Compile the event logs of multiple components into a system-wide time-correlated audit trail.

CONTROL ID: 01424
CONTROL TYPE: Audits and Risk Management
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Include a standard to collect and interpret event logs in the event logging procedures, CC ID: 00643

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Records of system/data access should be collected and retained to obtain audit trails. In addition, access records should be checked on a regular basis to make public the fact that system/data accesses are checked for authenticity, thereby deterring unauthorized access. (P10.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Given the multiplicity of devices and systems, banks should consider deploying a Security Information and Event Management (SIEM) system tool for log aggregation and consolidation from multiple machines/systems and for log correlation and analysis, as indicated earlier in the chapter. Furthermore, e… (Critical components of information security 21) vi., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Carrying out logging and auditing is critical along with correlating server and network logs across virtual and physical infrastructures to reveal security vulnerabilities and risk (EMERGING TECHNOLOGIES AND INFORMATION SECURITY 1 ¶ 9 i., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Correlation of multiple events registered on system logs should be performed to identify suspicious or anomalous system activity patterns. (§ 12.2.5, Technology Risk Management Guidelines, January 2021)
  • A representative sample of security events generated by a CDS, relating to the enforcement of data transfer policies, is taken at least every 3 months and assessed against the security policies that the CDS is responsible for enforcing between security domains. (Security Control: 1523; Revision: 0, Australian Government Information Security Manual, March 2021)
  • Events are correlated across event logs to prioritise audits and focus investigations. (Security Control: 1228; Revision: 2, Australian Government Information Security Manual, March 2021)
  • A centralised logging facility is implemented and systems are configured to save event logs to the centralised logging facility as soon as possible after each event occurs. (Security Control: 1405; Revision: 1, Australian Government Information Security Manual, March 2021)
  • A centralised event logging facility is implemented and event logs are sent to the facility as soon as possible after they occur. (Control: ISM-1405; Revision: 3, Australian Government Information Security Manual, June 2023)
  • A centralised event logging facility is implemented and event logs are sent to the facility as soon as possible after they occur. (Control: ISM-1405; Revision: 3, Australian Government Information Security Manual, September 2023)
  • The database event logs should be logged to a secure logging server, so they are centrally located. (Control: 1280, Australian Government Information Security Manual: Controls)
  • The organization should use an accurate time source consistently over the systems to aid in correlating the logged events across multiple systems. (Control: 0988, Australian Government Information Security Manual: Controls)
  • The organization should correlate the events across the logs in order to prioritize the audits and focus any investigations. (Control: 1229, Australian Government Information Security Manual: Controls)
  • The organization should use tools to correlate events of interest across all networks. (Control: 1032 Bullet 2, Australian Government Information Security Manual: Controls)
  • All events occurring on the organization's networks should be logged and correlated into one event log. (§ 3.7.10, Australian Government ICT Security Manual (ACSI 33))
  • The organization should implement centralized logging and time-synchronized logging for allowed and blocked network activity. (Mitigation Strategy Effectiveness Ranking 23, Strategies to Mitigate Targeted Cyber Intrusions)
  • The organization should implement centralized logging and time-synchronized logging of successful and unsuccessful computer events. (Mitigation Strategy Effectiveness Ranking 24, Strategies to Mitigate Targeted Cyber Intrusions)
  • Logged incidents are centrally aggregated and consolidated (event correlation). Rules for identifying relations between incidents and assessing them according to their criticality are implemented. These incidents are handled according to the security incident management process. (Section 5.13 SIM-05 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Ensure centralized and remote logging is configured Description: Docker supports various logging mechanisms. A preferable method for storing logs is one that supports centralized and remote management. Rationale: Centralized and remote logging ensures that all important log records are safe even in … (2.12, The Center for Internet Security Docker Level 2 Docker Linux Benchmark, 1.2.0)
  • Time linked audit trails should be available for the inspector in a human readable format. (¶ 20.3, Good Practices For Computerized systems In Regulated GXP Environments)
  • How are audit logs correlated between client environments (such as a VM image) and CSP infrastructure (such as the hypervisor or underlying system)? (Appendix D, Regularly Monitor and Test Networks Bullet 4, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • Coordinate and correlate wireless logging events with other networking devices within the environment. (4.3.5 E, Information Supplement: PCI DSS Wireless Guidelines, Version 2.0)
  • Coordinate IDS/IPS logging events with other networking devices within the organization. (§ 4.3.1.E, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline)
  • On DMZ networks, configure monitoring systems (which may be built in to the IDS sensors or deployed as a separate technology) to record at least packet header information, and preferably full packet header and payloads of the traffic destined for or passing through the network border. This traffic s… (Control 12.2, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • Deploy a SIEM (Security Information and Event Management) or log analytic tools for log aggregation and consolidation from multiple machines and for log correlation and analysis. Using the SIEM tool, system administrators and security personnel should devise profiles of common events from given syst… (Control 6.6, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • The organization should aggregate and consolidate logs from multiple machines with the use of a security event Information Management System tool. (Critical Control 14.10, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation and analysis. (CIS Control 6: Sub-Control 6.6 Deploy SIEM or Log Analytic Tools, CIS Controls, 7.1)
  • Deploy Security Information and Event Management (SIEM) or log analytic tool for log correlation and analysis. (CIS Control 6: Sub-Control 6.6 Deploy SIEM or Log Analytic Tools, CIS Controls, V7)
  • Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. A log analytics platform configured with security-relevant correlation alerts also satisfies … (CIS Control 13: Safeguard 13.1 Centralize Security Event Alerting, CIS Controls, V8)
  • Centralize, to the extent possible, audit log collection and retention across enterprise assets. (CIS Control 8: Safeguard 8.9 Centralize Audit Logs, CIS Controls, V8)
  • The organization has a capability to collect, analyze, and correlate events data across the organization in order to predict, analyze, and respond to changes in the operating environment. (DE.AE-3.1, CRI Profile, v1.2)
  • The organization deploys tools, as appropriate, to perform real-time central aggregation and correlation of anomalous activities, network and system alerts, and relevant event and cyber threat intelligence from multiple sources, including both internal and external sources, to better detect and prev… (DE.AE-3.2, CRI Profile, v1.2)
