10.8.3. Audit Logging Security Standards

Manual Transmittal

April 10, 2017

Purpose

(1) This obsoletes IRM 10.8.3, Information Technology (IT) Security, Audit Logging Security Controls.

Material Changes

(1) This obsoletes all versions of IRM 10.8.3.

(2) All controls from this IRM are obsolete, have been incorporated into, or are already addressed in another IRM (and are still there) as specified, or are located in an Enterprise Security Audit Trails (ESAT) Standard Operating Procedures (SOP). Contact the ESAT Program Management Office (PMO) for information pertaining to the SOP.

(3) IRM 10.8.3.3.1.1, Audit Events: Items 1 through 4 in this section have been incorporated into IRM 10.8.1, subsection 10.8.1.4.3.1, AU-2 Audit Events; all other controls in this section are obsolete.

(4) IRM 10.8.3.3.1.2, Content of Audit Records: The controls in this section are already addressed in IRM 10.8.1, subsections 10.8.1.4.3.2, AU-3 Content of Audit and 10.8.1.4.3.2.1, AU-3 Content of Audit Records - Control Enhancements.

(5) IRM 10.8.3.3.1.2.1, Audit Trails for Systems which Store or Process Taxpayer Data: Items 1 and 5 in this section have been incorporated into IRM 10.8.1, subsection 10.8.1.4.3.1, AU-2 Audit Events; all other controls in this section are obsolete.

(6) IRM 10.8.3.3.1.2.3, User Audit Trails: Item 1 in this section has been incorporated into IRM 10.8.1, subsections 10.8.1.4.3.2, AU-3 Content of Audit and 10.8.1.4.3.2.1, AU-3 Content of Audit Records - Control Enhancements; all other controls in this section are obsolete.

(7) IRM 10.8.3.3.1.3, Audit Storage Capacity: Items 1 through 3 in this section are already addressed in IRM 10.8.1, subsections 10.8.1.4.3.3, AU-4 Audit Storage Capacity, 10.8.1.4.3.4, AU-5 Response to Audit Processing Failures and 10.8.1.4.3.4.1, AU-5 Response to Audit Processing Failures - Control Enhancements; all other controls in this section are obsolete.

(8) IRM 10.8.3.3.1.5, Audit Review, Analysis, and Reporting: The controls in this section are already addressed in IRM 10.8.1, subsection 10.8.1.4.3.5.1, AU-6 Audit Review, Analysis, and Reporting - Control Enhancements.

(9) IRM 10.8.3.3.1.5.1, Security Audit Automatic Response: Item 3 in this section is already addressed in IRM 10.8.1, subsection 10.8.1.4.3.5.1, AU-6 Audit Review, Analysis, and Reporting - Control Enhancements; all other controls in this section are obsolete.

(10) IRM 10.8.3.3.1.7, Time Stamps: Items 1 and 2 in this section are already addressed in IRM 10.8.1, subsections 10.8.1.4.3.7, AU-8 Time Stamps and 10.8.1.4.3.7.1, AU-8 Time Stamps - Control Enhancements; all other controls in this section are obsolete.

(11) IRM 10.8.3.3.1.9, Audit Record Retention: Items 1 and 2 in this section are already addressed in IRM 10.8.1, subsection AU-11 Audit Record Retention; all other controls in this section are obsolete.

(12) IRM 10.8.3.3.2, CA - Security Assessment and Authorization: The controls in this section are already addressed in IRM 10.8.1, subsection 10.8.1.4.4.1, CA-2 Security Assessments.

(13) IRM 10.8.3.3.4, CP - Contingency Planning: The controls in this section are already addressed in IRM 10.8.60, IT Service Continuity Management (ITSCM) Policy and Guidance and IRM 10.8.62, Information System Contingency Plan (ISCP) and Disaster Recovery (DR) Test, Training, and Exercise (TT&E) Process.

(14) IRM 10.8.3.3.5, IR - Incident Response: The controls in this section are already addressed in IRM 10.8.1, subsections 10.8.1.4.8.5, IR-6 Incident Reporting and 10.8.1.4.3.1, AU-2 Audit Events.

(15) IRM 10.8.3.3.6, PL - Planning: Item 1 in this section are already addressed in IRM 10.8.1, subsection 10.8.1.4.3, AU-1 Audit and Accountability Policy and Procedures; all other controls in this section are obsolete.

(16) IRM 10.8.3.3.7, RA - Risk Assessment: Item 3 in this section is already addressed in IRM 10.8.1, subsection 10.8.1.4.14.2, RA-3 Risk Assessment; all other controls in this section are obsolete.

(17) IRM 10.8.3.3.8, SI - System and Information Integrity: The controls in this section are already addressed in IRM 10.8.1, subsection 10.8.1.4.3.8, AU-9 Protection of Audit Information.

(18) Exhibit 10.8.3-2, Audit Events for FIPS 199 Categorized LOW, MODERATE and HIGH Systems: The controls and table in this section have been incorporated into IRM 10.8.1, subsection 10.8.1.4.3.1, AU-2 Audit Events.

(19) Exhibit 10.8.3-3, Required Data for Audited Events: The controls in this section are already addressed in IRM 10.8.1, subsection 10.8.1.4.3.2, AU-3 Content of Audit Records.

Effect on Other Documents

All versions of IRM 10.8.3 are now obsolete.

Audience

All Operating Divisions and Functions, and the Treasury Inspector General for Tax Administration (TIGTA).

Effective Date

(04-10-2017)

S. Gina Garza
Chief Information Officer (CIO)