AU-2 Audit Events

Description

An event is any observable occurrence in an organizational information system.

Organizations identify audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate in order to meet specific and ongoing audit needs.

Audit events can include, for example, password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, PIV credential usage, or third-party credential usage.

In determining the set of auditable events, organizations consider the auditing appropriate for each of the security controls to be implemented. To balance auditing requirements with other information system needs, this Control also requires identifying that subset of auditable events that are audited at a given point in time. For example, organizations may determine that information systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance.

Auditing requirements, including the need for auditable events, may be referenced in other security controls and control enhancements. Organizations also include auditable events that are required by applicable federal laws, executive orders, directives, policies, regulations, and standards.

Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit capability and can facilitate the identification of root causes to problems.

In defining auditable events, organizations consider the auditing necessary to cover related events, such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented architectures.

Applicability

This Control applies to all TAMU-CC University information resources containing essential, controlled, or confidential information.

The intended audience is all individuals responsible for the installation of new information resources or the operation of existing information resources, and all individuals accountable for information resources security.

Implementation

TAMU-CC Chief Information Security and Privacy Officer (CISPO) shall:

  1. Determine that the information system is capable of auditing. Information resources systems shall provide the means whereby authorized personnel have the ability to audit and establish individual accountability for any action that can potentially cause access to, generation of, or modification of confidential information, or affect its release;
  2. Coordinate the security audit function with other organizational entities requiring audit-related information, to enhance mutual support and to help guide the selection of auditable events;
  3. Provide a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents;
  4. Determine that the following events are to be audited annually, or when the situation of auditing requires, within the information system:
    1. All logins, successful or unsuccessful;
    2. All logouts;
    3. Changes to automated security rules (e.g., firewall settings, anti-virus settings, intrusion detection parameters);
    4. Changes to audit and logging settings;
    5. Privilege escalations (e.g., sudo);
    6. Establishing system accounts; and
    7. Configuring access authorizations (i.e., permissions and privileges);
  5. Ensure that appropriate audit trails are maintained to provide accountability for updates to mission-critical information, hardware, and software, and for all changes to automated security or access rules; and
  6. Ensure that, based on the risk assessment, a sufficiently complete history of transactions is maintained to permit an audit of the information resources system by logging and tracing the activities of individuals through the system.

Revision History

Last Updated: February 21, 2025

Previous Versions:

  • June 29, 2023
  • May 31, 2022
  • March 25, 2021
  • September 16, 2019