Traceability

Status: Live

The organization will develop, disseminate, and review: 1) a formal traceability standard that addresses purpose, scope, and compliance; and 2) formal procedures to facilitate implementing the standard. [UCF ID 00640]

Supporting and supported controls

This control directly supports:

This control has the following supporting controls:

Authority documents complied with:

FFIEC IT Examination Handbook – Information Security, Pg 47, Pg 48, Exam Tier II Obj B.12, Exam Tier II Obj C.9; FFIEC IT Examination Handbook – Operations, July 2004, Pg 37; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Exam Tier II Obj 7.7; North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards, CIP-007-1 R5.1.2; Army Regulation 380-19: Information Systems Security, February 27, 1998, § 2-3.a(1), § 2-3.a(1)(c); NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 8-602.b, § 8-607.b; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 5.6.2, Exhibit 4 AU-3; DISA Secure Remote Computing Security Technical Implementation Guide version 1.2, Version 1, Release 2, § 6.2.1; ISO/IEC 15408-2:2008 Common Criteria for Information Technology Security Evaluation Part 2, 2008, § 8.2, § C.3; Archer Control Table, ATCS-334; Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1, § 4.1

Banking and Finance Guidance

Operating system access should be monitored, and each access record should identify the user, the terminal, and the date and time of access. Access to system utilities should be logged. [Pg 47, Pg 48, Exam Tier II Obj B.12, Exam Tier II Obj C.9, FFIEC IT Examination Handbook – Information Security]

An audit trail should be maintained of all issued and unissued negotiable instruments. [Pg 37, FFIEC IT Examination Handbook – Operations, July 2004]

[Exam Tier II Obj 7.7, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]

Energy Guidance

The Responsible Entity shall establish methods, processes, and procedures that generate logs of sufficient detail to create historical audit trails of individual user account access activity for a minimum of ninety days. [CIP-007-1 R5.1.2, North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards]

Payment Card Guidance

The default installation of the application should log all user access so that every activity can be linked to an individual user. [§ 4.1, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1]

US Federal Security Guidance

All information systems should implement an audit trail to maintain a history of the system's use. The audit trail should have enough detail to reconstruct the events when a security incident occurs. [§ 2-3.a(1), § 2-3.a(1)(c), Army Regulation 380-19: Information Systems Security, February 27, 1998]

The audit trail must provide individual accountability, so that every action taken on the system can be associated with the user who took it. [§ 8-602.b, § 8-607.b, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]

US Internal Revenue Guidance

The audit logs must be able to track activities that take place on the system. [§ 5.6.2, Exhibit 4 AU-3, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]

Other Configuration Guidance

The audit log must record all authentication failures and violations. For each event the audit log must contain, at a minimum, the date and time of the event, the event's origin, all user identification information, and the type of event. [§ 6.2.1, DISA Secure Remote Computing Security Technical Implementation Guide version 1.2, Version 1, Release 2]

ISO Guidance

Each auditable event should be traceable to the individual ID of the user who caused the event. [§ 8.2, § C.3, ISO/IEC 15408-2:2008 Common Criteria for Information Technology Security Evaluation Part 2, 2008]
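The requirements collected above share a testable core: every record carries a date and time, an origin, a user identity and an event type (DISA § 6.2.1); every action is attributable to an individual rather than to a shared account (NISPOM § 8-602.b, ISO/IEC 15408-2 § 8.2, PCI PA-DSS § 4.1); and the trail reaches back at least ninety days (CIP-007-1 R5.1.2). The Python checker below, added here as an illustration and not part of the UCF control or of any cited standard, runs those three checks over a constructed JSON-lines audit log. The field names, the list of shared accounts and the "orig_user" field that records who assumed a shared account are assumptions for the example, as is the sample log itself.

```python
"""Traceability check over a constructed audit log (added example, not from the UCF page)."""
import json
from datetime import datetime, timezone

# Minimum content of each audit record (DISA Secure Remote Computing STIG, § 6.2.1).
REQUIRED_FIELDS = ("timestamp", "origin", "user", "event_type")

# Accounts that do not identify an individual; an assumption for this example.
# Actions under such an account are accepted only when the record also names the
# individual who assumed it, here in the hypothetical "orig_user" field.
SHARED_ACCOUNTS = {"root", "admin", "operator"}

# Minimum history of individual user account access (NERC CIP-007-1 R5.1.2).
RETENTION_DAYS = 90

# Constructed JSON-lines audit log; not real data. Line 3 lacks a user, line 4 is an
# unattributed root action, line 5 is the same account with the individual recorded,
# line 6 is not JSON at all, and line 7 lacks a timestamp.
SAMPLE_LOG = "\n".join([
    '{"timestamp": "2009-03-01T08:15:02Z", "origin": "10.0.0.12", "user": "jsmith", "terminal": "pts/1", "event_type": "login_success"}',
    '{"timestamp": "2009-03-01T08:16:40Z", "origin": "10.0.0.12", "user": "jsmith", "terminal": "pts/1", "event_type": "auth_failure"}',
    '{"timestamp": "2009-03-02T10:00:00Z", "origin": "10.0.0.7", "event_type": "utility_exec", "command": "/sbin/fdisk"}',
    '{"timestamp": "2009-03-03T11:30:00Z", "origin": "10.0.0.9", "user": "root", "event_type": "utility_exec", "command": "/usr/bin/passwd"}',
    '{"timestamp": "2009-03-03T11:31:00Z", "origin": "10.0.0.9", "user": "root", "orig_user": "jdoe", "event_type": "utility_exec", "command": "/usr/bin/passwd"}',
    'Mar  4 09:12:55 host sshd[4412]: Accepted password for mlee from 10.0.0.7',
    '{"origin": "10.0.0.7", "user": "mlee", "event_type": "logout"}',
])


def parse_timestamp(value):
    """Parse the ISO-8601 UTC form used in the sample; return None if absent or malformed."""
    try:
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        return None


def check_record(rec):
    """Return the traceability defects of one record (empty list when it is compliant)."""
    findings = []
    for field in REQUIRED_FIELDS:
        if not rec.get(field):
            findings.append(f"missing required field '{field}'")
    if "timestamp" in rec and parse_timestamp(rec["timestamp"]) is None:
        findings.append("timestamp not parseable")
    user = rec.get("user")
    if user in SHARED_ACCOUNTS and not rec.get("orig_user"):
        findings.append(f"action under shared account '{user}' not attributable to an individual")
    return findings


def audit_traceability(log_text, now):
    """Check every line of a JSON-lines audit log and the span of history it covers.

    `now` is a timezone-aware datetime or an ISO-8601 UTC string such as "2009-06-01T00:00:00Z".
    """
    if isinstance(now, str):
        now = parse_timestamp(now)
    findings, unparseable, timestamps = {}, [], []
    auth_failures = 0
    lines = log_text.splitlines()
    for line_no, line in enumerate(lines, start=1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            unparseable.append(line_no)   # a record that cannot be read is not an audit trail
            continue
        defects = check_record(rec)
        if defects:
            findings[line_no] = defects
        if rec.get("event_type") == "auth_failure":
            auth_failures += 1
        ts = parse_timestamp(rec.get("timestamp"))
        if ts is not None:
            timestamps.append(ts)
    # Coverage is measured from the oldest readable, timestamped record to `now`.
    coverage_days = (now - min(timestamps)).days if timestamps else 0
    return {
        "records": len(lines) - len(unparseable),
        "unparseable": unparseable,
        "findings": findings,
        "auth_failures": auth_failures,
        "coverage_days": coverage_days,
        "retention_ok": coverage_days >= RETENTION_DAYS,
    }


if __name__ == "__main__":
    report = audit_traceability(SAMPLE_LOG, "2009-06-01T00:00:00Z")
    for line_no, defects in sorted(report["findings"].items()):
        print(f"line {line_no}: " + "; ".join(defects))
    print(f"unparseable lines: {report['unparseable']}, auth failures: {report['auth_failures']}")
    print(f"history covered: {report['coverage_days']} days, retention_ok={report['retention_ok']}")
```

Run against the sample with a reference date of 2009-06-01, the checker reports lines 3, 4 and 7 as defective, line 6 as unreadable, one authentication failure, and 91 days of covered history; moving the reference date to 2009-05-01 drops coverage to 60 days and fails the retention check. The unparseable line is counted rather than silently skipped because a trail with gaps cannot reconstruct events, which is the point of the Army and NISPOM requirements above.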


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.