Compiling audit records from multiple components into a systemwide audit trail

Status: Live

The organization will ensure that the information system provides the capability to compile audit records from multiple components throughout the system into a systemwide (logical or physical), time-correlated audit trail. [UCF ID 01424]

Supporting and supported controls

This control directly supports:

There are no supporting controls.

Authority documents complied with:

FFIEC IT Examination Handbook – Information Security, Exam Tier II Obj M.5; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2, AU-2(1), AU-3(2); Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, AU-2(1), AU-2.8, AU-3(2), AU-3.9; Australian Government ICT Security Manual (ACSI 33), § 3.7.10; Archer Control Table, ATCS-229; Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline, Version 1.2, July 2009, § 4.3.1.E

Banking and Finance Guidance

[Exam Tier II Obj M.5, FFIEC IT Examination Handbook – Information Security]

Payment Card Guidance

Coordinate logging events with other networking devices within the organization. [§ 4.3.1.E, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline, Version 1.2, July 2009]

US Federal Security Guidance

Audit and Accountability (AU): Organizations must: (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]

NIST Guidance

The information system must provide the capability to compile audit records from multiple components throughout the system into a systemwide (logical or physical), time-correlated audit trail.
For high impact systems, the information system should provide the capability to centrally manage the content of audit records generated by individual components throughout the system.
[AU-2(1), AU-3(2), Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2]

The audit trail should be examined to ensure it accurately compiles data from multiple components into a single, time-correlated audit trail.
Test the audit trail by performing actions that generate audit events on different components to ensure the audit events from multiple components are accurately recorded in the audit trail.
Interviews should be conducted with personnel involved in the auditing process to ensure audit records from multiple systems are compiled into a single, time-correlated audit trail.
[AU-2(1), AU-2.8, AU-3(2), AU-3.9, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]

Asia and Pacific Rim Guidance

All events occurring on the organization's networks should be logged and correlated into one event log. [§ 3.7.10, Australian Government ICT Security Manual (ACSI 33)]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.