NSTISSI Security Education Standards
6. Ensure audit trails are reviewed periodically (e.g., weekly, daily), and audit records are archived for future reference, if required.

   a. Auditing Tools

      (1) Audit Trail and Logging
          E - follow audit policy and procedures;
          E - activate required audit features;
          E - review audit trail/log, as required;
          I - monitor the use of audit trails and logging;
          I - analyze audit trail/log for anomalies;
          I - report audit anomalies;
          A - develop policy and procedures on the use of audit trails and logging; and
          A - define required audit features.

      (2) Error Logs/System Logs
          E - follow policy and procedures;
          E - review error logs/system logs, as required;
          I - monitor the use of error logs/system logs;
          I - analyze error logs/system logs for anomalies;
          I - report anomalies; and
          A - develop policy and procedures on the use of error logs/system logs.

      (3) Monitoring

          (a) Electronic Monitoring (EM)
              E - outline known means of electronic monitoring; and
              I - use results of EM reports.

          (b) Keystroke Monitoring
              E - outline keystroke monitoring policy and procedures;
              E - comply with keystroke monitoring policy and procedures;
              I - enforce the use of keystroke monitoring in compliance with policy; and
              A - develop keystroke monitoring policy and procedures in compliance with legal requirements.

      (4) Protective Technology
          (Note: not applicable to the entry or intermediate level; must be monitored for events by the advanced level when applicable.)
          A - integrate the use of protective technology; and
          A - monitor the use of protective technology.

      (5) Automated Security Tools
          E - list and be able to identify by name various tools;
          I - integrate the use of automated security tools; and
          I - monitor the use of automated security tools.

          E - use expert system tools (i.e., audit reduction and intrusion detection) available;
          I - analyze results from expert systems and make recommendations for improvement; and
          A - evaluate products and recommend acquisition of expert system tools to management.

   b. Configuration Management
      I - integrate IS security requirements into the configuration management program;
      I - review proposed changes to the configuration and recommend changes based on security requirements;
      I - perform security testing prior to implementation, ensuring changes made to the systems do not violate security policy; and
      I - require accountability of copyrighted software in accordance with software licensing agreements.

   c. Audit

      (1) Reconciliation
          E - monitor the reconciliation of audit logs.

      (2) Security Reviews
          E - monitor the use of security reviews; and
          I - prepare security reviews.

      (3) Metrics
          E - monitor the use of metrics.

      (4) Conformance Testing
          E - monitor conformance testing.

      (5) Contingency Plan Testing
          E - develop contingency plan testing procedures; and
          E - monitor contingency plan testing.

      (6) Disaster Recovery Plan Testing
          E - develop disaster recovery plan testing; and
          E - monitor disaster recovery plan testing.

      (7) Alarms, Signals, & Reports
          E - monitor the use of alarms, signals, and reports.

      (8) Periodic Review of Audit Trails
          I - direct the use of periodic reviews of audit trails.

   d. Policies

      (1) Change Control Policies
          E - develop change control policies;
          E - monitor change control policies;
          E - revise change control policies; and
          E - upgrade change control policies.

      (2) Agency-Specific Security Policies
          E - monitor agency-specific security policies; and
          E - develop agency-specific security policies.