may be adequate to store the originating computer's Internet Protocol address and time stamps in database tables. Higher levels of business risk might require Secure Socket Layer (SSL) sessions, trusted time stamps, and comprehensive audit trails on the database tables involved.
It should be noted that while the policy directive stipulates that audit trails "identify the sending location", in practice it is not possible to identify the sending location of all Internet transactions with a high degree of confidence. In particular if the transacting party has motivation and technical competence there are widely available mechanisms to defeat any attempt at location.
...