OVERVIEW

This policy document provides security policy statements and a commitment to develop, implement, and maintain an Information Security Audit and Accountability Policy and procedures that protect information and critical resources from a wide range of threats, in order to ensure business continuity and minimize business risk to information systems and data.

AUDIT EVENTS (AU-2)

The following events shall be logged by the information system:

  • Information System Login (Authentication check, authorization check, data access)
  • Modification to User Privileges (Permission changes)
  • Modification to System Configuration (Administrator activity, data deletions, data changes)

Events are logged for consumption into a SIEM (Security Information and Event Management) system. Logs from information system servers are aggregated into a centralized SIEM in order to provide a central resource for any audit-related activities.

The events defined in this section have been determined by the security team (PL002) to be adequate to support after-the-fact investigations of security incidents and also adequate for a quarterly audit.

CONTENT OF AUDIT RECORDS (AU-3)

The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.

AUDIT STORAGE CAPACITY (AU-4)

The organization allocates audit record storage capacity to store logs/events for a minimum of 90 days.

RESPONSE TO AUDIT PROCESSING FAILURES (AU-5)

The SIEM shall be set up to alert the data center operations team in the event of a log/audit processing failure.

The data center operations team shall immediately investigate the failure and resolve it if possible (e.g. add more disk capacity) or escalate to the engineering team for assistance with resolution. If the issue cannot be resolved within 2 hours, the information system shall be taken offline.

AUDIT REVIEW, ANALYSIS, AND REPORTING (AU-6)

The data center operations team shall continuously review and analyze information system log/audit records for indications of unusual activity during the work day. This includes review of logs from after the end of the prior work day.

Any findings shall be reported to the security team (PL002) via the Change Management Process within 24 hours of discovery.

A quarterly audit of captured logs shall be manually performed.

TIME STAMPS (AU-8)

  1. All logs shall use internal system clocks to generate time stamps for log/audit records.
  2. Time stamps for audit records are captured in Coordinated Universal Time (UTC) with a minimum granularity of 1/100 of a second.

PROTECTION OF AUDIT INFORMATION (AU-9)

The information system protects audit information and audit tools from unauthorized access, modification, and deletion. Reference Access Control Policy.

AUDIT RECORD RETENTION (AU-11)

The organization retains audit records for a minimum of 90 days to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.

AUDIT GENERATION (AU-12)

  1. All components of the information system shall be capable of generating the events defined in AU-2 and shall be compatible with the SIEM so that events can be aggregated to a central system.
  2. The SIEM shall allow the security team to select which auditable events are to be audited by specific components of the information system.
  3. The SIEM shall be able to generate audit records for the events defined in AU-2 and with the content defined in AU-3.

AUDIT

  • Quarterly Management Review (MR002) includes review of all logged findings.
  • Quarterly Management Review (MR002) includes a manual audit of SIEM logs. Any irregularities shall be logged using the Change Management Process.
  • Annual Management Review (MR001) includes review of this policy.