Compiling audit records from multiple components into a systemwide, time-correlated audit trail


The organization will ensure that the information system provides the capability to compile audit records from multiple components throughout the system into a systemwide (logical or physical), time-correlated audit trail. [UCF ID 01424]

Supporting and supported controls

This control directly supports:

Collection and interpretation of logs [UCF Control ID 00643]

This control has the following supporting controls:

There are no supporting controls.

Authority documents complied with:

Australian Government ICT Security Manual (ACSI 33) § 3.7.10; FFIEC IT Examination Handbook – Information Security Exam Tier II Obj M.5; Recommended Security Controls for Federal Information Systems, NIST SP 800-53 AU-2(1), AU-3(2); Guide for Assessing the Security Controls in Federal Information Systems, NIST 800-53A § AU-2(1), AU-2.8, AU-3(2), AU-3.9; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems § 3

US Federal Security Guidance

FIPS Publication 200, § 3, Specifications for Minimum Security Requirements, calls for Audit and Accountability (AU). Organizations must: (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.

NIST Guidance

NIST 800-53, AU-2(1) states that the information system must provide the capability to compile audit records from multiple components throughout the system into a systemwide (logical or physical), time-correlated audit trail.

AU-3(2) states that for high impact systems, the information system should provide the capability to centrally manage the content of audit records generated by individual components throughout the system.

Asia and Pacific Rim Guidance

The Australian Government ICT Security Manual (ACSI 33) § 3.7.10 states that all events occurring on the organization's networks should be logged and correlated into one event log.