Board Report: March 31, 2009
Consistent with the Federal Information Security Management Act of 2002 (FISMA), we completed a security control review of the audit logging controls provided by the General Support System supported by the Division of Information Technology (IT GSS). Our audit objectives were to evaluate the adequacy of the audit logging provided by the IT GSS and to ensure that the Board had identified, at the infrastructure level, the events that must be audited as significant and relevant to the security of its information systems. Our objectives were based on the methodology set forth in the Audit and Accountability family of security controls identified in the National Institute of Standards and Technology Special Publication 800-53, Recommended Security Controls for Federal Information Systems.
Audit logging is the recording and reviewing of system, application, and user activities. The IT GSS maintains audit log records that include the date and time of selected events, the type of event, the user identity, and the outcome (success or failure) of the event. These logs are used for monitoring suspicious or unusual activity, investigating security incidents, identifying system anomalies, troubleshooting, and diagnostic purposes. We selected the IT GSS for review because it provides the audit logging for the Board's infrastructure components, including network devices, operating systems, and databases. The IT GSS infrastructure components provide network and general computing capabilities for the Board user community, including platforms for hosting applications; enforcing security policies and authentication into the Board's network; and providing the infrastructure for web-enabled applications, databases, and e-mail.
Overall, our restricted audit found that the IT GSS components had audit logging enabled, and that events were recorded, reviewed, and archived. However, for those control families where control objectives were not met, we identified the deficient aspect of the control, suggested where improvements can be made, and highlighted the recommended action. The Director of IT generally agreed with our recommendations and indicated that corrective action has either been taken or is under way to enhance the specific controls highlighted in the report. We will follow up on the implementation of the recommendations as part of our future audit activities related to the Board's continuing implementation of FISMA. Given the sensitivity of information security review work, our reports in this area are generally restricted.