NIST SP 800-53A
Special Publication 800-53A
Guide for Assessing the Security Controls in
Federal Information Systems and Organizations
________________________________________________________________________________________________
FAMILY: AUDIT AND ACCOUNTABILITY
CLASS: TECHNICAL
ASSESSMENT PROCEDURE
AU-9 PROTECTION OF AUDIT INFORMATION
AU-9.1 ASSESSMENT OBJECTIVE:
Determine if the information system protects audit information and audit tools from unauthorized:
- access;
- modification; and
- deletion.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing protection of audit information; access control policy and procedures; information system design documentation; information system configuration settings and associated documentation; information system audit records; audit tools; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing audit information protection].
AU-9(1) PROTECTION OF AUDIT INFORMATION
AU-9(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system produces audit records on hardware-enforced, write-once media.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing protection of audit information; access control policy and procedures; information system design documentation; information system hardware settings; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Media storage devices to hold audit records].
APPENDIX F-AU PAGE F-71
AU-9(2) PROTECTION OF AUDIT INFORMATION
AU-9(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the system or media for storing backup audit records that is a different system or media than the system being audited;
(ii) the organization defines the frequency of information system backups of audit records; and
(iii) the information system backs up audit records, in accordance with the organization-defined frequency, onto organization-defined system or media.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing protection of audit information; security plan; information system design documentation; information system configuration settings and associated documentation; system or media storing backups of information system audit records; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with auditing and accountability responsibilities].
AU-9(3) PROTECTION OF AUDIT INFORMATION
AU-9(3).1 ASSESSMENT OBJECTIVE:
Determine if the information system uses cryptographic mechanisms to protect the integrity of audit information and audit tools.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing protection of audit information; access control policy and procedures; information system design documentation; information system hardware settings; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with auditing and accountability responsibilities].
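The kind of cryptographic integrity mechanism an assessor would test under AU-9(3), and the detection of the unauthorized modification and deletion named in AU-9.1, shown as an added example in Go. This is not code from SP 800-53A or from NIST; the record layout, the HMAC-SHA256 hash chain, the function names Append and Verify, the key and the sample records are all constructed for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Record is one audit record plus its chained MAC. The MAC covers the
// sequence number, the record body and the previous record's MAC, so a
// modified, removed or inserted record invalidates every tag after it.
type Record struct {
	Seq  uint64
	Body string
	Tag  string // hex-encoded HMAC-SHA256
}

// tag computes the chained HMAC for one record.
func tag(key []byte, seq uint64, body, prevTag string) string {
	m := hmac.New(sha256.New, key)
	fmt.Fprintf(m, "%d\n%s\n%s", seq, body, prevTag)
	return hex.EncodeToString(m.Sum(nil))
}

// Append adds a record to the chain, linking it to the last tag (or to the
// empty string for the first record).
func Append(key []byte, chain []Record, body string) []Record {
	prev := ""
	if n := len(chain); n > 0 {
		prev = chain[n-1].Tag
	}
	seq := uint64(len(chain)) + 1
	return append(chain, Record{Seq: seq, Body: body, Tag: tag(key, seq, body, prev)})
}

// Verify recomputes the chain under key and returns the index of the first
// record whose sequence number or tag does not check out, or -1 when the
// chain is intact.
func Verify(key []byte, chain []Record) int {
	prev := ""
	for i, r := range chain {
		want := tag(key, r.Seq, r.Body, prev)
		if r.Seq != uint64(i)+1 || !hmac.Equal([]byte(r.Tag), []byte(want)) {
			return i
		}
		prev = r.Tag
	}
	return -1
}

func main() {
	// Constructed key and records for the demonstration only.
	key := []byte("constructed-demo-key")
	var audit []Record
	for _, body := range []string{
		"2024-01-01T00:00:01Z login user=alice result=success",
		"2024-01-01T00:00:05Z privileged-exec user=alice cmd=/bin/systemctl",
		"2024-01-01T00:00:09Z logout user=alice",
	} {
		audit = Append(key, audit, body)
	}
	fmt.Println("intact chain   -> first bad index:", Verify(key, audit))

	// Unauthorized modification of the second record.
	modified := append([]Record(nil), audit...)
	modified[1].Body = "2024-01-01T00:00:05Z privileged-exec user=bob cmd=/bin/systemctl"
	fmt.Println("modified rec 2 -> first bad index:", Verify(key, modified))

	// Unauthorized deletion of the second record.
	deleted := append([]Record(nil), audit[0], audit[2])
	fmt.Println("deleted rec 2  -> first bad index:", Verify(key, deleted))
}
```

The intact chain verifies as -1; altering or removing the second record makes Verify report index 1, because the sequence number and the chained tag no longer agree with what the key reproduces. The MAC key is itself audit information in the sense of AU-9: whoever holds it can rewrite the chain, so an assessor would expect it to live in a key store that only the limited set of privileged users in AU-9(4) can reach, separate from the system that writes the records.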
AU-9(4) PROTECTION OF AUDIT INFORMATION
AU-9(4).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization authorizes access to management of audit functionality to only a limited subset of privileged users; and
(ii) the organization protects the audit records of non-local accesses to privileged accounts and the execution of privileged functions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing protection of audit information; access control policy and procedures; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with auditing and accountability responsibilities].
APPENDIX F-AU PAGE F-72
FAMILY: AUDIT AND ACCOUNTABILITY
CLASS: TECHNICAL
ASSESSMENT PROCEDURE
AU-10 NON-REPUDIATION
AU-10.1 ASSESSMENT OBJECTIVE:
Determine if the information system protects against an individual falsely denying having performed a particular action.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing non-repudiation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing non-repudiation capability].
AU-10(1) NON-REPUDIATION
AU-10(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system associates the identity of the information producer with the information.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing non-repudiation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing non-repudiation capability].
AU-10(2) NON-REPUDIATION
AU-10(2).1 ASSESSMENT OBJECTIVE:
Determine if the information system validates the binding of the information producer's identity to the information.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing non-repudiation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing non-repudiation capability].
APPENDIX F-AU PAGE F-73
AU-10(3) NON-REPUDIATION
AU-10(3).1 ASSESSMENT OBJECTIVE:
Determine if the information system maintains reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing non-repudiation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing non-repudiation capability].
AU-10(4) NON-REPUDIATION
AU-10(4).1 ASSESSMENT OBJECTIVE:
Determine if the information system validates the binding of the reviewer's identity to the information at the transfer/release point prior to release/transfer from one security domain to another security domain.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing non-repudiation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing non-repudiation capability].
AU-10(5) NON-REPUDIATION
AU-10(5).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines whether FIPS-validated or NSA-approved cryptography is employed to implement digital signatures; and
(ii) the organization employs the organization-defined cryptography to implement digital signatures.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing non-repudiation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Cryptographic mechanisms implementing digital signature capability within the information system].
APPENDIX F-AU PAGE F-74
FAMILY: AUDIT AND ACCOUNTABILITY
CLASS: TECHNICAL
ASSESSMENT PROCEDURE
AU-11 AUDIT RECORD RETENTION
AU-11.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the retention period for audit records;
(ii) the retention period for audit records is consistent with the records retention policy; and
(iii) the organization retains audit records for the organization-defined time period consistent with the records retention policy to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit record retention; security plan; organization-defined retention period for audit records; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system audit record retention responsibilities].
APPENDIX F-AU PAGE F-75
FAMILY: AUDIT AND ACCOUNTABILITY
CLASS: TECHNICAL
ASSESSMENT PROCEDURE
AU-12 AUDIT GENERATION
AU-12.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the information system components that provide audit record generation capability for the list of auditable events defined in AU-2;
(ii) the information system provides audit record generation capability, at organization-defined information system components, for the list of auditable events defined in AU-2;
(iii) the information system allows designated organizational personnel to select which auditable events are to be audited by specific components of the system; and
(iv) the information system generates audit records for the list of audited events defined in AU-2 with the content as defined in AU-3.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit record generation; security plan; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system audit record generation responsibilities].
Test: [SELECT FROM: Automated mechanisms implementing audit record generation capability].
AU-12(1) AUDIT GENERATION
AU-12(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the information system produces a system-wide (logical or physical) audit trail of information system audit records;
(ii) the organization defines the information system components from which audit records are to be compiled into the system-wide audit trail;
(iii) the information system compiles audit records from organization-defined information system components into the system-wide audit trail;
(iv) the organization defines the acceptable level of tolerance for relationship between time stamps of individual records in the system-wide audit trail; and
(v) the system-wide audit trail is time-correlated to within the organization-defined level of tolerance to achieve a time ordering of audit records.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit record generation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing audit record generation capability].
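The compile-and-correlate step that AU-12(1)(iii) through (v) describe, as an added example in Go that is not part of SP 800-53A: records from several components, each stamped by its own clock, are normalised to a reference clock using each component's measured clock offset, merged into one time-ordered trail, and any component whose offset exceeds the organization-defined tolerance is reported. The record types, the Compile function, the offsets map (standing in for whatever clock-monitoring the system actually has, such as NTP offset reporting) and the sample records are constructed for the illustration.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// ComponentRecord is an audit record as generated by one component, stamped
// with that component's own clock.
type ComponentRecord struct {
	Component string
	Local     time.Time
	Event     string
}

// TrailEntry is a record after normalisation to the reference clock.
type TrailEntry struct {
	Component string
	Ref       time.Time
	Event     string
}

// Trail is the compiled system-wide audit trail.
type Trail struct {
	Entries        []TrailEntry // ordered by reference time
	OutOfTolerance []string     // components whose clock offset exceeds tolerance
}

// Compile merges records from every component into one time-ordered trail.
// offsets[c] is component c's measured clock offset relative to the reference
// clock (local = reference + offset); tolerance is the organization-defined
// value from AU-12(1)(iv). Components outside the tolerance are still merged
// but reported, because their ordering relative to other components cannot
// be trusted.
func Compile(byComponent map[string][]ComponentRecord, offsets map[string]time.Duration, tolerance time.Duration) Trail {
	var t Trail
	for comp, recs := range byComponent {
		off := offsets[comp] // unknown component: offset 0, treated as on reference time
		if off > tolerance || off < -tolerance {
			t.OutOfTolerance = append(t.OutOfTolerance, comp)
		}
		for _, r := range recs {
			t.Entries = append(t.Entries, TrailEntry{r.Component, r.Local.Add(-off), r.Event})
		}
	}
	sort.Strings(t.OutOfTolerance)
	sort.SliceStable(t.Entries, func(i, j int) bool { return t.Entries[i].Ref.Before(t.Entries[j].Ref) })
	return t
}

// Events returns the event descriptions in system-wide time order.
func (t Trail) Events() []string {
	out := make([]string, len(t.Entries))
	for i, e := range t.Entries {
		out[i] = e.Event
	}
	return out
}

func main() {
	// Constructed sample: three components observe one login flow. The web
	// tier's clock runs 2 s fast, the database's 100 ms slow.
	base := time.Date(2024, 1, 1, 10, 0, 0, 0, time.UTC)
	byComponent := map[string][]ComponentRecord{
		"auth": {{"auth", base, "auth: token issued to alice"}},
		"web":  {{"web", base.Add(2300 * time.Millisecond), "web: request accepted with token"}},
		"db":   {{"db", base.Add(500 * time.Millisecond), "db: row updated by alice"}},
	}
	offsets := map[string]time.Duration{"auth": 0, "web": 2 * time.Second, "db": -100 * time.Millisecond}

	trail := Compile(byComponent, offsets, 500*time.Millisecond)
	for _, e := range trail.Entries {
		fmt.Printf("%s %-4s %s\n", e.Ref.Format("15:04:05.000"), e.Component, e.Event)
	}
	fmt.Println("components outside tolerance:", trail.OutOfTolerance)
}
```

Sorted on the raw local timestamps, the trail would read auth, db, web, which puts the request after the database change it caused; after correction the order is auth, web, db, which is what actually happened. The web tier is reported because its 2 s offset exceeds the 500 ms tolerance, so an assessor testing (v) would expect the system to flag exactly that condition rather than silently produce an ordering it cannot justify.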
APPENDIX F-AU PAGE F-76
AU-12(2) AUDIT GENERATION
AU-12(2).1 ASSESSMENT OBJECTIVE:
Determine if the information system produces a system-wide (logical or physical) audit trail composed of audit records in a standardized format.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit record generation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing audit record generation capability].
APPENDIX F-AU PAGE F-77
FAMILY: AUDIT AND ACCOUNTABILITY
CLASS: TECHNICAL
ASSESSMENT PROCEDURE
AU-13 MONITORING FOR INFORMATION DISCLOSURE
AU-13.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of monitoring open source information for evidence of unauthorized exfiltration or disclosure of organization information; and
(ii) the organization monitors open source information for evidence of unauthorized exfiltration or disclosure of organizational information in accordance with the organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing information disclosure monitoring; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for monitoring open source information for evidence of unauthorized exfiltration or disclosure].
APPENDIX F-AU PAGE F-78
FAMILY: AUDIT AND ACCOUNTABILITY
CLASS: TECHNICAL
ASSESSMENT PROCEDURE
AU-14 SESSION AUDIT
AU-14.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the information system provides the capability to capture/record and log all content related to a user session; and
(ii) the information system provides the capability to remotely view/hear all content related to an established user session in real time.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing user session auditing; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing user session auditing capability].
AU-14(1) SESSION AUDIT
AU-14(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system initiates session audits at system start-up.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing user session auditing; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing user session auditing capability].
APPENDIX F-AU PAGE F-79
FAMILY: SECURITY ASSESSMENT AND AUTHORIZATION
CLASS: MANAGEMENT
ASSESSMENT PROCEDURE
CA-1 SECURITY ASSESSMENT AND AUTHORIZATION POLICIES AND PROCEDURES
CA-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and formally documents security assessment and authorization policy;
(ii) the organization security assessment and authorization policy addresses:
- purpose;
- scope;
- roles and responsibilities;
- management commitment;
- coordination among organizational entities; and
- compliance;
(iii) the organization disseminates formal documented security assessment and authorization policy to elements within the organization having associated security assessment and authorization roles and responsibilities;
(iv) the organization develops and formally documents security assessment and authorization procedures;
(v) the organization security assessment and authorization procedures facilitate implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and
(vi) the organization disseminates formal documented security assessment and authorization procedures to elements within the organization having associated security assessment and authorization roles and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security assessment and authorization policies and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with security assessment and authorization responsibilities].
CA-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of security assessment and authorization policy reviews/updates;
(ii) the organization reviews/updates security assessment and authorization policy in accordance with organization-defined frequency;
(iii) the organization defines the frequency of security assessment and authorization procedure reviews/updates; and
(iv) the organization reviews/updates security assessment and authorization procedures in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security assessment and authorization policies and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with security assessment and authorization responsibilities].
APPENDIX F-CA PAGE F-80