AU-4: AUDIT STORAGE CAPACITY
TAILORED FOR INDUSTRIAL CONTROL SYSTEMS
The organization allocates audit record storage capacity in accordance with [Assignment: organization-defined audit record storage requirements].
Organizations consider the types of auditing to be performed and the audit processing requirements when allocating audit storage capacity. Allocating sufficient audit storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of auditing capability.
ICS SUPPLEMENTAL GUIDANCE
No ICS Supplemental Guidance.
RELATED CONTROLS: AU-4
AU-4 (1) AUDIT STORAGE CAPACITY | TRANSFER TO ALTERNATE STORAGE
ICS Control Baselines:
- Low (ADDED)
- Moderate (ADDED)
- High (ADDED)
The information system off-loads audit records [Assignment: organization-defined frequency] onto a different system or media than the system being audited.
Off-loading is a process designed to preserve the confidentiality and integrity of audit records by moving the records from the primary information system to a secondary or alternate system. It is a common process in information systems with limited audit storage capacity; the audit storage is used only in a transitory fashion until the system can communicate with the secondary or alternate system designated for storing the audit records, at which point the information is transferred.
ICS Supplemental Guidance:
Legacy ICS are typically configured with remote storage on a separate information system (e.g., the historian accumulates historical operational ICS data and is backed up for storage at a different site). ICS are currently using online backup services and increasingly moving to Cloud based and Virtualized services. Retention of some data (e.g., SCADA telemetry) may be required by regulatory authorities.
Rationale for adding AU-4 (1) to all baselines: Legacy ICS components typically do not have capacity to store or analyze audit data. The retention periods for some data, particularly compliance data, may require large volumes of storage.
- NIST Special Publication 800-82 | GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY