Handbook for Trustworthy Information Systems: Section 9
Criteria Group 3: Audit Trails
Questions to Ask
- Who can access audit data? Alter? Delete? Add?
- How can the audit logs be read? Who can do this?
- What tools are available to output audit information? What are the formats? Who can do this?
- What mechanisms are available to designate which activities are audited? Who can do this?
- How are audit logs protected?
Criteria Group 3: System administrators should establish audit trails that are maintained separately and independently from the operating system.
3A. General characteristics of audit trails include:
1. Audit trail software and mechanisms should be subject to strict access controls and protected from unauthorized modification or circumvention.
2. Audit trails should be backed up onto removable media periodically to ensure minimal data loss in case of system failure.
3. The system should automatically notify system administrators when audit storage media is nearing capacity, and the response should be documented. When the storage media containing the audit trail is physically removed from the system, the media should be physically secured as required by the highest sensitivity level of data it holds.
- If audit trails are encoded to conserve space, the decode mechanism must always accompany the data.
3B. A system should be in place to track password usage and changes. Recorded events and information should include:
1. user identifier
2. successful and unsuccessful log-ins
3. use of password changing procedures
4. user ID lock-out record
7. physical location
3C. A system should be in place to log and track users and their online actions. Audit information might include:
1. details of log-in (date, time, physical location, etc.)
2. creation of files/records
3. accessed file/record identifiers and accompanying activity (deletion, modification, change of sensitivity/security level)
4. accessed device identifiers
5. software use
6. production of printed output
7. overriding of human-readable output markings (including overwrite of sensitivity label markings and turning off of labeling mechanisms) on printed output
8. output to storage devices
Did You Know:
- “The agency head shall ensure that users are aware that their use of computerized information resources is traceable.” (Minnesota Department of Administration, Office of Technology, Computerized Information Resources Security Standards for State Agencies. IRM Standard 16, Version 1. June 1998.) Refer to Bibliography.
- “Agencies shall ensure that computer access points to systems connected to the state network require an access control process that can be audited.” (Minnesota Department of Administration, Office of Technology, Computerized Information Resources Security Standards for State Agencies. IRM Standard 16, Version 1. June 1998.) Refer to Bibliography.
- “Where appropriate, agencies shall log access to data in such a way as to permit an agency to audit its access to computerized information resources.” (Minnesota Department of Administration, Office of Technology, Computerized Information Resources Security Standards for State Agencies. IRM Standard 16, Version 1. June 1998.) Refer to Bibliography.
- Users must be supplied with the Tennessen Warning when collecting confidential, private data by any means. (Minnesota. Chapter 13 (Government Data Practices, 13.04, subdivision 2). Statutes. 1998.) Refer to Bibliography.
3D. For each record, audit trails should log, at a minimum, the following information:
1. record identifier
2. user identifier
5. usage (e.g., creation, capture, retrieval, modification, deletion)
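One way to make entries carrying the 3D fields tamper-evident, in the spirit of 3A.1, is to chain each entry to the previous one with a keyed MAC; this is an added example, not part of the handbook. The HMAC chain, the `seq` field, the function names and the sample values are assumptions, and the key is assumed to be held outside the audited system.

```python
import hashlib
import hmac
import json

# Usage values named in criterion 3D of the handbook.
USAGES = {"creation", "capture", "retrieval", "modification", "deletion"}
GENESIS = "0" * 64  # constructed starting value for the chain (assumption)


def _mac(key: bytes, prev: str, body: dict) -> str:
    # The MAC covers the previous entry's MAC plus this entry's canonical JSON.
    payload = prev.encode() + json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_entry(trail: list, key: bytes, record_id: str, user_id: str, usage: str) -> dict:
    """Append one audit entry with the 3D fields listed on the page."""
    if usage not in USAGES:
        raise ValueError(f"unknown usage: {usage!r}")
    body = {"seq": len(trail), "record_id": record_id, "user_id": user_id, "usage": usage}
    prev = trail[-1]["mac"] if trail else GENESIS
    entry = dict(body, mac=_mac(key, prev, body))
    trail.append(entry)
    return entry


def verify_trail(trail: list, key: bytes) -> int:
    """Return -1 if the trail is intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "mac"}
        ok = hmac.compare_digest(str(entry.get("mac", "")), _mac(key, prev, body))
        if body.get("seq") != i or not ok:
            return i  # altered, reordered, inserted, or a predecessor was deleted
        prev = entry["mac"]
    return -1


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; keep the real key off the audited host
    trail = []
    append_entry(trail, key, "REC-001", "jdoe", "creation")
    append_entry(trail, key, "REC-001", "asmith", "retrieval")
    trail[0]["user_id"] = "someone-else"  # simulate an unauthorized alteration
    print("first bad entry:", verify_trail(trail, key))
```

The chain alone does not reveal entries removed from the end of the trail; keeping the latest MAC with the removable-media backup described in 3A.2 would cover that (an assumption, not a handbook requirement).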
TIS Handbook last updated July 2002, Version 4.