The controls and activities in the Audit and accountability (AU) family support the ability to collect, analyze, and store audit records associated with user operations performed within the system.
AU-01 Audit and accountability policy and procedures
Activity
- Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
  - [Selection (1 or more): Organization-level; Mission/business process-level; System-level] audit and accountability policy that:
    - addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance
    - is consistent with applicable laws, Orders in Council, directives, regulations, policies, standards, and guidelines
  - procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls
- Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the audit and accountability policy and procedures
- Review and update the current audit and accountability:
  - policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]
  - procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]
Discussion
Audit and accountability policy and procedures address the controls in the AU family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of audit and accountability policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may remove the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations.
Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents.
Events that may precipitate an update to audit and accountability policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, Orders in Council, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. Users whose activities are monitored by audit logs should be given notice of the activity.
Related controls and activities
AC-08, PM-09, PS-08, SI-02, SI-12.
Enhancements
None.
References
- TBS Policy on Government Security
- TBS Policy on Internal Audit
- TBS Directive on Security Management: Appendix B: Mandatory Procedures for Information Technology Security Control
- Directive for the Control of COMSEC Material in the Government of Canada (ITSD-03A) (upon request to the Cyber Centre)
- Directive for the Control of COMSEC Material in the Canadian Private Sector (ITSD-06A) (upon request to the Cyber Centre)
- CSE-RCMP Harmonized Threat and Risk Assessment Methodology (TRA-1)
AU-02 Event logging
Control
- Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: organization-defined event types that the system is capable of logging]
- Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged
- Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-02A.) along with the frequency of (or situation requiring) logging for each identified event type]
- Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents
- Review and update the event types selected for logging [Assignment: organization-defined frequency]
Discussion
An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes, failed logons or failed accesses related to systems, security or privacy attribute changes, accessing or viewing personal information, administrative privilege usage, digital credential usage, data action changes, query parameters, or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system.
To balance monitoring and auditing requirements with other system needs, event logging requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access, successful and unsuccessful, but not activate that capability except in specific circumstances because of the potential burden on system performance.
The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations should consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential to reveal personal information in the audit trail, especially if the logging event is based on patterns or time of usage.
Event logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include AC-02(04), AC-03(10), AC-06(09), AC-17(01), CM-03F, CM-05(01), IA-03(03)b, MA-04(01), MP-04(02), PE-03, PM-21, PT-07, RA-08, SC-07(09), SC-07(15), SI-03(08), SI-04(22), SI-07(08), and SI-10(01). Organizations include event types that are required by applicable laws, Orders in Council, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. When defining event types, organizations consider the logging necessary to cover related event types, such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures.
Related controls and activities
AC-02, AC-03, AC-06, AC-07, AC-08, AC-16, AC-17, AU-03, AU-04, AU-05, AU-06, AU-07, AU-11, AU-12, CM-03, CM-05, CM-06, CM-13, IA-03, MA-04, MP-04, PE-03, PM-21, PT-02, PT-07, RA-08, SA-08, SA-15, SC-07, SC-18, SI-02, SI-03, SI-04, SI-07, SI-10, SI-11.
Enhancements
- (01) Event logging: Compilation of audit records from multiple sources
- Withdrawn: Incorporated into AU-12.
- (02) Event logging: Selection of audit events by component
- Withdrawn: Incorporated into AU-12.
- (03) Event logging: Reviews and updates
- Withdrawn: Incorporated into AU-02.
- (04) Event logging: Privileged functions
- Withdrawn: Incorporated into AC-06(09).
References
- TBS Directive on Security Management: Appendix B: Mandatory Procedures for Information Technology Security Control
- TBS Direction on the Secure Use of Commercial Cloud Services: Security Policy Implementation Notice (SPIN)
- TBS Directive on Service and Digital, Appendix C: Mandatory Procedures for Privacy and Monitoring of Network and Device Use Information Notices
- TBS Policy on Privacy Protection
- TBS Directive on Privacy Practices
AU-03 Content of audit records
Control
Ensure that audit records contain information that establishes the following:
- what type of event occurred
- when the event occurred
- where the event occurred
- source of the event
- outcome of the event
- identity of any individuals, subjects, objects or entities associated with the event
Discussion
Audit record content that may be necessary to support the auditing function includes event descriptions (item A), time stamps (item B), source and destination addresses (item C), user or process identifiers (items D and F), success or fail indications (item E), and file names involved (items A, C, E, and F).
Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risks and how best to mitigate such risks. For example, there is the potential to reveal personal information in the audit trail, especially if the trail records inputs or is based on patterns or time of usage.
GC discussion
GC departments and agencies ensure that the content of audit records aligns with the Security Incidents and Privacy Breaches PIBs.
Related controls and activities
AU-02, AU-08, AU-12, AU-14, MA-04, PL-09, SA-08, SA-15, SI-07, SI-11.
Enhancements
- (01) Content of audit records: Additional audit information
- Generate audit records containing the following additional information: [Assignment: organization-defined additional information].
- Discussion: The ability to add information generated in audit records is dependent on system functionality to configure the audit record content. Organizations may consider additional information in audit records including, but not limited to, access control or flow control rules invoked and individual identities of group account users.
Organizations may also consider limiting additional audit record information to only information that is explicitly needed for audit requirements. This facilitates the use of audit trails and audit logs by not including information in audit records that could potentially be misleading, make it more difficult to locate information of interest, or increase the risk to individuals' privacy.
- Related controls and activities: None.
- (02) Content of audit records: Centralized management of planned audit record content
- Withdrawn: Incorporated into PL-09.
- (03) Content of audit records: Limit personal information elements
- Limit personal information contained in audit records to the following elements identified in the PIA: [Assignment: organization-defined elements].
- Discussion: Limiting personal information in audit records when such information is not needed for operational purposes helps reduce the level of privacy risk created by a system.
- Related controls and activities: RA-03.
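The AU-03 elements and the AU-03(03) limit on personal information are easy to state and easy to get wrong in practice. The following is an added example (not code from the catalogue or from any GC system) of a record builder that refuses records missing any of the six AU-03 elements and then strips identity sub-fields not on a PIA allow-list. The field names, the sample event and the allow-list PERMITTED_PI_ELEMENTS are constructed for illustration.

```python
"""Audit record content (AU-03) with personal-information minimization (AU-03(03)).

Added example, not part of the control catalogue. Field names, the sample
record and the PIA allow-list below are constructed for illustration.
"""
from datetime import datetime, timezone

# The six things AU-03 requires every audit record to establish, as record keys.
REQUIRED_ELEMENTS = (
    "event_type",   # what type of event occurred
    "timestamp",    # when the event occurred
    "location",     # where the event occurred (host, service, component)
    "source",       # source of the event (address, process)
    "outcome",      # success/failure plus any event-specific result
    "identity",     # individuals, subjects, objects or entities involved
)

# Hypothetical PIA allow-list: identity elements permitted in audit records.
# Any other identity sub-field is dropped before the record is stored.
PERMITTED_PI_ELEMENTS = {"user_id", "session_id"}


def missing_elements(record: dict) -> list:
    """Return the names of required elements that are absent or empty."""
    return [name for name in REQUIRED_ELEMENTS if not record.get(name)]


def minimize_identity(record: dict) -> dict:
    """Return a copy of the record keeping only PIA-permitted identity elements."""
    identity = record.get("identity") or {}
    kept = {k: v for k, v in identity.items() if k in PERMITTED_PI_ELEMENTS}
    return {**record, "identity": kept}


def make_audit_record(event_type, location, source, outcome, identity, when=None):
    """Build a record, verify the AU-03 elements are present, then minimize PI."""
    when = when or datetime.now(timezone.utc)
    record = {
        "event_type": event_type,
        "timestamp": when.isoformat(timespec="milliseconds"),  # UTC with offset (AU-08)
        "location": location,
        "source": source,
        "outcome": outcome,
        "identity": identity,
    }
    missing = missing_elements(record)
    if missing:
        raise ValueError(f"audit record missing required elements: {missing}")
    return minimize_identity(record)


if __name__ == "__main__":
    # Constructed sample: a failed logon whose identity carries more PI than permitted.
    rec = make_audit_record(
        event_type="logon_failure",
        location="app-server-01",
        source={"ip": "10.0.0.5", "process": "sshd"},
        outcome={"status": "failure", "reason": "bad_password"},
        identity={"user_id": "u1234", "email": "user@example.org", "home_address": "..."},
        when=datetime(2024, 5, 1, 14, 0, 5, tzinfo=timezone.utc),
    )
    print(rec)
```

The allow-list is applied after validation so that a record with no permitted identity element still passes the AU-03 check (the entity was recorded) but reaches storage without the extra personal information.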
References
- TBS Directive on Service and Digital, Appendix C: Mandatory Procedures for Privacy and Monitoring of Network and Device Use Information Notices
- TBS Directive on Privacy Practices
- TBS Policy on Access to Information
- TBS Directive on Access to Information Requests
- TBS Directive on Personal Information Requests and Correction of Personal Information
- TBS Event Logging Guidance, Appendix A: Recommended Events to Log
AU-04 Audit log storage capacity
Control
Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements].
Discussion
Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability.
Related controls and activities
AU-02, AU-05, AU-06, AU-07, AU-09, AU-11, AU-12, AU-14, SI-04.
Enhancements
- (01) Audit log storage capacity: Transfer to alternate storage
- Transfer audit logs [Assignment: organization-defined frequency] to a different system, system component, or media other than the system or system component conducting the logging.
- Discussion: Audit log transfer, also known as offloading, is a common process in systems with limited audit log storage capacity and thus supports availability of the audit logs. The initial audit log storage is only used in a transitory fashion until the system can communicate with the secondary or alternate system allocated to audit log storage, at which point the audit logs are transferred. Transferring audit logs to alternate storage is similar to AU-09(02) in that audit logs are transferred to a different entity. However, the purpose of selecting AU-09(02) is to protect the confidentiality and integrity of audit records. Organizations can select either control enhancement to obtain the benefit of increased audit log storage capacity and preserving the confidentiality, integrity, and availability of audit records and logs.
- Related controls and activities: None.
References
AU-05 Response to audit logging process failures
Control
- Alert [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] in the event of an audit logging process failure
- Take the following additional actions: [Assignment: organization-defined additional actions]
Discussion
Audit logging process failures include software and hardware errors, failures in audit log capturing mechanisms, and reaching or exceeding audit log storage capacity. Organization-defined actions include overwriting oldest audit records, shutting down the system, and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors.
When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored), the system on which the audit logs reside, the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel.
Related controls and activities
AU-02, AU-04, AU-07, AU-09, AU-11, AU-12, AU-14, SI-04, SI-12.
Enhancements
- (01) Response to audit logging process failures: Storage capacity warning
- Provide a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit log storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit log storage capacity.
- Discussion: Organizations may have multiple audit log storage repositories distributed across multiple system components with each repository having different storage volume capacities.
- Related controls and activities: None.
- (02) Response to audit logging process failures: Real-time alerts
- Provide an alert within [Assignment: organization-defined real-time period] to [Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment: organization-defined audit logging failure events requiring real-time alerts].
- Discussion: Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less).
- Related controls and activities: None.
- (03) Response to audit logging process failures: Configurable traffic volume thresholds
- Enforce configurable network communications traffic volume thresholds reflecting limits on audit log storage capacity and [Selection (1): reject; delay] network traffic above those thresholds.
- Discussion: Organizations have the capability to reject or delay the processing of network communications traffic if audit logging information about such traffic is determined to exceed the storage capacity of the system audit logging function. The rejection or delay response is triggered by the established organizational traffic volume thresholds that can be adjusted based on changes to audit log storage capacity.
- Related controls and activities: None.
- (04) Response to audit logging process failures: Shutdown on failure
- Invoke a [Selection (1): full system shutdown; partial system shutdown; degraded operational mode with limited mission or business functionality available] in the event of [Assignment: organization-defined audit logging failures] unless an alternate audit logging capability exists.
- Discussion: Organizations determine the types of audit logging failures that can trigger automatic system shutdowns or degraded operations. Because of the importance of ensuring mission and business continuity, organizations may determine that the nature of the audit logging failure is not so severe that it warrants a complete shutdown of the system supporting the core organizational mission and business functions. In those instances, partial system shutdowns or operating in a degraded mode with reduced capability may be a viable alternative.
- Related controls and activities: AU-15.
- (05) Response to audit logging process failures: Alternate audit logging capability
- Provide an alternate audit logging capability in the event of a failure in primary audit logging capability that implements [Assignment: organization-defined alternate audit logging functionality].
- Discussion: Since an alternate audit logging capability may be a short-term protection solution employed until the failure in the primary audit logging capability is corrected, organizations may determine that the alternate audit logging capability need only provide a subset of the primary audit logging functionality that is impacted by the failure.
- Related controls and activities: AU-09.
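The AU-05(01) storage-capacity warning and the AU-05 failure responses (overwrite oldest records, stop generating records, shut down) are simple to model. The following added example (not the catalogue's own code) computes per-repository and organization-wide usage against an organization-defined percentage, and applies the chosen failure action when a write would exceed capacity. Repository names, sizes and the threshold are constructed; the return value is what a caller would use to raise the AU-05a alert.

```python
"""Storage capacity warning (AU-05(01)) and response to storage failure (AU-05).

Added example, not from the catalogue. Repository names, sizes and the warning
threshold are constructed; the failure actions are those named in the AU-05
discussion (overwrite oldest records, stop generating records, shut down).
"""
from dataclasses import dataclass, field


@dataclass
class Repository:
    name: str
    capacity_bytes: int
    used_bytes: int = 0
    records: list = field(default_factory=list)  # (size, payload), oldest first

    def percent_used(self) -> float:
        return 100.0 * self.used_bytes / self.capacity_bytes


def capacity_warnings(repos, warn_percent):
    """AU-05(01): repositories whose usage reached the organization-defined percentage."""
    return [(r.name, round(r.percent_used(), 1))
            for r in repos if r.percent_used() >= warn_percent]


def organization_percent_used(repos) -> float:
    """Usage across all repositories combined (the AU-05 'total capacity' view)."""
    used = sum(r.used_bytes for r in repos)
    capacity = sum(r.capacity_bytes for r in repos)
    return 100.0 * used / capacity


def write_record(repo: Repository, size: int, payload, on_full: str) -> str:
    """Store a record, applying the organization-defined action if capacity would be exceeded.

    Returns 'written', 'stopped', 'shutdown' or 'rejected'; the caller alerts the
    designated roles (AU-05a) on anything other than 'written'.
    """
    if repo.used_bytes + size > repo.capacity_bytes:
        if on_full == "overwrite_oldest":
            # Discard oldest records until the new one fits.
            while repo.records and repo.used_bytes + size > repo.capacity_bytes:
                old_size, _ = repo.records.pop(0)
                repo.used_bytes -= old_size
            if repo.used_bytes + size > repo.capacity_bytes:
                return "rejected"   # a single record larger than the repository
        elif on_full == "stop_logging":
            return "stopped"
        elif on_full == "shutdown":
            return "shutdown"
        else:
            raise ValueError(f"unknown failure action: {on_full}")
    repo.records.append((size, payload))
    repo.used_bytes += size
    return "written"


if __name__ == "__main__":
    # Constructed repositories: one near its limit, one mostly empty.
    repos = [Repository("siem-primary", 1000, 850), Repository("host-local", 2000, 200)]
    print(capacity_warnings(repos, warn_percent=80))       # [('siem-primary', 85.0)]
    print(round(organization_percent_used(repos), 1))       # 35.0
```

Note that the organization-wide figure (35%) hides the fact that one repository is at 85%, which is why AU-05(01) is worded per repository and the discussion mentions repositories of differing capacity.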
References
None.
AU-06 Audit record review, analysis, and reporting
Control
- Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity
- Report findings to [Assignment: organization-defined personnel or roles]
- Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information
Discussion
Audit record review, analysis, and reporting covers information security-related and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and non-local maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system interfaces, and use of mobile code or Voice over Internet Protocol (VoIP).
Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. Where possible, personal information should be removed from audit logs if the personal information is not required for reporting processes. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received.
Related controls and activities
AC-02, AC-03, AC-05, AC-06, AC-07, AC-17, AU-07, AU-16, CA-02, CA-07, CM-02, CM-05, CM-06, CM-10, CM-11, IA-02, IA-03, IA-05, IA-08, IR-05, MA-04, MP-04, PE-03, PE-06, RA-05, SA-08, SC-07, SI-03, SI-04, SI-07.
Enhancements
- (01) Audit record review, analysis, and reporting: Automated process integration
- Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms].
- Discussion: Organizational processes that benefit from integrated audit record review, analysis, and reporting include incident response, continuous monitoring, contingency planning, investigation and response to suspicious activities, and Office of the Auditor General audits.
- Related controls and activities: PM-07.
- (02) Audit record review, analysis, and reporting: Automated security alerts
- Withdrawn: Incorporated into SI-04.
- (03) Audit record review, analysis, and reporting: Correlate audit record repositories
- Analyze and correlate audit records across different repositories to gain organization-wide situational awareness.
- Discussion: Organization-wide situational awareness includes awareness across all three levels of risk management (i.e., organizational level, mission/business process level, and information system level) and supports cross-organization awareness.
- Related controls and activities: AU-12, IR-04.
- (04) Audit record review, analysis, and reporting: Central review and analysis
- Provide and implement the capability to centrally review and analyze audit records from multiple components within the system.
- Discussion: Automated mechanisms for centralized reviews and analyses include Security Information and Event Management (SIEM) products.
- Related controls and activities: AU-02, AU-12.
- (05) Audit record review, analysis, and reporting: Integrated analysis of audit records
- Integrate analysis of audit records with analysis of [Selection (1 or more): vulnerability scanning information; performance data; system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity.
- Discussion: Integrated analysis of audit records does not require vulnerability scanning, the generation of performance data, or system monitoring. Rather, integrated analysis requires that the analysis of information generated by scanning, monitoring, or other data collection activities is integrated with the analysis of audit record information. SIEM tools can facilitate audit record aggregation or consolidation from multiple system components as well as audit record correlation and analysis.
The use of standardized audit record analysis scripts developed by organizations (with localized script adjustments, as necessary) provides more cost-effective approaches for analyzing audit record information collected. The correlation of audit record information with vulnerability scanning information is important in determining the veracity of vulnerability scans of the system and in correlating attack detection events with scanning results.
Correlation with performance data can uncover denial-of-service attacks or other types of attacks that result in the unauthorized use of resources. Correlation with system monitoring information can assist in uncovering attacks and in better relating audit information to operational situations.
- Related controls and activities: AU-12, IR-04.
- (06) Audit record review, analysis, and reporting: Correlation with physical monitoring
- Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.
- Discussion: The correlation of physical audit record information and the audit records from systems may assist organizations in identifying suspicious behaviour or supporting evidence of such behaviour. For example, the correlation of an individual’s identity for logical access to certain systems with the additional physical security information that the individual was present at the facility when the logical access occurred may be useful in investigations.
- Related controls and activities: None.
- (07) Audit record review, analysis, and reporting: Permitted actions
- Specify the permitted actions for each [Selection (1 or more): system process; role; user] associated with the review, analysis, and reporting of audit record information.
- Discussion: Organizations specify permitted actions for system processes, roles, and users associated with the review, analysis, and reporting of audit records through system account management activities. Specifying permitted actions on audit record information is a way to enforce the principle of least privilege. Permitted actions are enforced by the system and include read, write, execute, append, and delete.
- Related controls and activities: None.
- (08) Audit record review, analysis, and reporting: Full text analysis of privileged commands
- Perform a full text analysis of logged privileged commands in a physically distinct component or subsystem of the system, or other system that is dedicated to that analysis.
- Discussion: Full text analysis of privileged commands requires a distinct environment for the analysis of audit record information related to privileged users without compromising such information on the system where the users have elevated privileges, including the capability to execute privileged commands. Full text analysis refers to analysis that considers the full text of privileged commands (i.e., commands and parameters) as opposed to analysis that considers only the name of the command. Full text analysis includes the use of pattern matching and heuristics.
- Related controls and activities: AU-03, AU-09, AU-11, AU-12.
- (09) Audit record review, analysis, and reporting: Correlation with information from nontechnical sources
- Correlate information from nontechnical sources with audit record information to enhance organization-wide situational awareness.
- Discussion: Nontechnical sources include records that document organizational policy violations related to harassment incidents and the improper use of information assets. Such information can lead to a directed analytical effort to detect potential malicious insider activity. Organizations limit access to information that is available from nontechnical sources due to its sensitive nature. Limited access minimizes the potential for inadvertent release of personal information to individuals who do not have a need to know. The correlation of information from nontechnical sources with audit record information generally occurs only when individuals are suspected of being involved in an incident. Organizations obtain legal advice prior to initiating such actions.
- GC discussion: The correlation of information from nontechnical sources with audit record information may be considered to be data matching, as defined in the TBS Policy on Privacy Protection.
- Related controls and activities: PM-12.
- (10) Audit record review, analysis, and reporting: Audit level adjustment
- Withdrawn: Incorporated into AU-06.
References
- TBS Policy on Government Security
- TBS Directive on Security Management: Appendix B: Mandatory Procedures for Information Technology Security Control
- TBS Policy on Privacy Protection
AU-07 Audit record reduction and report generation
Control
Provide and implement an audit record reduction and report generation capability that:
- supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents
- does not alter the original content or time ordering of audit records
Discussion
Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities that conduct audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behaviour in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the time stamp in the record is insufficient.
Related controls and activities
AC-02, AU-02, AU-03, AU-04, AU-05, AU-06, AU-12, AU-16, CM-05, IA-05, IR-04, PM-12, SI-04.
Enhancements
- (01) Audit record reduction and report generation: Automatic processing
- Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records].
- Discussion: Events of interest can be identified by the content of audit records, including system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol addresses involved, or event success or failure. Organizations may define event criteria to any degree of granularity required, such as locations selectable by a general networking location or by specific system component. If personal information is captured on an audit log report and is not required for the resolution of the incident, the personal information should be removed from the report or masked appropriately before circulation of the audit record.
- Related controls and activities: None.
- (02) Audit record reduction and report generation: Automatic sort and search
- Withdrawn: Incorporated into AU-07(01).
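The key AU-07 requirement is that reduction and reporting never alter the original records or their time ordering, while AU-07(01) adds sorting and searching on defined fields. The following added example (not from the catalogue) summarizes, searches and time-orders a constructed set of records, and fingerprints the originals before and after so the "does not alter" property is checked rather than assumed. SAMPLE_RECORDS and its field names are constructed; the records are deliberately out of time order.

```python
"""Audit record reduction and report generation (AU-07, AU-07(01)).

Added example, not from the catalogue. SAMPLE_RECORDS is a constructed set of
audit records, intentionally out of time order; field names are illustrative.
"""
import hashlib
import json
from collections import Counter
from datetime import datetime

SAMPLE_RECORDS = (
    {"ts": "2024-05-01T10:00:05+00:00", "event_type": "logon", "outcome": "failure", "user": "alice", "src": "10.0.0.5"},
    {"ts": "2024-05-01T10:00:01+00:00", "event_type": "logon", "outcome": "failure", "user": "alice", "src": "10.0.0.5"},
    {"ts": "2024-05-01T10:00:09+00:00", "event_type": "logon", "outcome": "success", "user": "alice", "src": "10.0.0.5"},
    {"ts": "2024-05-01T10:00:03+00:00", "event_type": "file_access", "outcome": "success", "user": "bob", "src": "10.0.0.7"},
    {"ts": "2024-05-01T10:00:07+00:00", "event_type": "logon", "outcome": "failure", "user": "carol", "src": "10.0.0.9"},
)


def fingerprint(records) -> str:
    """SHA-256 over canonical JSON of the records, used to prove they were not altered."""
    canonical = json.dumps(list(records), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def reduce_by(records, *fields) -> Counter:
    """AU-07: summarize records by the given fields into counts an analyst can read."""
    return Counter(tuple(r.get(f) for f in fields) for r in records)


def search(records, **criteria) -> list:
    """AU-07(01): records whose fields match every criterion, in original order."""
    return [r for r in records if all(r.get(k) == v for k, v in criteria.items())]


def sort_by_time(records) -> list:
    """New time-ordered list; sorted() is stable and does not touch the input."""
    return sorted(records, key=lambda r: datetime.fromisoformat(r["ts"]))


def report(records, *fields):
    """Produce summary and ordered view, verifying the originals are unchanged."""
    before = fingerprint(records)
    summary = reduce_by(records, *fields)
    ordered = sort_by_time(records)
    if fingerprint(records) != before:
        raise RuntimeError("reduction altered the original audit records (AU-07b)")
    return summary, ordered


if __name__ == "__main__":
    summary, ordered = report(SAMPLE_RECORDS, "event_type", "outcome")
    for key, count in summary.items():
        print(key, count)
    print([r["ts"] for r in ordered])
    print(search(SAMPLE_RECORDS, user="alice", outcome="failure"))
```

Working on copies (a new sorted list, counters computed from the originals) is what keeps the original content and ordering intact; the fingerprint check catches any future change to the code that starts mutating records in place.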
References
None.
AU-08 Time stamps
Control
- Use internal system clocks to generate time stamps for audit records
- Record time stamps for audit records that meet [Assignment: organization-defined granularity of time measurement] and that use Coordinated Universal Time (UTC), have a fixed local time offset from UTC, or that include the local time offset as part of the time stamp
Discussion
Time stamps generated by the system include date and time. Time is commonly expressed in UTC or in local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks (e.g., clocks synchronizing within hundreds of milliseconds or tens of milliseconds). Organizations may define different time granularities for different system components. Time service can be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities.
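AU-08b accepts three forms of time stamp (UTC, a fixed local offset, or a stamp carrying its own offset) and defines granularity in terms of clock synchronization. The following added example (not from the catalogue) refuses stamps with no offset, normalizes stamps from components in different zones to UTC so they can be ordered correctly, and checks system-clock skew against a granularity value. The granularity figure and sample clock readings are constructed.

```python
"""Audit record time stamps (AU-08).

Added example, not from the catalogue. The sample stamps, the reference clock
reading and the granularity value are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone


def format_audit_timestamp(when: datetime) -> str:
    """AU-08b: emit a stamp that is UTC or carries its offset; refuse naive times."""
    if when.tzinfo is None or when.utcoffset() is None:
        raise ValueError("audit time stamp must carry a UTC offset")
    return when.isoformat(timespec="milliseconds")


def to_utc(stamp: str) -> datetime:
    """Normalize a stamp from any component to UTC so records from different zones compare."""
    parsed = datetime.fromisoformat(stamp)
    if parsed.utcoffset() is None:
        raise ValueError(f"stamp has no offset: {stamp}")
    return parsed.astimezone(timezone.utc)


def order_by_utc(stamps) -> list:
    """Time-order stamps that were written with different local offsets."""
    return sorted(stamps, key=to_utc)


def clock_skew_ms(system_clock: datetime, reference_clock: datetime) -> float:
    """Absolute difference between two offset-aware clock readings, in milliseconds."""
    return abs((system_clock - reference_clock).total_seconds()) * 1000.0


def within_granularity(system_clock, reference_clock, granularity_ms: int) -> bool:
    """AU-08 discussion: is the system clock synchronized to within the defined granularity?"""
    return clock_skew_ms(system_clock, reference_clock) <= granularity_ms


if __name__ == "__main__":
    eastern = timezone(timedelta(hours=-4))      # constructed fixed local offset
    local = datetime(2024, 5, 1, 10, 0, 5, 123000, tzinfo=eastern)
    print(format_audit_timestamp(local))          # 2024-05-01T10:00:05.123-04:00
    # Stamps from three components with different offsets; wall-clock order is misleading.
    stamps = ["2024-05-01T10:00:05-04:00", "2024-05-01T13:30:00+00:00", "2024-05-01T16:00:00+02:00"]
    print(order_by_utc(stamps))
    reference = datetime(2024, 5, 1, 14, 0, 0, tzinfo=timezone.utc)
    system = reference + timedelta(milliseconds=150)
    print(clock_skew_ms(system, reference), within_granularity(system, reference, 100))
```

Refusing naive stamps at generation time is cheaper than discovering, during an investigation, that one component's records cannot be placed relative to the others.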
Related controls and activities
AU-03, AU-12, AU-14, SC-45.
Enhancements
- (01) Time stamps: Synchronized with authoritative time source
- Withdrawn: Moved to SC-45(01).
- (02) Time stamps: Secondary authoritative time source
- Withdrawn: Moved to SC-45(02).
References
None.
AU-09 Protection of audit information
Control
- Protect audit information and audit logging tools from unauthorized access, modification, and deletion
- Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information
Discussion
Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personal information. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls.
Related controls and activities
AC-03, AC-06, AU-06, AU-11, AU-14, AU-15, MP-02, MP-04, PE-02, PE-03, PE-06, SA-08, SC-08, SI-04.
Enhancements
- (01) Protection of audit information: Hardware write-once media
- Write audit trails to hardware-enforced, write-once media.
- Discussion: Writing audit trails to hardware-enforced, write-once media applies to the initial generation of audit trails (i.e., the collection of audit records that represents the information to be used for detection, analysis, and reporting purposes) and to the backup of those audit trails. Writing audit trails to hardware-enforced, write-once media does not apply to the initial generation of audit records prior to being written to an audit trail. Write-once, read-many (WORM) media includes Compact Disc-Recordable (CD-R), Blu-ray Disc Recordable (BD-R), and Digital Versatile Disc-Recordable (DVD-R). In contrast, the use of switchable write-protection media, such as tape cartridges, Universal Serial Bus (USB) drives, Compact Disc Re-Writeable (CD-RW), and Digital Versatile Disc-Read Write (DVD-RW) results in write-protected but not write-once media.
- Related controls and activities: AU-04, AU-05.
- (02) Protection of audit information: Store on separate physical systems or components
- Store audit records [Assignment: organization-defined frequency] in a repository that is part of a physically different system or system component than the system or component being audited.
- Discussion: Storing audit records in a repository separate from the audited system or system component helps to ensure that a compromise of the system being audited does not also result in a compromise of the audit records. Storing audit records on separate physical systems or components also preserves the confidentiality and integrity of audit records and facilitates the management of audit records as an organization-wide activity. Storing audit records on separate systems or components applies to initial generation as well as backup or long-term storage of audit records.
- Related controls and activities: AU-04, AU-05.
- (03) Protection of audit information: Cryptographic protection
- Implement cryptographic mechanisms to protect the integrity of audit information and audit tools.
- Discussion: Cryptographic mechanisms used for protecting the integrity of audit information include signed hash functions using asymmetric cryptography. This enables the distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
- Related controls and activities: AU-10, SC-12, SC-13.
- (04) Protection of audit information: Access by subset of privileged users
- Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles].
- Discussion: Individuals or roles with privileged access to a system and who are also the subject of an audit by that system may affect the reliability of the audit information by inhibiting audit activities or modifying audit records. Requiring privileged access to be further defined between audit-related privileges and other privileges limits the number of users or roles with audit-related privileges.
- Related controls and activities: AC-05.
- (05) Protection of audit information: Dual authorization
- Enforce dual authorization for [Selection (1 or more): movement; deletion] of [Assignment: organization-defined audit information].
- Discussion: Organizations may choose different selection options for different types of audit information. Dual authorization mechanisms (also known as two-person control) require the approval of 2 authorized individuals to execute audit functions. To reduce the risk of collusion, organizations consider rotating dual authorization duties to other individuals. Organizations do not require dual authorization mechanisms when immediate responses are necessary to ensure public and environmental safety.
- Related controls and activities: AC-03.
- (06) Protection of audit information: Read-only access
- Authorize read-only access to audit information to [Assignment: organization-defined subset of privileged users or roles].
- Discussion: Restricting privileged user or role authorizations to read-only helps to limit the potential damage to organizations that could be initiated by such users or roles, such as deleting audit records to cover up malicious activity.
- Related controls and activities: None.
- (07) Protection of audit information: Store on component with different operating system
- Store audit information on a component running a different operating system than the system or component being audited.
- Discussion: Storing audit information on a system component running a different operating system reduces the risk that a vulnerability specific to the audited system's operating system also results in a compromise of the audit records.
- Related controls and activities: AU-04, AU-05, AU-11, SC-29.
References
- Cryptographic algorithms for unclassified, protected A, and protected B information (ITSP.40.111)
- NIST FIPS 140-3 Security Requirements for Cryptographic Modules
- NIST FIPS 180-4 Secure Hash Standard (SHS)
- NIST FIPS 202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions
- Network security auditing (ITSAP.80.086)
AU-10 Non-repudiation
Control
Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed [Assignment: organization-defined actions to be covered by non-repudiation].
Discussion
Types of individual actions covered by non-repudiation include creating information, sending and receiving messages, and approving information. Non-repudiation protects against claims by authors of not having authored certain documents, senders of not having transmitted messages, receivers of not having received messages, and signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from an individual or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request, or receiving specific information). Organizations obtain non-repudiation services by employing various techniques or mechanisms, including digital signatures and digital message receipts.
Related controls and activities
AU-09, PM-12, SA-08, SC-08, SC-12, SC-13, SC-16, SC-17, SC-23.
Enhancements
- (01) Non-repudiation: Association of identities
- Bind the identity of the information producer with the information to [Assignment: organization-defined strength of binding]
- Provide the means for authorized individuals to determine the identity of the producer of the information
- Discussion: Binding identities to the information supports audit requirements that provide organizational personnel with the means to identify who produced specific information in the event of an information transfer. Organizations determine and approve the strength of attribute binding between the information producer and the information based on the security category of the information and other relevant risk factors.
- Related controls and activities: AC-04, AC-16.
- (02) Non-repudiation: Validate binding of information producer identity
- Validate the binding of the information producer identity to the information at [Assignment: organization-defined frequency]
- Perform [Assignment: organization-defined actions] in the event of a validation error
- Discussion: Validating the binding of the information producer identity to the information prevents the modification of information between production and review. The validation of bindings can be achieved by, for example, using cryptographic checksums. Organizations determine if validations are in response to user requests or generated automatically.
- Related controls and activities: AC-03, AC-04, AC-16.
- (03) Non-repudiation: Chain of custody
- Maintain reviewer or releaser credentials within the established chain of custody for information reviewed or released.
- Discussion: Chain of custody is a process that tracks the movement of evidence through its collection, safeguarding, and analysis lifecycle by documenting each individual who handled the evidence, the date and time the evidence was collected or transferred, and the purpose for the transfer. If the reviewer is a human or if the review function is automated but separate from the release or transfer function, the system associates the identity of the reviewer of the information to be released with the information and the information label. In the case of human reviews, maintaining the credentials of reviewers or releasers provides the organization with the means to identify who reviewed and released the information. In the case of automated reviews, it ensures that only approved review functions are used.
- Related controls and activities: AC-04, AC-16.
- (04) Non-repudiation: Validate binding of information reviewer identity
- Validate the binding of the information reviewer identity to the information at the transfer or release points prior to release or transfer between [Assignment: organization-defined security domains]
- Perform [Assignment: organization-defined actions] in the event of a validation error
- Discussion: Validating the binding of the information reviewer identity to the information at transfer or release points prevents the unauthorized modification of information between review and the transfer or release. The validation of bindings can be achieved by using cryptographic checksums. Organizations determine if validations are in response to user requests or generated automatically.
- Related controls and activities: AC-04, AC-16.
- (05) Non-repudiation: Digital signatures
- Withdrawn: Incorporated into SI-07.
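An added example, not code from this catalogue or any referenced standard, of the mechanism that AU-09(03) and AU-10(01)/(02) describe: each audit record is hashed together with its predecessor's digest, the producing component signs that chained digest with an Ed25519 private key, and a verifier holding only the public key validates both the identity binding and the continuity of the trail. Record contents and the producer name are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedRecord is a constructed audit-trail entry. Prev chains it to the
// previous entry's digest so removal or reordering is detectable; Sig is the
// producer's Ed25519 signature over the chained digest, binding the producer's
// identity (its key) to the record (AU-10(01)).
type SignedRecord struct {
	Seq      uint64
	Producer string
	Body     string
	Prev     [32]byte
	Sig      []byte
}

// digest is what gets signed: sequence, producer, body and previous digest,
// so no field can be altered, dropped or moved without invalidating Sig.
func (r SignedRecord) digest() [32]byte {
	h := sha256.New()
	fmt.Fprintf(h, "%d\n%s\n%s\n%x\n", r.Seq, r.Producer, r.Body, r.Prev)
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Producer holds the private key. Only the producing component needs it; the
// verifier works from the public key alone, as AU-09(03) describes.
type Producer struct {
	Name string
	priv ed25519.PrivateKey
	last [32]byte
	seq  uint64
}

// NewProducer generates a key pair and returns the public half for distribution.
func NewProducer(name string) (*Producer, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Producer{Name: name, priv: priv}, pub, nil
}

// Append signs the next record and advances the chain.
func (p *Producer) Append(body string) SignedRecord {
	p.seq++
	r := SignedRecord{Seq: p.seq, Producer: p.Name, Body: body, Prev: p.last}
	d := r.digest()
	r.Sig = ed25519.Sign(p.priv, d[:])
	p.last = d
	return r
}

// VerifyTrail validates the binding of producer identity to every record and
// the continuity of the chain (AU-10(02)). It returns the index of the first
// failing record, or -1 when the whole trail verifies.
func VerifyTrail(trail []SignedRecord, pub ed25519.PublicKey) (int, error) {
	var prev [32]byte
	for i, r := range trail {
		if r.Seq != uint64(i)+1 {
			return i, fmt.Errorf("record %d: sequence gap (a record was removed or reordered)", i)
		}
		if r.Prev != prev {
			return i, fmt.Errorf("record %d: chain broken", i)
		}
		d := r.digest()
		if !ed25519.Verify(pub, d[:], r.Sig) {
			return i, fmt.Errorf("record %d: signature invalid (content altered or wrong producer)", i)
		}
		prev = d
	}
	return -1, nil
}

func main() {
	p, pub, err := NewProducer("auth-svc")
	if err != nil {
		panic(err)
	}
	trail := []SignedRecord{p.Append("alice logged in"), p.Append("alice read record 42")}
	fmt.Println(VerifyTrail(trail, pub)) // -1 <nil>
	trail[1].Body = "alice read record 43" // a stored record is edited after the fact
	fmt.Println(VerifyTrail(trail, pub)) // 1 record 1: signature invalid ...
}
```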
References
- User authentication guidance for information technology systems (ITSP.30.031)
- Implementation guidance: Email domain protection (ITSP.40.065)
- TBS Directive on Identity Management, Appendix A: Standard on Identity and Credential Assurance
- TBS Government of Canada Guidance on Using Electronic Signatures
- NIST FIPS 140-3 Security Requirements for Cryptographic Modules
- NIST FIPS 180-4 Secure Hash Standard (SHS)
- NIST FIPS 186-5 Digital Signature Standard (DSS)
- NIST FIPS 202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions
AU-11 Audit record retention
Control
Retain audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.
Discussion
Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action.
GC discussion
This includes the retention and availability of audit records relative to requests for GC information under the Access to Information Act, requests for personal information under the Privacy Act, subpoenas, and law enforcement actions. When audit records include personal information that is used for an administrative decision, such as an investigation, they must be retained in accordance with the Privacy Regulations. If audit records contain personal information that is not required for the audit process, that personal information should be removed or redacted prior to retention. If audit records rely on personal information and that information is used to make an administrative decision, the minimum retention standard is at least 2 years following the last time the personal information was used for an administrative purpose, unless the individual consents to its disposal. Retention standards for personal information associated with this process should be reflected in the standard PIB for Internal Audit. Library and Archives Canada provides federal policy on records retention.
Related controls and activities
AU-02, AU-04, AU-05, AU-06, AU-09, AU-14, MP-06, RA-05, SI-12.
Enhancements
- (01) Audit record retention: Long-term retrieval capability
- Employ [Assignment: organization-defined measures] to ensure that long-term audit records generated by the system can be retrieved.
- Discussion: Organizations need to access and read audit records requiring long-term storage (on the order of years). Measures employed to help facilitate the retrieval of audit records include converting records to newer formats, retaining equipment capable of reading the records, and retaining the necessary documentation to help personnel understand how to interpret the records.
- Related controls and activities: None.
References
- TBS Policy on Service and Digital
- TBS Directive on Service and Digital
- TBS Directive on Privacy Practices
- TBS Policy on Access to Information
- TBS Directive on Access to Information Requests
- TBS Directive on Personal Information Requests and Correction of Personal Information
AU-12 Audit record generation
Control
- Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-02A on [Assignment: organization-defined system components]
- Allow [Assignment: organization-defined personnel or roles] to select the event types that are to be logged by specific components of the system
- Generate audit records for the event types defined in AU-02C that include the audit record content defined in AU-03
Discussion
Audit records can be generated from many different system components. The event types specified in AU-02D are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records. If records generated for the audit process contain personal information that is not required for the audit process, that personal information should be removed or redacted.
Related controls and activities
AC-06, AC-17, AU-02, AU-03, AU-04, AU-05, AU-06, AU-07, AU-14, CM-05, MA-04, MP-04, PM-12, SA-08, SC-18, SI-03, SI-04, SI-07, SI-10.
Enhancements
- (01) Audit record generation: System-wide and time-correlated audit trail
- Compile audit records from [Assignment: organization-defined system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail].
- Discussion: Audit trails are time-correlated if the time stamps in the individual audit records can be reliably related to the time stamps in other audit records to achieve a time ordering of the records within organizational tolerances.
- Related controls and activities: AU-08, SC-45.
- (02) Audit record generation: Standardized formats
- Produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format.
- Discussion: Audit records that follow common standards promote interoperability and information exchange between devices and systems. Promoting interoperability and information exchange facilitates the production of event information that can be readily analyzed and correlated. If logging mechanisms do not conform to standardized formats, systems may convert individual audit records into standardized formats when compiling system-wide audit trails.
- Related controls and activities: None.
- (03) Audit record generation: Changes by authorized individuals
- Provide and implement the capability for [Assignment: organization-defined individuals or roles] to change the logging to be performed on [Assignment: organization-defined system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds].
- Discussion: Permitting authorized individuals to make changes to system logging enables organizations to extend or limit logging as necessary to meet organizational requirements. Logging that is limited to conserve system resources may be extended (either temporarily or permanently) to address certain threat situations. In addition, logging may be limited to a specific set of event types to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which logging actions are changed (e.g., near real-time, within minutes, or within hours).
- Related controls and activities: AC-03.
- (04) Audit record generation: Query parameter audits of personal information
- Provide and implement the capability for auditing the parameters of user query events for data sets containing personal information.
- Discussion: Query parameters are explicit criteria that an individual or automated system submits to a system to retrieve data. Auditing of query parameters for datasets that contain personal information augments the capability of an organization to track and understand the access, usage, or sharing of personal information by authorized personnel.
- GC discussion: The use of personal information for the audit purpose is authorized without consent of the individual pursuant to 8(2)(h) of the Privacy Act.
- Related controls and activities: None.
References
- TBS Directive on Privacy Practices
- TBS Policy on Privacy Protection
- Privacy Act
- Privacy Regulations SOR/83-508
- TBS Directive on Service and Digital, Appendix L: Standard for Managing Metadata
AU-13 Monitoring for information disclosure
Control
- Monitor [Assignment: organization-defined open-source information and/or information sites] [Assignment: organization-defined frequency] for evidence of unauthorized disclosure of organizational information
- If an information disclosure is discovered
- notify [Assignment: organization-defined personnel or roles]
- take the following additional actions: [Assignment: organization-defined additional actions]
Discussion
Unauthorized disclosure of information is a form of data leakage.
GC discussion
Federal departments and agencies may engage in proactive review of open-source information for the presence of classified information related to national security. This process may reveal or require the collection of personal information and requires lawful authority. Where possible, personal identifiers should be redacted, removed, or masked and not stored in organizational information holdings. Information may be obtained from Internet sites such as social networking sites and code-sharing platforms and repositories.
Related controls and activities
AC-22, PE-03, PM-12, RA-05, SC-07, SI-20.
Enhancements
- (01) Monitoring for information disclosure: Use of automated tools
- Monitor open-source information and information sites using [Assignment: organization-defined automated mechanisms].
- Discussion: Automated mechanisms include commercial services that provide notifications and alerts to organizations and automated scripts to monitor new posts on websites.
- GC discussion: Federal organizations should take care to ensure that these commercial organizations are compliant with jurisdictional privacy laws regarding the collection of personal information.
- Related controls and activities: None.
- (02) Monitoring for information disclosure: Review of monitored sites
- Review the list of open-source information sites being monitored [Assignment: organization-defined frequency].
- Discussion: Reviewing the current list of open-source information sites being monitored on a regular basis helps to ensure that the selected sites remain relevant. The review also provides the opportunity to add new open-source information sites with the potential to provide evidence of unauthorized disclosure of organizational information. The list of sites monitored can be guided and informed by threat intelligence or other credible sources of information.
- Related controls and activities: None.
- (03) Monitoring for information disclosure: Unauthorized replication of information
- Employ discovery techniques, processes, and tools to determine if external entities are replicating organizational information in an unauthorized manner.
- Discussion: The unauthorized use or replication of organizational information by external entities can cause adverse impacts on organizational operations and assets, including damage to reputation. Such activity can include the replication of an organizational website by an adversary or hostile threat actor who attempts to impersonate the web-hosting organization. Discovery tools, techniques, and processes used to determine if external entities are replicating organizational information in an unauthorized manner include scanning external websites, monitoring social media, and training staff to recognize the unauthorized use of organizational information.
- Related controls and activities: None.
References
AU-14 Session audit
Control
- Provide and implement the capability for [Assignment: organization-defined users or roles] to [Selection (1 or more): record; view; hear; log] the content of a user session under [Assignment: organization-defined circumstances]
- Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, Orders in Council, directives, regulations, policies, standards, and guidelines
Discussion
Session audits can include monitoring keystrokes, tracking websites visited, and recording information and/or file transfers. Session audit capability is implemented in addition to event logging and may involve implementation of specialized session capture technology. Organizations consider how session auditing can reveal information about individuals that may give rise to privacy risk as well as how to mitigate those risks. Because session auditing can impact system and network performance, organizations activate the capability under well-defined situations (e.g., the organization is suspicious of a specific individual). Organizations consult with legal counsel and privacy officials to ensure that any legal, privacy, or Charter rights, including the use of personal information, are appropriately addressed.
GC discussion
Collecting personal information associated with session audits requires lawful authority, in accordance with the Privacy Act.
Related controls and activities
AC-03, AC-08, AU-02, AU-03, AU-04, AU-05, AU-08, AU-09, AU-11, AU-12.
Enhancements
- (01) Session audit: System start-up
- Initiate session audits automatically at system start-up.
- Discussion: The automatic initiation of session audits at startup helps to ensure that the information being captured on selected individuals is complete and not subject to compromise through tampering by malicious threat actors.
- Related controls and activities: None.
- (02) Session audit: Capture and record content
- Withdrawn: Incorporated into AU-14.
- (03) Session audit: Remote viewing and listening
- Provide and implement the capability for authorized users to remotely view and hear content related to an established user session in real time.
- Discussion: None.
- Related controls and activities: AC-17.
References
- TBS Directive on Service and Digital, Appendix C: Mandatory Procedures for Privacy and Monitoring of Network and Device Use Information Notices
- Privacy Act
AU-15 Alternate audit logging capability
Withdrawn: Moved to AU-05(05).
AU-16 Cross-organizational audit logging
Control
Employ [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries.
Discussion
When organizations use systems or services of external organizations, the audit logging capability necessitates a coordinated, cross-organization approach. For example, maintaining the identity of individuals who request specific services across organizational boundaries may often be difficult, and doing so may prove to have significant performance and privacy ramifications. Therefore, cross-organizational audit logging often simply captures the identity of individuals who issue requests at the initial system, and subsequent systems record that the requests originated from authorized individuals. Organizations should consider including processes for coordinating audit information requirements and protection of audit information in information exchange agreements.
GC discussion
Users whose activities are monitored by audit logs should be given notice of the activity. In addition, consideration should be given to documenting the cross-organizational information sharing in an Information Sharing Agreement or Information Sharing Arrangement.
Related controls and activities
AC-08, AC-21(400), AC-21(401), AU-03, AU-06, AU-07, CA-03, PT-07.
Enhancements
- (01) Cross-organizational audit logging: Identity preservation
- Preserve the identity of individuals in cross-organizational audit trails.
- Discussion: Identity preservation is applied when there is a need to be able to trace actions that are performed across organizational boundaries to a specific individual.
- Related controls and activities: IA-02, IA-04, IA-05, IA-08.
- (02) Cross-organizational audit logging: Sharing of audit information
- Provide cross-organizational audit information to [Assignment: organization-defined organizations] based on [Assignment: organization-defined cross-organizational sharing agreements].
- Discussion: Due to the distributed nature of the audit information, cross-organization sharing of audit information may be essential for effective analysis of the auditing being performed. For example, the audit records of one organization may not provide sufficient information to determine the appropriate or inappropriate use of organizational information resources by individuals in other organizations. In some instances, only individuals’ home organizations have the appropriate knowledge to make such determinations, thus requiring the sharing of audit information among organizations.
- Related controls and activities: IR-04, SI-04.
- (03) Cross-organizational audit logging: Disassociability
- Implement [Assignment: organization-defined measures] to disassociate individuals from audit information transmitted across organizational boundaries.
- Discussion: Preserving identities in audit trails could have privacy ramifications, such as enabling the tracking and profiling of individuals, but may not be operationally necessary. These risks could be further amplified when transmitting information across organizational boundaries. Implementing privacy-enhancing cryptographic techniques can disassociate individuals from audit information and reduce privacy risk while maintaining accountability.
- Related controls and activities: None.
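An added example of the disassociation AU-16(03) calls for, not code from this catalogue: before records cross the organizational boundary, the home organization replaces each identity with a keyed pseudonym (HMAC-SHA256 under a per-partner key), so the receiving organization can still correlate one actor's actions for analysis (AU-16(02)) but cannot recover identities or link pseudonyms across partners, while the home organization alone can re-identify a subject a partner reports. Keys, identities and records are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// InternalRecord is what the home organization holds: it names the individual.
type InternalRecord struct {
	Identity, Action, When string
}

// OutboundRecord is what crosses the organizational boundary. Subject is a
// pseudonym; the identity itself is never transmitted.
type OutboundRecord struct {
	Subject, Action, When string
}

// Pseudonymizer is operated by the home organization only. Each partner has
// its own secret key (a constructed stand-in for a key established under the
// sharing agreement), so pseudonyms sent to one partner cannot be linked to
// those sent to another.
type Pseudonymizer struct {
	partnerKeys map[string][]byte
}

func NewPseudonymizer(keys map[string][]byte) Pseudonymizer {
	return Pseudonymizer{partnerKeys: keys}
}

// Pseudonym is HMAC-SHA256(partner key, identity). It is stable for one
// identity toward one partner, so the partner still sees "the same actor"
// across records, but without the key it is neither invertible nor
// brute-forceable from a list of likely identities.
func (p Pseudonymizer) Pseudonym(partner, identity string) (string, error) {
	key, ok := p.partnerKeys[partner]
	if !ok {
		return "", fmt.Errorf("no sharing-agreement key for %q", partner)
	}
	m := hmac.New(sha256.New, key)
	m.Write([]byte(identity))
	return hex.EncodeToString(m.Sum(nil)), nil
}

// Export produces the disassociated records to transmit to partner.
func (p Pseudonymizer) Export(partner string, in []InternalRecord) ([]OutboundRecord, error) {
	out := make([]OutboundRecord, 0, len(in))
	for _, r := range in {
		s, err := p.Pseudonym(partner, r.Identity)
		if err != nil {
			return nil, err
		}
		out = append(out, OutboundRecord{Subject: s, Action: r.Action, When: r.When})
	}
	return out, nil
}

// Reidentify is the accountability path, available only to the home
// organization: it holds the key and its own user directory, so it can
// recompute each candidate's pseudonym and find the match a partner reports.
func (p Pseudonymizer) Reidentify(partner, pseudonym string, directory []string) (string, bool) {
	for _, id := range directory {
		if s, err := p.Pseudonym(partner, id); err == nil && hmac.Equal([]byte(s), []byte(pseudonym)) {
			return id, true
		}
	}
	return "", false
}

// Constructed sample data; identities, keys and actions are illustrative only.
var (
	sampleDirectory = []string{"alice@example.org", "bob@example.org"}
	sampleInternal  = []InternalRecord{
		{"alice@example.org", "requested file 42", "2024-03-05T09:15:30Z"},
		{"bob@example.org", "approved request", "2024-03-05T09:16:02Z"},
		{"alice@example.org", "downloaded file 42", "2024-03-05T09:16:40Z"},
	}
)

func main() {
	p := NewPseudonymizer(map[string][]byte{"org-b": []byte("constructed-key-for-org-b")})
	out, _ := p.Export("org-b", sampleInternal)
	for _, r := range out {
		fmt.Println(r.Subject[:16], r.Action, r.When)
	}
	fmt.Println(p.Reidentify("org-b", out[1].Subject, sampleDirectory)) // bob@example.org true
}
```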
References
None.