Include a standard to collect and interpret event logs in the event logging procedures.

CONTROL ID
00643
CONTROL TYPE
Log Management
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain event logging procedures., CC ID: 01335

This Control has the following implementation support Control(s):
  • Protect the event logs from failure., CC ID: 06290
  • Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs., CC ID: 01427
  • Compile the event logs of multiple components into a system-wide time-correlated audit trail., CC ID: 01424
  • Review and update event logs and audit logs, as necessary., CC ID: 00596
  • Reproduce the event log if a log failure is captured., CC ID: 01426


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The organization should make provisions for analyzing and reporting on unauthorized access based on the audit trails. For systems that handle personal data, this is a requirement. (T37.2, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Banks should validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized… (Critical components of information security 17) xiv., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • A process to collect, process, review and retain system logs should be established to facilitate the FI's security monitoring operations. These logs should be protected against unauthorised access. (§ 12.2.2, Technology Risk Management Guidelines, January 2021)
  • All security-relevant events generated by a CDS are logged and regularly analysed. (Security Control: 0670; Revision: 4, Australian Government Information Security Manual, March 2021)
  • An event log auditing process, and supporting event log auditing procedures, is developed and implemented covering the scope and schedule of audits, what constitutes a violation of security policy, and actions to be taken when violations are detected, including reporting requirements. (Security Control: 0109; Revision: 6, Australian Government Information Security Manual, March 2021)
  • Cyber security events and anomalous activities are detected, collected, correlated and analysed in a timely manner. (D1:, Australian Government Information Security Manual, March 2021)
  • Event logs are collected and analysed in a timely manner to detect cyber security events. (D1:, Australian Government Information Security Manual, June 2023)
  • Event logs are collected and analysed in a timely manner to detect cyber security events. (D1:, Australian Government Information Security Manual, September 2023)
  • The organization must develop and document the auditing requirements for event logs, that includes the audit scope. (Control: 0109 Bullet 1, Australian Government Information Security Manual: Controls)
  • The organization must develop and document the auditing requirements for event logs, that includes what is a violation of the information security policy. (Control: 0109 Bullet 3, Australian Government Information Security Manual: Controls)
  • The organization must develop and document the auditing requirements for event logs, that includes the actions to take when a violation is detected. (Control: 0109 Bullet 4, Australian Government Information Security Manual: Controls)
  • The organization must develop and document the auditing requirements for event logs, that includes the reporting requirements. (Control: 0109 Bullet 5, Australian Government Information Security Manual: Controls)
  • The organization must develop and document the auditing requirements for event logs, that includes specific responsibilities. (Control: 0109 Bullet 6, Australian Government Information Security Manual: Controls)
  • The Security Officer should manage and audit all event logs. The system manager or information owner should determine the audit requirements based on the security policy requirements. Personnel with system administrator privileges should not have system audit responsibilities. (§ 3.7.25, Australian Government ICT Security Manual (ACSI 33))
  • The specification of objective, verifiable and quantifiable performance indicators used to analyze efficiency and effectiveness is called for. (§ G.4.1.5, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003)
  • Audit trails need to be available and convertible to an intelligible format. (¶ 9, EudraLex, The Rules Governing Medicinal Products in the European Union, Volume 4 Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use Annex 11: Computerised Systems, SANCO/C8/AM/sl/ares(2010)1064599)
  • Policies and instructions with technical and organisational safeguards are documented, communicated and provided according to SA-01 in order to log events on all assets which are used for the development or operation of the cloud service and to store them in a central place. The logging includes def… (Section 5.6 RB-10 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Information security requirements regarding the handling of event logs are determined and fulfilled. (5.2.4 Requirements (must) Bullet 1, Information Security Assessment, Version 5.1)
  • Information security requirements relevant to the security during the handling of event logs, e.g. contractual requirements, are determined and implemented. (C, I, A) (5.2.4 Additional requirements for high protection needs Bullet 1, Information Security Assessment, Version 5.1)
  • Logs must be kept of the processing steps that were performed, especially the modifications, consultations, and transmissions, and the steps can be traced with regard to permissibility. This measure must take into account the state of the art and the costs to safeguard the data at an appropriate lev… (§ 14(2)7, § 14(3), Austria Data Protection Act)
  • (§ 4.2.4.2, OGC ITIL: Security Management)
  • Audit trail records must be accurately made and protected against unauthorized modification, loss, or damage in order to have a clear and accurate audit trail throughout the manufacturing process. (¶ 21.3, Good Practices For Computerized systems In Regulated GXP Environments)
  • Work with the business to define a balanced set of performance targets and have them approved by the business and other relevant stakeholders. Define benchmarks with which to compare the targets, and identify available data to be collected to measure the targets. Establish processes to collect timel… (ME1.2 Definition and Collection of Monitoring Data, CobiT, Version 4.1)
  • Log any attempts to violate the firewall rules. (§ 3-4, MasterCard Electronic Commerce Security Architecture Best Practices, April 2003)
