NIST 800-171 | AUDIT AND ACCOUNTABILITY
The audit is a key part of NIST 171 requirements especially now with the CMMC certification process.
Retention of records for purpose of audibility is important for these requirements. Retained records also help with the evidence required for investigations and audits.
Audit and Accountability
3.3.1 Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.
Organizations identify event types for which a logging functionality is needed as those events which are significant and relevant to the security of systems and the environments in which those systems operate to meet specific and ongoing auditing needs.
Event types can include:
Failed logons or failed accesses related to systems
Administrative privilege usage
Third-party credential usage.
Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network.
Audit record content that may be necessary to satisfy this requirement includes
Source and destination addresses
Access control or flow control rules invoked
NIST Special Publication 800-92 provides guidance on security log management.
3.3.2 Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.
This requirement ensures that the contents of the audit record include the information needed to link the audit event to the actions of an individual to the extent feasible.
Audit record review, analysis, and reporting covers information security-related logging performed by organizations including:
Logging that results from monitoring of account usage
Mobile device connection
Use of maintenance tools
Temperature and humidity
Equipment delivery and removal
System component inventory
Communications at the system boundaries
Use of mobile code
Use of VoIP
3.3.3 Review and update audited events.
The intent of this requirement is to periodically re-evaluate which of the logged events will continue to be included in the list of events to be logged.
Reviewing and updating the set of logged event types periodically is necessary to ensure that the current set remains necessary and sufficient.
3.3.4 Alert in the event of an audit process failure.
Audit logging process failures include:
Failures in the audit record capturing mechanisms
Audit record storage capacity being reached or exceeded.
3.3.5 Correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity.
Correlating these processes helps to ensure that they do not operate independently but rather collectively.
3.3.6 Provide audit reduction and report generation to support on-demand analysis and reporting.
Audit record reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts.
Audit record reduction and report generation capabilities do not always emanate from the same system or organizational entities conducting auditing activities.
3.3.7 Provide an information system capability that compares and synchronizes internal system clocks with an authoritative source to generate timestamps for audit records.
Time stamps generated by the system include date and time.
Time is expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.
This requirement provides uniformity of time stamps for systems with multiple system clocks and systems connected over a network.
3.3.8 Protect audit information and audit tools from unauthorized access, modification, and deletion.
Audit information includes all information needed to successfully audit system activity.
Audit logging tools are those programs and devices used to conduct audit and logging activities.
This requirement focuses on the technical protection of audit information and limits the ability to access and execute audit logging tools to authorized individuals.
3.3.9 Limit management of audit functionality to a subset of privileged users.
Individuals with privileged access to a system and who are also the subject of an audit by that system, may affect the reliability of audit information by inhibiting audit logging activities or modifying audit records.
This requirement specifies that privileged access be further defined between audit-related privileges and other privileges, thus limiting the users with audit-related privileges.