NIST 800-171 - Automated Event Correlation (3.3.5)


Overview:
Use automated mechanisms to integrate and correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity.


Action Items:
3.3.5[a]
Determine if: audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity are defined.


3.3.5[b]
Determine if: defined audit record review, analysis, and reporting processes are correlated.


POTENTIAL ASSESSMENT METHODS AND OBJECTS


1) Examine: Audit and accountability policy; procedures addressing audit record review, analysis, and reporting; system security plan; system design documentation; system configuration settings and associated documentation; procedures addressing investigation of and response to suspicious activities; system audit logs and records across different repositories; other relevant documents or records.


2) Interview: Personnel with audit record review, analysis, and reporting responsibilities; personnel with information security responsibilities.


3) Test: Mechanisms supporting analysis and correlation of audit records; mechanisms integrating audit review, analysis, and reporting.


Related Documents (document name and content will vary by organization):
1) Audit and accountability policy
2) Procedures addressing audit record review, analysis, and reporting
3) System security plan
4) System design documentation
5) System configuration settings and associated documentation
6) Procedures addressing investigation of and response to suspicious activities
7) System audit logs and records across different repositories
8) Other relevant documents or records


Additional Guidance:
Correlating these processes helps to ensure that they do not operate independently but rather collectively. Regarding the assessment of a given organizational system, the requirement is agnostic as to whether this correlation is applied at the system level or at the organization level across all systems.



Article ID: 135
Created: September 26, 2022
Last Updated: September 27, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/nist-800-171-automated-event-correlation-3-3-5-135.html