Trust but Verify (Accountability) ◾ 187
reads the record. If these records are misordered in the audit collection system, it would appear as
if Bob was the one making the change. Possible actions supporting this objective include:
Reviewing existing audit functions and collection technology to ensure that records are ◾
ordered the same as the events. e ability to index records by the date and time stamp is
suffi cient to meet this requirement.
Updating procedures and development standards to refl ect sequential auditing requirements ◾
supporting accountability.
Correlated
When multiple records from the same or diff erent sources are used to support a fact or claim, the
relationship between the information in these records must be obvious. is is one of the driving
forces behind a common taxonomy. It is important to keep the “average person” scenario in mind;
labeling the same piece of information with two diff erent names will make it more diffi cult for the
average person to understand the evidence being presented and may cause them to come to the
wrong conclusion. Possible actions supporting this objective include:
Reviewing existing audit functions across all platforms to ensure that records contain infor- ◾
mation that is consistent in content and format so that it can be easily correlated with
records from other platforms
Updating procedures and development standards to refl ect correlation auditing require- ◾
ments supporting accountability
Tamperproof
is attribute, together with the next two, are related to the admissibility of records. A tamper-
proof record is one that cannot be altered from its original state without the alteration being
detected. If a record can be tampered with, it can be argued that the information contained
therein is not reliable. Two mechanisms are commonly used to ensure tamperproof records: access
controls and integrity controls. Privileged use creates issues with the access control approach; that
is, a person with suffi cient privilege can tamper with the records. Sending events to a centralized
log server can resolve this issue provided the privileged use does not extend to this server as well.
However, integrity controls such as digital signatures or record hashing is much more diffi cult to
defeat. e records can be erased, but they cannot be altered without detection. Possible actions
supporting this objective include:
Ensuring that security standards require audit records to be tamperproof ◾
Reviewing existing audit functions and identifying all instances of audit facilities that do ◾
not meet the above requirement
Updating procedures and development standards to refl ect the tamperproof auditing attri- ◾
bute supporting accountability
Traceable
It is also necessary to ensure that a verifi able chain of custody is maintained for each record.
Traceable means that looking backward we can account for all entities that have control over or
TAF-K11348-10-0301-C010.indd 187TAF-K11348-10-0301-C010.indd 187 8/18/10 3:10:35 PM8/18/10 3:10:35 PM