Help me understand control tailoring

old.reddit.com / @/u/thehermitcoder, https://old.reddit.com/user/thehermitcoder

I was reading through NIST SP 800-53 R5, and was looking at the example of a control on page 9 of the PDF. I understand the basic structure. However, I don't think I understand how to tailor the control. The base control says:

Control: Allocate audit record storage capacity to accommodate [Assignment: organization-defined audit record retention requirements].

What exactly am I supposed to be filling up within the square brackets? Is it supposed to be in days? Is it supposed to be in TBs? Which of the following is correct?

Allocate audit record storage capacity to accommodate 60 days of logging.

Allocate audit record storage capacity to accommodate 1 TB of logs.

Allocate audit record storage capacity to accommodate 1 TB of logs per day.

Allocate audit record storage capacity to accommodate [something else?]

Also where do I record justifications while tailoring the control?

Should I put it like this: Allocate audit record storage capacity to accommodate 60 days of logging as per our internal policy. Or the justification goes somewhere else?

Also how is AU-4 different from AU-11?

Is there any document that NIST has published which talks about what could be example values for the controls.

Thanks!

submitted by /u/thehermitcoder
[link] [comments]

published 8 months ago




See all items from the same source