NIST 800-171
Audit and Accountability:
3.3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions.
3.3.3 Review and update logged events.
3.3.4 Alert in the event of an audit logging process failure.
3.3.5 Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
3.3.6 Provide audit record reduction and report generation to support on-demand analysis and reporting.
3.3.7 Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
3.3.8 Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
3.3.9 Limit management of audit logging functionality to a subset of privileged users.
RELEVANT INFORMATION:
These controls focus on establishing a comprehensive audit logging and monitoring capability to track system activity, ensure individual accountability, and detect potential security threats. They involve creating and retaining detailed audit logs, correlating records to support investigation and response, and protecting audit information and logging tools from unauthorized access, modification, and deletion. The controls also require alerting when the audit logging process fails and synchronizing system clocks with an authoritative time source so that audit records carry accurate time stamps for reporting and analysis.
Resources to consider:
3.1.1
Asset Inventory and Access Control Sheet:
Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.
User Account Management Log:
Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.
Password and Multi-Factor Authentication Policy:
Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.
Process and Script Accountability Log:
Maintain a log that associates each automated script and process with the specific authorized user who initiated it. This preserves accountability and prevents critical processes from running under generic, shared accounts that cannot be traced to an individual.
Device Access Control and VPN Policy:
Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.
Access Control Review and Monitoring Schedule:
Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.
User Training and Awareness Materials:
Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.