Description:
This requirement ensures that the contents of the audit record include the information needed to link the audit event to the actions of an individual to the extent feasible. Organizations consider logging for traceability including results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, communications at system boundaries, configuration settings, physical access, nonlocal maintenance, use of maintenance tools, temperature and humidity, equipment delivery and removal, system component inventory, use of mobile code, and use of Voice over Internet Protocol (VoIP).
Priority: High
Category: Situational Awareness
Services Associated with AWS:
- AWS CloudTrail, AWS Identity and Access Management (IAM), AWS Security Hub
Objective Evidence:
- Administrative: documented policies, standards & procedures
- Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
- Technical: screen shot of configuration settings
- Technical: screen shot of logs from SIEM
Possible Technology Considerations:
- Secure Baseline Configurations (SBC)
- Centralized Log Management
- Security Information & Event Management (SIEM)
What needs to be answered:
Can actions be traced to an individual user so they can be held accountable for their actions?
- Enable User Accountability through Unique Tracing of Actions
Description: This check ensures that organizations establish mechanisms to uniquely trace the actions of individual system users, enabling accountability for their activities. The audit records include information that links audit events to specific users to the extent feasible. Organizations consider logging practices for various activities such as account usage, remote access, wireless connectivity, mobile device connections, system boundary communications, configuration settings, physical access, nonlocal maintenance, use of maintenance tools, environmental conditions, equipment inventory, use of mobile code, and Voice over Internet Protocol (VoIP) usage.
- Capture User Identification Information in Audit Records
Description: This check verifies that audit records capture user identification information to facilitate the unique tracing of user actions. The information includes user identifiers, such as usernames or user account identifiers, associated with the performed actions. This allows for the correlation of audit events with specific users and supports accountability for their actions.
- Maintain Audit Logs for Sufficient Retention Period
Description: This check ensures that audit logs are retained for a sufficient period to support the traceability of individual user actions. The retention period aligns with the organization's requirements and regulatory obligations. By retaining logs for an appropriate duration, organizations can perform retrospective analysis and investigations, if necessary, to trace actions back to specific users.
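The two checks above (user identification in audit records, and a sufficient retention period) can be exercised against the AWS services this requirement lists. The following is an added example, not code from the original page or from AWS: it reads constructed CloudTrail records, reports who each event is accountable to and how strong that link is (an IAM user or a role session carrying `sourceIdentity` names a person; a bare role session name is caller-chosen; root credentials are shared, so no individual is identified), and then checks a constructed S3 lifecycle configuration for the CloudTrail bucket against a required retention. The record field layout follows CloudTrail's documented `userIdentity` structure; the sample values, the `required_days` figure and the bucket lifecycle rules are assumptions.

```python
"""Traceability checks over CloudTrail records plus an S3 lifecycle retention check."""
from typing import Optional

# Constructed sample CloudTrail records (not real events); only the fields the
# checks read are populated.
SAMPLE_RECORDS = [
    {
        "eventTime": "2024-01-10T12:00:00Z",
        "eventName": "PutBucketPolicy",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                          "accountId": "111111111111",
                          "arn": "arn:aws:iam::111111111111:user/alice"},
    },
    {
        "eventTime": "2024-01-10T12:05:00Z",
        "eventName": "CreateUser",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111111111111:assumed-role/AdminRole/bob@example.com",
            "sessionContext": {
                "sessionIssuer": {"type": "Role", "userName": "AdminRole"},
                # set by the identity provider at federation time, not by the caller
                "sourceIdentity": "bob@example.com",
            },
        },
    },
    {
        "eventTime": "2024-01-10T12:10:00Z",
        "eventName": "DeleteTrail",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111111111111:assumed-role/CiRole/i-0abc123",
            "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "CiRole"}},
        },
    },
    {
        "eventTime": "2024-01-10T12:15:00Z",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "Root", "accountId": "111111111111",
                          "arn": "arn:aws:iam::111111111111:root"},
    },
]


def classify_record(record: dict) -> dict:
    """Return who is accountable for one CloudTrail record and how strong the link is.

    strength: "strong" - the record names an individual (IAM user, or a role
                         session whose sourceIdentity was set by the IdP)
              "weak"   - only a caller-chosen role session name is available
              "none"   - shared or missing identity (root, no userIdentity)
    """
    ident = record.get("userIdentity") or {}
    itype = ident.get("type")
    session = ident.get("sessionContext") or {}
    if itype == "IAMUser" and ident.get("userName"):
        return {"principal": ident["userName"], "strength": "strong"}
    if itype == "AssumedRole":
        source = session.get("sourceIdentity")
        if source:
            return {"principal": source, "strength": "strong"}
        # ARN shape: arn:aws:sts::<acct>:assumed-role/<RoleName>/<SessionName>
        session_name = ident.get("arn", "").rsplit("/", 1)[-1]
        return {"principal": f"role-session:{session_name}", "strength": "weak"}
    if itype == "Root":
        return {"principal": "root", "strength": "none"}
    return {"principal": "unknown", "strength": "none"}


def untraceable_events(records) -> list:
    """Events a reviewer should question: anything not strongly linked to a person."""
    return [(r["eventName"], classify_record(r))
            for r in records if classify_record(r)["strength"] != "strong"]


# Constructed S3 lifecycle configuration, in the shape returned by
# get_bucket_lifecycle_configuration, assumed to apply to the CloudTrail log bucket.
SAMPLE_LIFECYCLE = {"Rules": [
    {"ID": "expire-logs", "Status": "Enabled", "Filter": {"Prefix": ""},
     "Expiration": {"Days": 180}},
    {"ID": "disabled-rule", "Status": "Disabled", "Filter": {"Prefix": ""},
     "Expiration": {"Days": 7}},
]}


def effective_retention_days(lifecycle: dict) -> Optional[int]:
    """Shortest expiration among enabled rules; None means objects are never expired."""
    days = [r["Expiration"]["Days"] for r in lifecycle.get("Rules", [])
            if r.get("Status") == "Enabled" and "Days" in r.get("Expiration", {})]
    return min(days) if days else None


def retention_satisfies(lifecycle: dict, required_days: int) -> bool:
    """True when no enabled rule deletes logs before required_days (an assumed policy value)."""
    days = effective_retention_days(lifecycle)
    return days is None or days >= required_days


if __name__ == "__main__":
    for name, verdict in untraceable_events(SAMPLE_RECORDS):
        print(f"{name}: {verdict}")
    print("retention ok for 365 days:", retention_satisfies(SAMPLE_LIFECYCLE, 365))
```

In this run the `DeleteTrail` event (role session name only) and the root `ConsoleLogin` are surfaced as not attributable to a named person, and the 180-day lifecycle rule fails an assumed 365-day requirement; the disabled 7-day rule is correctly ignored. The same two functions can be pointed at real trail output and the real bucket lifecycle to produce the "screen shot of logs" and "configuration settings" evidence the page asks for.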
More Details:
Logging and monitoring systems ensure that information access can be traced back to individual users.