AU.L2-3.3.5 Audit Correlation

Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.

Source: NIST SP 800-171 Rev 2 3.3.5

Discussion: Correlating audit record review, analysis, and reporting processes helps to ensure that they do not operate independently, but rather collectively. Regarding the assessment of a given organizational system, the requirement is agnostic as to whether this correlation is applied at the system level or at the organization level across all systems.

Assessment Objectives:

Determine if:

Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit record review, analysis, and reporting; security plan; system design documentation; system configuration settings and associated documentation; system audit logs and records across different repositories; other relevant documents or records].

Interview: [SELECT FROM: Personnel with audit record review, analysis, and reporting responsibilities; personnel with information security responsibilities].

Test: [SELECT FROM: Mechanisms supporting analysis and correlation of audit records].

SPRS Score: 5

POA&M Allowed: No