FISMA NIST 800-53 (Rev 4) Audit and Accountability: Shared Public Cloud Infrastructure Standards



Similar documents
Security Standards Compliance NIST SP Release 4 Trend Micro Products (Deep Security and SecureCloud) - Version 1.00

Sample CDC Certification and Accreditation Checklist For an Application That Is Considered a Moderate Threat

FISMA / NIST REVISION 3 COMPLIANCE

Security Control Standards Catalog

Security and Privacy Controls for Federal Information Systems and Organizations

Security Standards Compliance CSEC ITSG-33 Trend Micro Products (Deep Security and SecureCloud) - Version 1.0

CTR System Report FISMA

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper

NIST A: Guide for Assessing the Security Controls in Federal Information Systems. Samuel R. Ashmore Margarita Castillo Barry Gavrich

Looking at the SANS 20 Critical Security Controls

ARS v2.0. Solution Brief. ARS v2.0. EventTracker Enterprise v7.x. Publication Date: July 22, 2014

Security Self-Assessment Tool

Compliance Overview: FISMA / NIST SP800 53

Bellingham Control System Cyber Security Case Study

FISMA NIST (Rev 4) Shared Public Cloud Infrastructure Standards

Government of Canada Managed Security Services (GCMSS) Appendix D: Security Control Catalogue ITSG-33 - Annex 3 DRAFT 3.1

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

Security Compliance In a Post-ACA World

Altius IT Policy Collection Compliance and Standards Matrix

Complying with National Institute of Standards and Technology (NIST) Special Publication (SP) An Assessment of Cyber-Ark's Solutions

Guideline on Auditing and Log Management

Security Controls Assessment for Federal Information Systems

ASIA/PAC AERONAUTICAL TELECOMMUNICATION NETWORK SECURITY GUIDANCE DOCUMENT

Get Confidence in Mission Security with IV&V Information Assurance

Security Control Standard

Enterprise Audit Management Instruction for National Security Systems (NSS)

CONTINUOUS MONITORING

Meeting RMF Requirements around Audit Log Management

COORDINATION DRAFT. FISCAM to NIST Special Publication Revision 4. Title / Description (Critical Element)

The Cloud in Regulatory Affairs - Validation, Risk Management and Chances -

UTILIZING CLOUDCHECKR FOR SECURITY

HHS Information System Security Controls Catalog V 1.0

IT Security Management Risk Analysis and Controls

Audit Logging. Overall Goals

5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE

INFORMATION TECHNOLOGY SECURITY POLICY Table of Contents

The Fundamental Difference Between SIEM & Log Management Solutions: State vs. Event Data

Promoting Application Security within Federal Government. AppSec DC November 13, The OWASP Foundation

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed)

Data Management Policies. Sage ERP Online

ISO COMPLIANCE WITH OBSERVEIT

IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector

Promoting Application Security within Federal Government. AppSec DC November 13, The OWASP Foundation

USM IT Security Council Guide for Security Event Logging. Version 1.1

Log Management Standard 1.0 INTRODUCTION 2.0 SYSTEM AND APPLICATION MONITORING STANDARD. 2.1 Required Logging

Requirements For Computer Security

VIRGINIA DEPARTMENT OF MOTOR VEHICLES IT SECURITY POLICY. Version 2.

Complying with the Federal Information Security Management Act. Parallels with Sarbanes-Oxley Compliance

Security Standards Compliance NIST SP Revision 4. Trend Micro Products (Deep Discovery Inspector, Deep Security and SecureCloud) - Version 2.

FairWarning Mapping to PCI DSS 3.0, Requirement 10

CMS POLICY FOR THE INFORMATION SECURITY PROGRAM

Cloud Security for Federal Agencies

CRR-NIST CSF Crosswalk 1

CMS SYSTEM SECURITY PLAN (SSP) PROCEDURE

FEDERAL HOUSING FINANCE AGENCY OFFICE OF INSPECTOR GENERAL

A Draft List of Software Assurance (SwA) Related NIST SP Revision 4 Controls*

Privacy Impact Assessment (PIA) for the. Certification & Accreditation (C&A) Web (SBU)

QTS Leverages HyTrust to Build a FedRAMP Compliant Cloud

Industrial Security Field Operations

Deriving Software Security Measures from Information Security Standards of Practice

EPA Classification No.: CIO P-09.1 CIO Approval Date: 08/06/2012 CIO Transmittal No.: Review Date: 08/06/2015

THE UNIVERSITY OF IOWA INFORMATION SECURITY PLAN

Audit Report. The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013

Standard: Event Monitoring

FISMA: Securing National Infrastructure

Privacy Impact Assessment

Security Features in Password Manager

Service Organization Controls 3 Report

ur skills.com

Security Control Standard

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT

privileged identities management best practices

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

United States Citizenship and Immigration Services (USCIS) Enterprise Service Bus (ESB)

