Continuing the Top 10 Failed Requirements for 800-171! Onward to #7: 3.3.4 “𝐀𝐥𝐞𝐫𝐭 𝐢𝐧 𝐭𝐡𝐞 𝐞𝐯𝐞𝐧𝐭 𝐨𝐟 𝐚𝐧 𝐚𝐮𝐝𝐢𝐭 𝐥𝐨𝐠𝐠𝐢𝐧𝐠 𝐩𝐫𝐨𝐜𝐞𝐬𝐬 𝐟𝐚𝐢𝐥𝐮𝐫𝐞.”
Sit with me while I tell a story…
𝘈𝘯 𝘰𝘳𝘨𝘢𝘯𝘪𝘻𝘢𝘵𝘪𝘰𝘯 𝘥𝘪𝘴𝘤𝘰𝘷𝘦𝘳𝘴 𝘵𝘩𝘢𝘵 𝘵𝘩𝘦𝘺 𝘸𝘦𝘳𝘦 𝘣𝘳𝘦𝘢𝘤𝘩𝘦𝘥 𝘣𝘦𝘤𝘢𝘶𝘴𝘦 𝘨𝘰𝘷𝘦𝘳𝘯𝘮𝘦𝘯𝘵 𝘴𝘦𝘤𝘳𝘦𝘵𝘴 𝘢𝘳𝘦 𝘣𝘦𝘪𝘯𝘨 𝘴𝘰𝘭𝘥 𝘰𝘯 𝘵𝘩𝘦 𝘥𝘢𝘳𝘬 𝘸𝘦𝘣.
𝘋𝘊3 𝘪𝘯𝘤𝘪𝘥𝘦𝘯𝘵 𝘳𝘦𝘴𝘱𝘰𝘯𝘴𝘦 𝘵𝘦𝘢𝘮𝘴 𝘢𝘳𝘦 𝘤𝘢𝘭𝘭𝘦𝘥; 𝘵𝘩𝘦𝘺 𝘴𝘵𝘢𝘳𝘵 𝘥𝘪𝘨𝘨𝘪𝘯𝘨 𝘪𝘯𝘵𝘰 𝘵𝘩𝘦 𝘭𝘰𝘨𝘴 𝘵𝘰 𝘧𝘪𝘯𝘥 𝘰𝘶𝘵 𝘸𝘩𝘢𝘵 𝘩𝘢𝘱𝘱𝘦𝘯𝘦𝘥. 𝘉𝘶𝘵 𝘵𝘩𝘦𝘺 𝘢𝘳𝘦 𝘪𝘮𝘮𝘦𝘥𝘪𝘢𝘵𝘦𝘭𝘺 𝘴𝘵𝘺𝘮𝘪𝘦𝘥 – 𝘵𝘩𝘦𝘳𝘦 𝘢𝘳𝘦 𝘯𝘰 𝘭𝘰𝘨𝘴 𝘧𝘳𝘰𝘮 𝘵𝘩𝘦 𝘧𝘪𝘳𝘦𝘸𝘢𝘭𝘭 𝘰𝘳 𝘴𝘦𝘳𝘷𝘦𝘳𝘴.
𝘛𝘩𝘦 𝘰𝘳𝘨𝘢𝘯𝘪𝘻𝘢𝘵𝘪𝘰𝘯’𝘴 𝘴𝘺𝘴𝘵𝘦𝘮 𝘢𝘥𝘮𝘪𝘯𝘪𝘴𝘵𝘳𝘢𝘵𝘰𝘳𝘴 𝘤𝘭𝘢𝘪𝘮 𝘵𝘩𝘢𝘵 𝘵𝘩𝘦𝘺 𝘴𝘦𝘵 𝘶𝘱 𝘭𝘰𝘨𝘴 𝘪𝘯 𝘵𝘩𝘦 𝘱𝘢𝘴𝘵. 𝘕𝘰 𝘰𝘯𝘦 𝘬𝘯𝘰𝘸𝘴 𝘸𝘩𝘦𝘵𝘩𝘦𝘳 𝘵𝘩𝘦 𝘣𝘢𝘥 𝘨𝘶𝘺𝘴 𝘵𝘶𝘳𝘯𝘦𝘥 𝘰𝘧𝘧 𝘵𝘩𝘦 𝘭𝘰𝘨𝘴, 𝘰𝘳 𝘪𝘧 𝘵𝘩𝘦𝘺 𝘣𝘳𝘰𝘬𝘦 𝘰𝘯 𝘵𝘩𝘦𝘪𝘳 𝘰𝘸𝘯. 𝘌𝘪𝘵𝘩𝘦𝘳 𝘸𝘢𝘺, 𝘵𝘩𝘦𝘺 𝘩𝘢𝘷𝘦 𝘯𝘰 𝘭𝘰𝘨𝘴.
And that is how new requirements are born. (sigh)
𝐅𝐨𝐫 3.3.4, 𝐰𝐞 𝐞𝐱𝐩𝐞𝐜𝐭 𝐚𝐧 𝐨𝐫𝐠𝐚𝐧𝐢𝐳𝐚𝐭𝐢𝐨𝐧 𝐭𝐨 𝐬𝐞𝐭 𝐮𝐩 𝐩𝐮𝐬𝐡 𝐚𝐥𝐞𝐫𝐭𝐬 𝐰𝐡𝐢𝐜𝐡 𝐠𝐨 𝐭𝐨 𝐭𝐡𝐞 𝐜𝐨𝐫𝐫𝐞𝐜𝐭 𝐩𝐞𝐨𝐩𝐥𝐞 𝐰𝐡𝐞𝐧 𝐚𝐮𝐝𝐢𝐭 𝐥𝐨𝐠𝐬 𝐝𝐫𝐨𝐩 𝐛𝐞𝐥𝐨𝐰 𝐚𝐧 𝐞𝐱𝐩𝐞𝐜𝐭𝐞𝐝 𝐥𝐞𝐯𝐞𝐥.
Let’s dissect this.
Push alerts: Manually checking whether logs arrived does not satisfy this requirement. An alert (email, notification, text, ticket, etc.) must be generated automatically and sent to a responsible person or team.
Go to the correct people: During an assessment, a strong piece of evidence is a real audit log failure alert arriving in the inbox or ticket queue of the person identified as responsible for fixing audit logging issues.
Drop below an expected level: Assessors understand that some of your systems are 24×7 and some are 8×5. For the 24×7 systems, think firewalls and servers, set up an individual alert for each system. For part-time systems (laptops), you may need to get inventive, since a laptop that is switched off is not a logging failure. In both cases, identify thresholds for what is “normal” log generation, and baseline them from observed volume rather than guessing.
For example, you could create a logic rule: your firewall should generate at least 10,000 events per day. If it drops below that level, send an alert to the security team. Set the floor well below the typical daily count so it fires on a failure rather than on a quiet day, and pair it with a “no events for N minutes” check, because a 24×7 system that goes silent should not have to wait until the end of the day to raise an alert.
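As an added example (not part of the original post), here is a Python check that implements the threshold logic above for both 24×7 and 8×5 sources: a daily volume floor plus a silence limit, with the floor pro-rated for part-time systems by how much of the last 24 hours was working time. The source names, thresholds, the weekday 08:00–17:00 schedule and the event data are all constructed for illustration; in practice the events would come from your SIEM or log collector, and the returned alerts would be pushed to the responsible team.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed 8x5 schedule for part-time systems: weekdays 08:00-17:00 (9 hours).
BUSINESS_HOURS_PER_DAY = 9


@dataclass(frozen=True)
class Source:
    name: str
    min_events_per_day: int   # floor for a full 24h (24x7) or a full business day (8x5)
    max_silence: timedelta    # longest gap with no events before alerting
    always_on: bool = True    # False for 8x5 systems such as laptops


def in_business_hours(t: datetime) -> bool:
    return t.weekday() < 5 and 8 <= t.hour < 17


def business_hours_in_window(start: datetime, end: datetime) -> int:
    """Count the hours between start and end that fall inside the 8x5 schedule."""
    hours, t = 0, start
    while t < end:
        if in_business_hours(t):
            hours += 1
        t += timedelta(hours=1)
    return hours


def check_sources(events, sources, now):
    """Evaluate the volume floor and the silence limit for every source.

    events: iterable of (timestamp, source_name) already collected by the SIEM.
    Returns a list of (source_name, reason, detail) tuples, one per alert.
    """
    window_start = now - timedelta(hours=24)
    counts, last_seen = Counter(), {}
    for ts, src in events:
        if ts > now:
            continue                      # ignore clock-skewed future events
        if ts >= window_start:
            counts[src] += 1
        if src not in last_seen or ts > last_seen[src]:
            last_seen[src] = ts

    alerts = []
    for s in sources:
        if s.always_on:
            floor, check_silence = s.min_events_per_day, True
        else:
            # Pro-rate the daily floor by how much of the window was working time,
            # and only expect a heartbeat while the system is supposed to be on.
            bh = business_hours_in_window(window_start, now)
            if bh == 0:
                continue                  # weekend/overnight window: nothing expected
            floor = s.min_events_per_day * bh // BUSINESS_HOURS_PER_DAY
            check_silence = in_business_hours(now)

        n = counts.get(s.name, 0)
        if n < floor:
            alerts.append((s.name, "low_volume", f"{n} events in 24h, floor {floor}"))
        if check_silence:
            seen = last_seen.get(s.name)
            if seen is None or now - seen > s.max_silence:
                gap = "never seen" if seen is None else f"silent for {now - seen}"
                alerts.append((s.name, "silence", f"{gap}, limit {s.max_silence}"))
    return alerts


# --- constructed sample data (hypothetical sources, not real logs) -------------
SOURCES = [
    Source("fw-edge-1", min_events_per_day=10_000, max_silence=timedelta(minutes=15)),
    Source("srv-dc-1", min_events_per_day=2_000, max_silence=timedelta(minutes=15)),
    Source("lt-alice", min_events_per_day=200, max_silence=timedelta(hours=1), always_on=False),
]


def build_sample_events(now):
    events = []
    # firewall: one event every 8 s for the whole window -> 10,800 events, healthy
    events += [(now - timedelta(seconds=8 * i), "fw-edge-1") for i in range(10_800)]
    # server: healthy daily volume, but nothing at all for the last 3 hours
    events += [(now - timedelta(hours=3, seconds=30 * i), "srv-dc-1") for i in range(2_500)]
    # laptop: only 150 events today, last one 10 minutes ago
    events += [(now - timedelta(minutes=10 + 2 * i), "lt-alice") for i in range(150)]
    return events


def demo(now=datetime(2024, 3, 12, 14, 0, tzinfo=timezone.utc)):   # a Tuesday afternoon
    return check_sources(build_sample_events(now), SOURCES, now)


if __name__ == "__main__":
    for name, reason, detail in demo():
        print(f"ALERT {name}: {reason} ({detail})")
```

Run as-is, the sample raises two alerts: the server is silent for three hours even though its daily count is fine, and the laptop is under its pro-rated floor even though it checked in ten minutes ago. The firewall, at 10,800 events, clears its 10,000 floor. The two checks are deliberately independent, because a broken forwarder and an attacker clearing a log channel look different in volume versus recency.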
Inheritance: This requirement is hard to prove for cloud systems, particularly SaaS. There are servers, firewalls and network equipment behind the cloud, but they are not visible to you as the customer, so you need to verify that the cloud service provider performs this requirement in-house. This is where FedRAMP is useful: the FedRAMP Moderate baseline includes this control (SP 800-53 AU-5, the source of 3.3.4), so a FedRAMP-authorized cloud is doing this internally. If you store, process, or transmit CUI in a SaaS cloud, be prepared to discuss how you verified that the cloud is performing 3.3.4. Inheritance covers only the provider's side: if you forward SaaS audit logs to your own SIEM, the health of that forwarding pipeline is still yours to monitor.