AU-5 - Response to Audit Processing Failures

Control requirements

The information system:

AU-5 (a)

Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and

AU-5 (b)

Takes the following additional actions: [IBM Assignment: organization-defined actions to be taken (overwrite oldest record)].

Additional IBM Cloud for Financial Services specifications

• The status of all security audit log sources must be monitored for integrity and functionality as designed, at least hourly, and following policy changes, patch updates, and changes.

Implementation guidance

See the resources that follow to learn more about how to implement this control.

• Audit logging of application provider events and SIEM
• Audit logging of IBM Cloud events
• IBM Cloud account setup

NIST supplemental guidance

Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors). This control applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the total audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.