Level 2


Description:

This requirement ensures that the contents of the audit record include the information needed to link the audit event to the actions of an individual to the extent feasible. Organizations consider logging for traceability, including results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, communications at system boundaries, configuration settings, physical access, nonlocal maintenance, use of maintenance tools, temperature and humidity, equipment delivery and removal, system component inventory, use of mobile code, and use of Voice over Internet Protocol (VoIP).


Priority: High 


Domain: AUDIT AND ACCOUNTABILITY (AU) 


Services Associated with AWS: 

  • AWS CloudTrail
  • AWS Identity and Access Management (IAM)
  • AWS Security Hub


Services Associated with Azure:

  • Azure Active Directory (Azure AD)
  • Azure Log Analytics
  • Azure Security Center
  • Azure Sentinel
  • Azure Monitor


Objective Evidence: 

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Technical: screenshot of configuration settings
  • Technical: screenshot of logs from SIEM


Possible Technology Considerations:

  • Secure Baseline Configurations (SBC)
  • Centralized Log Management
  • Security Information & Event Management (SIEM)


What needs to be answered:

Can actions be traced to an individual user so they can be held accountable for their actions?


Checks for AWS

  • Enable User Accountability through Unique Tracing of Actions
    Description: This check ensures that organizations establish mechanisms to uniquely trace the actions of individual system users, enabling accountability for their activities. The audit records include information that links audit events to specific users to the extent feasible. Organizations consider logging practices for various activities such as account usage, remote access, wireless connectivity, mobile device connections, system boundary communications, configuration settings, physical access, nonlocal maintenance, use of maintenance tools, environmental conditions, equipment inventory, use of mobile code, and Voice over Internet Protocol (VoIP) usage.
  • Capture User Identification Information in Audit Records
    Description: This check verifies that audit records capture user identification information to facilitate the unique tracing of user actions. The information includes user identifiers, such as usernames or user account identifiers, associated with the performed actions. This allows for the correlation of audit events with specific users and supports accountability for their actions.
  • Maintain Audit Logs for Sufficient Retention Period
    Description: This check ensures that audit logs are retained for a sufficient period to support the traceability of individual user actions. The retention period aligns with the organization's requirements and regulatory obligations. By retaining logs for an appropriate duration, organizations can perform retrospective analysis and investigations, if necessary, to trace actions back to specific users.
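
Added example (not part of the original control text and not AWS tooling): a small Python check over CloudTrail-style records that reads the userIdentity element and reports which events can be tied to one person. The sample records are constructed, and the rule that an assumed-role session name must be the user's e-mail address is an assumed local policy.

```python
# Added example: constructed CloudTrail-style records, not real log data.
SAMPLE = [
    {"eventID": "ev-1", "eventName": "PutBucketPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventID": "ev-2", "eventName": "StopLogging",
     "userIdentity": {"type": "AssumedRole",
                      "principalId": "AROAEXAMPLEID:bob@example.com",
                      "sessionContext": {"sessionIssuer": {"userName": "Admin"}}}},
    {"eventID": "ev-3", "eventName": "DeleteTrail",
     "userIdentity": {"type": "AssumedRole",
                      "principalId": "AROAEXAMPLEID:deploy-session",
                      "sessionContext": {"sessionIssuer": {"userName": "Admin"}}}},
    {"eventID": "ev-4", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "Root"}},
]


def attribute(record):
    """Return (actor, traceable_to_individual) for one CloudTrail record."""
    uid = record.get("userIdentity") or {}
    kind = uid.get("type")
    if kind == "IAMUser":
        name = uid.get("userName")
        return name or "unknown", bool(name)
    if kind == "AssumedRole":
        # principalId is "<role-id>:<session-name>"; only the session name
        # distinguishes one person from another behind a shared role.
        session = uid.get("principalId", "").partition(":")[2]
        issuer = (uid.get("sessionContext") or {}).get("sessionIssuer") or {}
        role = issuer.get("userName", "unknown-role")
        # Assumption: local policy requires session names to be the user's e-mail.
        return f"{role}/{session}", "@" in session
    # Root and any other identity type cannot be tied to one person from the record alone.
    return kind or "unknown", False


def untraceable(records):
    """Event IDs whose record cannot be tied to an individual user."""
    return [r.get("eventID") for r in records if not attribute(r)[1]]


if __name__ == "__main__":
    for rec in SAMPLE:
        actor, ok = attribute(rec)
        print(rec["eventID"], rec["eventName"], actor, "OK" if ok else "REVIEW")
```

Events flagged for review here are the shared role session and the root login, the two cases where the record names an account or role but not a person.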
     


Checks for Azure

  • Enable User Accountability through Unique Tracing of Actions in Azure:
    Description: This check ensures that organizations in Azure establish mechanisms to uniquely trace the actions of individual system users, enabling accountability for their activities. The audit records generated capture information that links audit events to specific users to the extent feasible. Organizations consider logging practices for various activities, including account usage, remote access, wireless connectivity, mobile device connections, communications at system boundaries, configuration settings, physical access, nonlocal maintenance, use of maintenance tools, environmental conditions (such as temperature and humidity), equipment delivery and removal, system component inventory, use of mobile code, and Voice over Internet Protocol (VoIP) usage. By enabling unique tracing of user actions, organizations can hold individuals accountable for their actions within the system.
  • Capture User Identification Information in Audit Records in Azure:
    Description: This check verifies that audit records in Azure capture user identification information to facilitate the unique tracing of user actions. The information includes user identifiers, such as usernames or user account identifiers, associated with the performed actions. By including user identification information in audit records, organizations can correlate audit events with specific users and enhance accountability for their actions.
  • Maintain Audit Logs for Sufficient Retention Period in Azure:
    Description: This check ensures that audit logs in Azure are retained for a sufficient period to support the traceability of individual user actions. The retention period is determined based on the organization's requirements and regulatory obligations. By maintaining audit logs for an appropriate duration, organizations can perform retrospective analysis and investigations if needed, enabling the tracing of actions back to specific users and facilitating accountability.


More Details: Logging and monitoring systems ensure that information access can be traced back to individual users.