The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and b. Reviews and updates the current: 1. Audit and accountability policy [Assignment: organization-defined frequency]; and 2. Audit and accountability procedures [Assignment: organization-defined frequency].
The organization: a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events]; b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; c. Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and d. Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event].
[Withdrawn: Incorporated into AU-12].
[Withdrawn: Incorporated into AU-12].
The organization reviews and updates the audited events [Assignment: organization-defined frequency].
[Withdrawn: Incorporated into AC-6 (9)].
The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.
The information system generates audit records containing the following additional information: [Assignment: organization-defined additional, more detailed information].
The information system provides centralized management and configuration of the content to be captured in audit records generated by [Assignment: organization-defined information system components].
The organization allocates audit record storage capacity in accordance with [Assignment: organization-defined audit record storage requirements].
The information system off-loads audit records [Assignment: organization-defined frequency] onto a different system or media than the system being audited.
The information system: a. Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].
The information system provides a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit record storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit record storage capacity.
The information system provides an alert in [Assignment: organization-defined real-time period] to [Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment: organization-defined audit failure events requiring real-time alerts].
The information system enforces configurable network communications traffic volume thresholds reflecting limits on auditing capacity and [Selection: rejects; delays] network traffic above those thresholds.
The information system invokes a [Selection: full system shutdown; partial system shutdown; degraded operational mode with limited mission/business functionality available] in the event of [Assignment: organization-defined audit failures], unless an alternate audit capability exists.
The organization: a. Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and b. Reports findings to [Assignment: organization-defined personnel or roles].
The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.
[Withdrawn: Incorporated into SI-4].
The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.
The information system provides the capability to centrally review and analyze audit records from multiple components within the system.
The organization integrates analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity.
The organization correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.
The organization specifies the permitted actions for each [Selection (one or more): information system process; role; user] associated with the review, analysis, and reporting of audit information.
The organization performs a full text analysis of audited privileged commands in a physically distinct component or subsystem of the information system, or other information system that is dedicated to that analysis.
The organization correlates information from nontechnical sources with audit information to enhance organization-wide situational awareness.
The organization adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.
The information system provides an audit reduction and report generation capability that: a. Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and b. Does not alter the original content or time ordering of audit records.
The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records].
The information system provides the capability to sort and search audit records for events of interest based on the content of [Assignment: organization-defined audit fields within audit records].
The information system: a. Uses internal system clocks to generate time stamps for audit records; and b. Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets [Assignment: organization-defined granularity of time measurement].
The information system: (a) Compares the internal information system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source]; and (b) Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than [Assignment: organization-defined time period].
The information system identifies a secondary authoritative time source that is located in a different geographic region than the primary authoritative time source.
The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
The information system writes audit trails to hardware-enforced, write-once media.
The information system backs up audit records [Assignment: organization-defined frequency] onto a physically different system or system component than the system or component being audited.
The information system implements cryptographic mechanisms to protect the integrity of audit information and audit tools.
The organization authorizes access to management of audit functionality to only [Assignment: organization-defined subset of privileged users].
The organization enforces dual authorization for [Selection (one or more): movement; deletion] of [Assignment: organization-defined audit information].
The organization authorizes read-only access to audit information to [Assignment: organization-defined subset of privileged users].
The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed [Assignment: organization-defined actions to be covered by non-repudiation].
The information system: (a) Binds the identity of the information producer with the information to [Assignment: organization-defined strength of binding]; and (b) Provides the means for authorized individuals to determine the identity of the producer of the information.
The information system: (a) Validates the binding of the information producer identity to the information at [Assignment: organization-defined frequency]; and (b) Performs [Assignment: organization-defined actions] in the event of a validation error.
The information system maintains reviewereleaser identity and credentials within the established chain of custody for all information reviewed or released.
The information system: (a) Validates the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer between [Assignment: organization-defined security domains]; and (b) Performs [Assignment: organization-defined actions] in the event of a validation error.
[Withdrawn: Incorporated into SI-7].
The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
The organization employs [Assignment: organization-defined measures] to ensure that long-term audit records generated by the information system can be retrieved.
The information system: a. Provides audit record generation capability for the auditable events defined in AU-2 a. at [Assignment: organization-defined information system components]; b. Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and c. Generates audit records for the events defined in AU-2 d. with the content defined in AU-3.
The information system compiles audit records from [Assignment: organization-defined information system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail].
The information system produces a system-wide (logical or physical) audit trail composed of audit records in a standardized format.
The information system provides the capability for [Assignment: organization-defined individuals or roles] to change the auditing to be performed on [Assignment: organization-defined information system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds].
The organization monitors [Assignment: organization-defined open source information and/or information sites] [Assignment: organization-defined frequency] for evidence of unauthorized disclosure of organizational information.
The organization employs automated mechanisms to determine if organizational information has been disclosed in an unauthorized manner.
The organization reviews the open source information sites being monitored [Assignment: organization-defined frequency].
The information system provides the capability for authorized users to select a user session to captureecord or view/hear.
The information system initiates session audits at system start-up.
The information system provides the capability for authorized users to captureecord and log content related to a user session.
The information system provides the capability for authorized users to remotely view/hear all content related to an established user session in real time.
The organization provides an alternate audit capability in the event of a failure in primary audit capability that provides [Assignment: organization-defined alternate audit functionality].
The organization employs [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries.
The organization requires that the identity of individuals be preserved in cross-organizational audit trails.
The organization provides cross-organizational audit information to [Assignment: organization-defined organizations] based on [Assignment: organization-defined cross-organizational sharing agreements].