AU.L2-3.3.5 Audit Correlation
Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
Source: NIST SP 800-171 Rev 2 3.3.5
Discussion: Correlating audit record review, analysis, and reporting processes helps to ensure that they do not operate independently, but rather collectively. Regarding the assessment of a given organizational system, the requirement is agnostic as to whether this correlation is applied at the system level or at the organization level across all systems.
Assessment Objectives:
Determine if:
- [a] audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity are defined; and
- [b] defined audit record review, analysis, and reporting processes are correlated.
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit record review, analysis, and reporting; security plan; system design documentation; system configuration settings and associated documentation; system audit logs and records across different repositories; other relevant documents or records].
Interview: [SELECT FROM: Personnel with audit record review, analysis, and reporting responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Mechanisms supporting analysis and correlation of audit records].
SPRS Score: 5
POA&M Allowed: No