Navigate

CCI-001490

CCI-001490 Definition

Defines the actions to be taken by the system upon audit failure, including shutting down the system, overwriting oldest audit records, and stopping the generation of audit records.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed will define and document actions to be taken by the information system upon audit failure. The organization shall consider trade-offs between the needs for system availability and audit integrity when defining the actions. Unless availability is an overriding concern, the default action should be to shut down the information system. DoD has determined that the actions are not appropriate to define at the Enterprise level.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented actions to ensure the organization being inspected/assessed has defined the actions to be taken by the information system upon audit failure. DoD has determined that the actions are not appropriate to define at the Enterprise level.

Compelling Evidence

1.) Signed and dated audit and accountability policy 2.) Applicable STIG/SRG checks

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-001490.

Control	Description
AU-5	The information system: a: Alerts [organization-defined personnel or roles] in the event of an audit processing failure; and b: Takes the following additional actions: [organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].