This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
a. Reviews and analyzes information system audit records [FedRAMP Assignment: (L)(M)(H) at least weekly] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and
b. Reports findings to [Assignment: organization-defined personnel or roles].
AU-6 Additional FedRAMP Requirements and Guidance: Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tenant environments, the capability and means for providing review, analysis, and reporting to the consumer for data pertaining to that consumer shall be documented.
NIST 800-53 (r4) Supplemental Guidance:
Audit review, analysis, and reporting covers information security-related auditing performed by organizations including, for example, auditing that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at the information system boundaries, use of mobile code, and use of VoIP. Findings can be reported to organizational entities that include, for example, incident response team, help desk, information security group/department. If organizations are prohibited from reviewing and analyzing audit information or unable to conduct such activities (e.g., in certain national security applications or systems), the review/analysis may be carried out by other organizations granted such authority. Related controls: AC-2, AC-3, AC-6, AC-17, AT-3, AU-7, AU-16, CA-7, CM-5, CM-10, CM-11, IA-3, IA-5, IR-5, IR-6, MA-4, MP-4, PE-3, PE-6, PE-14, PE-16, RA-5, SC-7, SC-18, SC-19, SI-3, SI-4, SI-7.
References: None.
NIST 800-53 (r5) Discussion:
Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and non-local maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system interfaces, and use of mobile code or Voice over Internet Protocol (VoIP). Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received.
38North Guidance:
Meets Minimum Requirement:
Part a.
The Cloud Service Offering (CSO) audit records are required to be reviewed by the Cloud Service Provider (CSP) at least weekly for any indication of inappropriate or unusual activity, where "inappropriate or unusual activity" is defined by the CSP. The intent of this control is that the audit trail the CSO produces is actually examined: the records must carry enough detail to attribute actions to individual accounts, to allow reconstruction of audit events, and to surface problems and indications of intrusion, and that examination must occur at least weekly.
Part b.
The findings identified during the "at least weekly" audit log review are reported to the organization-defined personnel or roles, which the CSP must name in its audit policy or procedure.
Best Practice:
The CSO ticketing system should be used to track each weekly review of audit records. The ticket records who was assigned the review, when it was performed, and should contain (or reference) the audit logs that were reviewed along with any findings and the personnel or roles they were reported to.
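As an added illustration of what the weekly review in Part a and the reporting in Part b amount to in practice, the following Python script is example code written for this page, not tooling from 38North or any CSP. It reads a week of audit records, applies a small set of CSP-defined "inappropriate or unusual activity" rules, and produces a review record of the kind a ticket would hold. The log lines, the threshold of five failed logins, the 08:00 to 18:00 UTC window for privileged sessions, and the set of accounts authorized to change configuration are all constructed assumptions standing in for the CSP's own definitions.

```python
"""Weekly audit record review (illustrative example for AU-6 parts a and b).

The rules and data below are assumptions made for this example; a CSP
substitutes its own definitions of inappropriate or unusual activity.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample audit records in JSON Lines form (not real CSO logs).
# The final record falls outside the review window and must be excluded.
SAMPLE_LOG = """\
{"ts": "2024-03-04T09:12:01Z", "user": "alice", "event": "login", "result": "success", "src_ip": "10.0.5.12"}
{"ts": "2024-03-04T22:40:11Z", "user": "svc-deploy", "event": "login", "result": "failure", "src_ip": "203.0.113.9"}
{"ts": "2024-03-04T22:40:19Z", "user": "svc-deploy", "event": "login", "result": "failure", "src_ip": "203.0.113.9"}
{"ts": "2024-03-04T22:40:27Z", "user": "svc-deploy", "event": "login", "result": "failure", "src_ip": "203.0.113.9"}
{"ts": "2024-03-04T22:40:35Z", "user": "svc-deploy", "event": "login", "result": "failure", "src_ip": "203.0.113.9"}
{"ts": "2024-03-04T22:40:44Z", "user": "svc-deploy", "event": "login", "result": "failure", "src_ip": "203.0.113.9"}
{"ts": "2024-03-05T03:15:00Z", "user": "bob", "event": "privileged_session", "result": "success", "src_ip": "10.0.5.40"}
{"ts": "2024-03-06T14:02:33Z", "user": "carol", "event": "config_change", "result": "success", "src_ip": "10.0.5.77"}
{"ts": "2024-03-06T14:05:10Z", "user": "alice", "event": "config_change", "result": "success", "src_ip": "10.0.5.12"}
{"ts": "2024-02-20T11:00:00Z", "user": "bob", "event": "privileged_session", "result": "success", "src_ip": "10.0.5.40"}
"""

# Hypothetical organization-defined "inappropriate or unusual activity".
FAILED_LOGIN_THRESHOLD = 5          # failures per account within the window
PRIVILEGED_HOURS = (8, 18)          # privileged sessions expected 08:00-18:00 UTC
CHANGE_AUTHORIZED = {"alice"}       # accounts allowed to make config changes


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_record(line):
    """Parse one JSON Lines audit record and normalise its timestamp."""
    record = json.loads(line)
    record["ts"] = parse_ts(record["ts"])
    return record


def find_unusual_activity(records):
    """Apply the CSP-defined rules to the records already in the review window."""
    findings = []
    failures = defaultdict(list)
    for r in records:
        if r["event"] == "login" and r["result"] == "failure":
            failures[r["user"]].append(r)
        elif r["event"] == "privileged_session":
            hour = r["ts"].hour
            if not PRIVILEGED_HOURS[0] <= hour < PRIVILEGED_HOURS[1]:
                findings.append({"rule": "privileged-session-outside-hours",
                                 "user": r["user"], "ts": r["ts"].isoformat()})
        elif r["event"] == "config_change" and r["user"] not in CHANGE_AUTHORIZED:
            findings.append({"rule": "config-change-unauthorized",
                             "user": r["user"], "ts": r["ts"].isoformat()})
    # Aggregate rule: repeated failures are judged over the whole window.
    for user, events in failures.items():
        if len(events) >= FAILED_LOGIN_THRESHOLD:
            findings.append({"rule": "repeated-login-failure", "user": user,
                             "count": len(events),
                             "src_ips": sorted({e["src_ip"] for e in events})})
    return findings


def review_audit_records(log_text, review_end, reviewer, report_to, window_days=7):
    """Run one weekly review and return the record a review ticket would hold.

    review_end is an ISO-8601 'Z' timestamp; the window is the window_days
    before it. report_to lists the organization-defined personnel or roles
    that receive the findings (AU-6 part b).
    """
    end = parse_ts(review_end)
    start = end - timedelta(days=window_days)
    records = [parse_record(l) for l in log_text.splitlines() if l.strip()]
    in_window = [r for r in records if start <= r["ts"] < end]
    findings = find_unusual_activity(in_window)
    return {
        "control": "AU-6",
        "reviewer": reviewer,
        "window": [start.isoformat(), end.isoformat()],
        "records_reviewed": len(in_window),
        "findings": findings,
        "report_to": report_to,
        "status": "findings reported" if findings else "no findings",
    }


if __name__ == "__main__":
    report = review_audit_records(SAMPLE_LOG, "2024-03-08T00:00:00Z",
                                  reviewer="alice", report_to=["incident response team"])
    print(json.dumps(report, indent=2))
```

The returned dictionary is what an assessor would expect to see attached to the weekly ticket: the window covered, how many records were examined, each finding with the rule that triggered it, and the roles it was reported to. Run against the constructed sample, it reviews nine records and raises three findings (the five failed logins by svc-deploy, bob's 03:15 UTC privileged session, and carol's unauthorized configuration change), while the February record outside the window is ignored.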
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Review the audit policy and procedure to ensure the CSP has defined the inappropriate or unusual activity events that are to be reviewed on a weekly basis. Additionally, review to ensure the CSP has defined the personnel or roles responsible for performing the weekly review and the personnel or roles to whom findings are reported.
Request evidence to support weekly reviews of the CSO audit records for inappropriate or unusual activity events. Sample evidence:
Ticketing system records (ex. JIRA) showing that the review was performed, who performed it, and typically a copy of (or reference to) the logs reviewed within the ticket.
A weekly report produced by the responsible personnel or roles based on the review of the inappropriate or unusual activity events, including findings and who they were reported to.
Slack messages or similar correspondence that validate the responsible personnel or roles are reviewing audit logs for inappropriate or unusual activity events on a weekly basis.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD