3.3.9 has a weight of -1 points

(Audit and Accountability Family) 9/9

Limit management of audit logging functionality to a subset of privileged users.


Example of System Security Plan (SSP):

      1. Control Identifier: 3.3.9

        Control Title: Limit management of audit logging functionality to a subset of privileged users.

        Control Description: This control focuses on restricting the management of audit logging functionality to a specific subset of privileged users. By doing so, the organization aims to prevent unauthorized individuals from inhibiting audit logging activities or modifying audit records, ensuring the reliability of audit information.

        Current Implementation:

        • Only authorized users have access to the system responsible for managing audit logs. This system, the Security Information and Event Management (SIEM) solution, operates with its own user authorization system and is isolated from other systems: it sits on a dedicated management network segment with no external access, reachable only over the log-forwarding path and from administrator consoles (a SIEM must still receive log feeds, so it is segregated rather than fully air-gapped).

        Limitation of Privileged Access:

        • The organization defines privileged access in a granular manner, distinguishing audit-related privileges (creating or changing audit rules and audit policy, starting or stopping audit services, and modifying or deleting audit records, including within the SIEM) from other administrative privileges, and assigns the audit-related privileges only to a named audit-administrator group.


      Example of Plan of Action and Milestones (POA&M):

      1. Audit-Related Privilege Definition:

      • Description: Clearly define and document audit-related privileges within the organization’s access control policies.

      • Responsible Party: IT Security Team

      • Target Completion Date: MM/DD/YYYY

      2. Access Control Review:

      • Description: Review and update access control policies to ensure that only users with the appropriate audit-related privileges can manage audit logging functionality.

      • Responsible Party: IT Security Team

      • Target Completion Date: MM/DD/YYYY

      3. Privileged User Training:

      • Description: Provide specialized training to privileged users with audit-related privileges to ensure they understand their responsibilities and limitations regarding audit logging functionality.

      • Responsible Party: Training and Development Team

      • Target Completion Date: MM/DD/YYYY

      4. Continuous Monitoring:

      • Description: Establish a continuous monitoring process to regularly assess and verify that only authorized users with audit-related privileges are managing audit logging functionality.

      • Responsible Party: IT Security Team

      • Target Completion Date: Ongoing

      5. Documentation Update:

      • Description: Update documentation, including the SSP and access control policies, to reflect the implementation of this control and the definition of audit-related privileges.

      • Responsible Party: IT Documentation Team

      • Target Completion Date: MM/DD/YYYY

      6. Periodic Audit:

      • Description: Conduct periodic audits to confirm compliance with the control’s requirements and assess the effectiveness of limiting privileged access.

      • Responsible Party: Internal Audit Team

      • Target Completion Date: MM/DD/YYYY

      Completion Criteria: Each POA&M item should be completed as per the target completion date. The responsible parties should ensure that the control is effectively implemented and continuously monitored.

      Review and Reporting: The organization’s IT Security Team will provide regular progress updates and reports to the senior management team regarding the status of the POA&M items and the overall effectiveness of the control.

      Signature: [Authorized Official]

      Date: MM/DD/YYYY

      RELEVANT INFORMATION:

      Individuals with privileged access to a system who are also the subject of an audit by that system may affect the reliability of audit information by inhibiting audit logging activities or modifying audit records. This requirement specifies that privileged access be further defined between audit-related privileges and other privileges, thus limiting the users with audit-related privileges.
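      As an added example (not part of the original page or of the example SSP above), the following Python script shows the kind of check behind the SSP's "granular" privilege definition and the POA&M's continuous-monitoring item: it enumerates which principals can manage audit logging on Linux (sudoers grants for auditd management commands, or ALL, which implies them) and on Windows (holders of the "Manage auditing and security log" user right, SeSecurityPrivilege, as exported by secedit), then reports any principal outside an approved subset. The sudoers file, the secedit fragment, the approved sets, the group names and the S-1-5-21 SID are constructed assumptions, not data from any real host.

```python
"""Audit-privilege subset check (added example; not from the original page).

Enumerates who can manage audit logging on two common platforms and reports
principals outside an approved subset.  All inputs are constructed samples.
  - Linux: sudoers grants that allow auditd management (or ALL, which implies it)
  - Windows: holders of SeSecurityPrivilege ("Manage auditing and security log")
    as exported by `secedit /export /cfg <file>.inf`
"""
import re

# Substrings identifying audit-management commands in a sudoers command field.
# Assumption: the hosts run auditd; adjust for another audit daemon.
AUDIT_MGMT_MARKERS = ("auditctl", "augenrules", "auditd", "/etc/audit/")

# Constructed sudoers file (not from a real host).
SAMPLE_SUDOERS = """\
Defaults        env_reset
Cmnd_Alias AUDIT_MGMT = /sbin/auditctl, /sbin/augenrules, /bin/systemctl restart auditd
Cmnd_Alias SERVICES   = /bin/systemctl restart nginx
root        ALL=(ALL:ALL) ALL
%auditadm   ALL=(root) AUDIT_MGMT          # intended audit-admin group
%wheel      ALL=(ALL) ALL                  # every wheel member can also stop auditd
jdoe        ALL=(root) NOPASSWD: SERVICES
ops         ALL=(root) /bin/systemctl stop auditd
"""
APPROVED_SUDO = {"root", "%auditadm"}   # assumption: the documented audit-admin subset

# Constructed `secedit /export` fragment; the S-1-5-21-... SID is made up.
SAMPLE_SECEDIT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeAuditPrivilege = *S-1-5-19,*S-1-5-20
SeSecurityPrivilege = *S-1-5-32-544,*S-1-5-21-1004336348-1177238915-682003330-1105
[Version]
signature="$CHICAGO$"
"""
APPROVED_WIN = {"S-1-5-32-544"}          # assumption: BUILTIN\Administrators only

# user  host=(runas) commands   (runas part optional)
_SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\([^)]*\)\s*)?(.*)$")


def _clean_cmd(cmd):
    """Drop leading sudoers tags such as NOPASSWD: or SETENV: from a command."""
    parts = cmd.strip().split()
    while parts and parts[0].isupper() and parts[0].endswith(":"):
        parts.pop(0)
    return " ".join(parts)


def sudo_audit_capable(sudoers_text):
    """Map each user/%group to the sudoers commands that let it manage auditd.

    Simplified parser: expands Cmnd_Alias, treats ALL as audit-capable, and
    ignores User_Alias/Host_Alias/Runas_Alias and line continuations.
    """
    aliases, grants = {}, {}
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments
        if not line or line.startswith(("Defaults", "User_Alias", "Host_Alias", "Runas_Alias")):
            continue
        if line.startswith("Cmnd_Alias"):
            name, _, body = line[len("Cmnd_Alias"):].partition("=")
            aliases[name.strip()] = [c.strip() for c in body.split(",")]
            continue
        m = _SPEC_RE.match(line)
        if not m:
            continue
        principal, _host, cmd_field = m.groups()
        cmds = []
        for c in cmd_field.split(","):
            c = _clean_cmd(c)
            cmds.extend(aliases.get(c, [c]))          # expand Cmnd_Alias names
        hits = [c for c in cmds if c == "ALL" or any(k in c for k in AUDIT_MGMT_MARKERS)]
        if hits:
            grants.setdefault(principal, []).extend(hits)
    return grants


def sudo_unapproved(sudoers_text, approved):
    """Principals with audit-management capability that are not in `approved`."""
    return sorted(p for p in sudo_audit_capable(sudoers_text) if p not in approved)


def windows_audit_right_holders(secedit_inf):
    """SIDs/accounts holding SeSecurityPrivilege in a secedit export."""
    in_section = False
    for raw in secedit_inf.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line == "[Privilege Rights]"
            continue
        if in_section and line.startswith("SeSecurityPrivilege"):
            _, _, value = line.partition("=")
            return {v.strip().lstrip("*") for v in value.split(",") if v.strip()}
    return set()


def windows_unapproved(secedit_inf, approved):
    """Holders of the audit-management right that are not in `approved`."""
    return sorted(windows_audit_right_holders(secedit_inf) - set(approved))


if __name__ == "__main__":
    print("Linux  : unapproved audit managers:", sudo_unapproved(SAMPLE_SUDOERS, APPROVED_SUDO))
    print("Windows: unapproved audit managers:", windows_unapproved(SAMPLE_SECEDIT, APPROVED_WIN))
```

      On the constructed input the Linux check reports %wheel and ops (a blanket ALL grant is an audit-management grant, and stopping auditd inhibits logging even though it touches no audit rule), and the Windows check reports the made-up S-1-5-21 SID. In practice, run it against /etc/sudoers together with /etc/sudoers.d/*, and against the output of secedit /export /cfg on each Windows host; on auditd hosts, placing -e 2 at the end of the audit rules makes the rule set immutable until reboot, so that even a root-equivalent account cannot silently change it between reviews.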

      Resources to consider:

      Security Policy Document:

      This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

      Asset Inventory and Access Control Sheet:

      Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

      User Account Management Log:

      Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

      Password and Multi-Factor Authentication Policy:

      Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

      Process and Script Accountability Log:

      Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

      Device Access Control and VPN Policy:

      Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

      Access Control Review and Monitoring Schedule:

      Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

      User Training and Awareness Materials:

      Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.