  • The organization must develop a data retention and disposal policy and retain data for as long as the information is necessary. (§ 3.1.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Are written policies and procedures defined for reviewing the following at least daily, either manually or via log tools? - All security events - Logs of all system components that store, process, or transmit CHD and/or SAD - Logs of all critical system components - Logs of all servers and system co… (10.6.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are written policies and procedures defined for reviewing logs of all other system components periodically—either manually or via log tools—based on the organization’s policies and risk management strategy? (10.6.2 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are written policies and procedures defined for following up on exceptions and anomalies identified during the review process? (10.6.3 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • An automated audit trail should be implemented to track and monitor access to the application. Disabling the logs should not be done and could result in noncompliance with PCI DSS. (§ 4.2, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1)
  • The frequency of periodic log reviews for all other system components (not defined in Requirement 10.4.1) is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1 (10.4.2.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • The frequency of periodic log reviews for all other system components (not defined in Requirement 10.4.1) is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1 (10.4.2.1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The frequency of periodic log reviews for all other system components (not defined in Requirement 10.4.1) is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1 (10.4.2.1, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The frequency of periodic log reviews for all other system components (not defined in Requirement 10.4.1) is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1 (10.4.2.1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The frequency of periodic log reviews for all other system components (not defined in Requirement 10.4.1) is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1 (10.4.2.1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Access to information in electronic format is necessary to use continuous auditing effectively. The access method selection should take into account factors such as network traffic, system performance, and volumes of data. The attainment of proper access rights must be ensured by the Chief Audit Exe… (§ 6 (Accessing Data), § 6 (Build Audit Technical Skills and Knowledge) ¶ 4, IIA Global Technology Audit Guide (GTAG) 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment)
  • The organization should have a plan outlining when audit trails should be reviewed, who should review them, what the reviewers should be looking for, and how the reviewers should report any anomalies. Station message detail recording (SMDR) is a PBX feature that logs inbound, outbound, and internal … (Pg 11-V-6, Pg 12-IV-22, Revised Volume 1 Pg 7-I-41, Protection of Assets Manual, ASIS International)
  • Standards / procedures should cover analysis of security-related event logs (including normalisation, aggregation, and correlation). (CF.10.04.02e, The Standard of Good Practice for Information Security)
  • Security event log management should include guidance on the content of reports. (CF.10.04.03-5, The Standard of Good Practice for Information Security)
  • Security-related event log analysis should include processing of key security-related events (e.g., using techniques such as normalisation, aggregation, and correlation). (CF.10.04.08a, The Standard of Good Practice for Information Security)
  • Security-related event log analysis should include interpreting key security-related events (e.g., identification of unusual activity). (CF.10.04.08b, The Standard of Good Practice for Information Security)
  • Standards / procedures should cover analysis of security-related event logs (including normalisation, aggregation, and correlation). (CF.10.04.02e, The Standard of Good Practice for Information Security, 2013)
  • Security event log management should include guidance on the content of reports. (CF.10.04.03-5, The Standard of Good Practice for Information Security, 2013)
  • Security-related event log analysis should include processing of key security-related events (e.g., using techniques such as normalisation, aggregation, and correlation). (CF.10.04.08a, The Standard of Good Practice for Information Security, 2013)
  • Security-related event log analysis should include interpreting key security-related events (e.g., identification of unusual activity). (CF.10.04.08b, The Standard of Good Practice for Information Security, 2013)
  • Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such … (Control 6.2, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • The system should use a standardized format to record data into the logs. (Critical Control 14.2, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Collect audit logs. Ensure that logging, per the enterprise's audit log management process, has been enabled across enterprise assets. (CIS Control 8: Safeguard 8.2 Collect Audit Logs, CIS Controls, V8)
  • Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis. (CIS Control 8: Safeguard 8.11 Conduct Audit Log Reviews, CIS Controls, V8)
  • The audit log should have the ability to use a set of rules to determine if a potential violation has occurred. This set of rules should identify events whose occurrence or accumulated occurrence could indicate a potential violation. The audit system should be able to maintain system usage profiles … (§ 8.3, § C.4, ISO 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008)
  • Outsourced service providers should ensure that log files are periodically analyzed by security personnel. (§ 7.5.8(a), ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • when the results from monitoring and measurement shall be analysed and evaluated; and (§ 9.1 ¶ 2 e), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • to collect and preserve incident-related audit logs and other relevant evidence. (§ 16.1.2 Health-specific controls ¶ 1(c), ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition)
