AU-03 Content of Audit Records
Ensure that audit records contain information that establishes the following:
a. What type of event occurred;
b. When the event occurred;
c. Where the event occurred;
d. Source of the event;
e. Outcome of the event; and
f. Identity of any individuals, subjects, or objects/entities associated with the event.
Audit record content that may be necessary to support the auditing function includes event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f). Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risks and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the trail records inputs or is based on patterns or time of usage.
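A completeness check for items a through f, as an added example that is not part of the control text. The field names, the list of input-capturing fields, and the rule that a time stamp must parse and carry a UTC offset are assumptions of this sketch; map them onto your own log schema.

```python
from datetime import datetime

# Hypothetical field names; any one non-empty field satisfies its item.
AU3_FIELDS = {
    "a": ("event_type",),                   # what type of event occurred
    "b": ("timestamp",),                    # when the event occurred
    "c": ("host", "dest_addr"),             # where the event occurred
    "d": ("src_addr", "process"),           # source of the event
    "e": ("outcome",),                      # outcome of the event
    "f": ("user_id", "subject", "object"),  # associated identities
}
# Assumed names of fields that record raw inputs (privacy review trigger).
INPUT_FIELDS = {"request_body", "query", "keystrokes"}


def _present(record, names):
    # Compare against None so that a legitimate value such as uid 0 counts.
    return any(record.get(n) is not None and str(record[n]).strip() for n in names)


def check_au3(record):
    """Return (missing_items, privacy_flags) for one audit record (a dict)."""
    missing = [i for i, names in AU3_FIELDS.items() if not _present(record, names)]
    if "b" not in missing:
        # Assumed policy: an unparseable or offset-less time stamp cannot be
        # correlated across systems, so it does not establish "when".
        try:
            if datetime.fromisoformat(str(record["timestamp"])).tzinfo is None:
                missing.append("b")
        except ValueError:
            missing.append("b")
    privacy = sorted(INPUT_FIELDS & {k for k, v in record.items() if v})
    return sorted(missing), privacy


# Constructed sample records, not taken from any real system.
GOOD = {"event_type": "file_delete", "timestamp": "2024-05-01T12:00:00+00:00",
        "host": "fs01", "process": "sshd", "outcome": "failure",
        "user_id": 0, "object": "/srv/share/report.txt"}
BAD = {"event_type": "login", "timestamp": "2024-05-01 12:00:00",
       "src_addr": "192.0.2.10", "user_id": "alice", "query": "name=alice"}

if __name__ == "__main__":
    for rec in (GOOD, BAD):
        print(rec["event_type"], check_au3(rec))
```

The second record fails items b, c and e and is flagged for recording a raw input field, the privacy case the discussion above calls out.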
- OMB A-130 Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource*, July 2016.
- IR 8062 Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062.
Control Enhancements
- AU-03(01) Additional Audit Information
- AU-03(02) Centralized Management of Planned Audit Record Content
- AU-03(03) Limit Personally Identifiable Information Elements
Related controls
- AU-02 Event Logging
- AU-08 Time Stamps
- AU-12 Audit Record Generation
- AU-14 Session Audit
- MA-04 Nonlocal Maintenance
- PL-09 Central Management
- SA-08 Security and Privacy Engineering Principles
- SI-07 Software, Firmware, and Information Integrity
- SI-11 Error Handling