AU-12(4): Query Parameter Audits of Personally Identifiable Information

Control Family:

Audit and Accountability

Parent Control:

AU-12: Audit Record Generation

CSF v1.1 References:

PR.PT-1
DE.CM-1
DE.CM-3
DE.CM-7

Threats Addressed:

Information Disclosure

Baselines:

(Not part of any baseline)

Control is new to this version of the control set.

Control Statement

Provide and implement the capability for auditing the parameters of user query events for data sets containing personally identifiable information.

Supplemental Guidance

Query parameters are explicit criteria that an individual or automated system submits to a system to retrieve data. Auditing of query parameters for datasets that contain personally identifiable information augments the capability of an organization to track and understand the access, usage, or sharing of personally identifiable information by authorized personnel.