
AU-6 Audit Record Review, Analysis, and Reporting

>Control Description

The enterprise should ensure that both supply chain and information security auditable events are appropriately filtered and correlated for analysis and reporting. For example, if new maintenance or a patch upgrade is found to have an invalid digital signature, the arrival of the patch qualifies as a supply chain auditable event, while the invalid signature is an information security auditable event. The combination of these two events may provide information valuable to C-SCRM. The enterprise should adjust the level of audit record review based on changes in risk (e.g., active threat intelligence, risk profile) for a specific vendor. Contracts should explicitly address how audit findings will be reported and adjudicated.
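The correlation the control describes, worked through as an added example (not part of the control text): supply chain events (patch arrival) and information security events (signature verification results) are joined on the artifact, and the review level is raised for vendors whose risk profile is currently high. The event records, field names and vendor risk table are constructed for illustration.

```python
"""Correlate supply chain and information security audit events and assign
a review level per vendor risk. Added example; all data below is constructed."""
from collections import defaultdict

# Constructed vendor risk profile; in practice fed by threat intel and vendor assessments.
VENDOR_RISK = {"acme": "high", "globex": "low"}

# Constructed audit records from two streams: supply chain (patch arrival)
# and information security (digital signature verification outcome).
SAMPLE_EVENTS = [
    {"type": "supply_chain", "event": "patch_arrival", "vendor": "acme", "artifact": "acme-agent-2.3.1.rpm"},
    {"type": "infosec", "event": "signature_invalid", "artifact": "acme-agent-2.3.1.rpm"},
    {"type": "supply_chain", "event": "patch_arrival", "vendor": "globex", "artifact": "globex-lib-1.0.tar.gz"},
    {"type": "infosec", "event": "signature_valid", "artifact": "globex-lib-1.0.tar.gz"},
    {"type": "supply_chain", "event": "patch_arrival", "vendor": "globex", "artifact": "globex-cli-0.9.zip"},
    {"type": "infosec", "event": "signature_invalid", "artifact": "unknown-tool.zip"},
]


def correlate(events, vendor_risk):
    """Join both event streams on the artifact name and return findings
    with a review level: immediate (high-risk vendor, bad signature),
    standard (other vendor, bad signature), unverified (patch arrived but
    no signature check recorded), triage (bad signature, no arrival record)."""
    by_artifact = defaultdict(dict)
    for e in events:
        if e["type"] == "supply_chain" and e["event"] == "patch_arrival":
            by_artifact[e["artifact"]]["vendor"] = e["vendor"]
        elif e["type"] == "infosec" and e["event"].startswith("signature_"):
            by_artifact[e["artifact"]]["signature"] = e["event"]

    findings = []
    for artifact, info in by_artifact.items():
        vendor = info.get("vendor")
        signature = info.get("signature")
        if signature == "signature_valid":
            continue  # arrival plus valid signature: routine, nothing to escalate
        if signature is None:
            level = "unverified"  # supply chain event with no matching security event
        elif vendor is None:
            level = "triage"  # security event with no matching supply chain event
        elif vendor_risk.get(vendor, "unknown") == "high":
            level = "immediate"  # raise review level for a high-risk vendor
        else:
            level = "standard"
        findings.append({"artifact": artifact, "vendor": vendor, "review_level": level})
    return findings
```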

>Cross-Framework Mappings
