Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

au-6

audit review, analysis, and reporting

assessment objective:

Determine if the organization:

au-6(a)

au-6(a)[1]

defines the types of inappropriate or unusual activity to look for when information system audit records are reviewed and analyzed;

au-6(a)[2]

defines the frequency to review and analyze information system audit records for indications of organization-defined inappropriate or unusual activity;

au-6(a)[3]

reviews and analyzes information system audit records for indications of organization-defined inappropriate or unusual activity with the organization-defined frequency;

au-6(b)

au-6(b)[1]

defines personnel or roles to whom findings resulting from reviews and analysis of information system audit records are to be reported; and

au-6(b)[2]

reports findings to organization-defined personnel or roles.

potential assessment methods and objects:

Examine: [select from: Audit and accountability policy; procedures addressing audit review, analysis, and reporting; reports of audit findings; records of actions taken in response to reviews/analyses of audit records; other relevant documents or records].

Interview: [select from: Organizational personnel with audit review, analysis, and reporting responsibilities; organizational personnel with information security responsibilities].