AU

Family: Audit and Accountability

Class: Technical

AU-1 AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES

Control: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:

a. A formal, documented audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

b. Formal, documented procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.

Supplemental Guidance: This control is intended to produce the policy and procedures that are required for the effective implementation of selected security controls and control enhancements in the audit and accountability family. The policy and procedures are consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Existing organizational policies and procedures may make the need for additional specific policies and procedures unnecessary. The audit and accountability policy can be included as part of the general information security policy for the organization. Audit and accountability procedures can be developed for the security program in general and for a particular information system, when required. The organizational risk management strategy is a key factor in the development of the audit and accountability policy.

Related control: PM-9.

Control Enhancements: None.

References: NIST Special Publications 800-12, 800-100.

LOW AU-1 MOD AU-1

Federal Risk and Authorization Management Program

Control Parameter Requirements:

Parameter: at least annually

Additional Requirements and Guidance:

None.

AU-2 AUDITABLE EVENTS

Control: The organization:

a. Determines, based on a risk assessment and mission/business needs, that the information system must be capable of auditing the following events: [Assignment: organization-defined list of auditable events];

b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;

c. Provides a rationale for why the list of auditable events is deemed to be adequate to support after-the-fact investigations of security incidents; and

d. Determines, based on current threat information and ongoing assessment of risk, that the following events are to be audited within the information system: [Assignment: organization-defined subset of the auditable events defined in AU-2 a. to be audited along with the frequency of (or situation requiring) auditing for each identified event].

Supplemental Guidance: The purpose of this control is for the organization to identify events which need to be auditable as significant and relevant to the security of the information system; giving an overall system requirement in order to meet ongoing and specific audit needs. To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are to be audited at a given point in time. For example, the organization may determine that the information system must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the extreme burden on system performance. In addition, audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the right level of abstraction for audit record generation is a critical aspect of an audit capability and can facilitate the identification of root causes to problems.

Related control: AU-3.

Control Enhancements:

(3) The organization reviews and updates the list of auditable events [Assignment: organization-defined frequency].

Enhancement Supplemental Guidance: The list of auditable events is defined in AU-2.

(4) The organization includes execution of privileged functions in the list of events to be audited by the information system.

Enhancement Supplemental Guidance: None.

References: NIST Special Publication 800-92; Web: CSRC.NIST.GOV/PCIG/CIG.HTML.

LOW AU-2 MOD AU-2 (3) (4)

Federal Risk and Authorization Management Program

Control Parameter Requirements:

(a) Parameter: Successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes

(d) Parameter: See additional requirements and guidance.

(d) Parameter: continually

(3) Parameter: annually or whenever there is a change in the threat environment

Additional Requirements and Guidance:

(d) Requirement: The service provider defines the subset of auditable events from AU-2a to be audited. The events to be audited are approved and accepted by the JAB.

(3) Guidance: Annually or whenever changes in the threat environment are communicated to the service provider by the JAB.

(4) Requirement: The service provider configures the auditing features of operating systems, databases, and applications to record security-related events, to include logon/logoff and all failed access attempts.

AU-3 CONTENT OF AUDIT RECORDS

Control: The information system produces audit records that contain sufficient information to, at a minimum, establish what type of event occurred, when (date and time) the event occurred, where the event occurred, the source of the event, the outcome (success or failure) of the event, and the identity of any user/subject associated with the event.

Supplemental Guidance: Audit record content that may be necessary to satisfy the requirement of this control includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.

Related controls: AU-2, AU-8.

Control Enhancements:

(1) The information system includes [Assignment: organization-defined additional, more detailed information] in the audit records for audit events identified by type, location, or subject.

Enhancement Supplemental Guidance: An example of detailed information that the organization may require in audit records is full-text recording of privileged commands or the individual identities of group account users.

References: None.

LOW AU-3 MOD AU-3 (1)

Federal Risk and Authorization Management Program

Control Parameter Requirements:

(1) Parameter: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon

Additional Requirements and Guidance:

(1) Requirement: The service provider defines audit record types. The audit record types are approved and accepted by the JAB.

(1) Guidance: For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.

AU-4 AUDIT STORAGE CAPACITY

Control: The organization allocates audit record storage capacity and configures auditing to reduce the likelihood of such capacity being exceeded.

Supplemental Guidance: The organization considers the types of auditing to be performed and the audit processing requirements when allocating audit storage capacity.

Related controls: AU-2, AU-5, AU-6, AU-7, SI-4.

Control Enhancements: None.

References: None.

LOW AU-4 MOD AU-4

Federal Risk and Authorization Management Program

Control Parameter Requirements:

None.

Additional Requirements and Guidance:

None.

AU-5 RESPONSE TO AUDIT PROCESSING FAILURES

Control: The information system:

a. Alerts designated organizational officials in the event of an audit processing failure; and

b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].

Supplemental Guidance: Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.

Related control: AU-4.

Control Enhancements: None.

References: None.

LOW AU-5 MOD AU-5

Federal Risk and Authorization Management Program

Control Parameter Requirements:

(b) Parameter: low-impact: overwrite oldest audit records; moderate-impact: shut down

Additional Requirements and Guidance:

None.

AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING

Control: The organization:

a. Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of inappropriate or unusual activity, and reports findings to designated organizational officials; and

b. Adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk to organizational operations, organizational assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information.

Supplemental Guidance: None.

Related control: AU-7.

Control Enhancements: None.

References: None.

LOW AU-6 MOD AU-6

Federal Risk and Authorization Management Program

Control Enhancements:

(1) The information system integrates audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.

(3) The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.

LOW AU-6 MOD AU-6 (1) (3)

Control Parameter Requirements:

(a) Parameter: at least weekly

Additional Requirements and Guidance:

None.

AU-7 AUDIT REDUCTION AND REPORT GENERATION

Control: The information system provides an audit reduction and report generation capability.

Supplemental Guidance: An audit reduction and report generation capability provides support for near real-time audit review, analysis, and reporting requirements described in AU-6 and after-the-fact investigations of security incidents. Audit reduction and reporting tools do not alter original audit records.

Related control: AU-6.

Control Enhancements:

(1) The information system provides the capability to automatically process audit records for events of interest based on selectable event criteria.

Enhancement Supplemental Guidance: None.

References: None.

LOW Not Selected MOD AU-7 (1)

Federal Risk and Authorization Management Program

Control Parameter Requirements:

None.

Additional Requirements and Guidance:

None.

AU-8 TIME STAMPS

Control: The information system uses internal system clocks to generate time stamps for audit records.

Supplemental Guidance: Time stamps generated by the information system include both date and time. The time may be expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.

Related control: AU-3.

Control Enhancements:

(1) The information system synchronizes internal information system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source].

Enhancement Supplemental Guidance: None.

References: None.

LOW AU-8 MOD AU-8 (1)

Federal Risk and Authorization Management Program

Control Parameter Requirements:

(1) Parameter: at least hourly

(1) Parameter: http://tf.nist.gov/tf-cgi/servers.cgi

Additional Requirements and Guidance:

(1) Requirement: The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server.

(1) Requirement: The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server.

(1) Guidance: Synchronization of system clocks improves the accuracy of log analysis.
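As an added illustration that is not part of the baseline text, the following Python checks constructed audit records against the AU-3 minimum content (what, when, where, source, outcome, identity) and the AU-8 guidance that time stamps carry date and time in UTC or with a UTC offset, then applies the kind of selectable-criteria filter AU-7 (1) calls for. The field names and the sample records are assumptions, not taken from any real system.

```python
"""Validate constructed audit records against AU-3 and AU-8, then reduce them
per AU-7 (1). Field names and sample data are assumptions for this example."""
from datetime import datetime
import json

# AU-3 minimum content, mapped to assumed field names:
# what, when, where, source, outcome, identity of user/subject.
REQUIRED_FIELDS = ("event_type", "timestamp", "host", "source", "outcome", "subject")


def timestamp_ok(value: str) -> bool:
    """AU-8: a date and time, in UTC ('Z' or +00:00) or local time with an offset."""
    try:
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return False
    return parsed.tzinfo is not None  # a naive local time has no offset


def check_record(record: dict) -> list:
    """Return the AU-3/AU-8 findings for one record; an empty list means compliant."""
    findings = [f"missing {f}" for f in REQUIRED_FIELDS if not record.get(f)]
    if record.get("timestamp") and not timestamp_ok(record["timestamp"]):
        findings.append("timestamp lacks date/time or UTC offset (AU-8)")
    if record.get("outcome") not in (None, "", "success", "failure"):
        findings.append("outcome must be success or failure (AU-3)")
    return findings


def reduce_records(records, **criteria):
    """AU-7 (1): keep only records matching every field=value criterion given."""
    return [r for r in records if all(r.get(k) == v for k, v in criteria.items())]


# Constructed sample records as JSON lines (not real log data).
SAMPLE_LOG = """\
{"event_type":"logon","timestamp":"2012-06-01T14:03:22Z","host":"app01","source":"10.0.0.5","outcome":"failure","subject":"jdoe"}
{"event_type":"logon","timestamp":"2012-06-01T14:03:40Z","host":"app01","source":"10.0.0.5","outcome":"success","subject":"jdoe"}
{"event_type":"privileged_cmd","timestamp":"2012-06-01T09:15:00","host":"db01","source":"10.0.0.9","outcome":"success","subject":"root"}
{"event_type":"file_delete","timestamp":"2012-06-01T14:10:00+00:00","host":"app02","source":"10.0.0.7","subject":"svc_backup"}
"""


def audit_sample():
    """Check every sample record and select the failed events for review."""
    records = [json.loads(line) for line in SAMPLE_LOG.splitlines()]
    report = {i: check_record(r) for i, r in enumerate(records)}
    failures = reduce_records(records, outcome="failure")
    return report, failures


if __name__ == "__main__":
    report, failures = audit_sample()
    for idx, findings in report.items():
        print(idx, findings or "ok")
    print("failed events:", [r["event_type"] for r in failures])
```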

AU-9 PROTECTION OF AUDIT INFORMATION

Control: The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

Supplemental Guidance: Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.

Related controls: AC-3, AC-6.

Control Enhancements: None.

References: None.

LOW AU-9 MOD AU-9

Federal Risk and Authorization Management Program

Control Enhancements:

(2) The information system backs up audit records [Assignment: organization-defined frequency] onto a different system or media than the system being audited.

LOW AU-9 MOD AU-9 (2)

Control Parameter Requirements:

(2) Parameter: at least weekly

Additional Requirements and Guidance:

None.


AU-10 NON-REPUDIATION

Control: The information system protects against an individual falsely denying having performed a particular action.

Supplemental Guidance: Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. Non-repudiation protects individuals against later claims by an author of not having authored a particular document, a sender of not having transmitted a message, a receiver of not having received a message, or a signatory of not having signed a document. Non-repudiation services can be used to determine if information originated from an individual, or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request) or received specific information. Non-repudiation services are obtained by employing various techniques or mechanisms (e.g., digital signatures, digital message receipts).

Related control: SC-13.

Control Enhancements:

(5) The organization employs [Selection: FIPS-validated; NSA-approved] cryptography to implement digital signatures.

Enhancement Supplemental Guidance: None.

References: None.

LOW Not Selected MOD AU-10 (5)

Federal Risk and Authorization Management Program

Control Parameter Requirements:

(5) Selection: FIPS-validated; NSA-approved

Additional Requirements and Guidance:

(5) Requirement: The service provider implements FIPS 140-2 validated cryptography (e.g., DOD PKI Class 3 or 4 tokens) for service offerings that include Software-as-a-Service (SaaS) with email.

AU-11 AUDIT RECORD RETENTION

Control: The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.

Supplemental Guidance: The organization retains audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoena, and law enforcement actions. Standard categorizations of audit records relative to such types of actions and standard response processes for each type of action are developed and disseminated. The National Archives and Records Administration (NARA) General Records Schedules (GRS) provide federal policy on record retention.

Control Enhancements: None.

References: None.

LOW AU-11 MOD AU-11

Federal Risk and Authorization Management Program

Control Parameter Requirements:

Parameter: at least ninety days

Additional Requirements and Guidance:

Requirement: The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.

AU-12 AUDIT GENERATION

Control: The information system:

a. Provides audit record generation capability for the list of auditable events defined in AU-2 at [Assignment: organization-defined information system components];

b. Allows designated organizational personnel to select which auditable events are to be audited by specific components of the system; and

c. Generates audit records for the list of audited events defined in AU-2 with the content as defined in AU-3.

Supplemental Guidance: Audit records can be generated from various components within the information system. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records (i.e., auditable events).

Related controls: AU-2, AU-3.

Control Enhancements: None.

References: None.

LOW AU-12 MOD AU-12

Federal Risk and Authorization Management Program

Control Parameter Requirements:

(a) Parameter: all information system components where audit capability is deployed

Additional Requirements and Guidance:

None.