Safeguards Technical Assistance Memorandum STAX Audit Logs

 

Request for Technical Assistance

Please provide guidance pertaining to STAX audit logs. The two questions are:

  1. Is it a specific safeguarding requirement to have a paper copy and a CD version of the STAX log?
  2. Regarding the preparation / running of the federal programs audit logs, does this need to be completed by an independent agent (separate from the disclosure office)?

Response

IRS Publication 1075 outlines the requirements and guidelines to ensure that FTI is properly audited. Specifically see section 5.6.2 and exhibit 9.

There is no specific Publication 1075 requirement that states the logs must be stored in paper and CD format. Because of the nature of the logs they contain records of system and network security and may contain sensitive information regarding transactions with FTI, and need to be protected with the same level of security as the FTI is afforded. With that in mind, it is recommended that audit logs not be stored in paper format to minimize the potential for the audit data being compromised. CD is an acceptable storage format for audit logs, but it is recommended that write-once media be used to ensure that log files are not inadvertently erased and integrity of the files is maintained. If CDs are used for storage of audit logs, the CDs are subject to the Publication 1075 Minimum Protection Standards for physical security of two barrier rule for access to FTI under normal security:

  • Secured perimeter/locked container,
  • Locked perimeter/secured interior, or
  • Locked perimeter/security container.

Locked means an area or container that has a lock and the keys or combinations are  controlled. A security container is a lockable metal container with a resistance to forced penetration, with a security lock and keys or combinations are controlled.

Ideally, the audit logs would be archived and stored on a central log server where access can be restricted through system permissions and larger volumes of logs can be stored in a central location. If logs are configured to automatically archive and transmit to a central server for storage, the risk of exceeding audit log storage capacity and overwriting logs on the STAX system is mitigated. 

Additionally, IRS Publication 1075 requires all agencies ensure that audit information is archived for six years to enable the recreation of computer-related accesses to both the operating system and to the application wherever FTI is stored.

The management of audit logs should be handled by individuals that are not users/administrators of the systems for which the logs are kept. This may be an issue if the agency’s Disclosure and Security Offices have consolidated. Ideally, there would be an agency security office performing the audit log activities to provide an “independence” or “separation of duties”. However, since this may not be possible with the agency then it should designate someone in the newly consolidated office with the responsibility of managing the system audit logs. Furthermore, it is vital that this newly assigned individual/s does not have administrator rights on the system/s being audited.

References/Related Topics

  • NIST SP 800-92, Guide to Computer Security Log Management
  • NIST SP 800-53, Recommended Security Controls for Federal Information Systems