AU: Audit And Accountability

Controls

AU-1: Audit And Accountability Policy And Procedures

Baseline(s):

  • Low
  • Moderate
  • High

The organization:

  • Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
      • An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
      • Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and
  • Reviews and updates the current:…

AU-2: Audit Events

Baseline(s):

  • Low
  • Moderate
  • High

The organization:

  • Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events];
  • Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
  • Provides a rationale for why the auditable events are deemed to be…

AU-3: Content Of Audit Records

Baseline(s):

  • Low
  • Moderate
  • High

The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.

AU-4: Audit Storage Capacity

Baseline(s):

  • Low
  • Moderate
  • High

The organization allocates audit record storage capacity in accordance with [Assignment: organization-defined audit record storage requirements].

AU-5: Response To Audit Processing Failures

Baseline(s):

  • Low
  • Moderate
  • High

The information system:

  • Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and
  • Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].

AU-6: Audit Review, Analysis, And Reporting

Baseline(s):

  • Low
  • Moderate
  • High

The organization:

  • Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and
  • Reports findings to [Assignment: organization-defined personnel or roles].

AU-7: Audit Reduction And Report Generation

Baseline(s):

  • Moderate
  • High

The information system provides an audit reduction and report generation capability that:

  • Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and
  • Does not alter the original content or time ordering of audit records.

AU-8: Time Stamps

Baseline(s):

  • Low
  • Moderate
  • High

The information system:

  • Uses internal system clocks to generate time stamps for audit records; and
  • Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets [Assignment: organization-defined granularity of time measurement].

AU-10: Non-Repudiation

Baseline(s):

  • High

The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed [Assignment: organization-defined actions to be covered by non-repudiation].

AU-11: Audit Record Retention

Baseline(s):

  • Low
  • Moderate
  • High

The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.

AU-12: Audit Generation

Baseline(s):

  • Low
  • Moderate
  • High

The information system:

  • Provides audit record generation capability for the auditable events defined in AU-2 a. at [Assignment: organization-defined information system components];
  • Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and
  • Generates audit records for the events defined in AU-2 d.…

AU-13: Monitoring For Information Disclosure

Baseline(s):

(Not part of any baseline)

The organization monitors [Assignment: organization-defined open source information and/or information sites] [Assignment: organization-defined frequency] for evidence of unauthorized disclosure of organizational information.

AU-14: Session Audit

Baseline(s):

(Not part of any baseline)

The information system provides the capability for authorized users to select a user session to capture/record or view/hear.

AU-15: Alternate Audit Capability

Baseline(s):

(Not part of any baseline)

The organization provides an alternate audit capability in the event of a failure in primary audit capability that provides [Assignment: organization-defined alternate audit functionality].

AU-16: Cross-Organizational Auditing

Baseline(s):

(Not part of any baseline)

The organization employs [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries.