AU-03-727 Content of Audit Records

AU-03-727
Content of Audit Records
Audit and Accountability
Protect
Media, Security Monitoring and Event Analysis
LOW, MOD, HIGH
P1
Yes
August 18, 2016

All audit records shall include the date and time of the event, component of the information resource where the event occurred, the type of event, the user or subject's identity, and the outcome of the event.

The lack of logging mechanisms to record and store user activities, exceptions, and information security events may result in unauthorized access or activity going undetected.
The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.
The organization utilizes logging mechanisms, including the generation of audit reporting records.
Audit record content includes, for most audit records:
• date and time of the event;
• the component of the information system (e.g., software component, hardware component) where the event occurred;
• type of event;
• user/subject identity; and
• the outcome (success or failure) of the event.
NIST Special Publication 800-92 provides guidance on computer security log management.
Obtain audit and accountability policy; procedures addressing content of audit records; information system design documentation; security plan; information system configuration settings and associated documentation; other relevant documents or records and ascertain if:
(i) the information system audit records capture sufficient information to establish what events occurred;
(ii) the information system audit records capture sufficient information to establish the sources of the events;
(iii) the information system audit records capture sufficient information to establish the outcomes of the events; and
(iv) the information system provides the capability to include additional, more detailed information in the audit records for audit events identified by type, location, or subject.