3.3.8 has a weight of -1 point
(Audit and Accountability Family) 8/9
Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
Example of System Security Plan (SSP):
System Security Plan (SSP) – Control 3.3.8
Control Identifier: 3.3.8
Control Title: Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
Control Description:
This control focuses on safeguarding audit information and audit logging tools from unauthorized access, alterations, and deletions. Our organization takes comprehensive measures to achieve this control requirement, as detailed below:
Security Information and Event Management (SIEM):
- Our organization employs a Security Information and Event Management (SIEM) system to manage and retain audit logs. The SIEM operates as a system separate from the hosts that produce the logs, so that compromise of a monitored host does not give an attacker the ability to alter records that host has already sent.
- The SIEM solution may be either cloud-based or on-premises, but it is always implemented as a separate and isolated system.
- Access to the SIEM system is protected by its own login system, independent of other authentication mechanisms such as Active Directory, so that compromise of a directory account does not carry over to the audit records.
Immutable Audit Logs:
- Audit logs and records are configured to be immutable for a minimum period of one year. Once data is written into the system, it cannot be erased or modified within this timeframe.
Limited Access:
- Only authorized users with explicit permissions have access to the SIEM solution. The SIEM is segmented from the systems it monitors: the only connectivity permitted between them is the log-forwarding path into the SIEM, and the SIEM's management interface is not reachable from the monitored environment, so an account or host compromised there does not provide a path to the audit records.
Protection of Audit Information:
- Audit information encompasses all relevant data, including audit records, audit log settings, and audit reports, necessary for conducting system activity audits.
Technical Protections:
- Technical safeguards are implemented to prevent unauthorized access to audit information. These safeguards include robust authentication mechanisms, encryption, and access controls.
Limitations on Audit Logging Tools:
- Access to and execution of audit logging tools are restricted to authorized individuals with the appropriate permissions. Unauthorized use or execution of these tools is not allowed.
Physical and Environmental Protections:
- Physical protection of audit information is addressed through media protection measures and compliance with physical and environmental protection requirements.
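The "Immutable Audit Logs" and "Technical Protections" entries above state that records cannot be modified or erased once written, but an assessor will ask how the organization would know if they were. The following Python example, added here and not part of the SSP or of any SIEM product, shows the usual technique behind that claim: each record carries an HMAC over the previous record's tag, its sequence number and its own text, so a modified or removed record breaks the chain, and the head tag is recorded off-host (the "anchor", standing in for what the SIEM holds) so that cutting records off the tail is caught as well. The key, record text and field names are constructed for the example.

```python
"""Tamper-evident audit records via an HMAC chain with an off-host anchor.

Added example, not the SSP's own SIEM mechanism: shows why a chain alone detects
modification and deletion but an externally held head tag is needed for truncation.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # stands in for the tag of the record before the first one


def _tag(key: bytes, prev_tag: str, seq: int, record: str) -> str:
    """HMAC-SHA256 over previous tag, sequence number and record text.
    Binding prev_tag links the records; binding seq stops a record being moved."""
    return hmac.new(key, f"{prev_tag}|{seq}|{record}".encode(), hashlib.sha256).hexdigest()


class ChainedLog:
    """Append-only writer side (the logging host)."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.entries: List[Dict] = []

    @property
    def head(self) -> str:
        return self.entries[-1]["tag"] if self.entries else GENESIS

    def append(self, record: str) -> str:
        seq = len(self.entries)
        tag = _tag(self._key, self.head, seq, record)
        self.entries.append({"seq": seq, "record": record, "tag": tag})
        return tag

    def export(self) -> List[str]:
        """One JSON line per record, as stored on disk or shipped to the SIEM."""
        return [json.dumps(e, sort_keys=True) for e in self.entries]


def verify_chain(lines: List[str], key: bytes, anchor: Optional[str] = None) -> Tuple[bool, str]:
    """Verifier side. anchor is the head tag the SIEM recorded when the last record
    arrived; without it a log cut short at the tail still verifies."""
    prev = GENESIS
    for i, line in enumerate(lines):
        entry = json.loads(line)
        if entry["seq"] != i:
            return False, f"sequence gap at position {i}: found seq {entry['seq']}, record(s) removed"
        if not hmac.compare_digest(_tag(key, prev, i, entry["record"]), entry["tag"]):
            return False, f"tag mismatch at seq {i}: record modified or chain broken"
        prev = entry["tag"]
    if anchor is not None and not hmac.compare_digest(prev, anchor):
        return False, "head tag differs from the off-host anchor: records missing from the tail"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the verifier over an intact log and three tampered copies of it."""
    # Constructed records and key; in practice the key lives only with the verifier.
    key = b"example-verifier-key-not-for-production"
    log = ChainedLog(key)
    for record in [
        "2024-05-01T10:00:01Z sshd: accepted publickey for alice from 10.0.0.5",
        "2024-05-01T10:02:17Z sudo: alice : COMMAND=/usr/sbin/auditctl -l",
        "2024-05-01T10:03:40Z sudo: alice : COMMAND=/bin/rm /var/log/audit/audit.log.1",
        "2024-05-01T10:03:41Z auditd: log file audit.log.1 removed",
    ]:
        log.append(record)
    anchor = log.head          # what the SIEM holds after the last shipment
    lines = log.export()

    modified = list(lines)     # attacker edits the rm command out of record 2
    entry = json.loads(modified[2])
    entry["record"] = entry["record"].replace("/bin/rm", "/bin/ls")
    modified[2] = json.dumps(entry, sort_keys=True)

    deleted = lines[:2] + lines[3:]   # attacker drops record 2 entirely
    truncated = lines[:3]             # attacker removes the newest record

    return {
        "intact": verify_chain(lines, key, anchor),
        "modified": verify_chain(modified, key, anchor),
        "deleted": verify_chain(deleted, key, anchor),
        "truncated_without_anchor": verify_chain(truncated, key),
        "truncated_with_anchor": verify_chain(truncated, key, anchor),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:26} {'PASS' if ok else 'FAIL'}  {reason}")
```

The truncation case is the one to remember: if the key and the latest head tag sit on the same host as the log, an attacker with root can simply drop the newest records, or rebuild the whole chain, and the check passes. The verification key and anchor have to be held by a system the logging host cannot write to, which is exactly the role the SSP gives the separate SIEM.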
Example of Plan of Action and Milestones (POA&M):
Plan of Action and Milestones (POA&M) for Control 3.3.8
Control Identifier: 3.3.8
Control Title: Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
Control Description: This control focuses on safeguarding audit information and audit logging tools from unauthorized access, alterations, and deletions.
Current Status: The organization has implemented measures to protect audit information and audit logging tools as outlined in the SSP.
POA&M Items:
1. SIEM System Configuration Enhancement:
- Description: Review and enhance the configuration of the SIEM system to ensure it effectively manages and retains audit logs.
- Responsible Party: IT Security Team
- Target Completion Date: MM/DD/YYYY
2. Immutable Audit Logs Implementation:
- Description: Implement and verify the immutability of audit logs and records for a minimum period of one year.
- Responsible Party: System Administrators
- Target Completion Date: MM/DD/YYYY
3. Access Control Review:
- Description: Review and update access control policies to ensure only authorized users have access to the SIEM solution.
- Responsible Party: IT Security Team
- Target Completion Date: MM/DD/YYYY
4. Technical Protections Enhancement:
- Description: Evaluate and enhance technical safeguards for preventing unauthorized access to audit information, including encryption and authentication mechanisms.
- Responsible Party: IT Security Team
- Target Completion Date: MM/DD/YYYY
5. Limitations on Audit Logging Tools:
- Description: Ensure that only authorized individuals with the appropriate permissions can access and execute audit logging tools.
- Responsible Party: System Administrators
- Target Completion Date: MM/DD/YYYY
6. Physical and Environmental Protection Assessment:
- Description: Conduct an assessment to verify compliance with physical and environmental protection requirements for safeguarding audit information.
- Responsible Party: Facilities Management
- Target Completion Date: MM/DD/YYYY
7. Ongoing Monitoring and Maintenance:
- Description: Implement continuous monitoring processes to ensure that the protections for audit information and audit logging tools remain effective over time.
- Responsible Party: IT Security Team
- Target Completion Date: Ongoing
8. Documentation Update:
- Description: Update documentation, including the SSP, to reflect the implementation and enhancements made to protect audit information and audit logging tools.
- Responsible Party: IT Documentation Team
- Target Completion Date: MM/DD/YYYY
9. Training and Awareness:
- Description: Provide training and awareness programs to ensure that all relevant personnel are informed about the importance of protecting audit information.
- Responsible Party: IT Security Team
- Target Completion Date: MM/DD/YYYY
10. Periodic Review and Reporting:
- Description: Establish a process for periodic review and reporting on the effectiveness of audit information protection measures to senior management.
- Responsible Party: IT Security Team
- Target Completion Date: MM/DD/YYYY
Review and Reporting: The organization’s IT Security Team will provide regular progress updates and reports to the senior management team regarding the status of the POA&M items and the overall effectiveness of the control.
Signature: [Authorized Official]
Date: MM/DD/YYYY
RELEVANT INFORMATION:
Audit information includes all information (e.g., audit records, audit log settings, and audit reports) needed to successfully audit system activity. Audit logging tools are those programs and devices used to conduct audit and logging activities. This requirement focuses on the technical protection of audit information and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by media protection and physical and environmental protection requirements.
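The discussion text above limits access to and execution of audit logging tools to authorized individuals and covers the audit log settings as well as the records. On a Linux host the tools are auditd and auditctl, the settings live under /etc/audit and the records under /var/log/audit. The following Python example, added here and not taken from NIST or from the auditd project, reads the text of an auditd.conf and an audit rules file and reports settings that would undercut 3.3.8: rotation that discards the oldest log, disk-full actions that let records be lost silently, missing watches on the log directory, the configuration directory and the tools themselves, and a rule set not locked with `-e 2`. The two configurations are constructed for the example; the function works on file contents only and does not inspect live file ownership or permissions, which still need to be checked on the host.

```python
"""Review Linux auditd settings for the protections NIST SP 800-171 3.3.8 asks for.

Added example: parses the text of /etc/audit/auditd.conf and an audit.rules file
and returns a list of findings. It does not touch the running system.
"""
from typing import Dict, List, Optional, Set, Tuple

# Paths that should be watched, with the auditctl permission letters each needs:
# w/a (write, attribute change) for records and configuration, x (execute) for tools.
REQUIRED_WATCHES: Dict[str, Tuple[Set[str], str]] = {
    "/var/log/audit/": ({"w", "a"}, "audit records"),
    "/etc/audit/": ({"w", "a"}, "audit configuration"),
    "/sbin/auditctl": ({"x"}, "audit logging tool auditctl"),
    "/sbin/auditd": ({"x"}, "audit logging tool auditd"),
}


def _strip(line: str) -> str:
    return line.split("#", 1)[0].strip()


def _norm(path: str) -> str:
    # merged-/usr distributions install the tools under /usr/sbin; treat both spellings alike
    return path[4:] if path.startswith("/usr/") else path


def parse_auditd_conf(text: str) -> Dict[str, str]:
    """key = value pairs, lower-cased (auditd accepts values in either case)."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = _strip(raw)
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip().lower()] = value.strip().lower()
    return conf


def parse_audit_rules(text: str) -> Tuple[Dict[str, Set[str]], bool]:
    """Return {watched path: permission letters} and whether the rules are locked (-e 2)."""
    watches: Dict[str, Set[str]] = {}
    locked = False
    for raw in text.splitlines():
        toks = _strip(raw).split()
        if not toks:
            continue
        if toks[0] == "-w" and len(toks) >= 2:
            perms = set(toks[toks.index("-p") + 1]) if "-p" in toks[:-1] else set()
            watches[_norm(toks[1])] = perms
        elif toks[0] == "-e" and len(toks) >= 2:
            locked = toks[1] == "2"
    return watches, locked


def audit_findings(conf_text: str, rules_text: str) -> List[str]:
    findings: List[str] = []
    conf = parse_auditd_conf(conf_text)
    watches, locked = parse_audit_rules(rules_text)

    # Retention: ROTATE deletes the oldest file once num_logs is reached and IGNORE
    # just keeps writing; neither preserves records for a defined period on its own.
    action: Optional[str] = conf.get("max_log_file_action")
    if action in (None, "rotate", "ignore"):
        findings.append(f"max_log_file_action={action or 'unset'}: old audit records are discarded "
                        "or unmanaged; use keep_logs and ship records to the SIEM before rotation")
    # Disk pressure: with 'ignore' auditd carries on and events can be lost without notice.
    for key in ("space_left_action", "admin_space_left_action"):
        if conf.get(key) in (None, "ignore"):
            findings.append(f"{key}={conf.get(key) or 'unset'}: audit records can be lost "
                            "silently when the disk fills")
    group = conf.get("log_group", "root")
    if group != "root":
        findings.append(f"log_group={group}: confirm this group contains only authorized log readers")

    for path, (needed, what) in REQUIRED_WATCHES.items():
        perms = watches.get(path)
        if perms is None:
            findings.append(f"no watch on {path} ({what})")
        elif not needed <= perms:
            findings.append(f"watch on {path} lacks -p {''.join(sorted(needed))} ({what})")
    if not locked:
        findings.append("rules not locked with '-e 2': a privileged user can alter or clear "
                        "audit rules at runtime without a reboot")
    return findings


# Constructed sample configurations (not from any real host).
WEAK_CONF = """
log_file = /var/log/audit/audit.log
max_log_file = 8
max_log_file_action = ROTATE
num_logs = 5
space_left_action = SYSLOG
admin_space_left_action = ignore
"""
WEAK_RULES = """
-D
-b 8192
-w /etc/passwd -p wa -k identity
-w /var/log/audit/ -p r -k auditlog
"""
HARDENED_CONF = """
log_file = /var/log/audit/audit.log
log_group = root
max_log_file = 8
max_log_file_action = keep_logs
space_left_action = email
admin_space_left_action = halt
"""
HARDENED_RULES = """
-D
-b 8192
-w /var/log/audit/ -p wa -k auditlog
-w /etc/audit/ -p wa -k auditconfig
-w /usr/sbin/auditctl -p x -k audittools
-w /usr/sbin/auditd -p x -k audittools
-e 2
"""

if __name__ == "__main__":
    for name, conf, rules in (("weak", WEAK_CONF, WEAK_RULES), ("hardened", HARDENED_CONF, HARDENED_RULES)):
        print(f"== {name} ==")
        for finding in audit_findings(conf, rules) or ["no findings"]:
            print(" -", finding)
```

Two points the findings make that a policy statement alone does not: `keep_logs` only defers the problem to disk space, so the retention the SSP promises still depends on every record reaching the SIEM before the host copy is ever cleaned up; and `-e 2` protects the audit configuration only until the next reboot, so the watch on /etc/audit is what tells you whether someone changed what will load next time.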
Resources to consider:
Security Policy Document:
This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.
Asset Inventory and Access Control Sheet:
Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.
User Account Management Log:
Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.
Password and Multi-Factor Authentication Policy:
Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.
Process and Script Accountability Log:
Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.
Device Access Control and VPN Policy:
Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.
Access Control Review and Monitoring Schedule:
Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.
User Training and Awareness Materials:
Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.