Template:Cybersecurity/Audit and accountability
AU-1 Audit and accountability policy and procedures
This control recommends the organization develop, document, disseminate, review, and update audit and accountability policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of audit and accountability action but also to address how those policies and procedures will be implemented, reviewed, and updated.
Additional resources:
- NIST Special Publications 800-12, Rev. 1, page 60
- State of North Carolina Audit and Accountability Policy
- LIMSpec 7.1, 7.2
AU-2 Audit events
This control recommends the organization scrutinize the information system to ensure it's fully capable of auditing the events the organization requires to meet its business, cybersecurity, and regulatory goals. It also recommends the organization find common ground within other areas of the organization to improve selection of auditable events, provide rationale for their selection, and implement within the information system the selected auditable events at the recommended frequency or during a specific situation. NIST SP 800-53, Rev. 4 also notes: "Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit capability and can facilitate the identification of root causes to problems."
Additional resources:
AU-3 Content of audit reports
This control recommends the system be capable of generating audit records that, at a minimum, provide who enacted an event, when it was enacted, where it occurred, what occurred, and what the outcome was. Regulations and standards may dictate what must be recorded beyond those aspects.
Additional resources:
AU-4 Audit storage capacity
This control recommends the organization allocate sufficient resources to ensure the storage capacity of the system is sufficient to hold all its audit records. What that storage capacity should be will be most heavily dictated by data retention regulations and standards (see AU-11), followed by available organizational resources to commit to long-term storage. Additional safeguards such as sending warning messages to designated personnel or system roles when storage space reaches a critical minimum may be useful.
Additional resources:
- No LIMSpec comp (organizational policy rather than system specification)
AU-5 Response to audit processing failures
This control recommends the system be able to alert specific personnel or system roles when an audit processing failure occurs and take action as specified by the organization. This action includes shutting down the system, overwriting the oldest audit record (because storage capacity is maxed), or discontinuing the generation of audit records. The system should also allow the organization to specify action differently for various types of failures.
Additional resources:
AU-6 Audit review, analysis, and reporting
This control recommends the organization, as part of policy, review, analyze, and report on the results from generated system audit records at defined frequencies, focusing on inappropriate or unusual activity that may compromise the security of the system. The finding may be reported to designated individuals within the organization, designated departments within the organization, or even regulatory bodies outside the organization.
Additional resources:
AU-6 (1) Audit review, analysis, and reporting: Process integration
This control enhancement recommends the organization implement some sort of automation into their system to better integrate audit review, analysis, and reporting processes with organizational investigation processes (e.g., incident response, continuous monitoring, etc.) in order to better and more quickly respond to cyber threats.
Additional resources:
AU-8 Time stamps
This control recommends the system use a reliable system clock for generating its audit records. The system clock should be able to generate time stamps in Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meet organizational requirements for granularity, all the way down to the millisecond level.
Additional resources:
- LIMSpec 9.3 and 31.5
AU-9 Protection of audit information
This control recommends the system be capable of logically protecting audit information (records, settings, and reports) and tools from unauthorized access, modification, and deletion.
Additional resources:
AU-11 Audit record retention
This control recommends the organization, in tandem with the its overall record retention policy, retain audit records for a defined period of time. That time period may be dictated by administrative, operational, or regulatory policy.
Additional resources:
AU-11 (1) Audit record retention:Long-term retrieval capability
This control enhancement recommends the organization ensure the availability and retrievability of audit information stored long-term. This assurance can be made in several ways, including verifying the information system is correctly providing access to the information to authorized individuals; ensuring records in old, difficult-to-read formats get updated; and retaining the necessary documentation and hardware to read and interpret older record systems.
Additional resources:
AU-12 Audit generation
This control aligns with AU-2 and AU-3, in as much as it recommends the system be capable of generating audit records for the auditable events defined in AU-2 at various organization-defined points in the information system. This control also recommends the system to allow authorized users to assign which auditable events are to be audited by which points in the system. And of course, the system should be capable of generating the audit records with the content as defined in AU-3.
Additional resources: