UCF ID: 00639 | Control Type: Configuration | Status: Live
Supporting and supported controls
This control directly supports:
• Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. [UCF Control ID 00638]
There are no supporting controls.
Authority documents complied with:
FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; GAO/PCIE Financial Audit Manual (FAM), § 430.01; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3, App F § AU-2(3), App F § AU-2(4), App F § AU-3(1); Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, AU-3(1), AU-3.7; The Standard of Good Practice for Information Security, CI2.2.2; BIS Sound Practices for the Management and Supervision of Operational Risk, ¶ 27; ISO/IEC 13335-5 Information technology — Guidelines for the management of IT Security — Part 5: Management guidance on network security, 2001, ¶ 13.4
Banking and Finance Guidance
The organization should identify indicators to be monitored. The indicators should be linked to thresholds to enable the organization to act on the risks quickly. [¶ 27, BIS Sound Practices for the Management and Supervision of Operational Risk]
US Federal Security Guidance
Calls for Audit and Accountability (AU): Organizations must: (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]
[§ 430.01, GAO/PCIE Financial Audit Manual (FAM)]
NIST Guidance
App F § AU-2(3) The organization should establish timely reviews and updates of the list of auditable events.
App F § AU-2(4) The organization should include execution of privileged functions in the list of events to be audited.
App F § AU-3(1) The organization should include additional details in the audit records for audit events identified by type, location, or subject. [App F § AU-2(3), App F § AU-2(4), App F § AU-3(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3]
Organizational records and documents should be examined to ensure audit records can record more detailed information for events identified by type, location, or subject.
Test the auditing system by changing the configuration to add more detailed information and seeing if the additional information is recorded into the audit trail. [AU-3(1), AU-3.7, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]
ISO Guidance
Audit Trails. It is important to ensure the effectiveness of network security through detection, investigation and reporting of security incidents. Sufficient audit trail information on error conditions and valid events should be recorded to enable thorough review of suspected and actual incidents. However, recognizing that recording huge amounts of audit-related information can make analysis difficult to manage and can affect performance, care has to be taken over time in what is actually recorded. Most audit safeguards required in relation to network connections and related IT systems can be determined by using Part 4 of TR 13335. For network connections, auditability of the following types of event is important:
• remote failed log-on attempts with dates and times,
• failed re-authentication (or token usage) events,
• security gateway traffic breaches,
• remote attempts to access audit trails,
• system management alarms with security implications (e.g. IP address duplication, bearer circuit disruptions).
Audit trails will contain sensitive information, or information of use to those who may wish to attack the system through network connections. Further, audit trails may provide proof of transfer over a network in the event of a dispute, and are therefore particularly necessary in the context of ensuring integrity and non-repudiation. Therefore all audit trails should be appropriately protected. [¶ 13.4, ISO/IEC 13335-5 Information technology — Guidelines for the management of IT Security — Part 5: Management guidance on network security, 2001]
General Guidance
Security event log procedures should include a list of all systems that logging should be enabled on, the logging configuration for each system, where the logs are stored, how to protect the logs, how long to retain the logs, and how to analyze the logs. [CI2.2.2, The Standard of Good Practice for Information Security]
Metrics
The metrics associated with this control are as follows:
• Report on the percentage of systems for which event and activity logging has been implemented in accordance with policy. [UCF Control ID 02102]
• Report on the percentage of systems for which event and activity logs are monitored and reviewed in accordance with policy. [UCF Control ID 02103]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
