AU-12(4)—Query Parameter Audits Of Personally Identifiable Information
>Control Description
Provide and implement the capability for auditing the parameters of user query events for data sets containing personally identifiable information.
>Cross-Framework Mappings
>Supplemental Guidance
Query parameters are explicit criteria that an individual or automated system submits to a system to retrieve data. Auditing of query parameters for datasets that contain personally identifiable information augments the capability of an organization to track and understand the access, usage, or sharing of personally identifiable information by authorized personnel.
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What formal policies and procedures govern the implementation of AU-12(4) (Query Parameter Audits Of Personally Identifiable Information)?
- •Who are the designated roles responsible for implementing, maintaining, and monitoring AU-12(4)?
- •How frequently is the AU-12(4) policy reviewed and updated, and what triggers policy changes?
- •What training or awareness programs ensure personnel understand their responsibilities related to AU-12(4)?
Technical Implementation:
- •Describe the specific technical mechanisms or controls used to enforce AU-12(4) requirements.
- •What automated tools, systems, or technologies are deployed to implement AU-12(4)?
- •How is AU-12(4) integrated into your system architecture and overall security posture?
- •What configuration settings, parameters, or technical specifications enforce AU-12(4) requirements?
Evidence & Documentation:
- •What documentation demonstrates the complete implementation of AU-12(4)?
- •What audit logs, records, reports, or monitoring data validate AU-12(4) compliance?
- •Can you provide evidence of periodic reviews, assessments, or testing of AU-12(4) effectiveness?
- •What artifacts would you present during a FedRAMP assessment to demonstrate AU-12(4) compliance?
Ask AI
Configure your API key to use AI features.