  • The organization has a capability to collect, analyze, and correlate events data across the organization in order to predict, analyze, and respond to changes in the operating environment. (DE.AE-3.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization deploys tools, as appropriate, to perform real-time central aggregation and correlation of anomalous activities, network and system alerts, and relevant event and cyber threat intelligence from multiple sources, including both internal and external sources, to better detect and prev… (DE.AE-3.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Components should provide sufficient audit storage capacity, taking into account retention policy, the auditing to be performed and the online audit processing requirements. Components may rely on the system into which they are integrated to provide the majority of audit storage capacity. However, t… (§6.11.2 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness. (AU-6(3) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness. (AU-6(3) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The information system compiles audit records from [Assignment: organization-defined information system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of … (AU-12(1) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. (AU-6(6) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The information system provides the capability to centrally review and analyze audit records from multiple components within the system. (AU-6(4) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • incorporate information from its monitoring activities that identify potential system events and circumstances that were previously not considered (¶ 3.82 Bullet 1 Sub-Bullet 4, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Are the logs from network devices aggregated to a central server? (§ G.11.5.4, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • CSR 2.1.1: The organization must centrally manage audit records that are generated by the system's individual components. CSR 2.1.7: Audit records from multiple system components must be compiled into a system-wide (physical or logical), time-correlated audit trail. (CSR 2.1.1, CSR 2.1.7, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Collect audit information (e.g., logs) into one or more central repositories. (AU.3.048, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity. (AU.3.051, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Collect audit information (e.g., logs) into one or more central repositories. (AU.3.048, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity. (AU.3.051, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity. (AU.3.051, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Collect audit information (e.g., logs) into one or more central repositories. (AU.3.048, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity. (AU.L2-3.3.5 Audit Correlation, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • Send individual intrusion detection logs to a central logging facility where correlation and analysis will be accomplished as a system wide intrusion detection effort. (§ 5.10.1.3 ¶ 3(4), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Determine whether management has a log management process to use logs to identify, track, analyze, and resolve problems that occur during day-to-day operations. Describe how management collects and collates logs and how management uses logs to respond to issues. Evaluate how management addresses the… (App A Objective 15:7, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Implementing procedures to correlate events. (App A Objective 16:4b Bullet 13, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Processes to effectively collect, aggregate, analyze, and correlate security event information from discrete systems and applications. (App A Objective 6.35.d, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness. (AU-6(3) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The information system provides the capability to centrally review and analyze audit records from multiple components within the system. (AU-6(4) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The information system compiles audit records from [FedRAMP Assignment: all network, data storage, and computing devices] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for relationship between time stamps o… (AU-12(1) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. (AU-6(6) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness. (AU-6(3) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Provide and implement the capability to centrally review and analyze audit records from multiple components within the system. (AU-6(4) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Analyze and correlate audit records across different repositories to gain organization-wide situational awareness. (AU-6(3) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. (AU-6(6) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Compile audit records from [FedRAMP Assignment: all network, data storage, and computing devices] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records… (AU-12(1) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Analyze and correlate audit records across different repositories to gain organization-wide situational awareness. (AU-6(3) ¶ 1, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. (AU-6(6) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Compile audit records from [Assignment: organization-defined system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trai… (AU-12(1) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Analyze and correlate audit records across different repositories to gain organization-wide situational awareness. (AU-6(3) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Analyze and correlate audit records across different repositories to gain organization-wide situational awareness. (AU-6(3) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Correlate information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness. (SI-4(17) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Correlate information from nontechnical sources with audit record information to enhance organization-wide situational awareness. (AU-6(9) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Correlate information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness. (SI-4(17) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Audit and Accountability (AU): Organizations must: (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure that the … (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Event data are collected and correlated from multiple sources and sensors (DE.AE-3, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Event data are collected and correlated from multiple sources and sensors (DE.AE-3, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • Event data are aggregated and correlated from multiple sources and sensors. (DE.AE-3, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • The audit trail should be examined to ensure it accurately compiles data from multiple components into a single, time-correlated audit trail. Test the audit trail by performing actions that generate audit events on different components to ensure the audit events from multiple components are accurat… (AU-2(1), AU-2.8, AU-3(2), AU-3.9, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness. (AU-6(3) ¶ 1 Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness. (AU-6(3) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. (AU-6(6) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The information system compiles audit records from [Assignment: organization-defined information system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of … (AU-12(1) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Perform event correlation using information gathered from a variety of sources within the enterprise to gain situational awareness and determine the effectiveness of an observed attack. (T0166, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization should correlate and analyze the audit records from across the systems. (SG.AU-6 Additional Considerations A2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The smart grid Information System should use automated mechanisms to compile audit records from multiple systems into one record. (SG.AU-6 Additional Considerations A3, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The smart grid Information System should provide the capability of compiling the audit records from multiple components into a system-wide, time-correlated audit trail. (SG.AU-15 Additional Considerations A1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity. (3.3.5, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity. (3.3.5, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity. (3.3.5, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • The organization should centralize the review and analysis of all audit records from multiple sources in the system. (App F § AU-6(4), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should compile audit records into a systemwide (logical or physical) audit trail that is correlated by system time stamps of individual records in the audit trail. (App F § AU-12(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should centrally manage audit record content generated by specific Information System components. (App F § AU-3(2), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should analyze and correlate all system audit records across different repositories to maintain organizational situation awareness. (App F § AU-6(3), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should correlate audit records with physical access monitoring to identify unusual system activity. (App F § AU-6(6), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Perform event correlation using information gathered from a variety of sources within the enterprise to gain situational awareness and determine the effectiveness of an observed attack. (T0166, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness. (AU-6(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system provides the capability to centrally review and analyze audit records from multiple components within the system. (AU-6(4), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. (AU-6(6), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization correlates information from nontechnical sources with audit information to enhance organization-wide situational awareness. (AU-6(9), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system compiles audit records from {organizationally documented information system components} into a system-wide (logical or physical) audit trail that is time-correlated to within {organizationally documented level of tolerance for relationship between time stamps of individual rec… (AU-12(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system produces a system-wide (logical or physical) audit trail composed of audit records in a standardized format. (AU-12(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness. (AU-6(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. (AU-6(6), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system compiles audit records from {organizationally documented information system components} into a system-wide (logical or physical) audit trail that is time-correlated to within {organizationally documented level of tolerance for relationship between time stamps of individual rec… (AU-12(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness. (AU-6(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness. (AU-6(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The information system compiles audit records from [Assignment: organization-defined information system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of … (AU-12(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. (AU-6(6) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness. (AU-6(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The information system provides the capability to centrally review and analyze audit records from multiple components within the system. (AU-6(4) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness. (AU-6(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The information system compiles audit records from [Assignment: organization-defined information system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of … (AU-12(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization correlates information from nontechnical sources with audit information to enhance organization-wide situational awareness. (AU-6(9) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization correlates information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness. (SI-4(17) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The information system produces a system-wide (logical or physical) audit trail composed of audit records in a standardized format. (AU-12(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. (AU-6(6) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Provide and implement the capability to centrally review and analyze audit records from multiple components within the system. (AU-6(4) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Analyze and correlate audit records across different repositories to gain organization-wide situational awareness. (AU-6(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Correlate information from nontechnical sources with audit record information to enhance organization-wide situational awareness. (AU-6(9) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Compile audit records from [Assignment: organization-defined system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trai… (AU-12(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. (AU-6(6) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format. (AU-12(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Correlate information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness. (SI-4(17) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Provide and implement the capability to centrally review and analyze audit records from multiple components within the system. (AU-6(4) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Analyze and correlate audit records across different repositories to gain organization-wide situational awareness. (AU-6(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Correlate information from nontechnical sources with audit record information to enhance organization-wide situational awareness. (AU-6(9) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Compile audit records from [Assignment: organization-defined system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trai… (AU-12(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. (AU-6(6) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format. (AU-12(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Correlate information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness. (SI-4(17) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The organization correlates information from nontechnical sources with audit information to enhance organization-wide situational awareness. (AU-6(9) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The organization correlates information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness. (SI-4(17) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • a solution that centralizes logging and security event alerting. (§ 500.14 Monitoring and Training (b)(2), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness. (AU-6(3) ¶ 1, TX-RAMP Security Controls Baseline Level 2)