  • The organization shall analyse and evaluate appropriate data and information arising from monitoring and measurement. (9.1.3 ¶ 1, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • when the results from monitoring and measurement shall be analysed and evaluated. (9.1.1 ¶ 1(d), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • monitoring and measurement results; (9.3.2 ¶ 1(c)(5), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • monitoring and measurement results; (Section 9.3 ¶ 2(c) bullet 2, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • monitoring and measurement results; (§ 9.3 ¶ 2(c)(2), ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • when the results from monitoring and measurement shall be analysed and evaluated; (§ 9.1 ¶ 1 e), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • Logs that record activities, exceptions, faults and other relevant events should be produced, stored, protected and analysed. (§ 8.15 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • Log information recorded for purposes such as security monitoring and operational diagnostics may contain PII. Measures, such as controlling access (see 9.2.3), should be put in place to ensure that logged information is only used for its intended purposes. (§ 12.4.2 ¶ 3, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Log information recorded for purposes such as security monitoring and operational diagnostics can contain PII. Measures, such as controlling access (see 9.2.3), should be put in place to ensure that logged information is only used for its intended purposes. (§ 12.4.2 ¶ 3, ISO/IEC 27018:2019, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, Second edition)
  • The organization has a capability to collect, analyze, and correlate events data across the organization in order to predict, analyze, and respond to changes in the operating environment. (DE.AE-3.1, CRI Profile, v1.2)
  • The organization establishes a systematic and comprehensive program to periodically evaluate and improve the monitoring and detection processes and controls, as well as incorporate the lessons learned, as the threat landscape evolves. (DE.DP-5.1, CRI Profile, v1.2)
  • Audit/log records are determined, documented, implemented, and reviewed in accordance with policy. (PR.PT-1, CRI Profile, v1.2)
  • Event data are collected and correlated from multiple sources and sensors. (DE.AE-3, CRI Profile, v1.2)
  • The organization has a capability to collect, analyze, and correlate events data across the organization in order to predict, analyze, and respond to changes in the operating environment. (DE.AE-3.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization establishes a systematic and comprehensive program to periodically evaluate and improve the monitoring and detection processes and controls, as well as incorporate the lessons learned, as the threat landscape evolves. (DE.DP-5.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and (AU-2c., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and (AU-2c., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities. (AU-6(1) ¶ 1, StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and (AU-2c., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and (AU-7a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities. (AU-6(1) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization correlates information from monitoring tools employed throughout the information system. (SI-4(16) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities. (AU-6(1) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and (AU-2c., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization integrates analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the a… (AU-6(5) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and (AU-7a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization correlates information from monitoring tools employed throughout the information system. (SI-4(16) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization must ensure that selected system elements at critical control points provide system activity logs and user network activity logs. The organization must review system audit logs on demand and, at least daily, for the following activities: logons and errors; system resource utilizatio… (CSR 10.2.9, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Review audit information for broad activity in addition to per-machine activity. (AU.4.054, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Review audit information for broad activity in addition to per-machine activity. (AU.4.054, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • The audit trail must be scheduled, on a regular basis, to be analyzed using automated tools. (§ 8-602.c, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • Audit log content. ASTM E2147-18, (incorporated by reference in §170.299). (§ 170.210 (h), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • Audit log content. ASTM E2147-18, (incorporated by reference in §170.299). (§ 170.210 (h), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
  • The responsible management official shall designate an individual or position to review/analyze information system audit records for indications of inappropriate or unusual activity, investigate suspicious activity or suspected violations, to report findings to appropriate officials, and to take nec… (§ 5.4.3 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • The responsible management official shall designate an individual or position to review/analyze information system audit records for indications of inappropriate or unusual activity, investigate suspicious activity or suspected violations, to report findings to appropriate officials, and to take nec… (§ 5.4.3 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Determine whether management has a log management process to use logs to identify, track, analyze, and resolve problems that occur during day-to-day operations. Describe how management collects and collates logs and how management uses logs to respond to issues. Evaluate how management addresses the… (App A Objective 15:7, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Types of logs to be collected. (App A Objective 15:7b Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Review information systems reports for management, and determine whether they provide the information necessary to help manage the institution effectively. Determine the following: (App A Objective 3:6, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Identify the financial institution staff members who perform periodic monitoring of RDC customer activity and describe the process used. (App A Tier 2 Objectives and Procedures N.9 Bullet 2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Assess the adequacy of logs maintained for ACH payments received from, and delivered to, each customer. (Exam Tier II Obj 9.1, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • Calls for access to audit trails and the logging of invalid access attempts. (AC-4.1, AC-4.2, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities. (AU-6(1) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and (AU-7a. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization integrates analysis of audit records with analysis of [FedRAMP Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; penetration test data; [Organization-defined data/information collected from other sources]] to fu… (AU-6(5) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization correlates information from monitoring tools employed throughout the information system. (SI-4(16) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and (AU-2c. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and (AU-2c. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities. (AU-6(1) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and (AU-2c. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization correlates information from monitoring tools employed throughout the information system. (SI-4(16) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and (AU-7a. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms]. (AU-6(1) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and (AU-2d., FedRAMP Security Controls High Baseline, Version 5)
  • Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and (AU-7a., FedRAMP Security Controls High Baseline, Version 5)
  • Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. (AU-6c., FedRAMP Security Controls High Baseline, Version 5)
  • Correlate information from monitoring tools and mechanisms employed throughout the system. (SI-4(16) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Integrate analysis of audit records with analysis of [FedRAMP Assignment: Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; penetration test data; [Organization -defined data/information collected from other sources]] to further… (AU-6(5) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and (AU-2d., FedRAMP Security Controls Low Baseline, Version 5)
  • Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. (AU-6c., FedRAMP Security Controls Low Baseline, Version 5)
  • Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms]. (AU-6(1) ¶ 1, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and (AU-2d., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and (AU-7a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. (AU-6c., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Correlate information from monitoring tools and mechanisms employed throughout the system. (SI-4(16) ¶ 1, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Document the organization's decisions regarding audits and reviews. (§ 4.15.3 Bullet 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. (AU-6c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and (AU-7a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and (AU-2d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms]. (AU-6(1) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropria… (AU-6(5) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. (AU-6c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and (AU-2d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms]. (AU-6(1) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and (AU-7a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and (AU-2d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. (AU-6c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and (AU-2d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. (AU-6c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and (AU-2d., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and (AU-2d., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and (AU-2d., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and (AU-2d., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. (AU-6c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and (AU-2d., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. (AU-6c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • The organization should use an automated auditing tool to help in reviewing access point and authentication server audit data. (Table 8-3 Item 35, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST SP 800-97, February 2007)
  • Audit/log records are determined, documented, implemented, and reviewed in accordance with policy. (PR.PT-1, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • Access to all audit trails must be made available. (§ 3.13, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • Organizational records, documents, and the system configuration should be examined to ensure automated mechanisms are implemented to integrate the monitoring, analysis, and reporting of audit records into a process for investigating and responding to suspicious activities. Test the system by genera… (AU-6(1), AU-6.7, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and (AU-2c. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and (AU-2c. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and (AU-2c. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities. (AU-6(1) ¶ 1 Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities. (AU-6(1) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization integrates analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the a… (AU-6(5) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and (AU-7a. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and (AU-7a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • There should be a method for tracing all console activities to a user, either manually (e.g., control room sign in) or automatic (e.g., login at the application and/or OS layer). Policies and procedures for what is logged, how the logs are stored (or printed), how they are protected, who has access … (§ 6.2.3 ICS-specific Recommendations and Guidance ¶ 7, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Assess the validity of source data and subsequent findings. (T0347, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Audit/log records are determined, documented, implemented, and reviewed in accordance with policy and incorporating the principle of data minimization. (CT.DM-P8, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • The smart grid Information System should use automated mechanisms for integrating the audit review, analysis, and reporting into a process for investigating and responding to suspicious activities. (SG.AU-6 Additional Considerations A1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must adjust the level of audit review, analysis, and reporting when there is a change in risk to the operations, assets, individuals, other organizations, or the nation, as determined by intelligence information, law enforcement information, or