AU-01-727 Audit and Accountability Policy and Procedures
Audit and Accountability
Detect, Identify
Control Oversight and Safeguard Assurance, Security Monitoring and Event Analysis
LOW, MOD, HIGH
P1
Yes
May 20, 2016
Information resource owners shall ensure an appropriate degree of activity logging is implemented to document critical events which occur on the information resource. These activity logs shall be reviewed on a regular basis (to be determined as part of the risk assessment process) by the information resource custodian or other designated representative.
The chief information security officer shall routinely review all mission-critical information resources to ensure compliance with the Agency-established configuration baseline and appropriate vulnerability management standards.
Critical business processes and sensitive data are compromised due to a flawed audit process.
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and
b. Reviews and updates the current:
1. Audit and accountability policy [Assignment: organization-defined frequency]; and
2. Audit and accountability procedures [Assignment: organization-defined frequency].
The organization has written and documented audit and accountability procedures in place.
The state organization develops, disseminates, and periodically reviews/updates formal, documented procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.
Obtain the audit and accountability policy and procedures and other relevant documents or records, and ascertain whether:
(i) the organization develops and documents audit and accountability policy and procedures;
(ii) the organization disseminates audit and accountability policy and procedures to appropriate elements within the organization;
(iii) responsible parties within the organization periodically review audit and accountability policy and procedures;
(iv) the organization updates audit and accountability policy and procedures when organizational review indicates updates are required;
(v) the audit and accountability policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance;
(vi) the audit and accountability policy is consistent with the organization's mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance; and
(vii) the audit and accountability procedures address all areas identified in the audit and accountability policy and address achieving policy-compliant implementations of all associated audit and accountability controls.