CCI-000148

Review and analyze system audit records on an organization-defined frequency for indications of organization-defined inappropriate or unusual activity.

Implementation Guidance

The organization being inspected/assessed documents and implements a process to review and analyze information system audit records every seven days or more frequently if required by an alarm event or anomaly for indications of activity defined in AU-6, CCI 1862. The organization must maintain an audit trail of the reviews. DoD has defined the frequency as every seven days or more frequently if required by an alarm event or anomaly.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented process for audit trail reviews as well as the audit trail showing the reviews to ensure the organization being inspected/assessed reviews and analyzes information system audit records every seven days or more frequently if required by an alarm event or anomaly for indications of activity defined in AU-6, CCI 1862. DoD has defined the frequency as every seven days or more frequently if required by an alarm event or anomaly.

Compelling Evidence

1.) Signed and dated audit and accountability policy and/or procedures 2.) Sample of generated audit records

The controls below (if any) were marked by NIST as being related to CCI-000148.