Introduction
Audit trails maintain a record of system activity, and provide the ability to establish individual accountability, detect system anomalies, and reconstruct system events using key records. A robust Audit and Accountability program includes system configuration, appropriate tools, and procedures in keeping with an organizational Audit and Accountability Policy.
System Audit Logs and User Identification
| Control | |
| 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. |
| 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. |
Covered information systems must be able to create “system audit logs” that provide information such as user identification, source-and-destination IP addresses, time stamps, shared files and networks, system configuration changes, real-time system notifications, and other information required to ensure the security and integrity of the system and the system data. Featured functions must be archivable and searchable.
These logs will allow system administrators to check for noncompliance and abnormal activities and reconstruct events should an incident occur. System audit logs can also serve as evidence in the event of legal action due to a data breach.
There are a number of Audit Management Software programs available … consult with your organization’s IT professionals on the best option.
Review and Alert
| Control | |
| 3.3.3 | Review and update logged events |
| 3.3.4 | Alert in the event of an audit logging process failure. |
System audit logs should be reviewed at a frequency designated in the organization’s Audit and Accountability Policy. Review frequency may differ based on the data the system processes. Without regular review of system audit logs, the organization may be vulnerable to undetected incidents and system failures. Regular review also gives the organization an opportunity to evaluate the effectiveness and applicability of the events being logged.
An alert is an automated notification to designated system administrators and security personnel that a network event has taken place. Alerts should be received for instances such as: software and hardware errors, low storage space, slow response time, and other events that lead to a failure in the audit logging process. Alerts for different events can be individually configured with regards to the type of, and recipients of, notifications. Recipients can include system administrators, Incident Response Teams, and/or organizational leadership.
Report and Response
| Control | |
| 3.3.5 | Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity. |
| 3.3.6 | Provide audit record reduction and report generation to support on-demand analysis and reporting. |
Many Audit Management Software programs provide the means for automatic, real-time event analysis and report generation. This allows for quick action to address anomalies and suspected malicious activity. Since multiple components within a system can be audited, the Audit Management Software should have the capability to centrally review and analyze audit records from all applicable components within the system.
System audit reports should be analyzed alongside vulnerability scan results, physical access monitoring, and even audit results of other systems to provide cross-organizational awareness for strategic planning.
Raw data is often difficult to review due to the format and volume of data. Audit record reduction is an automated process for interpreting and extracting meaningful information from raw data, allowing for more concise and relevant reports. These reports can be invaluable when conveyed to incident responders needing to take quick action.
Time Synchronization
| Control | |
| 3.3.7 | Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records. |
Internal system clocks are used to generate time stamps, and critical systems must have the correct and consistent time, to allow for the reliable correlation of events on multiple systems. To achieve this synchronization, each system should be configured to synchronize its time with a central time server, such as a NIST-operated NTP (Network Time Protocol) server.
Information on NIST NTP services can be found at https://www.nist.gov/pml/time-and-frequency-division/time-services/nist-authenticated-ntp-service.
Protect Audit Information
| Control | |
| 3.3.8 | Protect audit information and audit logging tools from unauthorized access, modification, and deletion. |
| 3.3.9 | Limit management of audit logging functionality to a subset of privileged users. |
Since system audit logs and reports can be critical for monitoring and responding to security incidents, the confidentiality, availability and integrity of the information must be protected. This can be achieved by encrypting the data and restricting the decryption key information to only those who need it. Critical system audit information should be moved to a separate system or system component repository for further protection.
To retain the integrity of audit data, access to the programs and devices used to conduct audit and logging activities must be restricted to only pre-defined individuals or roles with privileged access. Further, separation of duties must be implemented between audit management personnel and others with privileged access to the system. If the need arises for technical support from system administrators, one-time credentials can be issued, with monitoring of the technical support activities.
Need Help?
If you are an Organization Seeking Certification (OSC) and are overwhelmed by the enormity and complexity of CMMC, consider professional services to help you plan, implement, and maintain compliance and ensure uninterrupted eligibility for DoD work.
FoxGuard Solutions delivers reliable, secure and configurable solutions to solve technology and compliance challenges faced by critical infrastructure entities. With over four decades of experience, our team focuses on delivering customized cybersecurity and compliance solutions.
Our services will help guide your organization through the Discovery, Planning, Execution and Maintenance phases necessary to allow your organization to attain Cybersecurity Maturity Model Certification (CMMC). Our team of experts will partner with you to review existing policies, processes, procedures, and technical controls to identify any gaps with CMMC requirements. An execution plan will be created that aligns with your needs, budget and timeline, and which outlines a recommended approach to attain CMMC.
As a Microsoft Gold Certified Partner, FoxGuard Solutions has experience in delivering both on premise as well as cloud-based solutions to assist you with your compliance needs.
FoxGuard Solutions is ISO 9001 and ISO 27001 certified, and is a CMMC-AB Registered Provider Organization.
Please visit https://foxguardsolutions.com/cmmc/ for more information.