AU-06 Audit Record Review, Analysis, and Reporting
a. Review and analyze system audit records au-06_odp.01 for indications of au-06_odp.02 and the potential impact of the inappropriate or unusual activity;
b. Report findings to au-06_odp.03; and
c. Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.
| Parameter ID | Definition |
|---|---|
| au-06_odp.01 | frequency |
| au-06_odp.02 | inappropriate or unusual activity |
| au-06_odp.03 | personnel or roles |
Baselines
- L
- M
- H
- P
Guidance
Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and non-local maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system interfaces, and use of mobile code or Voice over Internet Protocol (VoIP). Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received.
References
- SP 800-86 Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86.
- SP 800-101 Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1.
Control Enhancements
- AU-06(01) Automated Process Integration
- AU-06(02) Automated Security Alerts
- AU-06(03) Correlate Audit Record Repositories
- AU-06(04) Central Review and Analysis
- AU-06(05) Integrated Analysis of Audit Records
- AU-06(06) Correlation with Physical Monitoring
- AU-06(07) Permitted Actions
- AU-06(08) Full Text Analysis of Privileged Commands
- AU-06(09) Correlation with Information from Nontechnical Sources
- AU-06(10) Audit Level Adjustment
Related controls
- AC-02 Account Management
- AC-03 Access Enforcement
- AC-05 Separation of Duties
- AC-06 Least Privilege
- AC-07 Unsuccessful Logon Attempts
- AC-17 Remote Access
- AU-07 Audit Record Reduction and Report Generation
- AU-16 Cross-organizational Audit Logging
- CA-02 Control Assessments
- CA-07 Continuous Monitoring
- CM-02 Baseline Configuration
- CM-05 Access Restrictions for Change
- CM-06 Configuration Settings
- CM-10 Software Usage Restrictions
- CM-11 User-installed Software
- IA-02 Identification and Authentication (Organizational Users)
- IA-03 Device Identification and Authentication
- IA-05 Authenticator Management
- IA-08 Identification and Authentication (Non-organizational Users)
- IR-05 Incident Monitoring
- MA-04 Nonlocal Maintenance
- MP-04 Media Storage
- PE-03 Physical Access Control
- PE-06 Monitoring Physical Access
- RA-05 Vulnerability Monitoring and Scanning
- SA-08 Security and Privacy Engineering Principles
- SC-07 Boundary Protection
- SI-03 Malicious Code Protection
- SI-04 System Monitoring
- SI-07 Software, Firmware, and Information Integrity