AU - Audit and Accountability
- Controls Count: 9
- Control IDs: AU-5 (1), AU-5 (2), AU-6 (5), AU-6 (6), AU-9 (2), AU-9 (3), AU-10, AU-12 (1), AU-12 (3)
Controls
AU-5 (1): Storage Capacity Warning
Provide a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit log storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit log storage capacity.
Organizations may have multiple audit log storage repositories distributed across multiple system components with each repository having different storage volume capacities.
Determine if a warning is provided to [organization-defined personnel, roles, and/or locations] within [organization-defined time period] when allocated audit log storage volume reaches [organization-defined percentage] of repository maximum audit log storage capacity.
Examine:
- Audit and accountability policy
- procedures addressing response to audit processing failures
- system design documentation
- system security plan
- privacy plan
- system configuration settings and associated documentation
- system audit records
- other relevant documents or records
Interview:
- Organizational personnel with audit and accountability responsibilities
- organizational personnel with information security and privacy responsibilities
- system/network administrators
- system developers
Test:
- Mechanisms implementing audit storage limit warnings
AU-5 (2): Real-time Alerts
Provide an alert within [Assignment: organization-defined real-time period] to [Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment: organization-defined audit logging failure events requiring real-time alerts].
Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less).
Determine if an alert is provided within [organization-defined real-time period] to [organization-defined personnel, roles, and/or locations] when [organization-defined audit logging failure events requiring real-time alerts] occur.
Examine:
- Audit and accountability policy
- procedures addressing response to audit processing failures
- system design documentation
- system security plan
- privacy plan
- system configuration settings and associated documentation
- system audit records
- other relevant documents or records
Interview:
- Organizational personnel with audit and accountability responsibilities
- organizational personnel with information security and privacy responsibilities
- system/network administrators
- system developers
AU-6 (5): Integrated Analysis of Audit Records
Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity.
Integrated analysis of audit records does not require vulnerability scanning, the generation of performance data, or system monitoring. Rather, integrated analysis requires that the analysis of information generated by scanning, monitoring, or other data collection activities is integrated with the analysis of audit record information. Security Information and Event Management tools can facilitate audit record aggregation or consolidation from multiple system components as well as audit record correlation and analysis. The use of standardized audit record analysis scripts developed by organizations (with localized script adjustments, as necessary) provides more cost-effective approaches for analyzing audit record information collected. The correlation of audit record information with vulnerability scanning information is important in determining the veracity of vulnerability scans of the system and in correlating attack detection events with scanning results. Correlation with performance data can uncover denial-of-service attacks or other types of attacks that result in the unauthorized use of resources. Correlation with system monitoring information can assist in uncovering attacks and in better relating audit information to operational situations.
Determine if analysis of audit records is integrated with analysis of [one or more of: vulnerability scanning information; performance data; system monitoring information; organization-defined data/information collected from other sources] to further enhance the ability to identify inappropriate or unusual activity.
Examine:
- Audit and accountability policy
- system security plan
- privacy plan
- procedures addressing audit review, analysis, and reporting
- system design documentation
- system configuration settings and associated documentation
- integrated analysis of audit records, vulnerability scanning information, performance data, network monitoring information, and associated documentation
- other relevant documents or records
Interview:
- Organizational personnel with audit review, analysis, and reporting responsibilities
- organizational personnel with information security and privacy responsibilities
Test:
- Mechanisms implementing the capability to integrate analysis of audit records with analysis of data/information sources
AU-6 (6): Correlation with Physical Monitoring
Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.
The correlation of physical audit record information and the audit records from systems may assist organizations in identifying suspicious behavior or supporting evidence of such behavior. For example, the correlation of an individual’s identity for logical access to certain systems with the additional physical security information that the individual was present at the facility when the logical access occurred may be useful in investigations.
Determine if information from audit records is correlated with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.
Examine:
- Audit and accountability policy
- procedures addressing audit review, analysis, and reporting
- procedures addressing physical access monitoring
- system design documentation
- system configuration settings and associated documentation
- documentation providing evidence of correlated information obtained from audit records and physical access monitoring records
- system security plan
- privacy plan
- other relevant documents or records
Interview:
- Organizational personnel with audit review, analysis, and reporting responsibilities
- organizational personnel with physical access monitoring responsibilities
- organizational personnel with information security and privacy responsibilities
Test:
- Mechanisms implementing the capability to correlate information from audit records with information from monitoring physical access
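The correlation the AU-6 (6) discussion describes, as an added example in Go (not part of the NIST text): logons to hosts that require physical presence are checked against badge-reader records, and a logon by a user whose most recent badge event is an exit (or who has no badge history) is flagged for review. The users, host names, door name and timestamps are constructed; the example assumes the badge system records both entries and exits.

```go
package main

import (
	"fmt"
	"time"
)

// LogonEvent is a logical-access record taken from a system audit log.
type LogonEvent struct {
	User string
	Host string
	At   time.Time
}

// BadgeEvent is a physical-access record from a badge reader.
// In is true for an entry into the facility and false for an exit.
type BadgeEvent struct {
	User string
	Door string
	In   bool
	At   time.Time
}

// Finding is a logon that the physical-access records do not corroborate.
type Finding struct {
	User string
	Host string
	At   time.Time
	Why  string
}

// presentAt reports whether the badge history places user inside the
// facility at time t: the latest badge event at or before t must be an entry.
func presentAt(badges []BadgeEvent, user string, t time.Time) bool {
	var last *BadgeEvent
	for i := range badges {
		b := &badges[i]
		if b.User != user || b.At.After(t) {
			continue
		}
		if last == nil || b.At.After(last.At) {
			last = b
		}
	}
	return last != nil && last.In
}

// CorrelatePhysical flags logons to hosts that require physical presence
// (consoleHosts) when the user has no badge-in record covering the logon time.
func CorrelatePhysical(logons []LogonEvent, badges []BadgeEvent, consoleHosts map[string]bool) []Finding {
	var findings []Finding
	for _, l := range logons {
		if !consoleHosts[l.Host] {
			continue // remotely reachable host: physical presence is not expected
		}
		if !presentAt(badges, l.User, l.At) {
			findings = append(findings, Finding{l.User, l.Host, l.At, "console logon with no badge-in covering the logon time"})
		}
	}
	return findings
}

// SampleFindings runs the correlation over constructed records
// (hypothetical users, hosts and door, not real data).
func SampleFindings() []Finding {
	day := func(h, m int) time.Time { return time.Date(2024, 1, 15, h, m, 0, 0, time.UTC) }
	badges := []BadgeEvent{
		{"alice", "lobby", true, day(8, 55)},
		{"bob", "lobby", true, day(7, 30)},
		{"bob", "lobby", false, day(12, 0)},
	}
	logons := []LogonEvent{
		{"alice", "dc-console", day(9, 10)}, // badged in at 08:55: corroborated
		{"bob", "dc-console", day(13, 15)},  // badged out at 12:00: flagged
		{"carol", "vpn-gw", day(10, 0)},     // remote host: not checked
	}
	return CorrelatePhysical(logons, badges, map[string]bool{"dc-console": true})
}

func main() {
	for _, f := range SampleFindings() {
		fmt.Printf("%s %s@%s: %s\n", f.At.Format(time.RFC3339), f.User, f.Host, f.Why)
	}
}
```

In practice the two record streams come from different systems with different clocks and identity formats, so the badge user identifier has to be mapped to the logon account before correlation, and the comparison should allow the clock tolerance the organization has defined for its audit trail.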
AU-9 (2): Store on Separate Physical Systems or Components
Store audit records [Assignment: organization-defined frequency] in a repository that is part of a physically different system or system component than the system or component being audited.
Storing audit records in a repository separate from the audited system or system component helps to ensure that a compromise of the system being audited does not also result in a compromise of the audit records. Storing audit records on separate physical systems or components also preserves the confidentiality and integrity of audit records and facilitates the management of audit records as an organization-wide activity. Storing audit records on separate systems or components applies to initial generation as well as backup or long-term storage of audit records.
Determine if audit records are stored [organization-defined frequency] in a repository that is part of a physically different system or system component than the system or component being audited.
Examine:
- Audit and accountability policy
- system security plan
- privacy plan
- procedures addressing protection of audit information
- system design documentation
- system configuration settings and associated documentation
- system or media storing backups of system audit records
- system audit records
- other relevant documents or records
Interview:
- Organizational personnel with audit and accountability responsibilities
- organizational personnel with information security and privacy responsibilities
- system/network administrators
- system developers
Test:
- Mechanisms implementing the backing up of audit records
AU-9 (3): Cryptographic Protection
Implement cryptographic mechanisms to protect the integrity of audit information and audit tools.
Cryptographic mechanisms used for protecting the integrity of audit information include signed hash functions using asymmetric cryptography. This enables the distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
Determine if cryptographic mechanisms to protect the integrity of audit information and audit tools are implemented.
Examine:
- Audit and accountability policy
- system security plan
- privacy plan
- access control policy and procedures
- procedures addressing protection of audit information
- system design documentation
- system hardware settings
- system configuration settings and associated documentation
- system audit records
- other relevant documents or records
Interview:
- Organizational personnel with audit and accountability responsibilities
- organizational personnel with information security and privacy responsibilities
- system/network administrators
- system developers
Test:
- Cryptographic mechanisms protecting the integrity of audit information and tools
AU-10: Non-repudiation
Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed [Assignment: organization-defined actions to be covered by non-repudiation].
Types of individual actions covered by non-repudiation include creating information, sending and receiving messages, and approving information. Non-repudiation protects against claims by authors of not having authored certain documents, senders of not having transmitted messages, receivers of not having received messages, and signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from an individual or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request, or receiving specific information). Organizations obtain non-repudiation services by employing various techniques or mechanisms, including digital signatures and digital message receipts.
Determine if irrefutable evidence is provided that an individual (or process acting on behalf of an individual) has performed [organization-defined actions to be covered by non-repudiation].
Examine:
- Audit and accountability policy
- system security plan
- privacy plan
- procedures addressing non-repudiation
- system design documentation
- system configuration settings and associated documentation
- system audit records
- other relevant documents or records
Interview:
- Organizational personnel with information security and privacy responsibilities
- system/network administrators
- system developers
Test:
- Mechanisms implementing non-repudiation capability
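The "signed hash using asymmetric cryptography" that the AU-9 (3) discussion names, and the digital-signature mechanism AU-10 relies on, share one worked example here (added code, not part of the NIST text). Each audit record is hashed with SHA-256 and the digest is signed with an Ed25519 private key that stays with the logging service; a verifier holding only the public key can confirm that a stored record is unaltered and was produced by the key holder, which is what makes the record usable as non-repudiation evidence. The record contents are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SignedRecord is an audit record together with the signature over its SHA-256 digest.
type SignedRecord struct {
	Record    string
	Signature []byte
}

// Signer holds the signing key, which stays on the logging host (or in an HSM);
// only Pub is distributed to verifiers.
type Signer struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

// NewSigner generates a fresh Ed25519 key pair.
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv, Pub: pub}, nil
}

// digest is what actually gets signed; signing the hash of the record rather
// than the raw record is the "signed hash" the AU-9 (3) discussion describes.
func digest(record string) []byte {
	d := sha256.Sum256([]byte(record))
	return d[:]
}

// Sign produces the signature for one record.
func (s *Signer) Sign(record string) SignedRecord {
	return SignedRecord{Record: record, Signature: ed25519.Sign(s.priv, digest(record))}
}

// Verify recomputes the digest from the record as stored and checks the
// signature with the public key only. It returns false if the record or the
// signature was altered, or if the record was signed under a different key.
func Verify(pub ed25519.PublicKey, r SignedRecord) bool {
	return ed25519.Verify(pub, digest(r.Record), r.Signature)
}

func main() {
	s, err := NewSigner()
	if err != nil {
		panic(err)
	}
	// Constructed record; the fields are illustrative only.
	rec := s.Sign("2024-01-15T09:10:00Z user=alice action=approve request=PR-0042")
	fmt.Println("signature:", hex.EncodeToString(rec.Signature))
	fmt.Println("verifies as stored:", Verify(s.Pub, rec))
	tampered := rec
	tampered.Record = "2024-01-15T09:10:00Z user=alice action=reject request=PR-0042"
	fmt.Println("verifies after edit:", Verify(s.Pub, tampered))
}
```

Per-record signatures prove integrity and origin of each record but not that records are missing; a deployment that also needs to detect deletion chains each signed digest to the previous one, or signs periodic batches with a record count. The signature is only as strong as the protection of the private key, which is why the control's discussion separates the confidential signing key from the distributable public key.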
AU-12 (1): System-wide and Time-correlated Audit Trail
Compile audit records from [Assignment: organization-defined system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail].
Audit trails are time-correlated if the time stamps in the individual audit records can be reliably related to the time stamps in other audit records to achieve a time ordering of the records within organizational tolerances.
Determine if audit records from [organization-defined system components] are compiled into a system-wide (logical or physical) audit trail that is time-correlated to within [organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail].
Examine:
- Audit and accountability policy
- system security plan
- privacy plan
- procedures addressing audit record generation
- system design documentation
- system configuration settings and associated documentation
- system-wide audit trail (logical or physical)
- system audit records
- other relevant documents or records
Interview:
- Organizational personnel with audit record generation responsibilities
- organizational personnel with information security and privacy responsibilities
- system/network administrators
- system developers
Test:
- Mechanisms implementing audit record generation capability
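What "time-correlated to within a tolerance" means in practice, as an added Go example (not part of the NIST text): records from several components are normalized to a reference clock using each component's measured clock offset, then ordered, and components whose skew exceeds the organization-defined tolerance are reported so their records are not trusted for ordering until the clock is corrected. The component names, events and offsets are constructed; a real deployment would take the offsets from its time-synchronization monitoring.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Record is an audit record as emitted by one component, stamped with that
// component's local clock. Ref is filled in when the trail is compiled.
type Record struct {
	Component string
	Local     time.Time
	Ref       time.Time
	Event     string
}

// Compile converts each record's Local time to the reference clock using the
// measured per-component offset (positive = component clock runs ahead) and
// returns the system-wide trail ordered by reference time. A component with
// no measured offset cannot be placed reliably, so it is reported as an error.
func Compile(records []Record, offsets map[string]time.Duration) ([]Record, error) {
	trail := make([]Record, 0, len(records))
	for _, r := range records {
		off, ok := offsets[r.Component]
		if !ok {
			return nil, fmt.Errorf("no clock offset measured for component %q", r.Component)
		}
		r.Ref = r.Local.Add(-off)
		trail = append(trail, r)
	}
	sort.SliceStable(trail, func(i, j int) bool { return trail[i].Ref.Before(trail[j].Ref) })
	return trail, nil
}

// OutOfTolerance lists the components whose clock skew exceeds the
// organization-defined tolerance, i.e. whose uncorrected time stamps cannot
// be reliably related to other components' records.
func OutOfTolerance(offsets map[string]time.Duration, tolerance time.Duration) []string {
	var out []string
	for c, off := range offsets {
		if off < 0 {
			off = -off
		}
		if off > tolerance {
			out = append(out, c)
		}
	}
	sort.Strings(out)
	return out
}

// SampleOffsets are constructed clock offsets for three hypothetical components.
func SampleOffsets() map[string]time.Duration {
	return map[string]time.Duration{
		"web": 2 * time.Second,  // web clock runs 2 s ahead
		"db":  -3 * time.Second, // db clock runs 3 s behind
		"idp": 0,
	}
}

// SampleTrail compiles constructed records whose local time stamps, read
// naively, would order the events db, idp, web; after correction the causal
// order idp (token issued), web (request received), db (query executed) appears.
func SampleTrail() ([]Record, error) {
	at := func(sec int) time.Time { return time.Date(2024, 1, 15, 12, 0, sec, 0, time.UTC) }
	records := []Record{
		{Component: "web", Local: at(5), Event: "request received"},
		{Component: "db", Local: at(1), Event: "query executed"},
		{Component: "idp", Local: at(2), Event: "token issued"},
	}
	return Compile(records, SampleOffsets())
}

func main() {
	trail, err := SampleTrail()
	if err != nil {
		panic(err)
	}
	for _, r := range trail {
		fmt.Printf("%s ref  (%s local %s)  %s\n", r.Ref.Format("15:04:05"), r.Component, r.Local.Format("15:04:05"), r.Event)
	}
	fmt.Println("components beyond 1 s tolerance:", OutOfTolerance(SampleOffsets(), time.Second))
}
```

The assessor's question for this enhancement is the tolerance itself: if components are synchronized to within the defined tolerance, correction is unnecessary and ordering across components can be trusted directly; if not, the trail is only as good as the offset measurements used to correct it.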
AU-12 (3): Changes by Authorized Individuals
Provide and implement the capability for [Assignment: organization-defined individuals or roles] to change the logging to be performed on [Assignment: organization-defined system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds].
Permitting authorized individuals to make changes to system logging enables organizations to extend or limit logging as necessary to meet organizational requirements. Logging that is limited to conserve system resources may be extended (either temporarily or permanently) to address certain threat situations. In addition, logging may be limited to a specific set of event types to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which logging actions are changed (e.g., near real-time, within minutes, or within hours).
Determine if the capability for [organization-defined individuals or roles] to change the logging to be performed on [organization-defined system components] based on [organization-defined selectable event criteria] within [organization-defined time thresholds] is provided;
Determine if the capability for [organization-defined individuals or roles] to change the logging to be performed on [organization-defined system components] based on [organization-defined selectable event criteria] within [organization-defined time thresholds] is implemented.
Examine:
- Audit and accountability policy
- system security plan
- privacy plan
- procedures addressing audit record generation
- system design documentation
- system configuration settings and associated documentation
- system-generated list of individuals or roles authorized to change auditing to be performed
- system audit records
- other relevant documents or records
Interview:
- Organizational personnel with audit record generation responsibilities
- organizational personnel with information security and privacy responsibilities
- system/network administrators
- system developers
Test:
- Mechanisms implementing audit record generation capability