compliance controls are associated with this Policy definition 'Provide capability to process customer-controlled audit records' (21633c09-804e-7fcd-78e3-635c6bfe2be7)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| FedRAMP_High_R4 |
AU-7(1) |
FedRAMP_High_R4_AU-7(1) |
FedRAMP High AU-7 (1) |
Audit And Accountability |
Automatic Processing |
Shared |
n/a |
The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records].
Supplemental Guidance: Events of interest can be identified by the content of specific audit record fields including, for example, identities of individuals, event types, event locations, event times, event dates, system resources involved, IP addresses involved, or information objects accessed. Organizations may define audit event criteria to any degree of granularity required, for example, locations selectable by general networking location (e.g., by network or subnetwork) or selectable by specific information system component. Related controls: AU-2, AU-12. |
link |
1 |
| FedRAMP_Moderate_R4 |
AU-7(1) |
FedRAMP_Moderate_R4_AU-7(1) |
FedRAMP Moderate AU-7 (1) |
Audit And Accountability |
Automatic Processing |
Shared |
n/a |
The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records].
Supplemental Guidance: Events of interest can be identified by the content of specific audit record fields including, for example, identities of individuals, event types, event locations, event times, event dates, system resources involved, IP addresses involved, or information objects accessed. Organizations may define audit event criteria to any degree of granularity required, for example, locations selectable by general networking location (e.g., by network or subnetwork) or selectable by specific information system component. Related controls: AU-2, AU-12. |
link |
1 |
| hipaa |
1205.09aa2System.1-09.aa |
hipaa-1205.09aa2System.1-09.aa |
1205.09aa2System.1-09.aa |
12 Audit Logging & Monitoring |
1205.09aa2System.1-09.aa 09.10 Monitoring |
Shared |
n/a |
Logs of messages sent and received are maintained including the date, time, origin and destination of the message, but not its contents. |
|
6 |
| hipaa |
1215.09ab2System.7-09.ab |
hipaa-1215.09ab2System.7-09.ab |
1215.09ab2System.7-09.ab |
12 Audit Logging & Monitoring |
1215.09ab2System.7-09.ab 09.10 Monitoring |
Shared |
n/a |
Auditing and monitoring systems employed by the organization support audit reduction and report generation. |
|
4 |
| hipaa |
1219.09ab3System.10-09.ab |
hipaa-1219.09ab3System.10-09.ab |
1219.09ab3System.10-09.ab |
12 Audit Logging & Monitoring |
1219.09ab3System.10-09.ab 09.10 Monitoring |
Shared |
n/a |
The information system is able to automatically process audit records for events of interest based on selectable criteria. |
|
4 |
| hipaa |
1222.09ab3System.8-09.ab |
hipaa-1222.09ab3System.8-09.ab |
1222.09ab3System.8-09.ab |
12 Audit Logging & Monitoring |
1222.09ab3System.8-09.ab 09.10 Monitoring |
Shared |
n/a |
The organization analyzes and correlates audit records across different repositories using a security information and event management (SIEM) tool or log analytics tools for log aggregation and consolidation from multiple systems/machines/devices, and correlates this information with input from non-technical sources to gain and enhance organization-wide situational awareness. Using the SIEM tool, the organization devise profiles of common events from given systems/machines/devices so that it can tune detection to focus on unusual activity, avoid false positives, more rapidly identify anomalies, and prevent overwhelming analysts with insignificant alerts. |
|
10 |
| hipaa |
1519.11c2Organizational.2-11.c |
hipaa-1519.11c2Organizational.2-11.c |
1519.11c2Organizational.2-11.c |
15 Incident Management |
1519.11c2Organizational.2-11.c 11.02 Management of Information Security Incidents and Improvements |
Shared |
n/a |
For unauthorized disclosures of covered information, a log is maintained and annually submitted to the appropriate parties (e.g., a state, regional or national regulatory agency). |
|
14 |
| NIST_SP_800-171_R2_3 |
.3.6 |
NIST_SP_800-171_R2_3.3.6 |
NIST SP 800-171 R2 3.3.6 |
Audit and Accountability |
Provide audit record reduction and report generation to support on-demand analysis and reporting. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Audit record reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or organizational entities conducting auditing activities. Audit record reduction capability can include, for example, modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can help generate customizable reports. Time ordering of audit records can be a significant issue if the granularity of the time stamp in the record is insufficient. |
link |
7 |
| NIST_SP_800-53_R4 |
AU-7(1) |
NIST_SP_800-53_R4_AU-7(1) |
NIST SP 800-53 Rev. 4 AU-7 (1) |
Audit And Accountability |
Automatic Processing |
Shared |
n/a |
The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records].
Supplemental Guidance: Events of interest can be identified by the content of specific audit record fields including, for example, identities of individuals, event types, event locations, event times, event dates, system resources involved, IP addresses involved, or information objects accessed. Organizations may define audit event criteria to any degree of granularity required, for example, locations selectable by general networking location (e.g., by network or subnetwork) or selectable by specific information system component. Related controls: AU-2, AU-12. |
link |
1 |
| NIST_SP_800-53_R5 |
AU-7(1) |
NIST_SP_800-53_R5_AU-7(1) |
NIST SP 800-53 Rev. 5 AU-7 (1) |
Audit and Accountability |
Automatic Processing |
Shared |
n/a |
Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records]. |
link |
1 |