Organizational Control: Audit Review, Analysis, And Reporting

Control ID: AU-6 Audit Review, Analysis, And Reporting
Family: Audit and Accountability
Source: NIST 800-53r4
Control: The organization:
  1. Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and
  2. Reports findings to [Assignment: organization-defined personnel or roles].
Supplemental Guidance:
Audit review, analysis, and reporting covers information security-related auditing performed by organizations including, for example, auditing that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at the information system boundaries, use of mobile code, and use of VoIP. Findings can be reported to organizational entities that include, for example, incident response team, help desk, information security group/department. If organizations are prohibited from reviewing and analyzing audit information or unable to conduct such activities (e.g., in certain national security applications or systems), the review/analysis may be carried out by other organizations granted such authority.

Related Controls: AC-2, AC-3, AC-6, AC-17, AT-3, CA-7, CM-5, CM-10, CM-11, IA-5, IR-5, IR-6, MA-4, MP-4, PE-3, PE-6, PE-14, PE-16, RA-5, SC-7, SC-18, SC-19, SI-3, SI-4, AU-7, AU-16, IA-3, SI-7
Control Enhancements:
(1) Audit Review, Analysis, And Reporting | Process Integration
The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.
Supplemental Guidance: Organizational processes benefiting from integrated audit review, analysis, and reporting include, for example, incident response, continuous monitoring, contingency planning, and Inspector General audits.
Related Controls: N/A

(3) Audit Review, Analysis, And Reporting | Correlate Audit Repositories
The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.
Supplemental Guidance: Organization-wide situational awareness includes awareness across all three tiers of risk management (i.e., organizational, mission/business process, and information system) and supports cross-organization awareness.
Related Controls: AU-12, IR-4

(5) Audit Review, Analysis, And Reporting | Integration / Scanning And Monitoring Capabilities
The organization integrates analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity.
Supplemental Guidance: This control enhancement does not require vulnerability scanning, the generation of performance data, or information system monitoring. Rather, the enhancement requires that the analysis of information being otherwise produced in these areas is integrated with the analysis of audit information. Security Event and Information Management System tools can facilitate audit record aggregation/consolidation from multiple information system components as well as audit record correlation and analysis. The use of standardized audit record analysis scripts developed by organizations (with localized script adjustments, as necessary) provides more cost-effective approaches for analyzing audit record information collected. The correlation of audit record information with vulnerability scanning information is important in determining the veracity of vulnerability scans and correlating attack detection events with scanning results. Correlation with performance data can help uncover denial of service attacks or cyber-attacks resulting in unauthorized use of resources. Correlation with system monitoring information can assist in uncovering attacks and in better relating audit information to operational situations.
Related Controls: AU-12, IR-4, RA-5
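The guidance above describes two uses of scan data: judging the veracity of an audit event against the target's scan results, and recognising that some "attack" records are produced by the organization's own scanner. The following is an added example, not text or code from NIST 800-53, showing a minimal correlation routine over constructed records. The dataclasses, field names, the scanner address 10.0.0.5 and the vulnerability identifiers "CVE-0000-0001" / "CVE-0000-0002" are all placeholders invented for the sample, not real identifiers.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class AuditEvent:
    """One IDS/audit record of an exploit attempt (constructed sample schema)."""
    ts: datetime
    src_ip: str
    dst_host: str
    vuln_id: str   # vulnerability identifier the detection signature maps to


@dataclass
class ScanResult:
    """One result from the most recent vulnerability scan (constructed schema)."""
    host: str
    vuln_id: str
    vulnerable: bool


@dataclass
class ScanWindow:
    """When an authorised scanner was active, and from which address."""
    scanner_ip: str
    start: datetime
    end: datetime


def correlate(events, scan_results, scan_windows):
    """Return (event, reason, priority) triples.

    priority is one of "suppress", "high", "low" or "medium".
    """
    vulnerable = {(r.host, r.vuln_id) for r in scan_results if r.vulnerable}
    covered = {(r.host, r.vuln_id) for r in scan_results}
    findings = []
    for e in events:
        # Records generated by the authorised scanner during its own window are
        # scan traffic, not an attack; left in, they flood the review queue.
        if any(w.scanner_ip == e.src_ip and w.start <= e.ts <= w.end
               for w in scan_windows):
            findings.append((e, "authorised scanner traffic", "suppress"))
            continue
        key = (e.dst_host, e.vuln_id)
        if key in vulnerable:
            findings.append((e, "target vulnerable per latest scan", "high"))
        elif key in covered:
            findings.append((e, "target not vulnerable per latest scan", "low"))
        else:
            # No scan coverage: the event cannot be downgraded, so it stays in the queue.
            findings.append((e, "no scan coverage for target", "medium"))
    return findings


def sample_priorities():
    """Run correlate() over constructed sample data; returns (host, priority) pairs."""
    t = lambda h, m: datetime(2024, 1, 15, h, m)
    scanner = "10.0.0.5"   # constructed scanner address
    events = [
        AuditEvent(t(2, 10), scanner, "web-01", "CVE-0000-0001"),        # scanner noise
        AuditEvent(t(9, 30), "203.0.113.7", "web-01", "CVE-0000-0001"),  # vulnerable target
        AuditEvent(t(9, 31), "203.0.113.7", "web-02", "CVE-0000-0001"),  # patched target
        AuditEvent(t(9, 32), "203.0.113.7", "db-01", "CVE-0000-0002"),   # never scanned
    ]
    scans = [
        ScanResult("web-01", "CVE-0000-0001", True),
        ScanResult("web-02", "CVE-0000-0001", False),
    ]
    windows = [ScanWindow(scanner, t(2, 0), t(3, 0))]
    return [(f[0].dst_host, f[2]) for f in correlate(events, scans, windows)]


if __name__ == "__main__":
    for host, priority in sample_priorities():
        print(host, priority)
```

The scan-window check must key on both the source address and the time: an event from the scanner's address outside its scheduled window should not be suppressed, since that address may have been spoofed or the scanner host itself compromised.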

(6) Audit Review, Analysis, And Reporting | Correlation With Physical Monitoring
The organization correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.
Supplemental Guidance: The correlation of physical audit information and audit logs from information systems may assist organizations in identifying examples of suspicious behavior or supporting evidence of such behavior. For example, correlating an individual's identity for logical access to certain information systems with the additional physical security information that the individual was actually present at the facility when the logical access occurred may prove useful in investigations.
Related Controls: N/A
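The presence check described in the supplemental guidance, as an added example that is not part of NIST 800-53 and not any product's implementation: badge reader records are turned into per-person presence intervals, and each console logon is checked against the interval for the facility that houses the host. The record schemas, user names, host names, the facility label "HQ" and the host-to-facility mapping are all constructed for the sample. A missing badge-out (exit tailgating, reader fault) is treated as an open-ended interval, so a stale exit record never turns a legitimate logon into a false positive.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass
class BadgeEvent:
    """One physical access record (constructed sample schema)."""
    ts: datetime
    user: str
    facility: str
    direction: str   # "in" or "out"


@dataclass
class LogonEvent:
    """One information-system logon record (constructed sample schema)."""
    ts: datetime
    user: str
    host: str
    logon_type: str  # "console" (at the keyboard) or "remote"


def presence_intervals(badge_events):
    """Map (user, facility) -> list of (entered, left) intervals.

    'left' is None while no badge-out has been seen, i.e. the interval is open
    and the person is assumed still on site rather than absent.
    """
    intervals = defaultdict(list)
    for b in sorted(badge_events, key=lambda b: b.ts):
        key = (b.user, b.facility)
        has_open = bool(intervals[key]) and intervals[key][-1][1] is None
        if b.direction == "in" and not has_open:
            intervals[key].append((b.ts, None))
        elif b.direction == "out" and has_open:
            entered, _ = intervals[key][-1]
            intervals[key][-1] = (entered, b.ts)
        # A badge-out with no prior badge-in, or a repeated badge-in, is ignored.
    return intervals


def present(intervals, user, facility, ts):
    """True if the user was inside 'facility' at time ts according to badge data."""
    return any(start <= ts and (end is None or ts <= end)
               for start, end in intervals.get((user, facility), []))


def flag_console_logons(logons, badge_events, host_facility):
    """Return (user, host, ts) for console logons with no matching physical presence."""
    intervals = presence_intervals(badge_events)
    flagged = []
    for logon in logons:
        if logon.logon_type != "console":
            continue   # remote logons legitimately occur off-site
        facility = host_facility.get(logon.host)
        if facility is None:
            continue   # host has no physical location on record; nothing to correlate
        if not present(intervals, logon.user, facility, logon.ts):
            flagged.append((logon.user, logon.host, logon.ts))
    return flagged


def sample_flags():
    """Run the check over constructed data; returns (user, host) pairs that were flagged."""
    t = lambda h, m: datetime(2024, 1, 15, h, m)
    badges = [
        BadgeEvent(t(8, 0), "alice", "HQ", "in"),
        BadgeEvent(t(7, 0), "carol", "HQ", "in"),
        BadgeEvent(t(7, 30), "carol", "HQ", "out"),
        BadgeEvent(t(6, 0), "dave", "HQ", "in"),   # no badge-out recorded
    ]
    logons = [
        LogonEvent(t(8, 15), "alice", "hq-ws-01", "console"),  # on site: not flagged
        LogonEvent(t(9, 0), "bob", "hq-ws-02", "console"),     # never badged in: flagged
        LogonEvent(t(9, 0), "carol", "hq-ws-03", "console"),   # left at 07:30: flagged
        LogonEvent(t(10, 0), "dave", "hq-ws-04", "console"),   # open interval: not flagged
        LogonEvent(t(11, 0), "erin", "vpn-gw", "remote"),      # remote: not checked
    ]
    host_facility = {"hq-ws-01": "HQ", "hq-ws-02": "HQ",
                     "hq-ws-03": "HQ", "hq-ws-04": "HQ"}
    return [(u, h) for u, h, _ in flag_console_logons(logons, badges, host_facility)]


if __name__ == "__main__":
    for user, host in sample_flags():
        print(f"console logon by {user} on {host} without physical presence")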
References: N/A
Mechanisms:

Protocol Implementation Conformance Statements: N/A