Board of Governors of the Federal Reserve System

Security Control Review of the Audit Logging Provided by the Information Technology General Support System

To evaluate security controls and techniques of the Board's information systems, the Office of Inspector General (OIG) reviews controls over Board applications on an ongoing basis. Consistent with Federal Information Security Management Act (FISMA) requirements, we evaluated the adequacy of the audit logging controls provided by the General Support System supported by the Division of Information Technology (IT GSS). Our objectives, consistent with FISMA's requirements, were to evaluate the adequacy of the controls and ensure that the Board has identified the important events at the infrastructure level that need to be audited as significant and relevant to the security of its information system. To accomplish our objectives, we developed a control assessment methodology based on the Audit and Accountability (AU) family of security controls identified in the National Institute of Standards and Technology (NIST) Special Publication 800-53, Recommended Security Controls for Federal Information Systems. This document provides a baseline of security controls for organizations to use in protecting their information systems. Given the sensitivity of information security review work, our reports in this area are generally restricted.

Audit logging is the recording and reviewing of system, application, and user activities. The IT GSS maintains audit log records that include the date and time of selected events, type of event, user identity, and the outcome (success or failure) of the event. These logs are used for monitoring suspicious and unusual activities, investigating security incidents, identifying system anomalies, troubleshooting, and diagnostic purposes. We selected the IT GSS for review because it provides the audit logging for the Board's infrastructure components, including network devices, operating systems, and databases. The IT GSS infrastructure components provide network and general computing capabilities for the Board user community, including platforms for hosting applications; enforcing security policies and authentication into the Board's network; and providing the infrastructures for web-enabled applications, databases, and e-mail.

Overall, our restricted audit found that the IT GSS components had audit logging enabled, and that events were recorded, reviewed, and archived. However, for those control families where control objectives were not met, we identified the deficient aspect of the control, suggested where improvements can be made, and highlighted the recommended action. The Director of Information Technology generally agreed with our recommendations and indicated that corrective action has either been taken or is under way to enhance the specific controls highlighted in the report. We will follow up on the implementation of the recommendations as part of our future audit activities related to the Board's continuing implementation of FISMA.

Last update: November 6, 2009