Doc:NIST SP 800-53Ar1 Appendix F/Enhanced/AU/Low

Template:Doc:NIST SP 800-53r3 Appendix F/AU-1

Determine if: (i) the organization develops and formally documents audit and accountability policy; (ii) the organization audit and accountability policy addresses: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; and compliance; (iii) the organization disseminates formal documented audit and accountability policy to elements within the organization having associated audit and accountability roles and responsibilities; (iv) the organization develops and formally documents audit and accountability procedures; (v) the organization audit and accountability procedures facilitate implementation of the audit and accountability policy and associated audit and accountability controls; and (vi) the organization disseminates formal documented audit and accountability procedures to elements within the organization having associated audit and accountability roles and responsibilities.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Audit and accountability policy and procedures; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with audit and accountability responsibilities].

Determine if: (i) the organization defines the frequency of audit and accountability policy reviews/updates; (ii) the organization reviews/updates audit and accountability policy in accordance with organization-defined frequency; (iii) the organization defines the frequency of audit and accountability procedure reviews/updates; and (iv) the organization reviews/updates audit and accountability procedures in accordance with organization-defined frequency.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Audit and accountability policy and procedures; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with audit and accountability responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/AU-2

Determine if: (i) the organization defines the list of events the information system must be capable of auditing based on a risk assessment and mission/business needs; (ii) the organization coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and help guide the selection of auditable events; (iii) the organization provides a rationale for why the list of auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; (iv) the organization defines the subset of auditable events defined in (i) that are to be audited within the information system and the frequency of (or situation requiring) auditing for each identified event; and (v) the organization determines, based on current threat information and ongoing assessment of risk, the subset of auditable events defined in (i) to be audited within the information system, and the frequency of (or situation requiring) auditing for each identified event .

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Audit and accountability policy; procedures addressing auditable events; security plan; information system configuration settings and associated documentation; information system audit records; list of information system auditable events; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with auditing and accountability responsibilities].

Test: [SELECT FROM: Automated mechanisms implementing information system auditing of organization-defined auditable events].

Template:Doc:NIST SP 800-53r3 Appendix F/AU-3

Determine if the information system produces audit records that contain sufficient information to, at a minimum, establish: what type of event occurred; when (date and time) the event occurred; where the event occurred; the source of the event; the outcome (success or failure) of the event; and the identity of any user/subject associated with the event.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Audit and accountability policy; procedures addressing content of audit records; list of organization-defined auditable events; information system audit records; information system incident reports; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing information system auditing of auditable events].

Template:Doc:NIST SP 800-53r3 Appendix F/AU-4

Determine if: (i) the organization allocates audit record storage capacity; and (ii) the organization configures auditing to reduce the likelihood of audit record storage capacity being exceeded.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit storage capacity; information system design documentation; organization-defined audit record storage capacity for information system components that store audit records; list of organization-defined auditable events; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Audit record storage capacity and related configuration settings].

Template:Doc:NIST SP 800-53r3 Appendix F/AU-5

Determine if: (i) the organization defines designated organizational officials to be alerted in the event of an audit processing failure; (ii) the information system alerts designated organizational officials in the event of an audit processing failure; (iii) the organization defines additional actions to be taken in the event of an audit processing failure; and (iv) the information system takes the additional organization-defined actions in the event of an audit processing failure.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Audit and accountability policy; procedures addressing response to audit processing failures; information system design documentation; security plan; information system configuration settings and associated documentation; list of personnel to be notified in case of an audit processing failure; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing information system response to audit processing failures].

Template:Doc:NIST SP 800-53r3 Appendix F/AU-6

Determine if: (i) the organization defines the frequency of information system audit record reviews and analyses; (ii) the organization reviews and analyzes information system audit records for indications of inappropriate or unusual activity in accordance with the organization-defined frequency; and (iii) the organization reports findings of inappropriate/unusual activities, to designated organizational officials.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit review, analysis, and reporting; reports of audit findings; records of actions taken in response to reviews/analyses of audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system audit review, analysis, and reporting responsibilities].

Test: [SELECT FROM: Information system audit review, analysis, and reporting capability].

Determine if the organization adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk to organizational operations, organizational assets, individuals, other organizations, or the Nation based on law enforcement information , intelligence information, or other credible sources of information.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit review, analysis, and reporting; threat information documentation from law enforcement, intelligence community, or other sources; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system audit review, analysis, and reporting responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/AU-8

Determine if the information system uses internal system clocks to generate time stamps for audit records.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Audit and accountability policy; procedures addressing time stamp generation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing time stamp generation].

Template:Doc:NIST SP 800-53r3 Appendix F/AU-9

Determine if the information system protects audit information and audit tools from unauthorized: access; modification; and deletion.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Audit and accountability policy; procedures addressing protection of audit information; access control policy and procedures; information system design documentation; information system configuration settings and associated documentation, information system audit records; audit tools; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing audit information protection].

Template:Doc:NIST SP 800-53r3 Appendix F/AU-11

Determine if: (i) the organization defines the retention period for audit records; (ii) the retention period for audit records is consistent with the records retention policy; and (iii) the organization retains audit records for the organization-defined time period consistent with the records retention policy to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit record retention; security plan; organization-defined retention period for audit records; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system audit record retention responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/AU-12

Determine if: (i) the organization defines the information system components that provide audit record generation capability for the list of auditable events defined in AU-2; (ii) the information system provides audit record generation capability, at organization-defined information system components, for the list of auditable events defined in AU-2; (iii) the information system allows designated organizational personnel to select which auditable events are to be audited by specific components of the system; and (iv) the information system generates audit records for the list of audited events defined in AU-2 with the content as defined in AU-3..

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit record generation; security plan; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system audit record generation responsibilities].

Test: [SELECT FROM: Automated mechanisms implementing audit record generation capability].