
This help page is for version 8.2. The latest available help is for version 9.4.

HOWTO - NIST 800-171 Auditing and Accountability Software Solution

NIST 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations" is a recommendation from the National Institute of Standards and Technology for securing data. It is available at https://doi.org/10.6028/NIST.SP.800-171r2.

Section 3.3 of the document, "AUDIT AND ACCOUNTABILITY", is about auditing access to controlled information. PA File Sight offers powerful auditing for files stored on Microsoft Windows file servers. The sections below show how PA File Sight can help fulfill the requirements of NIST 800-171 section 3.3.

3.3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity

PA File Sight's Ultra version records all audited file I/O activity to a database. This includes which user account accessed, modified, created or deleted data files. You can choose which file I/O activities are recorded by configuring monitors to meet your needs. Data is kept for a configurable amount of time. Reports can be run for investigation purposes to see what has happened historically.

3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions

When PA File Sight records a file I/O operation, it records the user account used and also the IP address from which the user requested file data.

3.3.3 Review and update logged events

As mentioned, PA File Sight's Ultra Edition records monitoring data to a database. Ad hoc reports can be run to view the data. It is also often helpful to schedule daily or weekly reports to be reviewed by personnel. These reports can be viewed via web browser or emailed in PDF form.

3.3.4 Alert in the event of an audit logging process failure

PA File Sight has many built-in measures to ensure auditing is proceeding correctly, including automatic periodic internal test procedures, various internal checking mechanisms, and configurable alerting in case a problem is found. In addition, the monitoring is done by a Windows service which can be locked to prevent it from being stopped, even by administrator users.

3.3.5 Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity

Reports in PA File Sight make it simple to see who interacted with specific files, or to see all file activity performed by a specific user during a specific time period. This aids in analysis and correlation of unauthorized activity.

In addition, alert thresholds can be created to monitor for unusual activity levels, such as a high level of data file read activity, or a high number of file deletes.

3.3.6 Provide audit record reduction and report generation to support on-demand analysis and reporting

Besides scheduled reports, which can be scheduled for any timeframe, ad hoc or one-off reports can be quickly run to support on-demand analysis.

3.3.7 Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records

PA File Sight relies on the Windows system clock for timestamps. Windows computers can be configured to use an NTP time source to provide accurate time. In addition, PA File Sight has a built-in periodic check to detect if the system time is ever tampered with (moved forward or backwards).

3.3.8 Protect audit information and audit logging tools from unauthorized access, modification, and deletion

Access to the PA File Sight software can be configured to require a login, even on the local host where it is installed. The monitoring service can be locked such that it cannot be stopped.

Audit data is stored by default in local database files, and it can also be configured to be stored in a Microsoft SQL Server database with all of the security protection that product provides. In addition, when remote "Satellite" servers are monitored, their auditing data is forwarded to the "Central" server for data storage, so the auditing data is not even necessarily on the target server.

3.3.9 Limit management of audit logging functionality to a subset of privileged users

PA File Sight supports multiple logins for multiple users, and each user can have different rights in the system (just view reports, run reports, and administrative access). In addition, if many servers are monitored, access to specific servers can be locked down to specific personnel.
