10.6 Audit and Accountability (AU)
Program-specific policies and procedures shall be included in the specific security controls listed below. There is no requirement for the Program to develop additional policy to meet the -1 control.
Recommended Continuous Monitoring Frequency: Annually
Program Frequency:
Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
Control: The organization:
- Develops, documents, and disseminates to ISSO, ISSM, FSO and designated users and auditing personnel:
  - An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  - Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and
- Reviews and updates the current:
  - Audit and accountability policy at least annually; and
  - Audit and accountability procedures at least annually.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY
Click here to enter text.
10.6.2 AU-2 – Auditable Events
The information system must be capable of auditing the following events at a minimum:
|  | Auditable Events | Success | Failure |
|---|---|---|---|
| 1 | Authentication Events to include Logons and Logoffs | X | X |
| 2 | Security relevant directories, objects and incidents (e.g. Security Accounts Manager (SAM) file, audit records, etc.) to include create, access, delete, modify, permission modification, ownership modification. | X | X |
| 3 | Export/Writes/Downloads to devices/digital media (e.g., CD/DVD, USB, SD) | X | X |
| 4 | Imports/Uploads from devices/digital media (e.g., CD/DVD, USB, SD) |  | X |
| 5 | User and Group Management Events, to include user add, delete, modify, disable, lock and group/role add, delete, modify | X | X |
| 6 | Use of Privileged/Special Rights events to include security or audit policy changes and configuration changes | X | X |
| 7 | Admin or root-level access | X | X |
| 8 | Privilege/Role escalation | X | X |
| 9 | Audit and security relevant log data access | X | X |
| 10 | System reboot, restart and shut down | X | X |
| 11 | Print to a device | X | X |
| 12 | Print to a file | X | X |
| 13 | Application (e.g., Adobe, Firefox, MS Office Suite) initialization | X | X |
Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency:
Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization:
Determines that the information system is capable at a minimum of auditing the required events (see table above)
Click here to enter text.
Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events
Click here to enter text.
Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents
Click here to enter text.
Determines that the following events are to be audited within the information system. The organization should match the audited events with the Gold Master (AGM).
Click here to enter text.
CONTINUOUS MONITORING STRATEGY
Click here to enter text.
10.6.2.1 AU-2(3) – Auditable Events: Reviews and Updates
Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency:
Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization reviews and updates the audit events annually and based on situational awareness of threats and vulnerabilities. The auditable events baseline list, as defined in the tables above, shall be reviewed annually or as policy and procedures dictate changes are required. The review shall include coordination with other organizational entities requiring audit-related information (e.g., Incident Response, Counterintelligence) to enhance mutual support and to help guide the selection of auditable events. This control supports insider threat mitigation.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY
Click here to enter text.
10.6.2.2 AU-2(4) – Audit Events: Privileged Functions – WITHDRAWN Incorporated Into AC-6(9)
10.6.3 AU-3 – Content of Audit Records
Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency:
Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.
Specifically, audit records shall contain, at a minimum, the following content:
- USERID
- Type of event/action
- Success or failure of event/action
- Date
- Time
- Terminal or workstation ID
- Entity that initiated event/action
- Entity that completed event/action
- Remote Access
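The minimum content list above can be checked mechanically during audit review. The following is an added example, not part of the template: the key=value record layout, the field names (`userid`, `event_type`, and so on) and the allowed values for `outcome` and `remote` are assumptions, and the sample records are constructed.

```python
"""AU-3 minimum-content check for audit records (added example).

The key=value line layout, the field names and the allowed values are
assumptions made for this example; map them to what the system's audit
subsystem actually emits.
"""
import shlex
from datetime import datetime

# AU-3 minimum content item -> assumed field name in the record
REQUIRED_FIELDS = {
    "USERID": "userid",
    "Type of event/action": "event_type",
    "Success or failure of event/action": "outcome",
    "Date": "date",
    "Time": "time",
    "Terminal or workstation ID": "terminal",
    "Entity that initiated event/action": "initiator",
    "Entity that completed event/action": "completer",
    "Remote Access": "remote",
}
# Assumed value sets for the two enumerated fields
ALLOWED = {"outcome": {"success", "failure"}, "remote": {"yes", "no"}}

# Constructed sample records (not from a real system)
SAMPLE = [
    "date=2024-03-05 time=14:02:11 userid=jdoe event_type=logon outcome=success "
    "terminal=WS-014 initiator=jdoe completer=winlogon remote=no",
    'date=2024-03-05 time=14:07:45 userid=jdoe event_type="print to device" '
    "outcome=failure terminal=WS-014 initiator=jdoe completer=spooler",
    "date=2024-03-05 time=25:61:00 userid= event_type=logon outcome=denied "
    "terminal=WS-020 initiator=unknown completer=winlogon remote=yes",
]


def parse_record(line):
    """Split one 'key=value key="quoted value"' line into a dict."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key.lower()] = value
    return fields


def check_record(line):
    """Return the AU-3 findings for one record; an empty list means compliant."""
    try:
        rec = parse_record(line)
    except ValueError:  # e.g. unbalanced quotes in a truncated record
        return ["unparseable record"]
    findings = []
    for label, key in REQUIRED_FIELDS.items():
        if not rec.get(key, "").strip():
            findings.append(f"missing: {label}")
    for key, allowed in ALLOWED.items():
        value = rec.get(key, "")
        if value and value.lower() not in allowed:
            findings.append(f"invalid {key}: {value!r}")
    # Date and time must both be present and form a real calendar timestamp.
    if rec.get("date") and rec.get("time"):
        try:
            datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        except ValueError:
            findings.append("invalid date/time")
    return findings


def report(lines):
    """Map 1-based record number -> findings, for non-compliant records only."""
    result = {}
    for number, line in enumerate(lines, start=1):
        findings = check_record(line)
        if findings:
            result[number] = findings
    return result


if __name__ == "__main__":
    for number, findings in report(SAMPLE).items():
        print(f"record {number}: {'; '.join(findings)}")
```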
If manual audit collection is approved by the AO, the audit records shall contain, at a minimum, the following content:
- Date
- Identification of the user
- Time the user logs on and off the system
- Function(s) performed
- Terminal or Workstation ID
Manual audit logs may be used to record the transmission of any data over a fax connected to a secure voice line (e.g., Secure Terminal Equipment (STE)). Reference DoDM 5205.07-V1, Enclosure 5, para 2.b. These logs will be maintained for one year and must include the following information:
- Sender’s name, organization and telephone number
- Date and time of fax transmission
- Classification level of the information
- Recipient’s name, organization and telephone number
Click here to enter text.
CONTINUOUS MONITORING STRATEGY
Click here to enter text.
10.6.3.1 AU-3(1) – Content of Audit Records: Additional Audit Information
Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency:
Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The information system generates audit records containing the following additional information, such as
Detailed information that organizations may consider in audit records includes, for example, full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest.
Specifically, audit records shall contain, at a minimum, the following content:
- USERID
- Type of event/action
- Success or failure of event/action
- Date
- Time
- Terminal or Workstation ID
- Entity that initiated event/action
- Entity that completed event/action
- Remote access
Click here to enter text.
CONTINUOUS MONITORING STRATEGY
Click here to enter text.
10.6.4 AU-4 – Audit Storage Capacity (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS with a single user.
Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency:
Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization allocates audit record storage capacity in accordance with community best practice and configures auditing to reduce the likelihood of such capacity being exceeded. Proper audit storage capacity is crucial to ensuring the ongoing logging of critical events. The information system must be configured to allocate sufficient log record storage capacity so that it will not become exhausted. See also AU-5(1).
Click here to enter text.
CONTINUOUS MONITORING STRATEGY
Click here to enter text.
10.6.4.1 AU-4(1) – Audit Storage: Transfer to Alternate Storage (- Standalone Overlay) – NEW BASELINE
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency:
Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The information system off-loads audit records based on organizational requirements onto a different system or media than the system being audited. Organizations should assign a frequency or threshold capacity when audit records are off-loaded. Related control: AU-9(2).
Click here to enter text.
CONTINUOUS MONITORING STRATEGY
Click here to enter text.
10.6.5 AU-5 – Response to Audit Processing Failures (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS with a single user. Audit processing failures must be recorded in the audit log (second requirement below).
Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency:
Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
System should alert a system administrator and/or ISSM/ISSO. For IS that are not capable of providing a warning, procedures for a manual method must be documented.
Tactical/deployable information systems may be developed without all the features and security controls of standard information systems. Audit requirements for these systems should be reviewed for mission impact. For example, failure of the audit process should not interfere with continued normal operation of a mission critical system.
The information system:
Alerts designated organizational officials in the event of an audit processing failure
Click here to enter text.
Takes the following additional actions: at a minimum, record any audit processing failure in the audit log
Click here to enter text.
CONTINUOUS MONITORING STRATEGY
Click here to enter text.
10.6.5.1 AU-5(1) – Response to Audit Processing Failures: Audit Storage Capacity (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS with single users.
Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency:
Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The information system provides a warning to ISSM and IA personnel immediately when allocated audit record storage volume reaches [75 percent] of repository maximum audit record storage capacity. This control supports insider threat mitigation.
Audit processing failures include, e.g., software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY
Click here to enter text.
10.6.6 AU-6 – Audit Review, Analysis and Reporting (+ Classified Overlay)
Recommended Continuous Monitoring Frequency: Weekly
Program Frequency:
Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The purpose of the review is to verify all pertinent activity is properly recorded and appropriate action has been taken to correct and report any identified problems. These reviews shall be documented in either an electronic or manual log. Organizationally defined personnel or roles may include ISO, ISSM.
The organization:
Reviews and analyzes information system audit records at least weekly, or as directed by the AO/DAO, for indications of inappropriate or unusual activity
Click here to enter text.
Reports findings to ISO, ISSM and FSO
Click here to enter text.
CONTINUOUS MONITORING STRATEGY
Click here to enter text.
10.6.6.1 AU-6(1) – Audit Review, Analysis and Reporting: Process Integration (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency:
Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
Information systems shall integrate and, to the extent possible, automate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY
Click here to enter text.
10.6.6.2 AU-6(3) – Audit Review, Analysis, and Reporting: Correlate Audit Repositories (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency:
Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY
Click here to enter text.
10.6.6.3 AU-6(4) – Audit Review, Analysis and Reporting: Central Review and Analysis (+ Classified Overlay) – NEW BASELINE
Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency:
Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The information system provides the capability to centrally review and analyze audit records from multiple components within the system.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY
Click here to enter text.
10.6.6.4 AU-6(5) – Audit Review, Analysis, and Reporting: Scanning and Monitoring Capabilities (+ Classified Overlay) – NEW
Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency:
Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization integrates analysis of audit records with analysis of vulnerability scanning information; performance data; and/or information system monitoring information; and Program-defined data/information collected from other sources to further enhance the ability to identify inappropriate or unusual activity.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY
Click here to enter text.
10.6.6.5 AU-6(8) – Audit Review, Analysis and Reporting: Full Text Analysis of Privileged Commands (+ Classified Overlay) – NEW
Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency:
Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization performs a full text analysis of audited privileged commands in a physically distinct component or subsystem of the information system, or other information system that is dedicated to that analysis.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY
Click here to enter text.
10.6.6.6 AU-6(9) – Audit Review, Analysis and Reporting: Correlation with Information from Non-Technical Sources (+ Classified Overlay) – NEW
Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency:
Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization correlates information from nontechnical sources with audit information to enhance organization-wide situational awareness.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY
Click here to enter text.
10.6.6.7 AU-6(10) – Audit Review, Analysis and Reporting: Audit Level Adjustment – NEW BASELINE
Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency:
Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible source of information.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY
Click here to enter text.
10.6.7 AU-7 – Audit Reduction and Report Generation (+ Privacy Overlay) (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.
This MLL baseline control is also required by the Privacy Overlay for IS that process, store or transmit privacy information. The control description must include the means by which the organization addresses the privacy-related implementation of this control.
Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency:
Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The information system provides an audit reduction and report generation capability that:
Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents
Click here to enter text.
Does not alter the original content or time ordering of audit records
Click here to enter text.
CONTINUOUS MONITORING STRATEGY
Click here to enter text.
10.6.7.1 AU-7(1) – Audit Reduction and Report Generation: Automatic Processing (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency:
Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The information system provides the capability to sort and search audit records for events of interest based on selectable event criteria.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY
Click here to enter text.
10.6.8 AU-8 – Time Stamps
Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency:
Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The information system:
Uses internal system clocks to generate time stamps for audit records
Click here to enter text.
Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). Time stamps shall include both date and time.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY
Click here to enter text.
10.6.8.1 AU-8(1) – Time Stamps: Synchronization with an Authoritative Time Source (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency:
Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
Information systems shall synchronize internal information system clocks, at least every 24 hours, with an organization-defined time source (e.g., Domain Controller, US Naval Observatory time server). The information system synchronizes the internal system clocks to the authoritative time source when the time difference is greater than the organizationally defined granularity in AU-8.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY
Click here to enter text.
10.6.9 AU-9 – Protection of Audit Information (+ Privacy Overlay)
This MLL baseline control is also required by the Privacy Overlay for IS that process, store or transmit privacy information. The control description must include the means by which the organization addresses the privacy-related implementation of this control.
Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency:
Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
Information systems shall protect audit information and audit tools from unauthorized access, modification and deletion.
Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit information shall be handled and protected at the same security level of the information system from which it originated, until reviewed and a determination is made of the actual classification.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY
Click here to enter text.
10.6.9.1 AU-9(4) – Protection of Audit Information: Access by Subset of Privileged Users (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS with a single user.
Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency:
Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
Organizations shall limit access to audit functionality to only a small subset of privileged users.
Where applicable, access shall be further restricted by distinguishing between privileged users with audit-related privileges and privileged users without audit-related privileges to improve audit integrity. Limiting the users with audit-related privileges helps to mitigate the risk of unauthorized access, modification, and deletion of audit information. This control supports insider threat mitigation.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY
Click here to enter text.
10.6.9.2 AU-10(5) – Non-Repudiation: Digital Signatures (+ Intelligence Overlay) – WITHDRAWN Incorporated into SI-7
10.6.10 AU-11 – Audit Record Retention
Recommended Continuous Monitoring Frequency: Annual
Program Frequency:
Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
Organizations shall retain audit records for a minimum of five (5) years for IS to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY
Click here to enter text.
10.6.10.1 AU-11(1) – Audit Record Retention: Long-Term Retrieval Capability – NEW BASELINE
Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency:
Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization employs a retention technology to access audit records for the duration of the required retention period to ensure that long-term audit records generated by the information system can be retrieved.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY
Click here to enter text.
10.6.11 AU-12 – Audit Generation (+ Classified Overlay)
Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency:
Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The information system:
Provides audit record generation capability for the auditable events defined in AU-2 at all information system and network components;
Click here to enter text.
Allows designated personnel to select which auditable events are to be audited by specific components of the information system
Click here to enter text.
Generates audit records for the list of audited events with the content defined in Content of Audit Records
Click here to enter text.
CONTINUOUS MONITORING STRATEGY
Click here to enter text.
10.6.11.1 AU-12(1) – Audit Generation: System-Wide/Time Correlated Audit Trail – NEW BASELINE
Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency:
Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The information system compiles audit records from the information system's auditable devices into a system-wide (logical or physical) audit trail that is time-correlated to within the tolerance defined in AU-8 and AU-12.
The AU-12(1) organization-defined IS components are a subset of the organization-defined components in AU-12, focused on correlating and centralizing specific audits.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY
Click here to enter text.
10.6.11.2 AU-12(3) – Audit Generation: Changes by Authorized Individuals – NEW BASELINE
Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency:
Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The information system provides the capability for organization-defined individual to change the auditing to be performed on information system components based on organizational defined selectable event criteria.
The information system binds the identity of the information producer to the information and provides the means for authorized individuals to determine the identity of the producer of the information.
|
Click here to enter text.
|
CONTINUOUS MONITORING STRATEGY
|
Click here to enter text.
| 10.6.12 AU-14 – Session Audit (+ Classified Overlay) – NEW BASELINE
Recommended Continuous Monitoring Frequency: Quarterly
|
Program Frequency:
|
Choose an item.
|
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
|
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
|
The information system provides the capability for authorized users to select a user session to capture/record or view/hear. Verify that the system is capable of performing session audits, but do not initiate them without legal counsel and AO involvement. This control may be used to audit file transfers of DTAs.
|
Click here to enter text.
|
CONTINUOUS MONITORING STRATEGY
|
Click here to enter text.
| 10.6.12.1 AU-14(1) – Session Audit: System Start-Up – NEW BASELINE
Recommended Continuous Monitoring Frequency: Quarterly
|
Program Frequency:
|
Choose an item.
|
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
|
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
|
The information system initiates session audits at system start-up.
|
Click here to enter text.
|
CONTINUOUS MONITORING STRATEGY
|
Click here to enter text.
| 10.6.12.2 AU-14(2) – Session Audit: Capture/Record and Log Content – NEW BASELINE
Recommended Continuous Monitoring Frequency: Quarterly
|
Program Frequency:
|
Choose an item.
|
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
|
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
|
The information system provides the capability for authorized users to capture/record and log content related to a user session.
|
Click here to enter text.
|
CONTINUOUS MONITORING STRATEGY
|
Click here to enter text.
| 10.6.12.3 AU-14(3) – Session Audit: Remote Viewing/Listening – NEW BASELINE
Recommended Continuous Monitoring Frequency: Quarterly
|
Program Frequency:
|
Choose an item.
|
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
|
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
|
The information system provides the capability for authorized users to remotely view/hear all content related to an established user session in real time.
|
Click here to enter text.
|
CONTINUOUS MONITORING STRATEGY
|
Click here to enter text.
| 10.6.13 AU-16 – Cross-Organizational Training (+ Classified Overlay) – NEW
Recommended Continuous Monitoring Frequency: Quarterly
|
Program Frequency:
|
Choose an item.
|
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
|
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
|
The organization employs an ISA, SLA or MOA for coordinating audit content among external organizations when audit information is transmitted across organizational boundaries.
|
Click here to enter text.
|
CONTINUOUS MONITORING STRATEGY
|
Click here to enter text.
| 10.6.13.1 AU-16(1) – Cross-Organizational Auditing: Identity Preservation (+ Classified Overlay) – NEW
Recommended Continuous Monitoring Frequency: Quarterly
|
Program Frequency:
|
Choose an item.
|
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
|
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
|
The organization requires that the identity of individuals be preserved in cross-organizational audit trails.
|
Click here to enter text.
|
CONTINUOUS MONITORING STRATEGY
|
Click here to enter text.
| 10.6.13.2 AU-16(2) – Cross-Organizational Auditing: Sharing of Audit Information (+ Classified Overlay) – NEW
Recommended Continuous Monitoring Frequency: Quarterly
|
Program Frequency:
|
Choose an item.
|
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
|
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
|
The organization provides cross-organizational audit information to specifically-identified organizations based on sharing agreements as identified in an ISA, SLA, or MOA.
|
Click here to enter text.
|
CONTINUOUS MONITORING STRATEGY
|
Click here to enter text.
|