AU-9: Protection of Audit Information

CSF v2.0 References:


Previous Version:

Control Statement

  1. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and
  2. Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information.

Supplemental Guidance

Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls.

Control Enhancements

AU-9(5): Dual Authorization


(Not part of any baseline)

Enforce dual authorization for [Assignment (one or more): movement, deletion] of [Assignment: organization-defined audit information].

AU-9(6): Read-only Access


(Not part of any baseline)

Authorize read-only access to audit information to [Assignment: organization-defined subset of privileged users or roles].