Description
The information system generates audit records for the following events: [Assignment: organization-defined auditable events].
Supplemental Guidance
The purpose of this control is to identify important events which need to be audited as significant and relevant to the security of the information system. The organization specifies which information system components carry out auditing activities. Auditing activity can affect information system performance. Therefore, the organization decides, based upon a risk assessment, which events require auditing on a continuous basis and which events require auditing in response to specific situations. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the right level of abstraction for audit record generation is a critical aspect of an audit capability and can facilitate the identification of root causes to problems. Additionally, the security audit function is coordinated with the network health and status monitoring function to enhance the mutual support between the two functions by the selection of information to be recorded by each function. The checklists and configuration guides at http://csrc.nist.gov/pcig/cig.html provide recommended lists of auditable events. The organization defines auditable events that are adequate to support after- the-fact investigations of security incidents. NIST Special Publication 800-92 provides guidance on computer security log management.
Changes from Rev 4
Title changed for 'Audit Events' Changes parameter regarding the specific types of events that the system is capable of logging Requires the review and update the event types selected for logging at a specific frequency Incorporates withdrawn control AU-02(3) Incorporates audit elements of withdrawn App J control UL-02