Information Security Handbook

Auditing and accountability policy

Auditing and accountability policies establish the rules for how an information system securely alerts, records, stores, and allows access to auditable events important to information security. Such a policy also provides rules for audit log management, so that the high volume of audit logs an information system produces remains manageable for the information security professional.

An auditing and accountability policy should address:

  • Creating, protecting, and retaining information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity
  • Ensuring that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions
  • Reviewing and updating audited events
  • Alerting in the event of an audit process failure
  • Correlating audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity
  • Providing audit reduction and report generation to support on-demand analysis and reporting
  • Providing an information system capability that compares and synchronizes internal system clocks with an authoritative source to generate timestamps for audit records
  • Protecting audit information and audit tools from unauthorized access, modification, and deletion
  • Limiting management of audit functionality to a subset of privileged users