Policies Section

Audit and Accountability Controls (from NIST)

This list of audit and accountability controls, with descriptions, is meant to tie each control to an activity or behavior. For NIST's descriptions, see NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems.

  • Audit and accountability policy and procedures - Provides information about roles, responsibilities, and compliance regarding auditing. It addresses auditing of security controls, including checks that server maintenance is performed properly and has controls to ensure this, that security policies are being enforced, etc. The policy may set the level and detail of auditing and specify the types of events that should be audited. (low)
  • Auditable events - Computer systems audit activities such as system events, application events, and security events, including user logon and logoff times. The organization must decide which events should be monitored. The amount and detail of logging affect system performance and storage, so a balance must be found. Lists of auditable events are provided at Practices and Checklists / Implementation Guides. (low)
  • Content of audit records - The organization must decide what detail should be provided about the events that are audited. Information provided should detail the time of the event, the event outcome, the event source, and the type of event. (low)
  • Audit storage capacity - The systems must be managed to allow sufficient storage for audited events for a minimum period of time as specified by the organization. (low)
  • Audit processing - Management and administrators are notified when the system reaches its limit of storage capacity and the audit logs are full. The system will need to be set to overwrite the oldest audit records, stop recording audits, or shut down. (low)
  • Audit monitoring, analysis, and reporting - Audit logs are regularly reviewed and monitored for suspicious activity or events. Suspicious events or activities are investigated. Tools may be used to help automate and expedite the auditing process. (moderate)
  • Audit reduction and report generation - Tools are used to expedite the use of the audit logs. These tools support investigations and do not modify audit logs. (moderate)
  • Time stamps - All audit logs have the time of the event recorded. (moderate)
  • Protection of audit information - Only specific individuals can view audit logs and the logs are protected from unauthorized modification, deletion, or access. (low)
  • Non-repudiation - The audit (system) logs can be used to prove that a specific action was taken by a specific individual. (moderate)
  • Audit retention - The organization decides how long logs will be retained, either on backup media or on the active system. (low)