catalog: SP800-53rev3 / class: Technical / family: (AU) Audit and Accountability

AU-06: Audit Monitoring, Analysis, and Reporting

base control objective:
The organization:
a. Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of inappropriate or unusual activity, and reports findings to designated organizational officials; and
b. Adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk to organizational operations, organizational assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information.

supplemental objective information:

enhancements to the base objective:

(1) The information system integrates audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.

(2) Withdrawn: Incorporated into SI-04.

(3) The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.

(4) The information system centralizes the review and analysis of audit records from multiple components within the system.

Enhancement Supplemental Guidance: An example of an automated mechanism for centralized review and analysis is a Security Information Management (SIM) product.

(5) The organization integrates analysis of audit records with analysis of vulnerability scanning information, performance data, and network monitoring information to further enhance the ability to identify inappropriate or unusual activity.

Enhancement Supplemental Guidance: A Security Event/Information Management system tool can facilitate audit record aggregation and consolidation from multiple information system components, as well as audit record correlation and analysis. The use of standardized audit record analysis scripts developed by the organization (with localized script adjustments, as necessary) provides a more cost-effective approach for analyzing the audit record information collected. The correlation of audit record information with vulnerability scanning information is important in determining the veracity of the vulnerability scans and in correlating attack detection events with scanning results.

(6) The organization correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.

Enhancement Supplemental Guidance: The organization specifies the permitted actions for each authorized information system process, role, and/or user in the audit and accountability policy.

Enhancement Supplemental Guidance: Permitted actions for information system processes, roles, and/or users associated with the review, analysis, and reporting of audit records include, for example, read, write, append, and delete.

(7) The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined list of inappropriate or unusual activities that are to result in alerts].

(8) The organization performs, in a physically dedicated information system, full-text analysis of privileged functions executed.

mapping to FIPS199 baseline:

LOW: not selected    MOD: base control    HIGH: base control + enhancement (1)

related (regimented) controls:

AU-07   Audit Reduction and Report Generation

documents referenced in SP800-53rev3 for AU-06:

Document         Date             Status    Title
NIST SP800-115   September, 2008  current   Technical Guide to Information Security Testing and Assessment
NIST SP800-12    October, 1995    current   An Introduction to Computer Security: The NIST Handbook
NIST SP800-44    September, 2002  current   Guidelines on Securing Public Web Servers
NIST SP800-45    August, 2006     DRAFT     Guidelines on Electronic Mail Security
NIST SP800-83    September, 2006  current   Guide to Malware Incident Prevention and Handling
NIST SP800-92    September, 2006  current   Guide to Computer Security Log Management
NIST SP800-94    August, 2006     DRAFT     Guide to Intrusion Detection and Prevention Systems (IDPS)