Audit logging requirements



All of the below content is deprecated in favor of the policy kit. Kept only for historical purposes, but please do not attempt to implement based on the below.

Previous Content


The Federal Information Security Management Act of 2002 ("FISMA", 44 U.S.C. § 3541, et seq.) is a United States federal law enacted in 2002 as Title III of the E‐Government Act of 2002 (Pub.L. 107‐347, 116 Stat. 2899). The Act is meant to bolster computer and network security within the Federal Government and affiliated parties (such as government contractors) by mandating information security controls and periodic audits.

NIST in FISMA Compliance

The National Institute of Standards and Technology (NIST) is chartered with developing and issuing standards, guidelines, and other publications which federal agencies must follow to implement FISMA and manage cost‐effective programs to protect their information and information systems. NIST Special Publications (SP) 800‐series combined with NIST’s FIPS 199 and FIPS 200 create the risk‐based framework which federal agencies and systems use to assess, select, monitor and document security controls for their information systems.

Audit and Accountability Policies

Components shall ensure that audit records contain sufficient detail to facilitate the reconstruction of events if a compromise or malfunction occurs or is suspected. Audit records shall be reviewed as specified in the SSP. The audit record shall contain at least the following information:

  • Identity of each user and/or component attempting to access the information system, including but not limited to:
    • user_id, client_service, access_Token, grant_type, client_ID, authenticationInfo (object), authorizationInfo (object)
  • Time and date of the access and of the logoff
  • Activities that might modify, bypass, or negate information security safeguards
  • Event details, namely event success or failure and a description
  • Security-relevant actions associated with processing
  • All activities performed using an administrator’s identity
  • Any access to system functions or audit trails
  • Activation or cessation of system functions or processes

Audit logging toolkit for Node.js. Choose a storage or notification strategy by utilizing one or more extendable transport systems. Automate log creation by utilizing plugins for common libraries such as CouchDB (CRUD logging via model plugin) and Express (access logging via route middleware).

- Develop a detailed audit logging strategy that meets FISMA and NIST requirements across the code base

- Configure the library, add a transport system, identify the CouchDB instance and its configuration

- Configure the retention policy per NIST guidance: 180 days online, 7 years offline

- Create behavior-based modeling for privacy enforcement

- Proactive alerting of potential issues

- Accurate search and investigative functionality on the SIEM

- Develop statistical, pattern-based and rule-based correlation rules over log events across GPII components, critical applications and systems

- Develop early detection of security/privacy breaches

- Automated reporting/alerting

Components shall evaluate the system risks associated with extracts of PII from databases. If the risk is determined to be sufficiently high, a procedure shall be developed for logging computer-readable data extracts. If logging these extracts is not possible, this determination shall be documented, and compensating controls identified in the SSP.

Component SOCs shall implement both general and threat-specific logging.

- Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction.

- Systems should record logs in a standardized format such as syslog entries.

Audit and Accountability Policy and Procedures (AU-1)

The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: 

a. A formal, documented audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 

b. Formal, documented procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls. 

Auditable Events (AU-2)

The organization: 

a. Determines based on a risk assessment and mission/business needs, that the information system must be capable of auditing the following events: [Assignment: organization-defined list of auditable events]; 

b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; 

c. Provides a rationale for why the list of auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and 

d. Determines, based on current threat information and ongoing assessment of risk, that the following events are to be audited within the information system: [Assignment: organization-defined subset of the auditable events defined in AU-2 a. to be audited along with the frequency of (or situation requiring) auditing for each identified event]. 

Content of Audit Records (AU-3)

The information system produces audit records that contain sufficient information to, at a minimum, establish what type of event occurred, when (date and time) the event occurred, where the event occurred, the source of the event, the outcome (success or failure) of the event, and the identity of any user/subject associated with the event. 

Control Enhancements: 

(1) The information system includes [Assignment: organization-defined additional, more detailed information] in the audit records for audit events identified by type, location, or subject. 

(2) The organization centrally manages the content of audit records generated by [Assignment: organization-defined information system components]. 


- Identity of each user and device accessing or attempting to access the GPII

- Time and date of the access and the logoff (The audit records will be time stamped using the clocks provided with each of component’s respective operating system).

- Activities that might modify, bypass, or negate IT security safeguards

- Security-relevant actions associated with processing

- All activities performed using an administrator’s identity  

Audit Storage Capacity (AU-4)

The system allocates audit record storage capacity and configures auditing to reduce the likelihood of such capacity being exceeded. 

Implementation: The GPII will be developed to allocate audit record storage capacity and configure auditing to reduce the likelihood of such capacity being exceeded. 

Response to Audit Processing Failures (AU-5)

The system: 

a. Alerts designated organizational officials in the event of an audit processing failure; and 

b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)]. 

Audit Review, Analysis, and Reporting (AU-6)

The organization: 

a. Reviews and analyzes information system audit records for indications of inappropriate or unusual activity, and reports findings to designated organizational officials; and 

b. Adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk to organizational operations, organizational assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information. 

Control Enhancements: 

(1) The information system integrates audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities. 

“Reviews and analyzes information system audit records for indications of inappropriate or unusual activity” at an “organization-defined frequency”.

Audit Reduction and Report Generation (AU-7)

The information system provides an audit reduction and report generation capability. 

Control Enhancements: 

(1) The information system provides the capability to automatically process audit records for events of interest based upon selectable, event criteria. 
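As an added example (not code from the wiki page or from GPII), audit reduction by selectable event criteria as in AU-7(1), combined with one rule-based correlation of the kind the planning list earlier calls for: a sliding-window count of matching records per key. The record layout (event, time, source, outcome, identity.user_id) and the sample records are constructed assumptions.

```javascript
// Added example, not from the wiki page or GPII. Audit reduction by selectable
// event criteria (AU-7(1)) plus one rule-based correlation: a sliding-window
// count per key. Record layout (event, time, source, outcome, identity) assumed.
// criteria: { 'dotted.path': literalValue | predicate(value) => boolean }
function matches(record, criteria) {
  return Object.entries(criteria).every(([path, want]) => {
    const got = path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), record);
    return typeof want === 'function' ? want(got) : got === want;
  });
}
// Audit reduction: keep only the events of interest.
function reduceRecords(records, criteria) {
  return records.filter(r => matches(r, criteria));
}
// Correlation rule: report each key (e.g. source address) that produced at
// least `threshold` matching records within any `windowMs` span.
function thresholdRule(records, { criteria, keyBy, threshold, windowMs }) {
  const byKey = new Map();
  for (const r of reduceRecords(records, criteria)) {
    const k = keyBy(r);
    if (!byKey.has(k)) byKey.set(k, []);
    byKey.get(k).push(Date.parse(r.time));
  }
  const findings = [];
  for (const [key, times] of byKey) {
    times.sort((a, b) => a - b);
    for (let i = 0, j = 0; j < times.length; j++) {
      while (times[j] - times[i] > windowMs) i++; // slide the window start forward
      if (j - i + 1 >= threshold) {
        findings.push({ key, count: j - i + 1, from: new Date(times[i]).toISOString() });
        break; // one finding per key is enough for an alert
      }
    }
  }
  return findings;
}
// Constructed sample records: four failed logins from one source within a minute.
const SAMPLE = [
  { event: 'auth_login', time: '2020-01-01T00:00:00Z', source: '10.0.0.5', outcome: 'failure', identity: { user_id: 'alice' } },
  { event: 'auth_login', time: '2020-01-01T00:00:10Z', source: '10.0.0.5', outcome: 'failure', identity: { user_id: 'alice' } },
  { event: 'auth_login', time: '2020-01-01T00:00:15Z', source: '10.0.0.5', outcome: 'success', identity: { user_id: 'bob' } },
  { event: 'auth_login', time: '2020-01-01T00:00:20Z', source: '10.0.0.5', outcome: 'failure', identity: { user_id: 'alice' } },
  { event: 'auth_login', time: '2020-01-01T00:00:30Z', source: '10.0.0.5', outcome: 'failure', identity: { user_id: 'alice' } },
];
function demo() {
  return thresholdRule(SAMPLE, { criteria: { event: 'auth_login', outcome: 'failure' },
    keyBy: r => r.source, threshold: 3, windowMs: 60000 });
}
```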


Time Stamps (AU-8)

The information system uses internal system clocks to generate time stamps for audit records.

Control Enhancements: 

(1) The information system synchronizes internal information system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source]. 


Protection of Audit Information (AU-9)

The information system protects audit information and audit tools from unauthorized access, modification, and deletion. 


Non-Repudiation (AU-10)

Design a solution that addresses log reliability for investigative and monitoring purposes. Logs must be accurately timed and stored in a manner preventing changes. One mentioned choice is “hardware-enforced, write-once media”.

Audit Record Retention (AU-11)

The organization retains audit records for 90 days online to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. 


Audit Generation (AU-12)

The information system: 

a. Provides audit record generation capability for the list of auditable events defined in AU-2 at [Assignment: organization-defined information system components]; 

b. Allows designated organizational personnel to select which auditable events are to be audited by specific components of the system; and 

c. Generates audit records for the list of audited events defined in AU-2 with the content as defined in AU-3. 

Control Enhancements:

(1) The information system compiles audit records from [Assignment: organization-defined information system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for relationship between time stamps of individual records in the audit trail]. 


Monitoring for Information Disclosure (AU-13)
Session Audit (AU-14)
