AU.L2-3.3.4 Audit Failure Alerting
Alert in the event of an audit logging process failure.
Source: NIST SP 800-171 Rev 2 3.3.4
Discussion: Audit logging process failures include software and hardware errors, failures in the audit record capturing mechanisms, and audit record storage capacity being reached or exceeded. This requirement applies to each audit record data storage repository (i.e., distinct system component where audit records are stored), the total audit record storage capacity of organizations (i.e., all audit record data storage repositories combined), or both.
Assessment Objectives:
Determine if:
- [a] personnel or roles to be alerted in the event of an audit logging process failure are identified;
- [b] types of audit logging process failures for which alert will be generated are defined; and
- [c] identified personnel or roles are alerted in the event of an audit logging process failure.
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing response to audit logging processing failures; system design documentation; security plan; system configuration settings and associated documentation; list of personnel to be notified in case of an audit logging processing failure; system incident reports; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: Personnel with audit and accountability responsibilities; personnel with information security responsibilities; system or network administrators; system developers].
Test: [SELECT FROM: Mechanisms implementing system response to audit logging processing failures].
SPRS Score: 1
POA&M Allowed: Yes