The CIO s Guide to HIPAA Compliant Text Messaging

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

TECHNOLOGY WHITE PAPER Jun 2012

NETWORK AND AIS AUDIT, LOGGING, AND MONITORING POLICY OCIO TABLE OF CONTENTS

How To Manage Security On A Networked Computer System

SolarWinds Security Information Management in the Payment Card Industry: Using SolarWinds Log & Event Manager (LEM) to Meet PCI Requirements

LogRhythm and PCI Compliance

Fiscal Year 2014 Federal Information Security Management Act Report: Status of EPA s Computer Security Program

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

Full Compliance Contents

Tools to Aid in 21 CFR Part 11 Compliance with EZChrom Elite Chromatography Data System. White Paper. By Frank Tontala

Overcoming Active Directory Audit Log Limitations. Written by Randy Franklin Smith President Monterey Technology Group, Inc.

Information Security Program Management Standard

Transcription:

FISMA NIST 800-53 (Rev 4) Audit and Accountability: Shared Public Cloud Infrastructure Standards Standard Requirement per NIST 800-53 (Rev. 4) CloudCheckr Action AU-3/ AU3(1) AU-3 CONTENT OF AUDIT RECORDS Control: The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event. Supplemental Guidance: Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and eventspecific results (e.g., the security state of the information system after the event occurred). Related controls: AU-2, AU-8, AU-12, SI-11. Change Monitoring integrates CloudTrail to track changes on daily, weekly, and monthly basis EC2 Security Groups Security Group Rules Key Pairs AMIs Spot Instances Reserved Instance Instances Volumes Snapshots Placement Groups Elastic Load Balancers (including attaching or detaching instances to them) Network Interfaces Elastic IPs IAM Account Aliases Account Summaries Access Keys MFA Devices Policies Password Policies Groups Users S3 Bucket Logging Logging Target Bucket Bucket Logging Prefix Bucket Website Enabled Bucket Website Index Document Bucket Website Error Document Bucket Notifications Enabled Public Buckets Bucket Notifications Bucket Lifecycle Rules Bucket Permissions

Control Enhancements: (1) CONTENT OF AUDIT RECORDS ADDITIONAL AUDIT INFORMATION Supplemental Guidance: Detailed information that organizations may consider in audit records includes, for example, full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest. ElastiCache ElastiCache Clusters Cache Nodes Security Groups Parameter Groups Reserved Nodes AU-4/ AU- 4(1) AU-4 AUDIT STORAGE CAPACITY Historical records and environment changes are stored for the life of service

Control: The organization allocates audit record storage capacity. Supplemental Guidance: Organizations consider the types of auditing to be performed and the audit processing requirements when allocating audit storage capacity. Allocating sufficient audit storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of auditing capability. Related controls: AU-2, AU-5, AU-6, AU-7, AU- 11, SI-4. Control Enhancements: (1) AUDIT STORAGE CAPACITY TRANSFER TO ALTERNATE STORAGE Supplemental Guidance: Off-loading is a process designed to preserve the confidentiality and integrity of audit records by moving the records from the primary information system to a secondary or alternate system. It is a common process in information systems with limited audit storage capacity; the audit storage is used only in a transitory fashion until the system can communicate with the secondary or alternate system designated for storing the audit records, at which point the information is transferred. All records of service usage are available through Trending Analysis reporting. All records of deployments changes are available through Change Monitoring and CloudTrail. CloudCheckr storage retains sufficient capacity to maintain the integrity of the records. SLA guarantees confidentiality of records. AU-5 RESPONSE TO AUDIT PROCESSING FAILURES Automated audit collection features with failure alerts Control: The information system: a. Alerts in the event of an audit processing failure; and Automated notifications for failures to correctly process collection procedures. b. Takes the following additional actions: [organizationdefined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)]. Ability to automatically recollect and reprocess information if failure occurs.

Supplemental Guidance: Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors). This control applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the total audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. Related controls: AU-4, SI-12. AU-6/ AU- 6(1)(3) AUDIT REVIEW, ANALYSIS, AND REPORTING Control: The organization: a. Reviews and analyzes information system audit records with organization-defined frequency for indications of organization-defined inappropriate or unusual activity; and b. Reports findings to organization-defined personnel or roles. Information is available on a regular and asrequested basis. Delivery can be pre-set and automated. Account and information access controls are available. All reporting is fully automated.