another credible source. (App F § AU-6, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should integrate the analysis of audit records with vulnerability scanning, performance data, and network monitoring information to enhance the ability to identify unusual activity or inappropriate activity. (App F § AU-6(5), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Assess the validity of source data and subsequent findings. (T0347, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents. (AU-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities. (AU-6(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization integrates analysis of audit records with analysis of {vulnerability scanning information} to further enhance the ability to identify inappropriate or unusual activity. (AU-6(5), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization integrates analysis of audit records with analysis of {performance data} to further enhance the ability to identify inappropriate or unusual activity. (AU-6(5), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization integrates analysis of audit records with analysis of {information system monitoring information} to further enhance the ability to identify inappropriate or unusual activity. (AU-6(5), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization integrates analysis of audit records with analysis of {organizationally documented data/information collected from other sources} to further enhance the ability to identify inappropriate or unusual activity. (AU-6(5), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization specifies the permitted actions for each {information system process} associated with the review, analysis, and reporting of audit information. (AU-6(7), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization specifies the permitted actions for each {role} associated with the review, analysis, and reporting of audit information. (AU-6(7), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization specifies the permitted actions for each {user} associated with the review, analysis, and reporting of audit information. (AU-6(7), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents. (AU-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities. (AU-6(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization integrates analysis of audit records with analysis of {vulnerability scanning information} to further enhance the ability to identify inappropriate or unusual activity. (AU-6(5), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization integrates analysis of audit records with analysis of {performance data} to further enhance the ability to identify inappropriate or unusual activity. (AU-6(5), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization integrates analysis of audit records with analysis of {information system monitoring information} to further enhance the ability to identify inappropriate or unusual activity. (AU-6(5), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization integrates analysis of audit records with analysis of {organizationally documented data/information collected from other sources} to further enhance the ability to identify inappropriate or unusual activity. (AU-6(5), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents. (AU-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents. (AU-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities. (AU-6(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities. (AU-6(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and (AU-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization integrates analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the a… (AU-6(5) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and (AU-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and (AU-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and (AU-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and (AU-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities. (AU-6(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and (AU-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities. (AU-6(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and (AU-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization correlates information from monitoring tools employed throughout the information system. (SI-4(16) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization integrates analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the a… (AU-6(5) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Develops profiles representing common traffic patterns and/or events; and (SI-4(13)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms]. (AU-6(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and (AU-2d., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropria… (AU-6(5) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and (AU-7a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. (AU-6c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Correlate information from monitoring tools and mechanisms employed throughout the system. (SI-4(16) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Develop profiles representing common traffic and event patterns; and (SI-4(13)(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms]. (AU-6(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and (AU-2d., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropria… (AU-6(5) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and (AU-7a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. (AU-6c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Correlate information from monitoring tools and mechanisms employed throughout the system. (SI-4(16) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Develop profiles representing common traffic and event patterns; and (SI-4(13)(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and (AU-2c., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Information is correlated from multiple sources (DE.AE-03, The NIST Cybersecurity Framework, v2.0)
  • Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and (AU-2c., TX-RAMP Security Controls Baseline Level 1)
  • Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and (AU-2c., TX-RAMP Security Controls Baseline Level 2)
  • Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and (AU-7a., TX-RAMP Security Controls Baseline Level 2)
  • The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities. (AU-6(1) ¶ 1, TX-RAMP Security Controls Baseline Level 2)
  • The organization correlates information from monitoring tools employed throughout the information system. (SI-4(16) ¶ 1, TX-RAMP Security Controls Baseline Level 2)