3.3.1 has a weight of -5 points

(Audit and Accountability Family) 1/9

Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.

Video

Example of Sysytem Security Plan (SSP):

System Security Plan (SSP) for Control 3.3.1

Control Identifier: 3.3.1

Control Title: System Audit Logs and Records

1. Control Description: Control 3.3.1 mandates the creation and retention of system audit logs and records, enabling the monitoring, analysis, investigation, and reporting of any unlawful or unauthorized system activity.

2. Implementation Status: Implemented

3. Implementation Description:

a. Objective: Our primary objective is to continuously monitor, analyze, and report on system activity that may indicate potential security threats or breaches.

b. Methodology:

SIEM Utilization: Our SIEM tool (Azure Sentinel) is employed to aggregate and monitor all audit logs, ensuring that even if local event logs are deleted, copies are retained

c. Event Types and Relevance:

We have earmarked specific event types deemed vital for system and operational security, including password changes, failed logons/accesses, administrative privilege usage, and third-party credential applications.
Event types selected are synchronized with the requirements for each Controlled Unclassified Information (CUI) security provision.

d. Audit Requirements and Considerations:

We determined an appropriate logging level for each event type, ensuring a balance between auditing needs and system performance impacts.
Explicit content for audit records is determined, capturing essential data such as timestamps, source/destination addresses, user/process identifiers, event details, success/failure status, files involved, and rules invoked.
We’ve judiciously decided on the necessary detail levels for logs, ensuring clarity while avoiding irrelevant or potentially misleading data.
Logging requirements encompass distributed transactional processes and activities in cloud architectures.

e. Retention and Review:

Our policy mandates the retention of audit logs for a 6 month period.
Audit logs undergo routine reviews and analyses, aiding in risk-based decisions and highlighting potential security threats.

f. Guidance and Best Practices:

For effective security log management, we’ve consulted and integrated insights from the NIST Special Publication 800-92.

4. Monitoring & Reporting:

Our SIEM tool and physical premise security system remain pivotal in logging and monitoring all relevant system activities.
The company has outlined precise audit log requirements for every system within the environment that could produce pertinent security log data. This covers computer endpoints accessing CUI, servers processing CUI, the company firewall, and physical premise security systems.
Regular analytical reviews of the audit logs pinpoint potential security incidents or abnormalities, promoting timely responses and action.

Example of Plan of Action and Milestones ( POA & M):

Plan of Action and Milestones (POA&M) for Control 3.3.1

Control Identifier: 3.3.1

Control Title: System Audit Logs and Records

2. Implementation Status: Implemented

3. Identified Gaps:

Note: Since the control has been implemented, this section identifies potential future gaps or improvements.

Potential need for enhanced encryption methods for stored logs to ensure data integrity and security.
Expansion of monitored event types as new technologies and threats emerge.
Regular updates to physical security systems for monitoring on-premises activities.

4. Actions Planned:

a. Enhanced Encryption:

Objective: Ensure stored logs’ security and integrity.
Action Steps:
1. Research new encryption techniques or tools suitable for our SIEM tool and storage solutions.
2. Implement the selected encryption method.
3. Conduct a security test to confirm the effectiveness of the new encryption.
Expected Completion: [Specify Date]

b. Expansion of Monitored Events:

Objective: Stay updated with new technologies and potential threats.
Action Steps:
1. Confer with IT and security teams to identify emerging tech and threats.
2. Update the SIEM tool configurations to monitor new event types.
3. Train IT staff and relevant teams on the significance and indications of these new event types.
Expected Completion: [Specify Date]

c. Physical Security Systems Update:

Objective: Improve monitoring of on-premises activities.
Action Steps:
1. Evaluate the current physical security systems’ performance and identify areas of improvement.
2. Procure and install updated physical security systems as needed.
3. Train the security team on the features and proper utilization of the new systems.
Expected Completion: [Specify Date]

5. Monitoring & Review:

Continuous monitoring through the SIEM tool will ensure compliance and timely identification of potential issues.
Scheduled quarterly reviews of this POA&M to track progress, address any delays, and re-prioritize actions as needed.

6. Responsible Parties:

IT Department: Oversee the enhancement of encryption and expansion of monitored events.
Security Department: Responsible for the update and proper functioning of physical security systems.
HR & Training Department: Facilitate the necessary training sessions for updated systems and event types.

RELEVANT INFORMATION:

An event is any observable occurrence in a system, which includes unlawful or unauthorized system activity. Organizations identify event types for which a logging functionality is needed as those events which are significant and relevant to the security of systems and the environments in which those systems operate to meet specific and ongoing auditing needs. Event types can include password changes, failed logons or failed accesses related to systems, administrative privilege usage, or third-party credential usage. In determining event types that require logging, organizations consider the monitoring and auditing appropriate for each of the CUI security requirements. Monitoring and auditing requirements can be balanced with other system needs. For example, organizations may determine that systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit logging capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of event types, the logging necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented or cloud-based architectures. Audit record content that may be necessary to satisfy this requirement includes time stamps, source and destination addresses, user or process identifiers, event descriptions, success or fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the system after the event occurred). Detailed information that organizations may consider in audit records includes full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit log information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest. Audit logs are reviewed and analyzed as often as needed to provide important information to organizations to facilitate risk-based decision making. [SP 800-92] provides guidance on security log management.

Resources to consider:



Security Policy Document:

This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.



Asset Inventory and Access Control Sheet:

Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.



User Account Management Log:

Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.



Password and Multi-Factor Authentication Policy:

Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.



Process and Script Accountability Log:

Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.



Device Access Control and VPN Policy:

Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.



Access Control Review and Monitoring Schedule:

Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.



User Training and Awareness Materials:

Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.