ECAT-1 Audit Trail, Monitoring, Analysis and Reporting
Overview
Audit trail records from all available sources are regularly reviewed for indications of inappropriate or unusual activity. Suspected violations of IA policies are analyzed and reported in accordance with DoD information system IA procedures.
| MAC / CONF | Impact | Subject Area |
|---|---|---|
| SENSITIVE PUBLIC MACIII | Low | Enclave Computing Environment |
Details
| Threat |
|---|
| If audit trails that record security events are not reviewed regularly, security violations of the system cannot be detected and prevented in a timely manner. This implementation guide is aimed to help system administrators detect security violations in a timely manner. |
| Guidance |
|---|
| 1. The project manager shall designate authorized personnel (IAM/IAO) in writing who can review audit trails regularly (e.g., daily, weekly) to monitor and detect any anomalies and unusual user activities. 2. The system administrator shall generate audit trails and distribute them as planned to the ISSO for review. 3. The system administrator also shall review the online audit trails and analyze the security violations and report minor and/or major security incident to ISSO in accordance with the system’s Incident Response Plan and the Standard Operating Procedures. |
References
- CJCSM 6510.01, Defense-in-Depth: Information Assurance (IA) and Computer Network Defense (CND), 10 August 2004
- System or Organization-specific Standard Operating Procedures and Incident Response Plan