What You Need To Know About the Audit and Accountability (AU) Control Family

by Shea Simpson

What is auditing?

Auditing is the implementation of logging events that are occurring within an information system.

Why is the Audit and Accountability (AU) control family important?

The AU control family deals with the audit capabilities of an information system and the ability to link those events to individual users of the system to implement accountability. The AU control family contains provisions that ensure the right elements exist in information system logs, the logs are easily correlated to tell the story of who is doing what within the system, and that the logs are regularly reviewed to detect malicious activity.

In our article on the Access Control family, we used the analogy of giving keys out so that others could access your house. So let’s assume you have a group of people that are allowed in your house for different reasons. What if something happens while you’re gone? Let’s say that nice 65” UHD flat screen you got on Black Friday goes missing. There are several people who could have taken it.

Enter auditing. Instead of keys, let’s switch over to a keyless entry system with different combinations for each member of the group that needs access to your house. If that keyless entry system logged who entered the building at a specific time, you could narrow your list of suspects down to those individuals who had gone into the house the day your TV went missing.

System auditing works the same way. However, instead of looking for missing TVs, a good auditing system is looking at ALL events that occur within the system. It tracks the time the event occurred, the type of event, the source and outcome of the event, and any identities associated with the event. This makes it much easier to keep track of who is doing what within the system.

How does a good auditing implementation help governments?

Accountability. When a system has a sufficient auditing implementation in place, each event is easily traceable back to an identity, which is associated with a person or a group of people. This ensures that, should malicious activity occur within the system, you know who is doing it, how it is being done, where it is being done and when it is being done.

What is the easiest/simplest way for a provider to determine their current AU implementation?

Answer the following questions:

  • What events are you logging? Are those events sufficient to tell a complete story of the activities occurring within your system at all times?
  • Are you using logging tools? Are the tools used sufficient to capture all the necessary components of the events?
  • Are the log timestamps in sync across the various devices and systems? The only way to correlate log events is if the timestamps are standardized. The most common approach is to ensure all logs can be mapped to UTC.
  • Are your logs and logging tools protected from unauthorized access?
  • Are you reviewing the logs on a regular basis?

What does StateRAMP require in terms of the AU control family?

To meet the StateRAMP Minimum Mandates, service provider systems must be capable of the following:

  • Creating logs that contain the following information:
    • The type of event
    • When the event occurred
    • Where the event occurred
    • The source of the event
    • The outcome of the event
  • Any identities involved in the event
  • Timestamps that are correlated and can be mapped to UTC
  • Audit information and tools protected from unauthorized access, modification, and deletion
  • Audit logs retained for at least 90 days online and at least 1 year either online or offline

StateRAMP PMO Recommendations for Service Providers

While not a requirement for a service provider’s system, there are some recommendations the PMO has regarding system auditing. The first is establishing a central repository for the logs. This might be a syslog server or an S3 bucket to which all logs are sent. A central repository makes it much easier to read through your audit trail.

The next recommendation is that a service provider employs a Security Incident & Event Management platform (SIEM). A SIEM is an ideal way to correlate your logs, review your logs, and, as is standard on most SIEM products today, set up alerting should potentially malicious activity occur. Some commonly used SIEM products include Microsoft’s Azure Sentinel, the open-source Security Onion, the ever-popular Splunk, and the AWS-based Securonix.