>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

AU-9 (02)Protection of Audit Information | Store on Separate Physical Systems or Components

High

>Control Description

Store audit records organization-defined frequency in a repository that is part of a physically different system or system component than the system or component being audited.

>FedRAMP Baseline Requirements

Parameter Values

>Discussion

Storing audit records in a repository separate from the audited system or system component helps to ensure that a compromise of the system being audited does not also result in a compromise of the audit records. Storing audit records on separate physical systems or components also preserves the confidentiality and integrity of audit records and facilitates the management of audit records as an organization-wide activity. Storing audit records on separate systems or components applies to initial generation as well as backup or long-term storage of audit records.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of AU-9(2) (Store On Separate Physical Systems Or Components)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring AU-9(2)?
  • How frequently is the AU-9(2) policy reviewed and updated, and what triggers policy changes?
  • What training or awareness programs ensure personnel understand their responsibilities related to AU-9(2)?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce AU-9(2) requirements.
  • What automated tools, systems, or technologies are deployed to implement AU-9(2)?
  • How is AU-9(2) integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce AU-9(2) requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of AU-9(2)?
  • What audit logs, records, reports, or monitoring data validate AU-9(2) compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of AU-9(2) effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate AU-9(2) compliance?

Ask AI

Configure your API key to use AI features.