9-11.1 Audit Logging Functionality Requirements

Audit logs must be sufficient in detail to facilitate reconstruction of events if a compromise or malfunction is suspected or has occurred. Information resources must implement audit logging functions including, but not limited to, the following:

  1. Providing adequate information for establishing audit trails relating to information security incidents (as part of forensics analysis) and user activity.
  2. Consolidating, where feasible, audit records from all sources for automated analysis, alerting, and archiving in support of compliance, accountability, and security.
  3. Supporting administrator-selectable alerts for specified security-related events.
  4. Recording the log-on ID or user ID accountable for the event.
  5. Maintaining the confidentiality of authenticators (e.g., passwords) by excluding them from being recorded.
  6. Maintaining the confidentiality of personally identifiable information (PII) and debit/cardholder data.
  7. Protecting audit logs as sensitive information.
  8. Protecting audit log control mechanisms from modification, deletion, or disabling of the function.
  9. Restricting access to authorized users.
  10. Generating real-time alarms indicating immediate attention is required for operational problems (e.g., running out of storage space) and audit log malfunctions.
  11. Providing authorized individuals with access to enable retrieval, printing, and archiving (copying to long-term storage devices) of audit log contents.
  12. Providing administrators with audit analysis tools to selectively retrieve records from the audit log to produce reports.
  13. Sanitizing audit log storage locations and media prior to reuse.
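As an added illustration of requirements 4, 5 and 6 (this is example code written for this page, not part of the standard): a small audit record builder that refuses to emit a record without an accountable user ID, strips authenticator fields before they reach the log, and masks Luhn-valid card numbers embedded in free-text values. The field names, the set of authenticator keys and the sample event are assumptions.

```python
import json
import re
from datetime import datetime, timezone

# Constructed example, not the standard's own code: field names, the set of
# authenticator keys and the sample events are assumptions for illustration.
AUTHENTICATOR_FIELDS = {"password", "passwd", "secret", "token", "otp"}
CARD_RE = re.compile(r"\b\d{13,19}\b")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to tell a PAN from an ordinary long digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_cardholder_data(text: str) -> str:
    """Keep first 6 and last 4 digits of any Luhn-valid PAN (requirement 6)."""
    def repl(m):
        pan = m.group(0)
        return pan[:6] + "*" * (len(pan) - 10) + pan[-4:] if luhn_valid(pan) else pan
    return CARD_RE.sub(repl, text)

def scrub(value):
    """Recursively drop authenticators (requirement 5) and mask PANs in strings."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if k.lower() in AUTHENTICATOR_FIELDS else scrub(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [scrub(v) for v in value]
    if isinstance(value, str):
        return mask_cardholder_data(value)
    return value

def build_record(user_id: str, event: str, outcome: str, details=None) -> dict:
    """One audit record; the accountable user ID is mandatory (requirement 4)."""
    if not user_id:
        raise ValueError("audit record must carry the accountable user ID")
    return {"ts": datetime.now(timezone.utc).isoformat(), "user_id": user_id,
            "event": event, "outcome": outcome, "details": scrub(details or {})}

def audit_line(user_id: str, event: str, outcome: str, details=None) -> str:
    """Serialize as one JSON line for forwarding to a central log store."""
    return json.dumps(build_record(user_id, event, outcome, details), sort_keys=True)
```

Digit strings that fail the Luhn check (order numbers, ticket IDs) are left intact so the record stays useful for reconstruction.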