Navigate

SI-7(8)

SI-7(8): Auditing Capability for Significant Events

Upon detection of a potential integrity violation, provide the capability to audit the event and initiate the following actions: [one or more of "generate an audit record"/"alert current user"/"alert {{ insert: param, si-07.08_odp.02 }} "/"{{ insert: param, si-07.08_odp.03 }} "].

Supplemental

Organizations select response actions based on types of software, specific software, or information for which there are potential integrity violations.

CIA Levels
Confidentiality	unknown
Integrity	moderate
Availability	unknown

Overlays
DAF Baseline

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to SI-7(8).

Control	Description
AU-2	a: Identify the types of events that the system is capable of logging in support of the audit function: [the event types that the system is capable of logging in support of the audit function are defined;]; b: Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c: Specify the following event types for logging within the system: [one of ]; d: Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e: Review and update the event types selected for logging [the frequency of event types selected for logging are reviewed and updated;].
AU-6	a: Review and analyze system audit records [frequency at which system audit records are reviewed and analyzed is defined;] for indications of [inappropriate or unusual activity is defined;] and the potential impact of the inappropriate or unusual activity; b: Report findings to [personnel or roles to receive findings from reviews and analyses of system records is/are defined;] ; and c: Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.
AU-12	a: Provide audit record generation capability for the event types the system is capable of auditing as defined in [AU-2a](#au-2_smt.a) on [system components that provide an audit record generation capability for the events types (defined in AU-02_ODP[02]) are defined;]; b: Allow [personnel or roles allowed to select the event types that are to be logged by specific components of the system is/are defined;] to select the event types that are to be logged by specific components of the system; and c: Generate audit records for the event types defined in [AU-2c](#au-2_smt.c) that include the audit record content defined in [AU-3](#au-3).

Enhancements

The controls below (if any) add on to the requirements of SI-7(8).

Control	Description
No controls

Related CCIs

The CCIs below are tied to SI-7(8).

CCI	Definition
CCI-002721	Defines the personnel or roles that are to be alerted when a potential integrity violation is detected.
CCI-002722	Defines other actions that can be taken when a potential integrity violation is detected.
CCI-002723	Upon detection of a potential integrity violation, provides the capability to audit the event.
CCI-002724	Upon detection of a potential integrity violation, initiate one or more of the following actions: generate an audit record; alert the current user; alert organization-defined personnel or roles; and/or organization-defined other actions.