AU-16

AU-16 CROSS-ORGANIZATIONAL AUDITING

Overview

Number	Title	Impact	Priority	Subject Area
AU-16	Cross-Organizational Auditing		P0	Audit And Accountability

Instructions
The organization employs Assignment: organization-defined methods for coordinating Assignment: organization-defined audit information among external organizations when audit information is transmitted across organizational boundaries.

Guidance
When organizations use information systems and/or services of external organizations, the auditing capability necessitates a coordinated approach across organizations. For example, maintaining the identity of individuals that requested particular services across organizational boundaries may often be very difficult, and doing so may prove to have significant performance ramifications. Therefore, it is often the case that cross-organizational auditing (e.g., the type of auditing capability provided by service-oriented architectures) simply captures the identity of individuals issuing requests at the initial information system, and subsequent systems record that the requests emanated from authorized individuals.

Guidance

When organizations use information systems and/or services of external organizations, the auditing capability necessitates a coordinated approach across organizations. For example, maintaining the identity of individuals that requested particular services across organizational boundaries may often be very difficult, and doing so may prove to have significant performance ramifications. Therefore, it is often the case that cross-organizational auditing (e.g., the type of auditing capability provided by service-oriented architectures) simply captures the identity of individuals issuing requests at the initial information system, and subsequent systems record that the requests emanated from authorized individuals.

Enhancements

AU-16 (1) Identity Preservation

This control enhancement applies when there is a need to be able to trace actions that are performed across organizational boundaries to a specific individual.

The organization requires that the identity of individuals be preserved in cross-organizational audit trails.

AU-16 (2) Sharing Of Audit Information

Because of the distributed nature of the audit information, cross-organization sharing of audit information may be essential for effective analysis of the auditing being performed. For example, the audit records of one organization may not provide sufficient information to determine the appropriate or inappropriate use of organizational information resources by individuals in other organizations. In some instances, only the home organizations of individuals have the appropriate knowledge to make such determinations, thus requiring the sharing of audit information among organizations.

The organization provides cross-organizational audit information to Assignment: organization-defined organizations based on Assignment: organization-defined cross-organizational sharing agreements.