This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
NIST 800-53 (r4) Supplemental Guidance:
Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls. Related controls: AC-3, AC-6, MP-2, MP-4, PE-2, PE-3, PE-6.
References: None.
NIST 800-53 (r5) Discussion:
Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls.
38North Guidance:
Meets Minimum Requirement:
The organization needs to protect audit information and audit tools from unauthorized access, modification, and deletion. This is typically done by implementing effective access controls that prevent unauthorized access, modification, and deletion of audit information.
Best Practice:
Protect audit logs from unauthorized access by permitting only specific roles to access, modify, or delete logs.
Audit logs that contain sensitive data, such as Personally Identifiable Information (PII) or Personal Health Information (PHI), should be stored encrypted.
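One way to verify the access-control part of this practice on a Unix host is to check that every audit log file is owned by an approved account, belongs to an approved group, and carries no permission bits that would let anyone else read or write it. The script below is an added example, not code from 38North or NIST; the allowed owners and groups, the forbidden mode bits, and the sample file entries are all assumptions constructed for illustration.

```python
"""
Audit-log permission check (added example, not part of the original page).

Policy assumed for illustration:
  * only 'root' may own audit log files
  * only the 'adm' or 'root' group may be the group owner
  * no world access at all, and no group write (reading by 'adm' is allowed)
"""
import os
import stat
from dataclasses import dataclass
from typing import Iterable, List

ALLOWED_OWNERS = {"root"}          # assumed policy
ALLOWED_GROUPS = {"adm", "root"}   # assumed policy
# Any of these bits set on a log file is a policy violation:
# world read/write/execute, or group write.
FORBIDDEN_BITS = stat.S_IRWXO | stat.S_IWGRP


@dataclass(frozen=True)
class LogEntry:
    path: str
    owner: str   # owning user name
    group: str   # owning group name
    mode: int    # permission bits only, e.g. 0o640


def find_violations(entries: Iterable[LogEntry]) -> List[str]:
    """Return one human-readable finding per policy breach."""
    findings: List[str] = []
    for e in entries:
        if e.owner not in ALLOWED_OWNERS:
            findings.append(f"{e.path}: owner '{e.owner}' is not an allowed owner")
        if e.group not in ALLOWED_GROUPS:
            findings.append(f"{e.path}: group '{e.group}' is not an allowed group")
        extra = e.mode & FORBIDDEN_BITS
        if extra:
            findings.append(
                f"{e.path}: mode {oct(e.mode)} grants {oct(extra)} beyond policy"
            )
    return findings


def scan_directory(root: str) -> List[LogEntry]:
    """Collect LogEntry records from a real directory tree (Unix only)."""
    import grp  # imported here so the module loads on non-Unix platforms
    import pwd
    entries: List[LogEntry] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            entries.append(LogEntry(
                path=path,
                owner=pwd.getpwuid(st.st_uid).pw_name,
                group=grp.getgrgid(st.st_gid).gr_name,
                mode=stat.S_IMODE(st.st_mode),
            ))
    return entries


# Constructed sample data standing in for a scan_directory("/var/log") result.
SAMPLE_ENTRIES = [
    LogEntry("/var/log/audit/audit.log", "root", "root", 0o600),    # compliant
    LogEntry("/var/log/auth.log", "root", "adm", 0o640),            # compliant
    LogEntry("/var/log/app/app.log", "appuser", "appuser", 0o644),  # owner, group, world-read
    LogEntry("/var/log/siem/export.log", "root", "adm", 0o660),     # group write
]


if __name__ == "__main__":
    for finding in find_violations(SAMPLE_ENTRIES):
        print(finding)
```

Run as-is it reports four findings against the constructed sample; replace `SAMPLE_ENTRIES` with `scan_directory("/var/log")` to check a live host. The output is the kind of listing an assessor can accept as evidence that only designated roles can reach the logs; it does not cover encryption at rest, which is a separate storage-layer control.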
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Screenshots or a listing of Active Directory (AD) accounts and the roles assigned to each user, verifying separation of duties so that only designated individuals can access, modify, or delete logs.
Screenshots or a listing of users in the Security Information and Event Management (SIEM) tool and the roles and permissions each user holds, verifying separation of duties and ensuring that not all users have privileged access to access, modify, or delete logs.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD