Protect against misusing automated audit tools.


CONTROL ID: 04547
CONTROL TYPE: Technical Security
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Monitoring and measurement, CC ID: 00636

This Control has the following implementation support Control(s):
  • Evaluate the measurement process used for metrics., CC ID: 06920
  • Evaluate the information technology products used for metrics., CC ID: 11644
  • Identify and communicate improvements in metrics reporting., CC ID: 06921


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Security audit activity should be managed by protecting software tools used in carrying out audits (e.g., by keeping them separate from tools / utilities used in the live environment and holding them in secure storage facilities, such as restricted software libraries). (SI.01.01.04e, The Standard of Good Practice for Information Security)
  • Security audit activity should be managed by protecting software tools used in carrying out audits (e.g., by keeping them separate from tools / utilities used in the live environment and holding them in secure storage facilities, such as restricted software libraries). (SI.01.01.04e, The Standard of Good Practice for Information Security, 2013)
  • Access to, and use of, audit tools that interact with the organization's information systems shall be appropriately segmented and restricted to prevent compromise and misuse of log data. (IAM-01, Cloud Controls Matrix, v3.0)
  • Access to, and use of, audit tools that interact with the organization's Information Systems shall be appropriately segmented and restricted to prevent compromise and misuse of log data. (IS-29, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • Access to information system audit tools should be protected to ensure that the audit tools are not misused or compromised. (§ 15.3.2, ISO 27002 Code of practice for information security management, 2005)
  • Audit records shall be secure and tamper-proof. Access to system audit tools and audit trails shall be safeguarded to prevent misuse or compromise. (§ 12.4.2 Health-specific control, ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition)
  • The information system protects audit information and audit tools from unauthorized access, modification, and deletion. (AU-9 Control, StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • The information system protects audit information and audit tools from unauthorized access, modification, and deletion. (AU-9 Control, StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • The information system protects audit information and audit tools from unauthorized access, modification, and deletion. (AU-9 Control, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The information system protects audit information and audit tools from unauthorized access, modification, and deletion. (AU-9 Control, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • When a web site is supported that has access to scoped systems and data, are there processes to manage threat and vulnerability assessment tools and the data they collect? (§ I.5.2, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • When a web site is hosted that has access to scoped systems and data, are there processes to manage threat and vulnerability assessment tools and the data they collect? (§ I.5.2, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • When a web site is maintained that has access to scoped systems and data, are there processes to manage threat and vulnerability assessment tools and the data they collect? (§ I.5.2, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • Are information systems audit tools (e.g., software or data files) protected and separated from development and operational systems and not held in tape libraries or user areas? (§ L.12, Shared Assessments Standardized Information Gathering Questionnaire - L. Compliance, 7.0)
  • CSR 2.1.4: The organization must use privilege restrictions to deny non-administrators access to administrator tools, utilities, and scripts. CSR 2.1.6: The organization must protect audit tools and audit information from unauthorized access, unauthorized modification, and unauthorized deletion. (CSR 2.1.4, CSR 2.1.6, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The Information System shall protect the audit information and the audit tools from deletion, unauthorized access, and modification. (§ 5.4.5, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The agency's information system shall protect audit information and audit tools from modification, deletion and unauthorized access. (§ 5.4.5 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • If computer-assisted audit techniques (computer software and/or test data) are used to help with the auditing process, these tools and their documentation should be strictly controlled. (Pg 13, FFIEC IT Examination Handbook - Audit, August 2003)
  • Audit tools may give users powerful access to the system by bypassing security controls. Some controls that should be implemented to reduce this threat include implementing least possible privilege; implementing password protection; locking the audit tools in a cabinet; maintaining logs on the tools… (Pg 22, Pg 23, FFIEC IT Examination Handbook - Operations, July 2004)
  • The information system protects audit information and audit tools from unauthorized access, modification, and deletion. (AU-9 High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The information system protects audit information and audit tools from unauthorized access, modification, and deletion. (AU-9 Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The information system protects audit information and audit tools from unauthorized access, modification, and deletion. (AU-9 Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and (AU-9a., FedRAMP Security Controls High Baseline, Version 5)
  • Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and (AU-9a., FedRAMP Security Controls Low Baseline, Version 5)
  • Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and (AU-9a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • The organization must protect all audit tools from unauthorized modification, unauthorized access, and deletion. (§ 5.6.2, Exhibit 4 AU-9, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and (AU-9a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and (AU-9a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and (AU-9a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • The configuration of the system should be examined to ensure auditing information and auditing tools are protected from unauthorized access, modification, and deletion. Organizational records and documents should be examined to ensure specific responsibilities and actions are defined for the impleme… (AU-9, AU-9.2, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The information system protects audit information and audit tools from unauthorized access, modification, and deletion. (AU-9 Control: Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The information system protects audit information and audit tools from unauthorized access, modification, and deletion. (AU-9 Control: Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The information system protects audit information and audit tools from unauthorized access, modification, and deletion. (AU-9 Control: High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization must state the conditions and rules for using audit tools. (SG.AU-13 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should protect access to audit tools to prevent possible misuse or compromise. (SG.AU-13 Supplemental Guidance, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The information system protects audit information and audit tools from unauthorized access, modification, and deletion. (AU-9 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The information system protects audit information and audit tools from unauthorized access, modification, and deletion. (AU-9 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • The information system protects audit information and audit tools from unauthorized access, modification, and deletion. (AU-9 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The information system protects audit information and audit tools from unauthorized access, modification, and deletion. (AU-9 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and (AU-9a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and (AU-9a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The information system protects audit information and audit tools from unauthorized access, modification, and deletion. (AU-9 Control, TX-RAMP Security Controls Baseline Level 1)
  • The information system protects audit information and audit tools from unauthorized access, modification, and deletion. (AU-9 Control, TX-RAMP Security Controls Baseline Level 2)