The organization will ensure that the key concepts of auditing are employed so that all audit trails capture sufficient information in audit records to establish what events occurred, the sources of the events, and the outcomes of the events. [UCF ID 00638]
Supporting and supported controls
This control directly supports:
• Establishing overall monitoring and logging operations [UCF Control ID 00637]
This control has the following supporting controls:
• Measurement [UCF Control ID 00639]
• Traceability [UCF Control ID 00640]
• Monitoring thoroughness [UCF Control ID 00641]
• Monitoring frequency [UCF Control ID 00642]
Authority documents complied with:
Australian Government ICT Security Manual (ACSI 33) § 3.7.13; FFIEC IT Examination Handbook – Information Security Pg 47, Pg 49, Pg 87, Exam Tier II Obj G.7; FFIEC IT Examination Handbook – Audit Exam Tier II Obj D.1; FFIEC IT Examination Handbook – Management Pg 31-32; FFIEC IT Examination Handbook – Operations Exam Tier I Obj 8.1; Bank Secrecy Act (aka Currency and Foreign Transaction Reporting Act) Obj 8 (Processes); FDIC and FFIEC Guidance on Authentication in an Internet Banking Environment Pg 5; FFIEC IT Examination Handbook – Wholesale Payment Systems Pg 31; FFIEC IT Examination Handbook – Retail Payment Systems Pg 41, Exam Tier II Obj 8.5; FFIEC IT Examination Handbook – E-Banking Obj 5.3; The Standard of Good Practice for Information Security SM6.8.2(d), CB6.4.2(g), CI2.2.5, SD4.6.3(g), NW2.1.2(c); Recommended Security Controls for Federal Information Systems, NIST SP 800-53 AU-3; Guide for Assessing the Security Controls in Federal Information Systems, NIST 800-53A § AU-3, AU-3.2; SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement § 314.100; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems § 3
Sarbanes Oxley Guidance
§ 314.100 of SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement states that the auditor should examine the sources of information that the organization uses for monitoring its control activities, and should ensure that the data used for monitoring is accurate, so that the organization does not reach incorrect conclusions based on misinformation.
Banking and Finance Guidance
The FFIEC IT Examination Handbook – Management Pg 31-32 states that the organization should record all System and Security Administrator activity in the appropriate audit trail or log.
The FDIC and FFIEC Guidance on Authentication in an Internet Banking Environment Pg 5 states that audit logs should be activated and maintained to identify unauthorized activities, detect intrusions, and reconstruct events.
Credit Card Guidance
PCI-DSS § 10.3 calls for the organization to record proper audit trail entries.
The Payment Card Industry's Security Audit Procedures § 10.3 states that the auditor should verify through interviews and observation, for each auditable event (from 10.2), that the audit trail captures the items listed in sections 10.3.1 through 10.3.5.
US Federal Security Guidance
FIPS Publication 200, § 3 Specifications for Minimum Security Requirements calls for Audit and Accountability (AU): Organizations must: (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.
NIST Guidance
NIST 800-53, AU-3, states that audit record contents should include, for most audit records:
1) date and time of the event;
2) the component of the information system (e.g., software component, hardware component) where the event occurred;
3) type of event;
4) subject identity; and
5) the outcome (success or failure) of the event.
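As an added example that is not part of this control text or of NIST's own material, the Python check below validates constructed JSON audit records against the five AU-3 content elements listed above; the field names timestamp, component, event_type, subject and outcome are an assumed schema, not one the standard prescribes.

```python
import json
from datetime import datetime

# Field names assumed for the five AU-3 content elements: date/time, component,
# type of event, subject identity, outcome. This mapping is a hypothetical schema.
AU3_FIELDS = ("timestamp", "component", "event_type", "subject", "outcome")
VALID_OUTCOMES = {"success", "failure"}


def check_record(record: dict) -> list:
    """Return the AU-3 deficiencies of one parsed audit record (empty list if complete)."""
    problems = [f"missing {f}" for f in AU3_FIELDS if record.get(f) in (None, "")]
    ts = record.get("timestamp")
    if ts:
        try:  # AU-3 wants an unambiguous date and time; accept ISO 8601 only
            datetime.fromisoformat(str(ts).replace("Z", "+00:00"))
        except ValueError:
            problems.append("timestamp is not ISO 8601")
    outcome = record.get("outcome")
    if outcome and outcome not in VALID_OUTCOMES:
        problems.append(f"outcome {outcome!r} is not success/failure")
    return problems


def audit_log_gaps(lines: list) -> dict:
    """Map 1-based line numbers of deficient records to their problems; compliant lines are omitted."""
    gaps = {}
    for n, line in enumerate(lines, start=1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            gaps[n] = ["record is not valid JSON"]
            continue
        problems = check_record(record)
        if problems:
            gaps[n] = problems
    return gaps


# Constructed sample records (not from any real system): one complete, one with an
# empty subject, one with a non-ISO timestamp and an unrecognised outcome.
SAMPLE_LOG = [
    '{"timestamp": "2024-03-01T09:15:22Z", "component": "sshd", "event_type": "login", "subject": "alice", "outcome": "success"}',
    '{"timestamp": "2024-03-01T09:16:05Z", "component": "sshd", "event_type": "login", "subject": "", "outcome": "failure"}',
    '{"timestamp": "01/03/2024 09:17", "component": "sudo", "event_type": "privilege_use", "subject": "bob", "outcome": "ok"}',
]
```

Running `audit_log_gaps(SAMPLE_LOG)` reports lines 2 and 3 only, which is the kind of evidence an assessor checking AU-3.2 would ask the log owner to produce.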
Asia and Pacific Rim Guidance
The Australian Government ICT Security Manual (ACSI 33) § 3.7.13 states that the types of events that should be recorded in a log should be based on the results of a risk analysis.
Metrics
The metrics associated with this control are as follows:
• Metric Reporting Standard 02102.doc
