Computer logs are generated by various sources, including but not limited to security software (such as antivirus), firewalls, intrusion detection and prevention systems, networking equipment, and operating systems on servers and workstations.

Policy 645: Audit and Accountability, is intended to define an enterprise approach for managing system log data. The intended purpose is to clearly define use of audit and accountability logs from information systems for system, network, and information security administrators to foresee and mitigate issues on critical information systems.

To accomplish this, Standard 645S1: Audit Requirements, sets requirements for log management activities, including configuring log sources, log generation, transmission, managing short and long-term storage, performing analysis, initiating responses to identified events, and log disposal.
Risks that are addressed in the audit and accountability policy and standard include maintaining information system log files for audit purposes and to support cyber security incident investigations as needed, and establishing requirements for effective collection of audit logs to mitigate future risk associated with cyber incidents.
Policy 645 and Standard 645S1 address security controls AU-1, AU-2, AU-2 (CE3), AU-3, AU-3 (CE1), AU-4, AU-5, AU-6, AU-7, AU-7 (CE1), AU-8, AU-8 (CE1), AU-9, AU-9 (CE4), AU-11, AU-12, AU-16 from NIST SP800-53 and apply organization-defined time periods that are consistent with IRS Pub. 1075.
Policy 645 and Standard 645S1 will replace the following legacy documents:

  • Policy 677: Log Management
  • Standard 677S1: Log Management


View or Download:

DRAFT Policy 645: Audit and Accountability

DRAFT Standard 645S1: Audit Requirements