Navigate

AU-3(3)

AU-3(3): Limit Personally Identifiable Information Elements

Limit personally identifiable information contained in audit records to the following elements identified in the privacy risk assessment: [elements identified in the privacy risk assessment are defined;].

Supplemental

Limiting personally identifiable information in audit records when such information is not needed for operational purposes helps reduce the level of privacy risk created by a system.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
DAF Baseline, Privacy (accountability), Privacy (high), Privacy (low), Privacy (moderate), Privacy Control Baseline (CNSSI 1253)

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to AU-3(3).

Control	Description
RA-3	a: Conduct a risk assessment, including: 1: Identifying threats to and vulnerabilities in the system; 2: Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and 3: Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information; b: Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments; c: Document risk assessment results in [one of "security and privacy plans"/"risk assessment report"/"{{ insert: param, ra-03_odp.02 }} "]; d: Review risk assessment results [the frequency to review risk assessment results is defined;]; e: Disseminate risk assessment results to [personnel or roles to whom risk assessment results are to be disseminated is/are defined;] ; and f: Update the risk assessment [the frequency to update the risk assessment is defined;] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.

Control

Description

RA-3

a: Conduct a risk assessment, including:
- 1: Identifying threats to and vulnerabilities in the system;
- 2: Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and
- 3: Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;

b: Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;

c: Document risk assessment results in [one of "security and privacy plans"/"risk assessment report"/"{{ insert: param, ra-03_odp.02 }} "];

d: Review risk assessment results [the frequency to review risk assessment results is defined;];

e: Disseminate risk assessment results to [personnel or roles to whom risk assessment results are to be disseminated is/are defined;] ; and

f: Update the risk assessment [the frequency to update the risk assessment is defined;] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.

Enhancements

The controls below (if any) add on to the requirements of AU-3(3).

Control	Description
No controls

Related CCIs

The CCIs below are tied to AU-3(3).

CCI	Definition
CCI-003812	Limit personally identifiable information contained in audit records to organization-defined elements identified in the privacy risk assessment.
CCI-003813	Defines the elements identified in the privacy risk assessment for limiting personally identifiable information contained in audit records.