This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.
AU-6 (6) Additional FedRAMP Requirements and Guidance: Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.
NIST 800-53 (r4) Supplemental Guidance:
The correlation of physical audit information and audit logs from information systems may assist organizations in identifying examples of suspicious behavior or supporting evidence of such behavior. For example, the correlation of an individual’s identity for logical access to certain information systems with the additional physical security information that the individual was actually present at the facility when the logical access occurred, may prove to be useful in investigations.
NIST 800-53 (r5) Discussion:
The correlation of physical audit record information and the audit records from systems may assist organizations in identifying suspicious behavior or supporting evidence of such behavior. For example, the correlation of an individual’s identity for logical access to certain systems with the additional physical security information that the individual was present at the facility when the logical access occurred may be useful in investigations.
38North Guidance:
Meets Minimum Requirement:
The Cloud Service Provider (CSP) correlates Cloud Service Offering (CSO) audit logs and physical access monitoring logs within a Security Information and Event Management (SIEM) tool to further enhance the ability of the CSP to identify suspicious, unusual, or malevolent activity against the CSO.
Best Practice:
If applicable, the CSO should forward physical audit logs from the building management system to the SIEM to further enhance the ability to identify suspicious or malevolent activities.
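The correlation described in the discussion and guidance above, as an added example that is not part of the NIST, FedRAMP, or 38North text: a Python check that flags console (on-site) logins for which the badge log shows no matching physical presence. The event layouts, user, host and door names, and the 12-hour cap applied when a badge-out is missing are assumptions, and all sample data is constructed.

```python
from datetime import datetime, timedelta

MAX_STAY = timedelta(hours=12)  # assumed cap when no badge-out is recorded

# Constructed sample data (not from any real system).
BADGE_EVENTS = [  # (timestamp, user, door, direction)
    ("2024-03-04T08:55:00", "alice", "dc1-cage-a", "in"),
    ("2024-03-04T12:10:00", "alice", "dc1-cage-a", "out"),
    ("2024-03-04T09:30:00", "bob", "dc1-cage-a", "in"),  # never badged out
]
LOGIN_EVENTS = [  # (timestamp, user, host, source); "console" means on-site access
    ("2024-03-04T09:05:00", "alice", "hv-01", "console"),
    ("2024-03-04T13:00:00", "alice", "hv-01", "console"),  # after badge-out
    ("2024-03-04T10:00:00", "carol", "hv-02", "console"),  # never badged in
    ("2024-03-04T10:15:00", "bob", "hv-02", "vpn"),        # remote, not checked
]

def presence_intervals(badge_events):
    """Build per-user (entry, exit) intervals from badge in/out events."""
    intervals, open_entry = {}, {}
    for ts, user, _door, direction in sorted(badge_events):
        t = datetime.fromisoformat(ts)
        if direction == "in":
            if user in open_entry:  # second "in" with no "out": close the earlier stay
                start = open_entry[user]
                intervals.setdefault(user, []).append((start, min(t, start + MAX_STAY)))
            open_entry[user] = t
        elif direction == "out" and user in open_entry:
            start = open_entry.pop(user)
            intervals.setdefault(user, []).append((start, min(t, start + MAX_STAY)))
    for user, start in open_entry.items():  # stays with no badge-out get the cap
        intervals.setdefault(user, []).append((start, start + MAX_STAY))
    return intervals

def console_logins_without_presence(login_events, intervals):
    """Return (timestamp, user, host) for console logins outside any badge interval."""
    findings = []
    for ts, user, host, source in login_events:
        if source != "console":
            continue
        t = datetime.fromisoformat(ts)
        if not any(start <= t <= end for start, end in intervals.get(user, [])):
            findings.append((ts, user, host))
    return findings

if __name__ == "__main__":
    for finding in console_logins_without_presence(LOGIN_EVENTS, presence_intervals(BADGE_EVENTS)):
        print("console login without badge presence:", finding)
```

In a SIEM the same logic would run as a correlation rule over the forwarded badge and authentication feeds, with each finding opening a ticket for audit review.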
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Review recent tickets generated that show an audit review of the CSO included not only a review of SIEM CSO audit logs but also included review of CSO physical access logs to the location of the CSO components.
Review recent incident response after action reports to determine how the CSO audit logs and physical access logs were used to correlate a potential incident.
Evidence that the data center physical access logs (PE-6) and visitor access logs (PE-8) were reviewed at least monthly.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD