AU-06-727 Audit Review, Analysis, and Reporting

Audit and Accountability
Protect
Media, Security Monitoring and Event Analysis
LOW, MOD, HIGH
P1
Yes
January 20, 2018

Audit records shall be reviewed by the information resource custodian on a routine basis, or immediately upon receipt of an alert event. Any alert events that indicate suspicious behavior shall be reported to the chief information security officer as a potential security incident immediately upon discovery.

Audit findings are not effectively communicated or resolved by management.
The organization: a. Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and b. Reports findings to [Assignment: organization-defined personnel or roles].
A reporting structure is defined and records are periodically promoted to specific management personnel for review, as applicable.
The state organization regularly reviews/analyzes information system audit records for indications of inappropriate or unusual activity, investigates suspicious activity or suspected violations, reports findings to appropriate officials, and takes necessary actions.
Obtain audit and accountability policy; procedures addressing audit monitoring, analysis, and reporting; threat information documentation from law enforcement, intelligence community, or other sources; information system configuration settings and associated documentation; information system audit records; reports of audit findings; records of actions taken in response to reviews/analyses of audit records; other relevant documents or records and ascertain if: (i) the organization regularly reviews/analyzes audit records for indications of inappropriate or unusual activity; (ii) the organization investigates suspicious activity or suspected violations; (iii) the organization reports findings of inappropriate/unusual activities, suspicious behavior, or suspected violations to appropriate officials; and (iv) the organization takes necessary actions in response to the reviews/analyses of audit records.