Key Takeaways
- Successful cybersecurity practices are based on established controls and system event logging monitoring, auditing, and reporting.
- The integration of system capabilities should notify administrators with real-time alerts and reporting along with time stamps for audit records.
- The integrity and accuracy of audit logging processes is essential in preventing gaps in security monitoring.
- Audit logging and monitoring should be assigned only to identified privileged users.
NIST SP 800-171 – Audit and Accountability Security Requirement Overview
This blog focuses on the creation and preservation of system audit logs (3.3.1), the unique traceability of system actions (3.3.2), and the importance of reviewing and updating logged events (3.3.3). This NIST SP 800-171 security requirement is crucial in supporting the cybersecurity framework for an organization.
Audit and Accountability tools work together to identify, document, and report on auditable system transactions and provide audit records to meet system compliance.
- Auditing is the process of systematically examining cybersecurity controls and procedures to assess their effectiveness. This can involve reviewing logs, interviewing personnel, and testing security systems. The goal of an audit is to identify any weaknesses or gaps in the system environment and take corrective action to address them.
- Accountability is the process of holding individuals and organizations responsible for their actions. Accountability is achieved through reviewing audit transaction records including the information needed to link audit events to the actions of an individual.
Understanding and Implementing Audit and Accountability
3.3.1. Creating and retaining system audit logs and records. The system audit log tracks system activities providing a chronological account for security analysis and compliance. This process involves configuring systems to automatically log key events like user logins, file accesses, and system changes. These logs must be stored securely in a centralized log management system based on the regulatory standards your company is aiming to align to whether it is FISMA, HIPAA, SOX, GLBA, or PCI DSS. Audit logs should be reviewed and backed up on a regular schedule to meet compliance requirements.
3.3.2. Providing means to link individual system actions to specific users. Just as every item in a store has a unique barcode to track it, there is a unique identifier for every user action that takes place within an organization’s system. This identifier highlights the traceability of actions of a given user. Audit logs must record specific activities of users and associate them to their accounts. This is important for accountability purposes as well as assessing security incidents. In order to ensure traceability, user privileges as well as access log reviews should be regularly performed.
3.3.3. Audit log reviews and updates. Audit log reviews and updates should be automated systems that identify and flag unusual activities including log doctoring. Regularly updating logging criteria based on emerging threats and changes within the organization and industry are critical. In addition, training personnel who are involved in reviewing these logs will keep them up to date on best practices.
Integration of Audit Logging Processes
3.3.4. Alert in the event of an audit Logging process failure. Ensuring the integrity of audit logging processes is essential in preventing gaps in security monitoring. 3.3.4 requires organizations to have alerts generated for failures in the logging process. Audit logging failures include: software and hardware errors, failures in the audit record capturing mechanisms, and audit record storage capacity being reached or exceeded. Alerts allow for a timely response by the appropriate personnel. Audit record review, analysis, and reporting processes should be integrated and not operate independently.
3.3.5. Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity. Integrating and correlating processes will aid in avoiding redundancies in reviewing and analyzing audit records. The correlation of audit record review, analysis, and reporting processes regarding the assessment is agnostic to whether applied at the system level or organization level across all systems.
3.3.6. Provide audit record reduction and report generation to support on-demand analysis and reporting. Efficiency in auditing under requirement 3.3.6 distills audit records down to essential information, generates reports as needed, and optimizes resources for agile analysis and reporting. An example of a meaningful format would be using data mining techniques with advanced data filters to identify anomalous behavior in audit records.
3.3.7. Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records. Organizations should have accurate and uniform timestamps within multiple system clocks and systems connected over a network. Organizations should ensure system clocks within a network are set to Coordinated Universal Time (UTC). Time service is critical to security capabilities such as access control, identification, and authentication. Organizations will enhance their ability to maintain a trustworthy chronological record of events when in compliance.
Limit Audit Logging Functionality to Authorized Users
3.3.9. Limit management of audit logging functionality to a subset of privileged users. There are several reasons to limit audit logging functionality. By restricting who can modify audit logs, this reduces the likelihood of someone tampering with the data whether intentionally or accidentally. Also, with less users having access to modify logging settings, chances of misconfigurations are low. Limits to audit logging functionality helps maintain the integrity and reliability of your audit data. Organizations can ensure accountability by enforcing the principles of least privilege, only allowing users to have the necessary permissions to complete their tasks. This makes it easier to identify who made changes to logging configurations and trace suspicious activity back to specific users. Restricting audit log management aligns with several security compliance frameworks and regulations, such as NIST SP 800-171 and CMMC, which emphasize the importance of protecting audit data and ensuring its integrity.
How to Limit Management of Audit Logging
- Identify the privileged users: Determine which users require access to manage audit logging based on their roles and responsibilities. These roles usually include system administrators, security analysts, and auditors.
- Implement access controls: Grant permissions to manage audit logging configurations to dedicated users. This may require creating dedicated roles or user groups with specific privileges for audit log management.
- Document and monitor access: Clearly document who has access to manage audit logging and regularly monitor their activity for any suspicious or unauthorized changes.
- Train users: Educate users on the importance of protecting audit data and the consequences of tampering or misconfiguring audit logs. Schedule annual compliance training.
The required control of audit records and user accountability as outlined in NIST SP 800-171 Revision 2 are key requirements in fortifying an organization’s defense against cybersecurity-related threats. This requirement focusing on recording processes, individual accountability, and securing logs enable organizations to be able to develop a solid and agile security framework.
These are just a few examples of how to implement Audit and Accountability whether you are a DoD Contractor or part of the Defense Industrial Base (DIB). Look for our next blog on Configuration Management.
Stay Ahead of the Game: Ensure Your NIST SP 800-171 Compliance for DoD Contracts
IBSS will use our 20 years of corporate DoD cybersecurity experience to prepare you for NIST SP 800-171 compliance. We specialize in developing cybersecurity strategies that align with organizational business processes to detect or prevent cyber attacks. We identify threats and vulnerabilities, and we assist organizations with managing risks to critical data. We provide expert support to promote compliance with Defense Federal Acquisition Regulation Supplement (DFARS), Federal Information Security Modernization Act (FISMA), Federal Risk and Authorization Management Program (FedRAMP), NIST SP 800-171, and Privacy requirements.
Contact us now to get a free consultation on how to develop your company’s NIST SP 800-171 SSP.