catalog: SP800-53rev3 / class: Technical / family: (AU) Audit and Accountability

  AU-02: Auditable Events  

base control objective:
The organization:
a. Determines, based on a risk assessment and mission/business needs, that the information system must be capable of auditing the following events: [Assignment: organization-defined list of auditable events];
b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
c. Provides a rationale for why the list of auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and
d. Determines, based on current threat information and ongoing assessment of risk, that the following events are to be audited within the information system: [Assignment: organization-defined subset of auditable events to be audited along with the frequency of (or situation requiring) auditing for each identified event].

supplemental objective information:
The purpose of this control is for the organization to identify events which need to be auditable as significant and relevant to the security of the information system; giving an overall system requirement in order to meet ongoing and specific audit needs. To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are to be audited at a given point in time. For example, the organization may determine that the information system must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the extreme burden on system performance. In addition, audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the right level of abstraction for audit record generation is a critical aspect of an audit capability and can facilitate the identification of root causes to problems.

enhancements to the base objective:

(1) Withdrawn: Incorporated into AU-12.

(2) Withdrawn: Incorporated into AU-12.

(3) The organization reviews and updates the list of auditable events [Assignment: organization-defined frequency].

Enhancement Supplemental Guidance: The list of auditable events is defined in AU-02.

(4) The organization includes execution of privileged functions in the list of events to be audited by the information system.

mapping to FIPS199 baseline:

  LOW: base     MOD: base (3) (4)     HIGH: base (3) (4)  

related (regimented) controls:

AU-3, AC-22  

documents referenced in SP800-53rev3 for AU-02:

Document        Date             Status   Title
NIST SP800-12   October, 1995    current  An Introduction to Computer Security: The NIST Handbook
NIST SP800-124  July, 2008       current  Guidelines on Cell Phone and PDA Security
NIST SP800-44   September 2002   current  Guidelines on Securing Public Web Servers
NIST SP800-45   August, 2006     DRAFT    Guidelines on Electronic Mail Security
NIST SP800-66   October, 2008    current  An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
NIST SP800-72   November, 2004   current  Guidelines on PDA Forensics
NIST SP800-83   September, 2006  current  Guide to Malware Incident Prevention and Handling
NIST SP800-92   September, 2006  current  Guide to Computer Security Log Management
NIST SP800-94   August, 2006     DRAFT    Guide to Intrusion Detection and Prevention Systems (IDPS)
