AU-02-727 Audit Events

Audit and Accountability
Detect, Identify
Control Oversight and Safeguard Assurance, Security Monitoring and Event Analysis
LOW, MOD, HIGH
P1
Yes
August 18, 2016

All Agency-owned information resources shall adopt Center for Internet Security (CIS) Benchmarks Level I standards for audit event policies where possible. Where no benchmark is available, systems shall, at a minimum, log successes for all process-related security events, and both successes and failures for all user-related security events.

Unauthorized access and activity go undetected because log information is incomplete.
The organization:
a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events];
b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
c. Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and
d. Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event].
The organization monitors the use of information systems, maintains security-related system logs, and retains logs in accordance with the organization's records retention schedules.
Information resources systems shall provide the means whereby authorized personnel have the ability to audit and establish individual accountability for any action that can potentially cause access to, generation of, or modification of confidential information, or affect its release. Appropriate audit trails shall be maintained to provide accountability for updates to mission-critical information, hardware and software, and for all changes to automated security or access rules. Based on the risk assessment, a sufficiently complete history of transactions shall be maintained to permit an audit of the information resources system by logging and tracing the activities of individuals through the system.
Obtain the audit and accountability policy; procedures addressing auditable events; security plan; information system configuration settings and associated documentation; information system audit records; list of organization-defined auditable events; list of privileged security functions; and other relevant documents or records, and ascertain whether:
(i) the organization defines in the security plan, explicitly or by reference, information system auditable events;
(ii) the organization-defined auditable events include those deemed by the organization to be adequate to support after-the-fact investigations of security incidents;
(iii) the information system generates audit records for the organization-defined auditable events;
(v) the organization decides, based upon a risk assessment, which events require auditing on a continuous basis and which events require auditing in response to specific situations;
(vi) the organization periodically reviews and updates the list of organization-defined auditable events; and
(vii) the organization includes execution of privileged functions in the list of events to be audited by the information system.