CCI-001488

Implementation Guidance

The organization being inspected/assessed defines and documents additional, more detailed information to be included in the audit records. The additional information must include at a minimum, full-text recording of privileged commands or the individual identities of group account users. The additional information must provide sufficient detail to reconstruct events to determine cause of compromise and magnitude of damage, malfunction, or security violation. DoD has determined that additional, more detailed information must include, at a minimum, full-text recording of privileged commands or the individual identities of group account users. DoD has determined that all additional, more detailed information is not appropriate to define at the Enterprise level.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented list of additional more detailed information to be included in the audit records to ensure that: 1. The list is defined; and 2. The list includes full-text recording of privileged commands or the individual identities of group account users. DoD has determined that additional, more detailed information must include, at a minimum, full-text recording of privileged commands or the individual identities of group account users. DoD has determined that it is not appropriate to define at the Enterprise level.

Compelling Evidence

1.) Signed and dated audit and accountability policy and/or procedures