Status: Live
The organization will ensure that overall monitoring and logging operations include the capability to record detailed information in the audit records for audit events that can be identified by type, location, or subject. [UCF ID 00639]
Supporting and supported controls
This control directly supports:
- Operationalizing key monitoring and logging concepts [UCF Control ID 00638]
There are no supporting controls.
Authority documents complied with:
FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; GAO/PCIE Financial Audit Manual (FAM), § 430.01; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2, AU-3; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, AU-3(1), AU-3.7; The Standard of Good Practice for Information Security, CI2.2.2; BIS Sound Practices for the Management and Supervision of Operational Risk, ¶ 27; Archer Control Table, ATCS-225
Banking and Finance Guidance
The organization should identify indicators to be monitored. The indicators should be linked to thresholds to enable the organization to act on the risks quickly. [¶ 27, BIS Sound Practices for the Management and Supervision of Operational Risk]
US Federal Security Guidance
Calls for Audit and Accountability (AU): Organizations must: (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]
[§ 430.01, GAO/PCIE Financial Audit Manual (FAM)]
NIST Guidance
For both moderate and high impact systems, the information system should provide the capability to include additional, more detailed information in the audit records for audit events identified by type, location, or subject. [AU-3, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2]
Organizational records and documents should be examined to ensure audit records can record more detailed information for events identified by type, location, or subject.
Test the auditing system by changing the configuration to add more detailed information and checking whether the additional information is recorded in the audit trail. [AU-3(1), AU-3.7, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]
General Guidance
Security event log procedures should include a list of all systems on which logging should be enabled, the logging configuration for each system, where the logs are stored, how to protect the logs, how long to retain the logs, and how to analyze the logs. [CI2.2.2, The Standard of Good Practice for Information Security]
Metrics
The metrics associated with this control are as follows:
- Report on the percentage of systems for which event and activity logging has been implemented in accordance with policy [UCF Control ID 02102]
- Report on the percentage of systems for which event and activity logs are monitored and reviewed in accordance with policy [UCF Control ID 02103]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
