Protecting Federal Tax Information (FTI) By Proactive Auditing
Introduction
The traditional way to audit a system involves identifying issues that have already occurred, then reviewing audit logs to determine which relevant events are of a serious nature. While this "after the fact" or "passive" auditing is an important tool in data security, an auditing program requires significant resources in people, process and technology to identify potential incidents effectively and in a timely manner. Audit management should be taken to the next level by adopting a "proactive" approach. By directly identifying relevant security events prior to, during, or after FTI exposure, the agency can progressively manage risk and identify potential security incidents involving FTI in a timely, near-real-time manner.
Typically, auditing entails capturing relevant auditable security events end-to-end, that is, from receipt of FTI to its destruction or its return to the original source. The events captured in audit log files contain details of the action performed, the result of the action, and the date and time of the action. Audit logs are a primary tool used by administrators to detect and investigate attempted and successful unauthorized activity. However, policies and procedures often do not specify regular review of audit logs, reviews are too infrequent or not conducted on a routine basis, and/or the audit review is conducted only after a security incident has occurred.
Passive log analysis, while important, fails to deliver the proactive benefit of knowing in real time when a security violation is occurring. Proactive security measures capture unauthorized activity as it occurs or immediately following the violation and provide the proper personnel with the information they need to react to the violation effectively, which can reduce the impact of the attempt or incident.
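As an added illustration (not code from IRS Publication 1075 or from any agency system), the following Python monitor applies the proactive approach described above to constructed audit records that carry the action, its result and its timestamp, and raises an alert as soon as a pattern warrants a response. The log format, the business-hours window, the denial threshold and the list of sensitive actions are assumptions chosen for the example.

```python
# Proactive review of FTI audit events (constructed example, not an agency's own code).
from datetime import datetime, timedelta

# Constructed sample log (not from any real system): timestamp|user|action|object|result
SAMPLE_LOG = """\
2023-03-01T09:15:02|jsmith|READ|fti/returns/2022|SUCCESS
2023-03-01T09:15:40|jsmith|READ|fti/returns/2021|SUCCESS
2023-03-01T10:02:11|tjones|READ|fti/returns/2022|DENIED
2023-03-01T10:02:30|tjones|READ|fti/returns/2022|DENIED
2023-03-01T10:03:05|tjones|READ|fti/returns/2022|DENIED
2023-03-01T11:30:00|admin1|EXPORT|fti/returns/2022|SUCCESS
2023-03-01T11:31:00|admin1|READ|hr/timesheets|SUCCESS
2023-03-01T22:47:10|jsmith|READ|fti/returns/2020|SUCCESS
"""

BUSINESS_HOURS = range(7, 19)        # assumed policy: 07:00 to 18:59 local time
DENIED_THRESHOLD = 3                 # assumed: 3 denials within WINDOW triggers an alert
WINDOW = timedelta(minutes=5)
SENSITIVE_ACTIONS = {"EXPORT", "DELETE", "PRINT"}   # assumed bulk/irreversible actions


def parse(line):
    """Split one audit record into its fields; records are assumed to be in time order."""
    ts, user, action, obj, result = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "object": obj, "result": result}


def detect(log_text):
    """Return (rule, user, timestamp) alerts for FTI-related events as they are read."""
    alerts, denials = [], {}
    for rec in map(parse, log_text.splitlines()):
        if not rec["object"].startswith("fti/"):
            continue                       # only objects holding FTI are in scope here
        if rec["result"] == "DENIED":
            # keep only this user's denials inside the sliding window, then add this one
            recent = [t for t in denials.get(rec["user"], []) if rec["ts"] - t <= WINDOW]
            recent.append(rec["ts"])
            denials[rec["user"]] = recent
            if len(recent) == DENIED_THRESHOLD:
                alerts.append(("repeated_denied_fti_access", rec["user"], rec["ts"]))
        elif rec["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("fti_access_outside_hours", rec["user"], rec["ts"]))
        if rec["action"] in SENSITIVE_ACTIONS and rec["result"] == "SUCCESS":
            alerts.append(("fti_bulk_action", rec["user"], rec["ts"]))
    return alerts


if __name__ == "__main__":
    for rule, user, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} ALERT {rule} user={user}")
```

Feeding each record to `detect` as it is written, rather than batching the file for a later review, is what turns the same audit trail into the near-real-time signal the text calls for.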
Currently, IRS