AU-6: Audit Review, Analysis, And Reporting
Next Version:
- NIST Special Publication 800-53 Revision 5:
- AU-6: Audit Record Review, Analysis, and Reporting
Control Statement
The organization:
- Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and
- Reports findings to [Assignment: organization-defined personnel or roles].
Supplemental Guidance
Audit review, analysis, and reporting covers information security-related auditing performed by organizations including, for example, auditing that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at the information system boundaries, use of mobile code, and use of VoIP. Findings can be reported to organizational entities that include, for example, incident response team, help desk, information security group/department. If organizations are prohibited from reviewing and analyzing audit information or unable to conduct such activities (e.g., in certain national security applications or systems), the review/analysis may be carried out by other organizations granted such authority.
Control Enhancements
AU-6(1): Process Integration
Baseline(s):
- Moderate
- High
The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.
AU-6(3): Correlate Audit Repositories
Baseline(s):
- Moderate
- High
The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.
AU-6(4): Central Review And Analysis
Baseline(s):
The information system provides the capability to centrally review and analyze audit records from multiple components within the system.
AU-6(5): Integration / Scanning And Monitoring Capabilities
Baseline(s):
- High
The organization integrates analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity.
AU-6(6): Correlation With Physical Monitoring
Baseline(s):
- High
The organization correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.
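Worked example (added here; not part of NIST SP 800-53 or any official implementation guidance): a small offline review script that illustrates the base control AU-6 together with enhancements AU-6(3) and AU-6(6). It parses audit records from two constructed repositories (a remote-access gateway log and a physical badge-reader log), checks them against organization-defined indications of unusual activity (a burst of failed logins, a privileged command outside business hours, and a remote login while the same user is badged in on site), and routes each finding to an assigned role. The log format, hostnames, user names, thresholds, business hours and role assignments are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Organization-defined parameters (assumed values for this example).
FAILED_LOGIN_THRESHOLD = 5                   # failures per user within FAILED_LOGIN_WINDOW
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = range(8, 18)                # 08:00-17:59 UTC counts as normal
BADGE_CORRELATION_WINDOW = timedelta(hours=2)

# AU-6b: finding type -> organization-defined role that receives the report.
REPORT_ROUTING = {
    "failed_login_burst": "help desk",
    "off_hours_privileged_command": "information security group",
    "remote_login_while_badged_in": "incident response team",
}

# Constructed sample records: "timestamp host user event [detail]".
REMOTE_ACCESS_LOG = """\
2024-03-04T01:12:09Z vpn-gw01 alice LOGIN_SUCCESS src=203.0.113.7
2024-03-04T01:13:40Z vpn-gw01 alice PRIV_CMD cmd=sudo useradd svc-tmp
2024-03-04T02:02:11Z vpn-gw01 bob LOGIN_FAIL src=198.51.100.9
2024-03-04T02:02:30Z vpn-gw01 bob LOGIN_FAIL src=198.51.100.9
2024-03-04T02:03:05Z vpn-gw01 bob LOGIN_FAIL src=198.51.100.9
2024-03-04T02:03:41Z vpn-gw01 bob LOGIN_FAIL src=198.51.100.9
2024-03-04T02:04:19Z vpn-gw01 bob LOGIN_FAIL src=198.51.100.9
2024-03-04T09:15:00Z vpn-gw01 carol LOGIN_SUCCESS src=192.0.2.44
2024-03-04T10:20:00Z vpn-gw01 carol PRIV_CMD cmd=sudo systemctl restart nginx
"""
BADGE_LOG = """\
2024-03-04T01:05:30Z door-hq-east alice BADGE_IN
2024-03-04T06:40:12Z door-hq-east dave BADGE_IN
"""

RECORD_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)(?: (.*))?$")


def parse_records(text):
    """Parse 'timestamp host user event [detail]' lines into dicts sorted by time."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line; a real review would report these too
        ts, host, user, event, detail = m.groups()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "host": host, "user": user, "event": event, "detail": detail or "",
        })
    return sorted(records, key=lambda r: r["ts"])


def failed_login_bursts(records):
    """AU-6a: at least FAILED_LOGIN_THRESHOLD failures for one user inside the window."""
    findings = []
    by_user = defaultdict(list)
    for r in records:
        if r["event"] == "LOGIN_FAIL":
            by_user[r["user"]].append(r["ts"])   # already time-ordered
    for user, times in by_user.items():
        for start in times:
            hits = [t for t in times if start <= t <= start + FAILED_LOGIN_WINDOW]
            if len(hits) >= FAILED_LOGIN_THRESHOLD:
                findings.append(("failed_login_burst", user,
                                 f"{len(hits)} failures starting {start.isoformat()}"))
                break   # one finding per user is enough for the report
    return findings


def off_hours_privileged_commands(records):
    """AU-6a: privileged commands issued outside organization-defined business hours."""
    return [("off_hours_privileged_command", r["user"],
             f"{r['detail']} at {r['ts'].isoformat()}")
            for r in records
            if r["event"] == "PRIV_CMD" and r["ts"].hour not in BUSINESS_HOURS]


def remote_logins_while_badged_in(remote_records, badge_records):
    """AU-6(3)/(6): correlate two repositories. A remote login close in time to a
    badge-in by the same user is an indication the account may be in use by
    someone other than the person on site. Badge-out events are not modelled here."""
    findings = []
    badge_ins = [b for b in badge_records if b["event"] == "BADGE_IN"]
    for r in remote_records:
        if r["event"] != "LOGIN_SUCCESS":
            continue
        for b in badge_ins:
            if b["user"] == r["user"] and abs(r["ts"] - b["ts"]) <= BADGE_CORRELATION_WINDOW:
                findings.append(("remote_login_while_badged_in", r["user"],
                                 f"remote login {r['detail']} at {r['ts'].isoformat()} "
                                 f"while badged in at {b['host']} at {b['ts'].isoformat()}"))
                break
    return findings


def review_and_report(remote_text, badge_text):
    """AU-6a/b: run the review and group findings by the role that receives them.
    Returns {role: [finding line, ...]}."""
    remote = parse_records(remote_text)
    badge = parse_records(badge_text)
    findings = (failed_login_bursts(remote)
                + off_hours_privileged_commands(remote)
                + remote_logins_while_badged_in(remote, badge))
    report = defaultdict(list)
    for kind, user, detail in findings:
        report[REPORT_ROUTING[kind]].append(f"[{kind}] user={user}: {detail}")
    return dict(report)


if __name__ == "__main__":
    for role, items in review_and_report(REMOTE_ACCESS_LOG, BADGE_LOG).items():
        print(f"Report to {role}:")
        for item in items:
            print("  " + item)
```

On the sample data the script reports bob's failed-login burst to the help desk, alice's off-hours privileged command to the information security group, and alice's remote login during her badge-in to the incident response team; carol's daytime activity and dave's badge-in with no remote login produce nothing. The thresholds, business hours and routing table stand in for the assignments the control leaves to the organization; in practice they would come from the organization's own audit policy rather than being hard-coded.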
AU-6(7): Permitted Actions
Baseline(s):
The organization specifies the permitted actions for each [Selection (one or more): information system process; role; user] associated with the review, analysis, and reporting of audit information.
AU-6(8): Full Text Analysis Of Privileged Commands
Baseline(s):
The organization performs a full text analysis of audited privileged commands in a physically distinct component or subsystem of the information system, or other information system that is dedicated to that analysis.
AU-6(9): Correlation With Information From Nontechnical Sources
Baseline(s):
The organization correlates information from nontechnical sources with audit information to enhance organization-wide situational awareness.
AU-6(10): Audit Level Adjustment
Baseline(s):
The organization adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.