3.3.6 has a weight of -1 points

(Audit and Accountability Family) 6/9

Provide audit record reduction and report generation to support on-demand analysis and reporting.


Example of System Security Plan (SSP):

    System Security Plan (SSP) for [Company Name]

    Control Number: 3.3.6

    Control Title: Provide audit record reduction and report generation to support on-demand analysis and reporting.


    I. Control Overview:

    The objective of this control is to ensure that audit records are efficiently reduced and organized such that on-demand analysis and reporting can be promptly and accurately conducted.


    II. Implementation at [Company Name]:

    A. SIEM Tool Deployment:

    • The SIEM tool is deployed across all company-owned workstations. This centralized system automatically aggregates logs from all integrated workstations.
    • Alerts of a serious or critical nature are immediately sent to both our Security Operations Center (SOC) and IT department, thereby streamlining the incident detection process.
    • This automation eliminates the need for IT support staff to comb through event logs manually, ensuring more timely responses to potential threats.

    B. Reporting Capabilities:

    • The SIEM tool allows for the generation of diverse reports, such as logon failures and the detection of anomalous user logins. This not only helps in identifying potential threats but also enables the organization to discern broader cybersecurity trends.

    C. Assessed Audit Record Collection:

    • The responsibility for collecting audit records has been delegated to specific individuals or teams within the company. This ensures accountability and clarity in the audit process.
    • Audit information structure and format have been standardized to facilitate consistent data analysis.

    D. Time Stamp Granularity:

    • Adjustments have been made to the time stamp granularity within the SIEM tool to enhance the precision of event logging.

    E. Defined Report Templates:

    • Based on prior identified reporting needs, customizable report templates have been crafted. These templates ensure that reports are consistently structured while still allowing for flexibility based on specific analysis requirements.

    F. Established On-Demand Procedures:

    • A clear procedure has been defined for on-demand access and analysis of audit records. This ensures that when real-time or impromptu reports are needed, there’s a standardized method to generate and deliver them.

    III. Solution Overview:

    • Together, the SIEM tool and Siemens SOC solution create a robust and integrated system that aligns with the organization’s commitment to cybersecurity and compliance with the defined control objectives.

    Example of Plan of Action and Milestones (POA&M):

    Plan of Actions & Milestones (POA&M) for [Company Name]

    Control Number: 3.3.6


    1. Objective: Expand Reporting Capabilities

    • Action: Regularly review the effectiveness and relevance of the generated reports to adapt to evolving organizational needs.
    • Milestone: Bi-annual review of the report types and contents.
    • Estimated Completion Date: [Date]
    • Responsible Party: SOC Team & IT Department

    2. Objective: Refine Report Templates

    • Action: Seek feedback from users of the reports and refine templates to better serve the organization’s needs.
    • Milestone: Annual feedback collection and template refinement.
    • Estimated Completion Date: [Date]
    • Responsible Party: SOC Team

    3. Objective: Review On-Demand Procedures

    • Action: Regularly evaluate the efficiency of on-demand procedures to ensure rapid report generation and delivery.
    • Milestone: Bi-annual review and testing of on-demand report generation.
    • Estimated Completion Date: [Date]
    • Responsible Party: IT Department & SOC Team


    RELEVANT INFORMATION:

    Audit record reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or organizational entities conducting auditing activities. Audit record reduction capability can include, for example, modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can help generate customizable reports. Time ordering of audit records can be a significant issue if the granularity of the time stamp in the record is insufficient.
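The paragraph above describes audit record reduction, anomaly filtering, customizable report generation, and the time stamp granularity problem in the abstract, and section II.B of the SSP names logon-failure and anomalous-login reports as the concrete outputs. The following is an added example, not code from the page, the SSP, or any SIEM product: a small Python script that ingests constructed logon audit records (the line format, the baseline of expected source addresses, and the event IDs 4624/4625 borrowed from the Windows Security log convention are all assumptions), reduces them into per-user summaries, produces the two report types the SSP mentions, and checks whether the records can be ordered unambiguously at millisecond versus one-second granularity.

```python
"""Audit record reduction and report generation in the sense of 3.3.6.

Added example, not part of the original page. All records and the
baseline below are constructed sample data, not real audit output.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed audit records. Event IDs follow the Windows Security log
# convention (4624 = logon success, 4625 = logon failure); the key=value
# layout itself is an assumption for this example.
RAW_RECORDS = [
    "2024-03-01T08:00:01.120Z host=ws01 event=4624 user=alice src=10.0.0.5",
    "2024-03-01T08:00:01.450Z host=ws01 event=4625 user=bob src=10.0.0.9",
    "2024-03-01T08:00:02.010Z host=ws02 event=4625 user=bob src=10.0.0.9",
    "2024-03-01T08:00:02.730Z host=ws02 event=4625 user=bob src=10.0.0.9",
    "2024-03-01T08:00:03.300Z host=ws02 event=4624 user=bob src=10.0.0.9",
    "2024-03-01T08:05:10.000Z host=ws03 event=4624 user=carol src=203.0.113.7",
]

# Constructed baseline: source addresses each user normally logs in from.
BASELINE = {
    "alice": {"10.0.0.5"},
    "bob": {"10.0.0.9"},
    "carol": {"10.0.0.12"},
}

RECORD_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_record(line):
    """Parse one audit record line into a dict with a UTC datetime."""
    m = RECORD_RE.match(line)
    if not m:
        raise ValueError(f"unparseable audit record: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(
        tzinfo=timezone.utc
    )
    rec["event"] = int(rec["event"])
    return rec


def reduce_records(lines):
    """Audit record reduction: collapse raw records into per-user summaries."""
    summary = defaultdict(
        lambda: {"success": 0, "failure": 0, "sources": set(), "hosts": set()}
    )
    for rec in map(parse_record, lines):
        entry = summary[rec["user"]]
        if rec["event"] == 4624:
            entry["success"] += 1
        elif rec["event"] == 4625:
            entry["failure"] += 1
        entry["sources"].add(rec["src"])
        entry["hosts"].add(rec["host"])
    return dict(summary)


def users_with_failed_logons(lines, threshold):
    """Logon-failure report: users with at least `threshold` failures."""
    summary = reduce_records(lines)
    return sorted(u for u, e in summary.items() if e["failure"] >= threshold)


def find_anomalous_logins(lines, baseline):
    """Anomalous-login report: successful logons from a non-baseline source."""
    anomalies = []
    for rec in map(parse_record, lines):
        if rec["event"] == 4624 and rec["src"] not in baseline.get(rec["user"], set()):
            anomalies.append((rec["user"], rec["src"], rec["host"]))
    return anomalies


def ordering_is_unambiguous(lines, truncate_to_seconds=False):
    """True if every record carries a distinct time stamp at the chosen granularity.

    With the stamps truncated to whole seconds, two of the sample records
    collide, so their relative order can no longer be recovered from the
    records themselves: the granularity problem the discussion text describes.
    """
    stamps = []
    for rec in map(parse_record, lines):
        ts = rec["ts"].replace(microsecond=0) if truncate_to_seconds else rec["ts"]
        stamps.append(ts)
    return len(stamps) == len(set(stamps))


def generate_report(lines, baseline, failure_threshold=3):
    """Render the reduced data as a plain-text on-demand report."""
    summary = reduce_records(lines)
    out = [f"Logon summary (reduced from {len(lines)} records)"]
    for user in sorted(summary):
        e = summary[user]
        out.append(
            f"  {user:<8} success={e['success']} failure={e['failure']} "
            f"sources={','.join(sorted(e['sources']))}"
        )
    out.append(f"Users with >= {failure_threshold} logon failures: "
               f"{', '.join(users_with_failed_logons(lines, failure_threshold)) or 'none'}")
    out.append("Anomalous successful logons (source not in baseline):")
    for user, src, host in find_anomalous_logins(lines, baseline):
        out.append(f"  {user} from {src} on {host}")
    out.append(f"Ordering unambiguous at ms granularity: {ordering_is_unambiguous(lines)}")
    out.append(f"Ordering unambiguous at 1s granularity: "
               f"{ordering_is_unambiguous(lines, truncate_to_seconds=True)}")
    return "\n".join(out)


if __name__ == "__main__":
    print(generate_report(RAW_RECORDS, BASELINE))
```

Running the script prints the reduced summary, lists bob under the failure report and carol under the anomalous-login report, and shows that ordering holds at millisecond granularity but not once the stamps are truncated to whole seconds. In a real deployment the records would come from the SIEM's export rather than an inline list, and the baseline would be derived from historical data rather than hand-written; the reduction and reporting logic is the same.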

    Resources to consider:

    Security Policy Document:

    This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

    Asset Inventory and Access Control Sheet:

    Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

    User Account Management Log:

    Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

    Password and Multi-Factor Authentication Policy:

    Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

    Process and Script Accountability Log:

    Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

    Device Access Control and VPN Policy:

    Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

    Access Control Review and Monitoring Schedule:

    Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

    User Training and Awareness Materials:

    Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.