Doc:NIST SP 800-53Ar1 Appendix F/Enhanced/AU

From FISMApedia

NIST SP 800-53Ar1 Assessment Procedure Catalog, with SP 800-53r3 Security Controls


AUDIT AND ACCOUNTABILITY

AU-1 AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES


FAMILY: AUDIT AND ACCOUNTABILITY CLASS: TECHNICAL


Security Control Baseline:
AU-1 Audit and Accountability Policy and Procedures | Priority: P1 | LOW: AU-1 | MOD: AU-1 | HIGH: AU-1


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/AU-1


ASSESSMENT PROCEDURE
AU-1 AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES
AU-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and formally documents audit and accountability policy;
(ii) the organization's audit and accountability policy addresses:
(iii) the organization disseminates formal documented audit and accountability policy to elements within the organization having associated audit and accountability roles and responsibilities;
(iv) the organization develops and formally documents audit and accountability procedures;
(v) the organization's audit and accountability procedures facilitate implementation of the audit and accountability policy and associated audit and accountability controls; and
(vi) the organization disseminates formal documented audit and accountability procedures to elements within the organization having associated audit and accountability roles and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with audit and accountability responsibilities].
AU-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of audit and accountability policy reviews/updates;
(ii) the organization reviews/updates audit and accountability policy in accordance with organization-defined frequency;
(iii) the organization defines the frequency of audit and accountability procedure reviews/updates; and
(iv) the organization reviews/updates audit and accountability procedures in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with audit and accountability responsibilities].


AU-2 AUDITABLE EVENTS


FAMILY: AUDIT AND ACCOUNTABILITY CLASS: TECHNICAL


Security Control Baseline:
AU-2 Auditable Events | Priority: P1 | LOW: AU-2 | MOD: AU-2 (3) (4) | HIGH: AU-2 (3) (4)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/AU-2


ASSESSMENT PROCEDURE
AU-2 AUDITABLE EVENTS
AU-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the list of events the information system must be capable of auditing based on a risk assessment and mission/business needs;
(ii) the organization coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and help guide the selection of auditable events;
(iii) the organization provides a rationale for why the list of auditable events is deemed adequate to support after-the-fact investigations of security incidents;
(iv) the organization defines the subset of auditable events defined in (i) that are to be audited within the information system and the frequency of (or situation requiring) auditing for each identified event; and
(v) the organization determines, based on current threat information and ongoing assessment of risk, the subset of auditable events defined in (i) to be audited within the information system, and the frequency of (or situation requiring) auditing for each identified event.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing auditable events; security plan; information system configuration settings and associated documentation; information system audit records; list of information system auditable events; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with auditing and accountability responsibilities].
Test: [SELECT FROM: Automated mechanisms implementing information system auditing of organization-defined auditable events].


AU-2(1) AUDITABLE EVENTS

[Withdrawn: Incorporated into AU-12].

AU-2(1).1 ASSESSMENT OBJECTIVE:
[Withdrawn: Incorporated into AU-12].
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
[Withdrawn: Incorporated into AU-12].


AU-2(2) AUDITABLE EVENTS

[Withdrawn: Incorporated into AU-12].

AU-2(2).1 ASSESSMENT OBJECTIVE:
[Withdrawn: Incorporated into AU-12].
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
[Withdrawn: Incorporated into AU-12].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/AU-2/3


AU-2(3) AUDITABLE EVENTS
AU-2(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of reviews and updates to the list of organization-defined auditable events; and
(ii) the organization reviews and updates the list of organization-defined auditable events in accordance with the organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing auditable events; security plan; list of organization-defined auditable events; auditable events review and update records; information system audit records; information system incident reports; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with auditing and accountability responsibilities].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/AU-2/4


AU-2(4) AUDITABLE EVENTS
AU-2(4).1 ASSESSMENT OBJECTIVE:
Determine if the organization includes execution of privileged functions in the list of events to be audited by the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing auditable events; information system configuration settings and associated documentation; list of organization-defined auditable events; list of privileged security functions; other relevant documents or records].



AU-3 CONTENT OF AUDIT RECORDS


FAMILY: AUDIT AND ACCOUNTABILITY CLASS: TECHNICAL


Security Control Baseline:
AU-3 Content of Audit Records | Priority: P1 | LOW: AU-3 | MOD: AU-3 (1) | HIGH: AU-3 (1) (2)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/AU-3


ASSESSMENT PROCEDURE
AU-3 CONTENT OF AUDIT RECORDS
AU-3.1 ASSESSMENT OBJECTIVE:
Determine if the information system produces audit records that contain sufficient information to, at a minimum, establish:
  • what type of event occurred;
  • when (date and time) the event occurred;
  • where the event occurred;
  • the source of the event;
  • the outcome (success or failure) of the event; and
  • the identity of any user/subject associated with the event.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing content of audit records; list of organization-defined auditable events; information system audit records; information system incident reports; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing information system auditing of auditable events].
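An assessor testing AU-3.1 needs a way to tell, record by record, which of the six elements above a system's audit output actually establishes. The following checker is an added example, not part of the FISMApedia page or of NIST's material; the JSON-lines record layout, its field names, and the three sample records are constructed for the example, so the field-to-element mapping has to be redone for a real system's schema. It goes slightly beyond presence checks: a date without a time, or an outcome that is neither success nor failure, is reported as not establishing that element.

```python
"""Check whether audit records carry the minimum content NIST SP 800-53 AU-3 calls for.

Added example, not part of the FISMApedia page or of NIST's own material.
The record layout (JSON objects with the field names below) and the sample
records are constructed for this example; real systems use their own schemas,
so map those fields onto the six AU-3 elements first.
"""
import json
from datetime import datetime

# The six AU-3 elements, keyed by the (constructed) field names of our record format.
AU3_REQUIRED_FIELDS = {
    "event_type": "what type of event occurred",
    "timestamp": "when (date and time) the event occurred",
    "host": "where the event occurred",
    "source": "the source of the event",
    "outcome": "the outcome (success or failure) of the event",
    "subject": "the identity of any user/subject associated with the event",
}


def _timestamp_is_valid(value) -> bool:
    """AU-3 wants date *and* time; a date-only string parses but does not qualify."""
    if not isinstance(value, str):
        return False
    try:
        datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return False
    return "T" in value or " " in value


def missing_au3_elements(record: dict) -> list:
    """Return the AU-3 elements a single record fails to establish (empty list = compliant)."""
    missing = []
    for field, element in AU3_REQUIRED_FIELDS.items():
        value = record.get(field)
        if value in (None, ""):
            missing.append(element)
        elif field == "timestamp" and not _timestamp_is_valid(value):
            missing.append(element)
        elif field == "outcome" and str(value).lower() not in ("success", "failure"):
            missing.append(element)
    return missing


def assess_records(lines) -> dict:
    """Assess a batch of JSON-lines records; returns per-line findings plus an overall verdict."""
    findings = {}
    for number, line in enumerate(lines, start=1):
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            findings[number] = ["record is not parseable, so no element can be established"]
            continue
        gaps = missing_au3_elements(record)
        if gaps:
            findings[number] = gaps
    return {"records_with_gaps": findings, "compliant": not findings}


# Constructed sample records: the first is complete, the second has a date but no
# time, the third has an ambiguous outcome and no subject.
SAMPLE_RECORDS = [
    '{"event_type": "login", "timestamp": "2024-03-01T14:02:11Z", "host": "app01", '
    '"source": "203.0.113.7", "outcome": "failure", "subject": "jdoe"}',
    '{"event_type": "login", "timestamp": "2024-03-01", "host": "app01", '
    '"source": "203.0.113.7", "outcome": "success", "subject": "jdoe"}',
    '{"event_type": "config_change", "timestamp": "2024-03-01T14:05:00Z", "host": "app01", '
    '"source": "console", "outcome": "ok"}',
]

if __name__ == "__main__":
    print(json.dumps(assess_records(SAMPLE_RECORDS), indent=2))
```

Run against a sample of real audit output, the per-line findings are the evidence an assessor attaches to the AU-3.1 test result; an empty `records_with_gaps` is the pass condition.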


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/AU-3/1


AU-3(1) CONTENT OF AUDIT RECORDS
AU-3(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the additional, more detailed information to be included in audit records for audit events identified by type, location, or subject; and
(ii) the information system includes the organization-defined additional, more detailed information in the audit records for audit events identified by type, location, or subject.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing content of audit records; list of organization-defined auditable events; information system design documentation; security plan; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Information system audit capability to include more detailed information in audit records for audit events identified by type, location, or subject].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/AU-3/2


AU-3(2) CONTENT OF AUDIT RECORDS
AU-3(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the information system components for which the content of audit records generated is centrally managed; and
(ii) the organization centrally manages the content of audit records generated by organization-defined information system components.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing content of audit records; information system design documentation; list of organization-defined auditable events; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing centralized management of audit record content].


AU-4 AUDIT STORAGE CAPACITY


FAMILY: AUDIT AND ACCOUNTABILITY CLASS: TECHNICAL


Security Control Baseline:
AU-4 Audit Storage Capacity | Priority: P1 | LOW: AU-4 | MOD: AU-4 | HIGH: AU-4


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/AU-4


ASSESSMENT PROCEDURE
AU-4 AUDIT STORAGE CAPACITY
AU-4.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization allocates audit record storage capacity; and
(ii) the organization configures auditing to reduce the likelihood of audit record storage capacity being exceeded.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit storage capacity; information system design documentation; organization-defined audit record storage capacity for information system components that store audit records; list of organization-defined auditable events; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Audit record storage capacity and related configuration settings].


AU-5 RESPONSE TO AUDIT PROCESSING FAILURES


FAMILY: AUDIT AND ACCOUNTABILITY CLASS: TECHNICAL


Security Control Baseline:
AU-5 Response to Audit Processing Failures | Priority: P1 | LOW: AU-5 | MOD: AU-5 | HIGH: AU-5 (1) (2)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/AU-5


ASSESSMENT PROCEDURE
AU-5 RESPONSE TO AUDIT PROCESSING FAILURES
AU-5.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines designated organizational officials to be alerted in the event of an audit processing failure;
(ii) the information system alerts designated organizational officials in the event of an audit processing failure;
(iii) the organization defines additional actions to be taken in the event of an audit processing failure; and
(iv) the information system takes the additional organization-defined actions in the event of an audit processing failure.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing response to audit processing failures; information system design documentation; security plan; information system configuration settings and associated documentation; list of personnel to be notified in case of an audit processing failure; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing information system response to audit processing failures].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/AU-5/1


AU-5(1) RESPONSE TO AUDIT PROCESSING FAILURES
AU-5(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the percentage of maximum audit record storage capacity that, if reached, requires a warning to be provided; and
(ii) the information system provides a warning when the allocated audit record storage volume reaches the organization-defined percentage of maximum audit record storage capacity.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing response to audit processing failures; information system design documentation; security plan; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing audit storage limit warnings].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/AU-5/2


AU-5(2) RESPONSE TO AUDIT PROCESSING FAILURES
AU-5(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines audit failure events requiring real-time alerts; and
(ii) the information system provides a real-time alert when organization-defined audit failure events occur.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing response to audit processing failures; information system design documentation; security plan; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing real-time audit alerts when organization-defined audit failure events occur].
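The three objectives above (AU-5, AU-5(1) and AU-5(2)) describe one mechanism from three sides: a warning when audit storage reaches an organization-defined percentage, a real-time alert for organization-defined failure events, and an organization-defined additional action when auditing fails. The monitor below is an added example and not code from the page or from NIST; the threshold, the alertable event list, the additional action, the alert recipients and the monitor line format are all constructed stand-ins for values a security plan would supply. The one detail worth noting is that the warning is raised once per crossing of the threshold rather than on every sample, so a volume hovering at the limit does not flood the designated officials.

```python
"""AU-5 family: storage-capacity warnings, real-time failure alerts, additional actions.

Added example; not from the FISMApedia page or NIST. Every policy value below is a
constructed placeholder for an organization-defined parameter, and the monitor line
format ("<seq> USAGE <used>/<capacity>" or "<seq> EVENT <name>") is invented for the demo.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditFailurePolicy:
    """Organization-defined parameters (constructed values)."""
    warning_percent: int = 75                       # AU-5(1): percent of max capacity that warrants a warning
    realtime_alert_events: frozenset = frozenset(   # AU-5(2): failure events needing real-time alerts
        {"write_error", "storage_full", "daemon_stopped"})
    on_failure_action: str = "halt_non_audit_processing"  # AU-5 (iii): additional action on failure
    officials: tuple = ("isso@example.invalid",)    # AU-5 (i): designated officials to alert


MONITOR_LINE = re.compile(r"^(\d+) (?:USAGE (\d+)/(\d+)|EVENT (\w+))$")


def storage_percent(used_bytes: int, capacity_bytes: int) -> int:
    """Whole-number percentage of allocated audit storage in use."""
    if capacity_bytes <= 0:
        raise ValueError("audit storage capacity must be positive")
    return used_bytes * 100 // capacity_bytes


def process_monitor_lines(lines, policy: AuditFailurePolicy) -> list:
    """Replay monitor lines and return the ordered list of actions the system should take.

    Each action is a tuple whose first element is one of: "warning", "realtime_alert",
    "additional_action", "log_only", "unparseable".
    """
    actions = []
    above_threshold = False  # re-armed only after usage drops back below the threshold
    for line in lines:
        match = MONITOR_LINE.match(line.strip())
        if not match:
            actions.append(("unparseable", line))
            continue
        seq = int(match.group(1))
        if match.group(2) is not None:
            percent = storage_percent(int(match.group(2)), int(match.group(3)))
            if percent >= policy.warning_percent:
                if not above_threshold:
                    above_threshold = True
                    actions.append(("warning", seq, percent, policy.officials))
            else:
                above_threshold = False
        else:
            event = match.group(4)
            if event in policy.realtime_alert_events:
                actions.append(("realtime_alert", seq, event, policy.officials))
                actions.append(("additional_action", seq, policy.on_failure_action))
            else:
                actions.append(("log_only", seq, event))
    return actions


# Constructed monitor feed: usage climbs past 75%, stays there, falls, climbs again,
# and finally the audit daemon reports a write error.
SAMPLE_MONITOR_LINES = [
    "1 USAGE 500/1000",
    "2 USAGE 760/1000",
    "3 USAGE 800/1000",
    "4 EVENT rotation_completed",
    "5 USAGE 300/1000",
    "6 USAGE 900/1000",
    "7 EVENT write_error",
]

if __name__ == "__main__":
    for action in process_monitor_lines(SAMPLE_MONITOR_LINES, AuditFailurePolicy()):
        print(action)
```

For the AU-5(1) test, feed the mechanism a usage series that crosses the defined percentage and confirm exactly one warning reaches the designated officials; for AU-5(2), inject each listed failure event and confirm the alert is immediate rather than batched into the periodic report.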


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/AU-5/3


AU-5(3) RESPONSE TO AUDIT PROCESSING FAILURES
AU-5(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the information system enforces configurable traffic volume thresholds representing auditing capacity for network traffic;
(ii) the organization defines whether network traffic above the configurable traffic volume thresholds is rejected or delayed; and
(iii) the information system rejects or delays, as defined by the organization, network traffic generated above configurable traffic volume thresholds.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing response to audit processing failures; information system design documentation; security plan; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Information system capability implementing configurable traffic volume thresholds].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/AU-5/4


AU-5(4) RESPONSE TO AUDIT PROCESSING FAILURES
AU-5(4).1 ASSESSMENT OBJECTIVE:
Determine if the information system invokes a system shutdown in the event of an audit failure, unless an alternative audit capability exists.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing response to audit processing failures; information system design documentation; security plan; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Information system capability invoking system shutdown in the event of an audit failure].


AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING


FAMILY: AUDIT AND ACCOUNTABILITY CLASS: TECHNICAL


Security Control Baseline:
AU-6 Audit Review, Analysis, and Reporting | Priority: P1 | LOW: AU-6 | MOD: AU-6 | HIGH: AU-6 (1)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/AU-6


ASSESSMENT PROCEDURE
AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING
AU-6.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of information system audit record reviews and analyses;
(ii) the organization reviews and analyzes information system audit records for indications of inappropriate or unusual activity in accordance with the organization-defined frequency; and
(iii) the organization reports findings of inappropriate/unusual activities to designated organizational officials.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit review, analysis, and reporting; reports of audit findings; records of actions taken in response to reviews/analyses of audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system audit review, analysis, and reporting responsibilities].
Test: [SELECT FROM: Information system audit review, analysis, and reporting capability].
AU-6.2 ASSESSMENT OBJECTIVE:
Determine if the organization adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk to organizational operations, organizational assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit review, analysis, and reporting; threat information documentation from law enforcement, intelligence community, or other sources; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system audit review, analysis, and reporting responsibilities].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/AU-6/1


AU-6(1) AUDIT REVIEW, ANALYSIS, AND REPORTING
AU-6(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system integrates audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit review, analysis, and reporting; information system design documentation; information system configuration settings and associated documentation; procedures for investigating and responding to suspicious activities; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system audit review, analysis, and reporting responsibilities].
Test: [SELECT FROM: Information system capability integrating audit review, analysis, and reporting into an organizational process for investigation and response to suspicious activities].


AU-6(2) AUDIT REVIEW, ANALYSIS, AND REPORTING

[Withdrawn: Incorporated into SI-4].

AU-6(2).1 ASSESSMENT OBJECTIVE:
[Withdrawn: Incorporated into SI-4].
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
[Withdrawn: Incorporated into SI-4].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/AU-6/3


AU-6(3) AUDIT REVIEW, ANALYSIS, AND REPORTING
AU-6(3).1 ASSESSMENT OBJECTIVE:
Determine if the organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit review, analysis, and reporting; information system design documentation; information system configuration settings and associated documentation; information system audit records across different repositories; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system audit review, analysis, and reporting responsibilities].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/AU-6/4


AU-6(4) AUDIT REVIEW, ANALYSIS, AND REPORTING
AU-6(4).1 ASSESSMENT OBJECTIVE:
Determine if the information system centralizes the review and analysis of audit records from multiple components within the system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit review, analysis, and reporting; information system design documentation; information system configuration settings and associated documentation; security plan; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system audit review, analysis, and reporting responsibilities].
Test: [SELECT FROM: Information system capability for centralizing review and analysis of audit records from multiple information system components].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/AU-6/5


AU-6(5) AUDIT REVIEW, ANALYSIS, AND REPORTING
AU-6(5).1 ASSESSMENT OBJECTIVE:
Determine if the organization integrates analysis of audit records with analysis of vulnerability scanning information, performance data, and network monitoring information to enhance the ability to identify inappropriate or unusual activity.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit review, analysis, and reporting; information system design documentation; information system configuration settings and associated documentation; integrated analysis of audit records, vulnerability scanning information, performance data, network monitoring information and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Information system capability for centralizing review and analysis of audit records from multiple information system components].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/AU-6/6


AU-6(6) AUDIT REVIEW, ANALYSIS, AND REPORTING
AU-6(6).1 ASSESSMENT OBJECTIVE:
Determine if the organization correlates information from audit records with information obtained from monitoring physical access to enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit review, analysis, and reporting; information system design documentation; information system configuration settings and associated documentation; documentation providing evidence of correlated information obtained from audit records and physical access monitoring records; security plan; other relevant documents or records].
Test: [SELECT FROM: Information system capability for centralizing review and analysis of audit records from multiple information system components].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/AU-6/7


AU-6(7) AUDIT REVIEW, ANALYSIS, AND REPORTING
AU-6(7).1 ASSESSMENT OBJECTIVE:
Determine if the organization specifies the permitted actions for each authorized information system process, role, and/or user in the audit and accountability policy.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit review, analysis, and reporting; security plan; other relevant documents or records].



AU-6(8) AUDIT REVIEW, ANALYSIS, AND REPORTING

[Withdrawn: Incorporated into SI-4].

AU-6(8).1 ASSESSMENT OBJECTIVE:
[Withdrawn: Incorporated into SI-4].
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
[Withdrawn: Incorporated into SI-4].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/AU-6/9


AU-6(9) AUDIT REVIEW, ANALYSIS, AND REPORTING
AU-6(9).1 ASSESSMENT OBJECTIVE:
Determine if the organization performs full-text analysis of privileged functions executed in a physically dedicated information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit review, analysis, and reporting; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system audit review, analysis, and reporting responsibilities].


AU-7 AUDIT REDUCTION AND REPORT GENERATION


FAMILY: AUDIT AND ACCOUNTABILITY CLASS: TECHNICAL


Security Control Baseline:
AU-7 Audit Reduction and Report Generation | Priority: P2 | LOW: Not Selected | MOD: AU-7 (1) | HIGH: AU-7 (1)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/AU-7


ASSESSMENT PROCEDURE
AU-7 AUDIT REDUCTION AND REPORT GENERATION
AU-7.1 ASSESSMENT OBJECTIVE:
Determine if the information system provides an audit reduction and report generation capability.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit reduction and report generation; information system design documentation; audit reduction, review, and reporting tools; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system audit review, analysis, and reporting responsibilities].
Test: [SELECT FROM: Audit reduction and report generation capability].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/AU-7/1


AU-7(1) AUDIT REDUCTION AND REPORT GENERATION
AU-7(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system provides the capability to automatically process audit records for events of interest based on selectable event criteria.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit reduction and report generation; information system design documentation; information system configuration settings and associated documentation; documented criteria for selectable events to audit; audit reduction, review, and reporting tools; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Audit reduction and report generation capability].


AU-8 TIME STAMPS


FAMILY: AUDIT AND ACCOUNTABILITY CLASS: TECHNICAL


Security Control Baseline:
AU-8 Time Stamps | Priority: P1 | LOW: AU-8 | MOD: AU-8 (1) | HIGH: AU-8 (1)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/AU-8


ASSESSMENT PROCEDURE
AU-8 TIME STAMPS
AU-8.1 ASSESSMENT OBJECTIVE:
Determine if the information system uses internal system clocks to generate time stamps for audit records.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing time stamp generation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing time stamp generation].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/AU-8/1


AU-8(1) TIME STAMPS
AU-8(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of internal clock synchronization for the information system;
(ii) the organization defines the authoritative time source for internal clock synchronization; and
(iii) the organization synchronizes internal information system clocks with the organization-defined authoritative time source in accordance with the organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing time stamp generation; security plan; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing internal information system clock synchronization].


AU-9 PROTECTION OF AUDIT INFORMATION


FAMILY: AUDIT AND ACCOUNTABILITY CLASS: TECHNICAL


Security Control Baseline:
AU-9 Protection of Audit Information | Priority: P1 | LOW: AU-9 | MOD: AU-9 | HIGH: AU-9


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/AU-9


ASSESSMENT PROCEDURE
AU-9 PROTECTION OF AUDIT INFORMATION
AU-9.1 ASSESSMENT OBJECTIVE:
Determine if the information system protects audit information and audit tools from unauthorized:
  • access;
  • modification; and
  • deletion.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing protection of audit information; access control policy and procedures; information system design documentation; information system configuration settings and associated documentation; information system audit records; audit tools; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing audit information protection].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/AU-9/1


AU-9(1) PROTECTION OF AUDIT INFORMATION
AU-9(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system produces audit records on hardware-enforced, write-once media.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing protection of audit information; access control policy and procedures; information system design documentation; information system hardware settings; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Media storage devices to hold audit records].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/AU-9/2


AU-9(2) PROTECTION OF AUDIT INFORMATION
AU-9(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the system or media for storing backup audit records that is a different system or media than the system being audited;
(ii) the organization defines the frequency of information system backups of audit records; and
(iii) the information system backs up audit records, in accordance with the organization-defined frequency, onto organization-defined system or media.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing protection of audit information; security plan; information system design documentation; information system configuration settings and associated documentation; system or media storing backups of information system audit records; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with auditing and accountability responsibilities].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/AU-9/3


AU-9(3) PROTECTION OF AUDIT INFORMATION
AU-9(3).1 ASSESSMENT OBJECTIVE:
Determine if the information system uses cryptographic mechanisms to protect the integrity of audit information and audit tools.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing protection of audit information; access control policy and procedures; information system design documentation; information system hardware settings; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with auditing and accountability responsibilities].
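AU-9(3) names the mechanism (cryptographic integrity protection) without prescribing one. A keyed hash chain is the common implementation and is worth seeing end to end, because its strengths and its one blind spot decide what an assessor should examine. The code below is an added example, not the page's or NIST's; the key, the four records and the tampering scenarios are constructed for the demonstration. Each entry's HMAC covers the previous entry's tag, so editing, deleting or reordering any entry invalidates every later tag. What a chain alone cannot catch is truncation at the end, which is why the head tag has to be anchored somewhere the audited system cannot rewrite: the write-once media of AU-9(1) or the separate backup system of AU-9(2). The example shows both the undetected and the detected case.

```python
"""Integrity protection for audit records with a keyed hash chain (AU-9(3)).

Added example; neither the page's nor NIST's code. The key, the record contents
and the tampering scenarios are constructed for the demonstration.
"""
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32  # the chain starts from a fixed all-zero "previous tag"

# Constructed demo key. A real deployment keeps the key outside the audited system
# (HSM or KMS) so that a privileged local user cannot simply re-seal the chain.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed records; a real system would use the AU-3 fields it actually emits.
AUDIT_RECORDS = [
    {"event_type": "login", "subject": "jdoe", "outcome": "failure", "host": "app01"},
    {"event_type": "login", "subject": "jdoe", "outcome": "failure", "host": "app01"},
    {"event_type": "priv_function", "subject": "root", "outcome": "success", "host": "app01"},
    {"event_type": "logout", "subject": "jdoe", "outcome": "success", "host": "app01"},
]


def _entry_tag(key: bytes, prev_tag: bytes, seq: int, record_json: str) -> bytes:
    """HMAC-SHA256 over (previous tag || sequence number || canonical record)."""
    message = prev_tag + seq.to_bytes(8, "big") + record_json.encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).digest()


def seal_records(key: bytes, records) -> list:
    """Turn plain records into chained entries of the form {"seq", "record", "tag"}."""
    sealed, prev = [], GENESIS
    for seq, record in enumerate(records):
        canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
        tag = _entry_tag(key, prev, seq, canonical)
        sealed.append({"seq": seq, "record": canonical, "tag": tag.hex()})
        prev = tag
    return sealed


def verify_chain(key: bytes, entries, anchor_tag: str = None) -> tuple:
    """Return (ok, index_of_first_problem, reason).

    anchor_tag is the hex tag of the expected last entry as stored off-system;
    supplying it turns silent truncation into a detected failure.
    """
    prev = GENESIS
    for index, entry in enumerate(entries):
        if entry["seq"] != index:
            return (False, index, "sequence gap or reorder")
        expected = _entry_tag(key, prev, index, entry["record"])
        if not hmac.compare_digest(expected, bytes.fromhex(entry["tag"])):
            return (False, index, "tag mismatch: record or chain modified")
        prev = expected
    if anchor_tag is not None and not hmac.compare_digest(prev, bytes.fromhex(anchor_tag)):
        return (False, len(entries), "chain truncated: head tag differs from anchor")
    return (True, None, "chain intact")


def tampering_outcomes(key: bytes, sealed) -> dict:
    """Run the constructed tampering scenarios against a sealed chain."""
    edited = [dict(entry) for entry in sealed]
    edited[1]["record"] = edited[1]["record"].replace('"failure"', '"success"')
    deleted = sealed[:1] + sealed[2:]        # middle entry removed
    truncated = sealed[:-1]                  # newest entry removed
    return {
        "intact": verify_chain(key, sealed),
        "edited": verify_chain(key, edited),
        "deleted": verify_chain(key, deleted),
        "truncated_no_anchor": verify_chain(key, truncated),
        "truncated_with_anchor": verify_chain(key, truncated, anchor_tag=sealed[-1]["tag"]),
    }


if __name__ == "__main__":
    chain = seal_records(DEMO_KEY, AUDIT_RECORDS)
    for scenario, result in tampering_outcomes(DEMO_KEY, chain).items():
        print(f"{scenario:22s} {result}")
```

When examining such a mechanism, the questions that follow from the code are where the key lives and who can use it (AU-9(4) limits that to a subset of privileged users), and where the head tag is anchored; a chain whose key and anchor both sit on the audited host protects against accidental corruption but not against a privileged insider.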


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/AU-9/4


AU-9(4) PROTECTION OF AUDIT INFORMATION
AU-9(4).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization authorizes access to management of audit functionality to only a limited subset of privileged users; and
(ii) the organization protects the audit records of non-local accesses to privileged accounts and the execution of privileged functions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing protection of audit information; access control policy and procedures; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with auditing and accountability responsibilities].


AU-10 NON-REPUDIATION


FAMILY: AUDIT AND ACCOUNTABILITY CLASS: TECHNICAL


Security Control Baseline:
AU-10 Non-repudiation P1 LOW Not Selected MOD Not Selected HIGH AU-10


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/AU-10


ASSESSMENT PROCEDURE
AU-10 NON-REPUDIATION
AU-10.1 ASSESSMENT OBJECTIVE:
Determine if the information system protects against an individual falsely denying having performed a particular action.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing non-repudiation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing non-repudiation capability].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/AU-10/1


AU-10(1) NON-REPUDIATION
AU-10(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system associates the identity of the information producer with the information.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing non-repudiation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing non-repudiation capability].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/AU-10/2


AU-10(2) NON-REPUDIATION
AU-10(2).1 ASSESSMENT OBJECTIVE:
Determine if the information system validates the binding of the information producer's identity to the information.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing non-repudiation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing non-repudiation capability].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/AU-10/3


AU-10(3) NON-REPUDIATION
AU-10(3).1 ASSESSMENT OBJECTIVE:
Determine if the information system maintains reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing non-repudiation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing non-repudiation capability].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/AU-10/4


AU-10(4) NON-REPUDIATION
AU-10(4).1 ASSESSMENT OBJECTIVE:
Determine if the information system validates the binding of the reviewer's identity to the information at the transfer/release point prior to release/transfer from one security domain to another security domain.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing non-repudiation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing non-repudiation capability].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/AU-10/5


AU-10(5) NON-REPUDIATION
AU-10(5).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines whether FIPS-validated or NSA-approved cryptography is employed to implement digital signatures; and
(ii) the organization employs the organization-defined cryptography to implement digital signatures.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing non-repudiation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Cryptographic mechanisms implementing digital signature capability within the information system].
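AU-10 and its enhancements describe one mechanism from several angles: a digital signature that binds the producer's identity to the information (AU-10(1)), a verifier that checks that binding (AU-10(2)), a reviewer's identity carried in the chain of custody (AU-10(3)), and a release point that validates the reviewer's binding before the information crosses a domain boundary (AU-10(4)). The following is an added example for this page, not code from NIST or any product, showing all four steps together. It assumes Go's standard-library Ed25519, a constructed in-memory directory standing in for the organization's PKI or identity store, and constructed sample content. The reviewer's countersignature covers the producer's signature, so it attests to exactly what was reviewed rather than to the content alone.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Directory maps an identity name to the public key a verifier trusts for it.
// It stands in for the PKI or identity store an organization would use.
type Directory map[string]ed25519.PublicKey

// Signed is information with its producer's identity bound to it by a
// signature and, once reviewed, a reviewer's identity bound by a
// countersignature that also covers the producer's signature.
type Signed struct {
	Producer string
	Content  []byte
	ProdSig  []byte
	Reviewer string
	RevSig   []byte
}

// signedBytes is the canonical input each party signs. Role and name are
// included so a signature cannot be re-labelled as someone else's; the
// reviewer's input includes the producer's signature so the countersignature
// attests to what was actually reviewed. The length prefix stops field
// boundaries from being shifted.
func signedBytes(role, name string, content, prior []byte) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%s\x00%s\x00%d\x00", role, name, len(content))
	h.Write(content)
	h.Write(prior)
	return h.Sum(nil)
}

// enroll creates a key pair for name and registers the public key; the private
// key stays with its holder (here simply returned to the caller).
func enroll(dir Directory, name string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dir[name] = pub
	return priv
}

// Produce binds the producer's identity to the content (AU-10(1)).
func Produce(name string, priv ed25519.PrivateKey, content []byte) Signed {
	return Signed{Producer: name, Content: content,
		ProdSig: ed25519.Sign(priv, signedBytes("producer", name, content, nil))}
}

// Review adds the reviewer's identity to the chain of custody (AU-10(3)).
func Review(s Signed, name string, priv ed25519.PrivateKey) Signed {
	s.Reviewer = name
	s.RevSig = ed25519.Sign(priv, signedBytes("reviewer", name, s.Content, s.ProdSig))
	return s
}

// Validate is the check a release point runs before information crosses a
// domain boundary (AU-10(2), AU-10(4)): both bindings must verify against the
// trusted directory, and an unreviewed item is refused.
func Validate(s Signed, dir Directory) error {
	pk, ok := dir[s.Producer]
	if !ok {
		return fmt.Errorf("producer %q not in directory", s.Producer)
	}
	if !ed25519.Verify(pk, signedBytes("producer", s.Producer, s.Content, nil), s.ProdSig) {
		return errors.New("producer binding invalid: content or producer identity was altered")
	}
	if s.Reviewer == "" {
		return errors.New("no reviewer in chain of custody: release refused")
	}
	rk, ok := dir[s.Reviewer]
	if !ok {
		return fmt.Errorf("reviewer %q not in directory", s.Reviewer)
	}
	if !ed25519.Verify(rk, signedBytes("reviewer", s.Reviewer, s.Content, s.ProdSig), s.RevSig) {
		return errors.New("reviewer binding invalid: countersignature does not cover this content and producer")
	}
	return nil
}

func main() {
	dir := Directory{}
	alice, bob := enroll(dir, "alice"), enroll(dir, "bob")
	enroll(dir, "mallory")

	doc := Produce("alice", alice, []byte("constructed sample: release approved for partner X"))
	fmt.Println("unreviewed:   ", Validate(doc, dir))
	released := Review(doc, "bob", bob)
	fmt.Println("reviewed:     ", Validate(released, dir))

	forged := released
	forged.Producer = "mallory" // try to pin the content on someone else
	fmt.Println("re-attributed:", Validate(forged, dir))

	edited := released
	edited.Content = []byte("constructed sample: release approved for everyone")
	fmt.Println("edited:       ", Validate(edited, dir))
}
```

Because the signing key is private to its holder, a verified binding is evidence the holder cannot plausibly disown, which is what distinguishes this from the shared-key integrity check of AU-9(3). Note that AU-10(5) asks a separate question the example does not settle: whether the cryptographic module used is FIPS-validated or NSA-approved is a property of the implementation the organization selects, not of the algorithm, and must be checked against the module's validation status.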


AU-11 AUDIT RECORD RETENTION


FAMILY: AUDIT AND ACCOUNTABILITY CLASS: TECHNICAL


Security Control Baseline:
AU-11 Audit Record Retention P3 LOW AU-11 MOD AU-11 HIGH AU-11


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/AU-11


ASSESSMENT PROCEDURE
AU-11 AUDIT RECORD RETENTION
AU-11.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the retention period for audit records;
(ii) the retention period for audit records is consistent with the records retention policy; and
(iii) the organization retains audit records for the organization-defined time period consistent with the records retention policy to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit record retention; security plan; organization-defined retention period for audit records; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system audit record retention responsibilities].



AU-12 AUDIT GENERATION


FAMILY: AUDIT AND ACCOUNTABILITY CLASS: TECHNICAL


Security Control Baseline:
AU-12 Audit Generation P1 LOW AU-12 MOD AU-12 HIGH AU-12 (1)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/AU-12


ASSESSMENT PROCEDURE
AU-12 AUDIT GENERATION
AU-12.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the information system components that provide audit record generation capability for the list of auditable events defined in AU-2;
(ii) the information system provides audit record generation capability, at organization-defined information system components, for the list of auditable events defined in AU-2;
(iii) the information system allows designated organizational personnel to select which auditable events are to be audited by specific components of the system; and
(iv) the information system generates audit records for the list of audited events defined in AU-2 with the content as defined in AU-3.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit record generation; security plan; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system audit record generation responsibilities].
Test: [SELECT FROM: Automated mechanisms implementing audit record generation capability].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/AU-12/1


AU-12(1) AUDIT GENERATION
AU-12(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the information system produces a system-wide (logical or physical) audit trail of information system audit records;
(ii) the organization defines the information system components from which audit records are to be compiled into the system-wide audit trail;
(iii) the information system compiles audit records from organization-defined information system components into the system-wide audit trail;
(iv) the organization defines the acceptable level of tolerance for relationship between time stamps of individual records in the system-wide audit trail; and
(v) the system-wide audit trail is time-correlated to within the organization-defined level of tolerance to achieve a time ordering of audit records.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit record generation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing audit record generation capability].
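Objectives (iv) and (v) above are the ones most often failed in practice: records from several components are compiled into one trail, but the components' clocks disagree, so the trail's ordering is wrong and the organization-defined tolerance is exceeded without anyone noticing. The following is an added example for this page, not code from NIST or any product, of the check a collector can run. It assumes Go's standard library and constructed sample records from three components reporting to one collector, where one component's clock runs five minutes slow. The collector stamps its own receipt time on each record; the per-component clock offset is estimated as the median of (received minus local), which tolerates a few delayed deliveries, and components whose offset exceeds the tolerance are reported. Note that normal delivery delay is part of the measured offset, so the tolerance must be set above it.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Record is an audit record as the central collector sees it: the timestamp
// the component wrote from its own clock, and the time the collector received it.
type Record struct {
	Component string
	Local     time.Time
	Received  time.Time
	Event     string
}

// clockOffsets estimates each component's clock offset from the collector's
// clock as the median of (Received - Local) over its records.
func clockOffsets(recs []Record) map[string]time.Duration {
	deltas := map[string][]time.Duration{}
	for _, r := range recs {
		deltas[r.Component] = append(deltas[r.Component], r.Received.Sub(r.Local))
	}
	offsets := map[string]time.Duration{}
	for c, ds := range deltas {
		sort.Slice(ds, func(i, j int) bool { return ds[i] < ds[j] })
		offsets[c] = ds[len(ds)/2]
	}
	return offsets
}

// Correlate builds the system-wide, time-ordered trail. Records are ordered by
// their local timestamp corrected onto the collector's clock, and every
// component whose offset exceeds tolerance is reported: until that clock is
// fixed, the trail does not meet the organization-defined tolerance.
func Correlate(recs []Record, tolerance time.Duration) (trail []Record, outOfTolerance map[string]time.Duration) {
	offsets := clockOffsets(recs)
	outOfTolerance = map[string]time.Duration{}
	for c, off := range offsets {
		if off > tolerance || off < -tolerance {
			outOfTolerance[c] = off
		}
	}
	trail = append([]Record(nil), recs...)
	sort.SliceStable(trail, func(i, j int) bool {
		ti := trail[i].Local.Add(offsets[trail[i].Component])
		tj := trail[j].Local.Add(offsets[trail[j].Component])
		return ti.Before(tj)
	})
	return trail, outOfTolerance
}

// sampleRecords is constructed data: three components report to one collector
// with 20 ms delivery delay; "db" runs five minutes slow, the others are on time.
// Sorted by raw local timestamps the db events would appear before the token
// that authorized them.
func sampleRecords() []Record {
	t0 := time.Date(2024, 1, 1, 10, 0, 0, 0, time.UTC)
	lag := 20 * time.Millisecond
	slow := -5 * time.Minute
	mk := func(c string, at, skew time.Duration, ev string) Record {
		return Record{Component: c, Local: t0.Add(at + skew), Received: t0.Add(at + lag), Event: ev}
	}
	return []Record{
		mk("db", 2*time.Second, slow, "SELECT * FROM secrets"),
		mk("idp", 0, 0, "token issued to alice"),
		mk("web", 1*time.Second, 0, "token accepted, session opened"),
		mk("db", 3*time.Second, slow, "UPDATE audit_config SET enabled=0"),
		mk("web", 4*time.Second, 0, "session closed"),
		mk("idp", 5*time.Second, 0, "token revoked"),
	}
}

func main() {
	recs := sampleRecords()
	offsets := clockOffsets(recs)
	trail, bad := Correlate(recs, time.Second)
	for c, off := range bad {
		fmt.Printf("component %s is %v off the collector clock: exceeds tolerance\n", c, off)
	}
	for _, r := range trail {
		corrected := r.Local.Add(offsets[r.Component])
		fmt.Printf("%s  %-4s %s\n", corrected.Format(time.RFC3339Nano), r.Component, r.Event)
	}
}
```

The correction makes the trail readable for an investigation, but it is a workaround, not compliance: the finding for the assessor is the flagged component, and the fix is a disciplined time source, which is what AU-8 is for.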


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/AU-12/2


AU-12(2) AUDIT GENERATION
AU-12(2).1 ASSESSMENT OBJECTIVE:
Determine if the information system produces a system-wide (logical or physical) audit trail composed of audit records in a standardized format.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit record generation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing audit record generation capability].


AU-13 MONITORING FOR INFORMATION DISCLOSURE


FAMILY: AUDIT AND ACCOUNTABILITY CLASS: TECHNICAL


Security Control Baseline:
AU-13 Monitoring for Information Disclosure P0 LOW Not Selected MOD Not Selected HIGH Not Selected


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/AU-13


ASSESSMENT PROCEDURE
AU-13 MONITORING FOR INFORMATION DISCLOSURE
AU-13.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of monitoring open source information for evidence of unauthorized exfiltration or disclosure of organizational information; and
(ii) the organization monitors open source information for evidence of unauthorized exfiltration or disclosure of organizational information in accordance with the organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing information disclosure monitoring; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for monitoring open source information for evidence of unauthorized exfiltration or disclosure].



AU-14 SESSION AUDIT


FAMILY: AUDIT AND ACCOUNTABILITY CLASS: TECHNICAL


Security Control Baseline:
AU-14 Session Audit P0 LOW Not Selected MOD Not Selected HIGH Not Selected


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/AU-14


ASSESSMENT PROCEDURE
AU-14 SESSION AUDIT
AU-14.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the information system provides the capability to capture/record and log all content related to a user session; and
(ii) the information system provides the capability to remotely view/hear all content related to an established user session in real time.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing user session auditing; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing user session auditing capability].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/AU-14/1


AU-14(1) SESSION AUDIT
AU-14(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system initiates session audits at system start-up.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing user session auditing; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing user session auditing capability].


Source