The RMF Control Family AU, Audit and Accountability, addresses the need for organizations to audit system activity and hold individuals accountable for their actions.
Controls in the AU Control Family
The AU Control Family includes the following controls:
- AU-1: Audit and Accountability Policy and Procedures: This control requires organizations to develop and implement an audit and accountability policy and procedures. This policy should define the roles and responsibilities for audit and accountability, and the process for auditing system activity and holding individuals accountable.
- AU-2: Audit Events: This control requires organizations to generate audit events for all system activity that is relevant to security. This includes audit events for user logins, file access, and system changes.
- AU-3: Content of Audit Records: This control requires organizations to ensure that audit records contain sufficient information to identify the user, the action performed, the date and time of the action, and the outcome of the action.
- AU-4: Audit Storage Capacity: This control requires organizations to have sufficient audit storage capacity to retain audit records for the required period of time.
- AU-5: Response to Audit Processing Failures: This control requires organizations to have a process for responding to audit processing failures. This process should include identifying and correcting the cause of the failure, and recovering any lost audit data.
- AU-6: Audit Review, Analysis, and Reporting: This control requires organizations to review and analyze audit records on a regular basis to identify security incidents and trends. This information should be used to generate audit reports that are shared with appropriate management personnel.
- AU-7: Audit Reduction and Report Generation: This control requires organizations to reduce audit records to a manageable size before generating audit reports. This can be done by aggregating audit data or filtering out irrelevant audit data.
- AU-8: Time Stamps: This control requires organizations to ensure that all audit records are time stamped accurately. This helps to ensure that audit records can be correlated with other events to investigate security incidents.
- AU-9: Protection of Audit Information: This control requires organizations to protect audit information from unauthorized access, modification, or destruction. This can be done by encrypting audit data or storing audit data on a separate system.
- AU-10: Non-Repudiation: This control requires organizations to ensure that audit records cannot be repudiated. This can be done by using a digital signature or other cryptographic technique.
- AU-11: Audit Record Retention: This control requires organizations to retain audit records for the required period of time. This period of time will vary depending on the organization’s security requirements and applicable laws and regulations.
- AU-12: Audit Generation: This control requires organizations to generate audit records for all system activity that is relevant to security. This includes audit events for user logins, file access, and system changes.
- AU-13: Monitoring for Information Disclosure: This control requires organizations to monitor audit records for indicators of information disclosure. This can be done by using a security information and event management (SIEM) system or other tools to analyze audit data.
- AU-14: Session Audit: This control requires organizations to audit all user sessions. This includes audit events for user logins, logouts, and activity within the session.
- AU-15: Alternate Audit Capability: This control requires organizations to have an alternate audit capability in case the primary audit system fails. This alternate audit capability should be able to collect and store audit records until the primary audit system is restored.
- AU-16: Cross-Organizational Auditing: This control requires organizations to share audit records with other organizations as needed to support cross-organizational security initiatives. This can be done through a secure information sharing environment or other secure means.
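
The record content listed under AU-3, the time-stamp requirement in AU-8 and the protection against modification in AU-9 can be checked mechanically. The following is an added example, not part of the original page or of any NIST publication. The field names, the sample records and the HMAC chain are assumptions chosen so it runs with the Python standard library only; a shared-key MAC detects modification but, unlike the digital signature mentioned under AU-10, does not by itself provide non-repudiation.

```python
import hashlib
import hmac
import json
from datetime import datetime

# AU-3 content named on the page: user, action, date/time, outcome (field names assumed).
REQUIRED_FIELDS = ("user", "action", "timestamp", "outcome")
GENESIS = "0" * 64  # chain anchor used before the first record
# Constructed sample records, not taken from the page.
SAMPLE = [
    {"user": "alice", "action": "login", "timestamp": "2024-05-01T12:00:00+00:00", "outcome": "success"},
    {"user": "bob", "action": "file_read", "timestamp": "2024-05-01T12:00:05+00:00", "outcome": "failure"},
    {"user": "alice", "action": "logout", "timestamp": "2024-05-01T12:03:00+00:00", "outcome": "success"},
]

def au3_problems(record):
    """List AU-3 content and AU-8 timestamp problems for one record."""
    problems = [f"missing {f}" for f in REQUIRED_FIELDS if not record.get(f)]
    if record.get("timestamp"):
        try:
            # A timestamp without an offset cannot be correlated across systems.
            if datetime.fromisoformat(record["timestamp"]).tzinfo is None:
                problems.append("timestamp has no UTC offset")
        except (ValueError, TypeError):
            problems.append("timestamp is not ISO 8601")
    return problems

def _mac(key, prev_mac, record):
    # Canonical JSON so the same record always produces the same bytes.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev_mac + body).encode(), hashlib.sha256).hexdigest()

def seal(key, records):
    """Chain the records: each MAC covers the record and the previous MAC."""
    sealed, prev = [], GENESIS
    for rec in records:
        prev = _mac(key, prev, rec)
        sealed.append({"record": rec, "mac": prev})
    return sealed

def verify(key, sealed):
    """Return the index of the first entry that fails, or None if intact."""
    prev = GENESIS
    for i, entry in enumerate(sealed):
        if not hmac.compare_digest(_mac(key, prev, entry["record"]), entry["mac"]):
            return i
        prev = entry["mac"]
    return None
```

Removing entries from the end of the chain is not detected by `verify`; catching that requires keeping the latest MAC somewhere else, for example on the separate system mentioned under AU-9.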
Benefits of Implementing the AU Control Family
There are a number of benefits to implementing the AU Control Family, including:
- Improved security: The AU Control Family helps to improve the security of information systems by auditing system activity and holding individuals accountable for their actions. This can help to deter unauthorized access, use, disclosure, disruption, modification, or destruction of information systems.
- Reduced risk: The AU Control Family helps to reduce the risk