AU-05-727 Response to Audit Processing Failures

AU-05-727
Response to Audit Processing Failures
Audit and Accountability
Protect
Media, Security Monitoring and Event Analysis
LOW, MOD, HIGH
P1
Yes
August 18, 2016

All Agency-owned information resources shall adopt Center for Internet Security (CIS) Benchmarks Level I standards for audit processing failure policies where possible. If a benchmark is not available, the information resource shall overwrite the oldest audit records and alert the information resource custodian to the occurrence.
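On a Linux host the behaviour this policy asks for (overwrite the oldest audit records, alert the custodian) is set in auditd.conf. The checker below is an added example, not part of this control record or of any CIS Benchmark: it parses an auditd.conf fragment and reports settings that would silently drop or suspend auditing instead of rotating and alerting. The key names and permitted values are those documented in auditd.conf(5); which keys must alert and which must rotate is this example's own mapping of the policy, and the two configuration samples are constructed for illustration.

```python
"""Check an auditd.conf fragment against the audit-processing-failure policy:
on failure, alert the custodian and overwrite (rotate out) the oldest records.

Added example; not part of the original record or of any CIS Benchmark.
Key names and values follow auditd.conf(5); the policy mapping is an assumption.
"""

# *_action values that notify someone, or hand off to a script that can.
ALERTING_ACTIONS = {"email", "syslog", "exec"}

# Policy mapping (assumption): low-space thresholds must alert; the file-size
# limit and a full disk must rotate, which is how auditd discards the oldest
# log beyond num_logs instead of suspending or ignoring.
MUST_ALERT = ("space_left_action", "admin_space_left_action")
MUST_ROTATE = ("max_log_file_action", "disk_full_action")


def parse_auditd_conf(text):
    """Parse 'key = value' lines; blanks and '#' comments are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value.lower()
    return settings


def check_failure_policy(text):
    """Return a list of findings; an empty list means the fragment complies."""
    s = parse_auditd_conf(text)
    findings = []
    for key in MUST_ALERT:
        action = s.get(key)  # None when the key is absent from the fragment
        if action not in ALERTING_ACTIONS:
            findings.append(f"{key}={action or 'unset'}: no alert when space runs low")
    for key in MUST_ROTATE:
        action = s.get(key)
        if action != "rotate":
            findings.append(f"{key}={action or 'unset'}: oldest records not overwritten")
    # An email action with no recipient is an alert that never reaches anyone.
    if any(s.get(k) == "email" for k in MUST_ALERT) and not s.get("action_mail_acct"):
        findings.append("action_mail_acct is unset: email alerts have no recipient")
    return findings


# Constructed sample: suspends or ignores on failure, never rotates.
WEAK_CONF = """
max_log_file_action = keep_logs
space_left_action = ignore
admin_space_left_action = suspend
disk_full_action = suspend
"""

# Constructed sample that satisfies the policy stated above.
HARDENED_CONF = """
max_log_file_action = ROTATE
num_logs = 5
space_left_action = EMAIL
action_mail_acct = root
admin_space_left_action = SYSLOG
disk_full_action = ROTATE
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = check_failure_policy(conf)
        print(f"{name}: {'compliant' if not findings else 'non-compliant'}")
        for f in findings:
            print("  -", f)
```

Running the script on a real host would mean passing the contents of /etc/audit/auditd.conf to check_failure_policy; the findings list is what an auditor would attach as evidence for assessment item (iii) below.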

Unauthorized system activities are undetected because of inconsistent audit log monitoring.
The information system: a. Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].
Automated alerts are generated and provided to state organization personnel in the event of an audit failure.
The information system alerts appropriate organizational officials in the event of an audit processing failure.
Obtain the audit and accountability policy; procedures addressing response to audit processing failures; information system design documentation; security plan; information system configuration settings and associated documentation; the list of personnel to be notified in case of an audit processing failure; information system audit records; and other relevant documents or records, and ascertain whether (i) the organization defines in the security plan, explicitly or by reference, the actions to be taken in the event of an audit processing failure; (ii) the organization defines in the security plan, explicitly or by reference, the personnel to be notified in case of an audit processing failure; and (iii) the information system alerts appropriate organizational officials and takes any additional organization-defined actions in the event of an audit failure, including audit storage capacity being reached or exceeded.