Supplemental Guidance: Audit review, analysis, and reporting covers information security-related auditing performed by organizations including, for example, auditing that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at the information system boundaries, use of mobile code, and use of VoIP. Findings can be reported to organizational entities that include, for example, incident response team, help desk, information security group/department. If organizations are prohibited from reviewing and analyzing audit information or unable to conduct such activities (e.g., in certain national security applications or systems), the review/analysis may be carried out by other organizations granted such authority. Related controls: AC-2, AC-3, AC-6, AC-17, AT-3, AU-7, AU-16, CA-7, CM-5, CM-10, CM-11, IA- 3, IA-5, IR-5, IR-6, MA-4, MP-4, PE-3, PE-6, PE-14, PE-16, RA-5, SC-7, SC-18, SC-19, SI-3, SI-4, SI-7. Control Enhancements: (1) AUDIT REVIEW, ANALYSIS, AND REPORTING PROCESS INTEGRATION The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.

Supplemental Guidance: Organizational processes benefiting from integrated audit review, analysis, and reporting include, for example, incident response, continuous monitoring, contingency planning, and Inspector General audits. Related controls: AU-12, PM-7. (3) AUDIT REVIEW, ANALYSIS, AND REPORTING CORRELATE AUDIT REPOSITORIES The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness. Supplemental Guidance: Organization-wide situational awareness includes awareness across all three tiers of risk management (i.e., organizational, mission/business process, and information system) and supports crossorganization awareness. Related controls: AU-12, IR-4. AU-7/ AU- 7(1) AUDIT REDUCTION AND REPORT GENERATION Control: The information system provides an audit reduction and report generation capability that: a. Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and b. Does not alter the original content or time ordering of audit records. User-defined detailed and summary reporting Reporting across multiple cloud resource groups available on service and granular levels Filtering, sorting, and export capabilities. Automated controls are available. Reporting is fully customizable.

Supplemental Guidance: Audit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. Audit reduction and report generation capabilities do not always emanate from the same information system or from the same organizational entities conducting auditing activities. Audit reduction capability can include, for example, modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the information system can generate customizable reports. Time ordering of audit records can be a significant issue if the granularity of the timestamp in the record is insufficient. Related control: AU-6. Control Enhancements: (1) AUDIT REDUCTION AND REPORT GENERATION AUTOMATIC PROCESSING The information system provides the capability to process audit records for events of interest based on organizationdefined audit fields within audit records. Supplemental Guidance: Events of interest can be identified by the content of specific audit record fields including, for example, identities of individuals, event types, event locations, event times, event dates, system resources involved, IP addresses involved, or information objects accessed. Organizations may define audit event criteria to any degree of granularity required, for example, locations selectable by general networking location (e.g., by network or subnetwork) Audit records contain unalterable information, time stamp, and sequencing.

AU-8/ AU- 8(1) TIME STAMPS Control: The information system: a. Uses internal system clocks to generate time stamps for audit records; and b. Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets [Assignment: organization-defined granularity of time measurement]. Supplemental Guidance: Time stamps generated by the information system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or within tens of milliseconds. Organizations may define different time granularities for different system components. Time service can also be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities. Related controls: AU-3, AU-12. Control Enhancements: (1) TIME STAMPS SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE: The information system: All reports are time stamped to UTC. Single internal clock used for logging changes. Reporting is also customizable to local time zones.

(a) Compares the internal information system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source]; and (b) Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than [Assignment: organization-defined time period]. Supplemental Guidance: This control enhancement provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. AU-9/ AU- 9(4) PROTECTION OF AUDIT INFORMATION Control: The information system protects audit information and audit tools from unauthorized access, modification, and deletion. Supplemental Guidance: Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls. Related controls: AC-3, AC-6, MP-2, MP-4, PE-2, PE-3, PE-6. Control Enhancements: All reporting securely stored Users do not have ability to modify, alter, or delete data. Individual permissioning and access control is available.

(4) PROTECTION OF AUDIT INFORMATION ACCESS BY SUBSET OF PRIVILEGED USERS: The organization authorizes access to management of audit functionality to only organization-defined subset of privileged users. Supplemental Guidance: Individuals with privileged access to an information system and who are also the subject of an audit by that system, may affect the reliability of audit information by inhibiting audit activities or modifying audit records. This control enhancement requires that privileged access be further defined between audit-related privileges and other privileges, thus limiting the users with auditrelated privileges. Related control: AC-5. AU-11 AUDIT RECORD RETENTION Automated report retention for life of service is standard Control: The organization retains audit records for organization-defined time period consistent with records retention policy to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.

Supplemental Guidance: Organizations retain audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention. Related controls: AU-4, AU-5, AU-9, MP- 6. AU-12 AUDIT GENERATION Provides complete monitoring and reporting of the Control: The information system: infrastructure layer and its associated changes. a. Provides audit record generation capability for the auditable events defined in AU-2 a. at organization-defined information system components; Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems and Organizations Automated Change Monitoring and CloudTrail alerts provide notice and records of all auditable events. b. Allows organization-defined personnel to select which auditable events are to be audited by specific components of the information system; and c. Generates audit records for the events defined in AU-2 d. with the content defined in AU-3.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information