
9. Access Control Convergence

9.4. Auditing and Reporting

This chapter has discussed the lifecycle management processes that support performing access control for physical and logical resources within a federal agency. Conducting automated access transactions will result in the logging of transaction event information, which can be used for auditing and reporting. Auditing and reporting, as defined within the ICAM Services Framework, addresses the review and examination of records and activities to assess the adequacy of system controls and the presentation of logged data in a meaningful context.

This section discusses the enhanced enterprise auditing and reporting capabilities that are associated with the target state ICAM segment architecture. Additionally, this section seeks to provide answers to several common auditing and reporting questions, including:

• How will auditing and reporting differ in the ICAM target state?

• How can ICAM solutions support security compliance and performance reporting, as required by the ICAM target state?

• What types of reports should I consider when designing my ICAM solution?

Across the Federal Government, information systems, including PACS solutions, are designed and built to comply with specific accountability requirements, which mandate the capability to review and report on various access events within individual applications. Each application administrator (or his/her designee) is responsible for tracking and reviewing access control events within their applications, and investigating anomalous entries. The processes for completing this task vary widely across agencies, business units, and individual resources. Typically, in order to provide contextual audit information in a meaningful manner, resource owners/administrators have to manually correlate transaction event data from multiple sources that may be paper-based and/or technology-based. Auditing and reporting capabilities are highly dependent on technological constraints such as network limitations, application setup, application age, network infrastructure, etc. In addition to the audit and reporting requirements for all IT resources, PACS solutions must be capable of providing additional reporting services for physical access events within the organization, as defined in the ISC's Use of Physical Security Performance Measures. [47]

The target state ICAM segment architecture does not specify particular requirements for auditing and reporting capabilities; however, many of the modernization efforts that agencies will be performing on their physical and logical access control systems present an opportunity to improve and automate their existing capabilities. For PACS, the transition to enterprise level services increases the visibility into logged access event data and increases the ability to correlate that data across individual site PACS, resulting in improved auditing and reporting capabilities. For logical access, many of the commercially available solutions that can be used to provide enterprise LACS services, as discussed in Chapter 11, include native auditing and reporting tools that can be configured to meet a variety of agency requirements. Agencies that choose not to deploy enterprise level access control services may still be able to perform centralized auditing and reporting; however, the consolidation processes required to do so are complex and time consuming. NIST SP 800-92, Guide to Computer Security Log Management, [48] provides a detailed discussion of the processes that are required to consolidate logs from various sources.

ROI

Implementing an enterprise reporting and auditing capability in a centralized fashion allows agencies to achieve transparency across a wider array of resources, detect and resolve inappropriate access, and rapidly detect patterns of unauthorized access attempts across the organization in a manner not currently possible.

Figure 20 describes several types of access control reports that could be provided by an agency's automated auditing and reporting services.

| Report Type | Description |
| --- | --- |
| User Access by Resource | Provides an up-to-date account of successful user access attempts to both physical and logical resources, allowing the administrator/reviewer to select which resource they are primarily concerned about. This type of report may contain a large amount of data and its production could degrade solution performance. Agencies should consider when this type of report is necessary and determine when it could be produced with a minimum level of service interruption. |
| Unsuccessful Access Attempts | Provides an account of all unsuccessful access attempts to any resource within the organization. Allows administrators to determine if individual users have a disproportionate number of unsuccessful access attempts across a wide range of resources. |
| Daily/Weekly/Monthly Activity | Provides an account of all access activity for a particular resource within a set time period; typically daily, weekly, or monthly. |
| Individual User Audit Log Report | Provides an audit log for all activities (successful and unsuccessful) attempted by an individual user. |

Figure 20: Common Access Control Reports
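As an added illustration (not part of the original guidance), the following Python sketch produces three of the Figure 20 reports from PACS and LACS events that have already been consolidated into one record format. The column names, the sample events, and the `min_resources` threshold used to approximate "disproportionate" are assumptions made for this example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample events in an assumed normalized schema; real PACS and
# LACS exports would first be mapped onto these columns.
SAMPLE = """ts,user,domain,resource,outcome
2011-03-01T08:02:11,asmith,PACS,HQ-Lobby-Door,success
2011-03-01T08:10:45,asmith,LACS,payroll-app,success
2011-03-01T09:15:02,bjones,PACS,DataCenter-Door,failure
2011-03-01T09:16:40,bjones,PACS,Records-Room-Door,failure
2011-03-01T09:31:07,bjones,LACS,hr-db,failure
2011-03-01T09:33:58,bjones,LACS,payroll-app,failure
2011-03-01T10:05:23,cwu,LACS,payroll-app,failure
2011-03-01T10:05:49,cwu,LACS,payroll-app,success
"""

def load_events(text):
    """Parse consolidated events and order them by ISO 8601 timestamp."""
    return sorted(csv.DictReader(io.StringIO(text)), key=lambda e: e["ts"])

def unsuccessful_attempts(events, min_resources=3):
    """Unsuccessful Access Attempts: users failing across many resources."""
    fails = defaultdict(list)
    for e in events:
        if e["outcome"] == "failure":
            fails[e["user"]].append(e)
    report = []
    for user, evs in fails.items():
        resources = sorted({e["resource"] for e in evs})
        if len(resources) >= min_resources:  # assumed threshold
            report.append({"user": user, "failures": len(evs),
                           "resources": resources,
                           "domains": sorted({e["domain"] for e in evs})})
    return sorted(report, key=lambda r: -r["failures"])

def user_audit_log(events, user):
    """Individual User Audit Log Report: all attempts by one user, in order."""
    return [e for e in events if e["user"] == user]

def access_by_resource(events, resource):
    """User Access by Resource: successful attempts on one selected resource."""
    return [(e["ts"], e["user"]) for e in events
            if e["resource"] == resource and e["outcome"] == "success"]

if __name__ == "__main__":
    for row in unsuccessful_attempts(load_events(SAMPLE)):
        print(row)
```

The `domains` field in the first report shows when one user's failures span both physical and logical resources, which is the cross-domain correlation that separate per-site logs cannot provide.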

The auditing and reporting improvements discussed in this section offer agencies significant benefits and ROI for many of the modernization expenditures that are already required in order to align with the target state ICAM segment architecture. These benefits include:

Ease of compliance with existing audit and accountability requirements. Agencies are currently required to meet a myriad of auditing and accountability requirements associated with program efficiency (OMB A-123 [49]) and access control. For IT systems, these requirements are part of the FISMA reporting process and are outlined in the Audit and Accountability (AU) control family detailed in NIST SP 800-53. [50] For PACS solutions, the ISC defines program efficiency measures to evaluate long-term achievement of strategic security program goals. [51] Additionally, enterprise access control solutions can support compliance with the continuous monitoring requirements outlined in NIST SP 800-37. [52]

[48] NIST SP 800-92, Guide to Computer Security Log Management, September 2006.

[49] OMB 123 Management's Responsibility for Internal Control, December 21, 2004.

[50] NIST SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations, August 2009.

[51] Use of Physical Security Performance Measures, The Interagency Security Committee, 2009.

Ability to meet security control enhancements for high baseline systems. NIST SP 800-53 specifies additional AU measures for high baseline information systems as a means of ensuring increased levels of security on these highly sensitive resources. For example, AU-3 and AU-6 [53] specify centralized management of audit records and the ability to correlate audit records across IT and physical security domains, respectively. The enhanced audit and reporting capabilities provided by modernized access control systems offer the ability to meet these security enhancements without placing an additional burden on individual resources and administrators.

Ability to provide security information in new meaningful contexts, not currently available. Access control systems, built in accordance with the target state ICAM segment architecture, offer the ability to correlate and present large amounts of information from resources across an agency enterprise in a near real-time fashion. As part of reporting progress against the ICAM segment architecture, agencies are required to produce performance metrics and reports in accordance with the ICAM Performance Layer, as discussed in section 3.2.1. Currently, this requires significant manual correlation and aggregation of information from an array of sources, whereas modernized access control solutions are capable of performing this task in an automated, streamlined manner.

Increased efficiency with auditing and reporting. Agency resources have historically provided their own auditing and reporting capabilities, requiring resource owners to design and build their resources with these capabilities in mind. Building auditing and reporting capabilities into each resource requires additional investment money and results in a significant time commitment to manage at a local level. Providing these capabilities at an enterprise level allows investment money to be reallocated to other mission critical areas and frees resource owners/administrators to focus on their core job duties.

[52] NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, February 2010.