3.3.2 has a weight of -3 points
(Audit and Accountability Family) 2/9
Ensure that the actions of individual system users can be uniquely traced users, so they can be held accountable for their actions.
Video
Example of Sysytem Security Plan (SSP):
System Security Plan (SSP): Control 3.2.2
Objective:
Ensure that the actions of individual system users can be uniquely traced to users, so they can be held accountable for their actions.
Implementation:
- User Authentication:
- Active Directory Domain Services (ADDS): Our organization uses ADDS to ensure that all users are given unique login credentials. No shared accounts exist within our infrastructure, making it easier to trace activities back to specific users.
- Monitoring:
- SIEM Tool Integration: Our SIEM solution ( Azure Sentinel) is deployed on all company-owned workstations, providing a centralized repository of all system events and user activities.
- Privileged-Access Monitoring: The SIEM tool actively records all privileged-access actions, ensuring that higher-level activities are transparent and traceable.
- Physical Tracking:
- Physical Premise Security System: Our organization has implemented an access badge system to control and monitor access to various parts of our facility. The badge system logs entry and exit times for every user.
- Security Cameras: Strategically placed security cameras capture physical activities within our premises. This provides an additional layer of security and ensures that we can trace physical actions back to individuals.
- Event Correlation:
- IP, MAC, & User Correlation: Every action recorded in our SIEM solution is associated with a specific IP address, MAC address, and user account. This allows for a high level of granularity when tracing actions back to users or devices.
- Time-stamped Events: All logged actions within the SIEM have precise timestamps. This helps in reconstructing events, correlating different activities, and identifying patterns.
Example of Plan of Action and Milestones ( POA & M):
Plan of Action & Milestones (POA&M) for Control 3.2.2
| Milestone | Task/Action | Responsible Party | Start Date | Expected Completion Date | Status | Notes |
|---|---|---|---|---|---|---|
| 1. | Initial Setup & Integration | |||||
| Integrate Active Directory Domain Services (ADDS) for user authentication | IT Team | [Start Date] | [End Date] | [In Progress/Done] | Ensure all users have unique credentials | |
| Deploy SIEM solution on all workstations | IT Team | [Start Date] | [End Date] | [In Progress/Done] | Verify the compatibility and efficiency of the SIEM tool | |
| 2. | Physical Security Implementation | |||||
| Setup Physical Premise Security System | Admin & Security Teams | [Start Date] | [End Date] | [In Progress/Done] | Badge system should be reliable and regularly audited | |
| Install and test security cameras | Security Team | [Start Date] | [End Date] | [In Progress/Done] | Ensure coverage of all critical areas | |
| 3. | Monitoring & Verification | |||||
| Periodic review of SIEM logs | Security & IT Teams | [Start Date] | [Recurring Date] | [In Progress/Done] | Weekly/Monthly reviews depending on organization size and requirements | |
| Regular tests of badge system and cameras | Admin & Security Teams | [Start Date] | [Recurring Date] | [In Progress/Done] | Conduct surprise drills or use test scenarios | |
| 4. | Continuous Improvement & Training | |||||
| Train employees on importance of unique credentials and security best practices | HR & Training Teams | [Start Date] | [End Date] | [In Progress/Done] | Make this training mandatory for all employees | |
| Upgrade SIEM tool capabilities and integration if needed | IT Team | [Start Date] | [End Date] | [In Progress/Done] | Keep an eye on advancements in SIEM solutions | |
| 5. | Audit & Compliance | |||||
| Internal Audit to ensure Control 3.2.2 compliance | Internal Audit Team | [Start Date] | [End Date] | [In Progress/Done] | Should be conducted annually or as deemed necessary |
RELEVANT INFORMATION:
This requirement ensures that the contents of the audit record include the information needed to link the audit event to the actions of an individual to the extent feasible. Organizations consider logging for traceability including results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, communications at system boundaries, configuration settings, physical access, nonlocal maintenance, use of maintenance tools, temperature and humidity, equipment delivery and removal, system component inventory, use of mobile code, and use of Voice over Internet Protocol (VoIP).
Resources to consider:
Security Policy Document:
This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.
Asset Inventory and Access Control Sheet:
Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.
User Account Management Log:
Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.
Password and Multi-Factor Authentication Policy:
Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.
Process and Script Accountability Log:
Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.
Device Access Control and VPN Policy:
Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.
Access Control Review and Monitoring Schedule:
Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.
User Training and Awareness Materials:
Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.