Control: The organisation:
B. Reports findings to [Assignment: organisation-defined personnel or roles].
Supplemental Guidance: Audit review, analysis, and reporting covers information security-related auditing performed by organisations including, for example, auditing that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at the information system boundaries, use of mobile code, and use of VoIP. Findings can be reported to organisational entities that include, for example, incident response team, help desk, information security group/department. If organisations are prohibited from reviewing and analysing audit information or unable to conduct such activities (e.g., in certain national security applications or systems), the review/analysis may be carried out by other organisations granted such authority.
Related controls: AC-2, AC-3, AC-6, AC-17, AT-3, AU-7, AU-16, CA-7, CM-5, CM-10, CM-11, IA-3, IA-5, IR-5, IR-6, MA-4, MP-4, PE-3, PE-6, PE-14, PE-16, RA-5, SC-7, SC-18, SC-19, SI-3, SI-4, SI-7.
Audit Review, Analysis, and Reporting Control Enhancements:
AU-6 (1) Audit Review, Analysis, and Reporting - Process Integration
The organisation employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organisational processes for investigation and response to suspicious activities.
Supplemental Guidance: Organisational processes benefiting from integrated audit review, analysis, and reporting include, for example, incident response, continuous monitoring, contingency planning, and Inspector General audits.
AU-6 (2) Audit Review, Analysis, and Reporting - Automated Security Alerts
[Withdrawn: Incorporated into SI-4].
AU-6 (3) Audit Review, Analysis, and Reporting - Correlate Audit Repositories
The organisation analyses and correlates audit records across different repositories to gain organisation-wide situational awareness.
Supplemental Guidance: Organisation-wide situational awareness includes awareness across all three tiers of risk management (i.e., organisational, mission/business process, and information system) and supports cross-organisation awareness.
AU-6 (4) Audit Review, Analysis, and Reporting - Central Review and Analysis
The information system provides the capability to centrally review and analyse audit records from multiple components within the system.
Supplemental Guidance: Automated mechanisms for centralised reviews and analyses include, for example, Security Information Management products.
AU-6 (5) Audit Review, Analysis, and Reporting - Integration / Scanning and Monitoring Capabilities
The organisation integrates analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; [Assignment: organisation-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity.
Supplemental Guidance: This control enhancement does not require vulnerability scanning, the generation of performance data, or information system monitoring. Rather, the enhancement requires that the analysis of information being otherwise produced in these areas is integrated with the analysis of audit information. Security Event and Information Management System tools can facilitate audit record aggregation/consolidation from multiple information system components as well as audit record correlation and analysis. The use of standardised audit record analysis scripts developed by organisations (with localised script adjustments, as necessary) provides more cost-effective approaches for analysing audit record information collected. The correlation of audit record information with vulnerability scanning information is important in determining the veracity of vulnerability scans and correlating attack detection events with scanning results. Correlation with performance data can help uncover denial of service attacks or cyber attacks resulting in unauthorised use of resources. Correlation with system monitoring information can assist in uncovering attacks and in better relating audit information to operational situations.
AU-6 (6) Audit Review, Analysis, and Reporting - Correlation with Physical Monitoring
The organisation correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.
Supplemental Guidance: The correlation of physical audit information and audit logs from information systems may assist organisations in identifying examples of suspicious behaviour or supporting evidence of such behaviour. For example, the correlation of an individual’s identity for logical access to certain information systems with the additional physical security information that the individual was actually present at the facility when the logical access occurred, may prove to be useful in investigations.
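The following is an added illustration of that correlation, not part of the control text: it joins constructed console logon records against constructed badge-reader records and flags console logons where the user had no prior badge-in at the facility housing the host. Record layouts, facility names and the notion of "console" versus "remote" logon types are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records for illustration only; the field layout is assumed.
BADGE_EVENTS = [
    # (user, facility, direction, timestamp)
    ("alice", "HQ", "in",  "2024-03-04T08:02:00"),
    ("alice", "HQ", "out", "2024-03-04T17:10:00"),
    ("bob",   "HQ", "in",  "2024-03-04T08:30:00"),
]
LOGON_EVENTS = [
    # (user, host, facility the host physically sits in, logon type, timestamp)
    ("alice", "ws-101", "HQ", "console", "2024-03-04T08:15:00"),  # badged in at 08:02
    ("bob",   "ws-102", "HQ", "console", "2024-03-04T07:55:00"),  # badged in only at 08:30
    ("carol", "ws-103", "HQ", "console", "2024-03-04T09:00:00"),  # no badge record at all
    ("alice", "srv-01", "HQ", "remote",  "2024-03-04T19:30:00"),  # remote; presence not expected
]

def parse_ts(s):
    return datetime.fromisoformat(s)

def build_badge_index(badge_events):
    """Map (user, facility) -> list of (timestamp, direction) sorted by time."""
    index = defaultdict(list)
    for user, facility, direction, ts in badge_events:
        index[(user, facility)].append((parse_ts(ts), direction))
    for key in index:
        index[key].sort()
    return index

def find_presence_mismatches(logon_events, badge_events):
    """Return console logons whose user had not badged into the host's facility.

    A console logon needs a person at the keyboard, so the most recent badge
    event for that user at that facility before the logon should be an 'in'.
    Remote logons are skipped because physical presence is not expected.
    """
    index = build_badge_index(badge_events)
    findings = []
    for user, host, facility, logon_type, ts in logon_events:
        if logon_type != "console":
            continue
        when = parse_ts(ts)
        prior = [d for t, d in index.get((user, facility), []) if t <= when]
        if not prior:
            findings.append((user, host, ts, "no badge-in recorded before console logon"))
        elif prior[-1] != "in":
            findings.append((user, host, ts, "user had badged out before console logon"))
    return findings

if __name__ == "__main__":
    for finding in find_presence_mismatches(LOGON_EVENTS, BADGE_EVENTS):
        print(finding)
```

Each finding is a lead for investigation, not a verdict: shared workstations, tailgating and badge-reader outages all produce the same mismatch and are resolved by the investigator, as the guidance above implies.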
AU-6 (7) Audit Review, Analysis, and Reporting - Permitted Actions
The organisation specifies the permitted actions for each [Selection (one or more): information system process; role; user] associated with the review, analysis, and reporting of audit information.
Supplemental Guidance: Organisations specify permitted actions for information system processes, roles, and/or users associated with the review, analysis, and reporting of audit records through account management techniques. Specifying permitted actions on audit information is a way to enforce the principle of least privilege. Permitted actions are enforced by the information system and include, for example, read, write, execute, append, and delete.
AU-6 (8) Audit Review, Analysis, and Reporting - Full Text Analysis of Privileged Commands
The organisation performs a full text analysis of audited privileged commands in a physically distinct component or subsystem of the information system, or other information system that is dedicated to that analysis.
Supplemental Guidance: This control enhancement requires a distinct environment for the dedicated analysis of audit information related to privileged users without compromising such information on the information system where the users have elevated privileges including the capability to execute privileged commands. Full text analysis refers to analysis that considers the full text of privileged commands (i.e., commands and all parameters) as opposed to analysis that considers only the name of the command. Full text analysis includes, for example, the use of pattern matching and heuristics.
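An added example of the distinction the guidance draws, not part of the control text: it parses constructed sudo-style log lines and evaluates each privileged command twice, once by command name alone and once by pattern matching over the command and all of its parameters. The log format, the allowed-command list and the two rules are assumptions chosen for the illustration.

```python
import re
from os.path import basename

# Constructed sudo-style log lines for illustration only (not from a real host).
SUDO_LOG = """\
Mar  4 09:12:01 ws-101 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  4 09:13:44 ws-101 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl disable auditd
Mar  4 09:20:09 ws-102 sudo:      bob : TTY=pts/1 ; PWD=/srv/app ; USER=root ; COMMAND=/bin/chmod 755 /srv/app/run.sh
Mar  4 09:21:30 ws-102 sudo:      bob : TTY=pts/1 ; PWD=/srv/app ; USER=root ; COMMAND=/bin/chmod -R 777 /etc/app
"""

SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$")

# Name-only policy (assumed): both commands are legitimately used by administrators,
# so a check on the command name alone accepts every line above.
ALLOWED_COMMANDS = {"systemctl", "chmod"}

# Full-text rules (assumed): each regex runs over the command plus all parameters.
FULL_TEXT_RULES = [
    ("audit service tampering", re.compile(r"^systemctl\s+(stop|disable|mask)\s+auditd\b")),
    ("world-writable permissions", re.compile(r"^chmod\s+(-\w+\s+)*[0-7]?777\b")),
]

def parse_sudo_line(line):
    """Extract invoking user, target user and the full command text; None if not a sudo line."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    argv = m.group("cmd").split()
    # Normalise "/usr/bin/systemctl" to "systemctl" so rules do not depend on install path.
    full_text = " ".join([basename(argv[0])] + argv[1:])
    return {"user": m.group("user"), "runas": m.group("runas"), "full_text": full_text}

def analyse(log_text):
    """Return one record per privileged command carrying both the name-only and full-text verdicts."""
    results = []
    for line in log_text.splitlines():
        rec = parse_sudo_line(line)
        if rec is None:
            continue
        name = rec["full_text"].split()[0]
        rec["name_only_ok"] = name in ALLOWED_COMMANDS
        rec["full_text_hits"] = [label for label, rx in FULL_TEXT_RULES if rx.search(rec["full_text"])]
        results.append(rec)
    return results

if __name__ == "__main__":
    for r in analyse(SUDO_LOG):
        print(r["user"], "->", r["runas"], "|", r["full_text"], "|", r["full_text_hits"])
```

The control's point about a physically distinct analysis component is that this script, its rules and the log copy it reads would live on a system the privileged users of the monitored host cannot modify.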
AU-6 (9) Audit Review, Analysis, and Reporting - Correlation with Information from Nontechnical Sources
The organisation correlates information from nontechnical sources with audit information to enhance organisation-wide situational awareness.
Supplemental Guidance: Nontechnical sources include, for example, human resources records documenting organisational policy violations (e.g., sexual harassment incidents, improper use of organisational information assets). Such information can lead organisations to a more directed analytical effort to detect potential malicious insider activity. Due to the sensitive nature of the information available from nontechnical sources, organisations limit access to such information to minimise the potential for the inadvertent release of privacy-related information to individuals who do not have a need to know. Thus, correlation of information from nontechnical sources with audit information generally occurs only when individuals are suspected of being involved in a security incident. Organisations obtain legal advice prior to initiating such actions.
Related control: AT-2.
AU-6 (10) Audit Review, Analysis, and Reporting - Audit Level Adjustment
The organisation adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.
Supplemental Guidance: The frequency, scope, and/or depth of the audit review, analysis, and reporting may be adjusted to meet organisational needs based on new information received.