Description

An audit event is the discovery, by the monitoring and analysis of system logs, of any action that potentially impacts the security of data, hardware, or software.

Applicability

  • This Control applies to all Texas A&M University information resources containing essential, controlled, or confidential information.

  • The intended audience is all individuals who are responsible for the installation of new information resources, the operations of existing information resources, and individuals accountable for information resources security.

Implementation

  • 1

    Consistent with Control SI-4 Information System Monitoring, the university shall monitor the use of information systems, maintain security-related system logs, and retain logs in accordance with the university records retention schedule.

  • 2

    Information resource custodians shall ensure that information resources have the ability to audit and establish individual accountability for any action on an information resource that can potentially cause access to, generation of, modification of, or affect the release of confidential and controlled information.

    • 2.1

      Appropriate audit trails shall be maintained to provide accountability for all changes to automated security or access rules.

    • 2.2

      The set of events that are routinely audited should be reviewed periodically to ensure the set is still necessary and sufficient.

  • 3

    Audit logs shall be monitored and/or reviewed as risk management decisions warrant. A sufficiently complete history of transactions shall be maintained to permit an audit of the information resources by logging and tracing the activities of individuals through the system.

    • 3.1

      Alarm and alert functions, as well as audit logging of any firewalls and other network perimeter access control systems, shall be enabled.

    • 3.2

      Audit reports shall be reviewed for indications of intrusive activity.

    • 3.3

      The information resource custodian will furnish any audit logs as requested by appropriate University personnel.

  • 4

    All suspected and/or confirmed instances of successful intrusions shall be immediately reported according to incident management procedures (see IR-6 Incident Reporting).