Common use of Automated Audit Trail Clause in Contracts

Automated Audit Trail. (Audit and Accountability (AU) Family, NIST SP 800-53 rev. 4) SSA requires EIEPs, and other STCs or agencies that provide audit trail services to other state agencies that receive information electronically from SSA, to implement and maintain a fully automated audit trail system (ATS). The system must be capable of creating, storing, protecting, and (efficiently) retrieving and collecting records identifying the individual user who initiates a request for information from SSA or accesses SSA-provided information. At a minimum, individual audit trail records must contain the data needed (including date and time stamps) to associate each query transaction or access to SSA-provided information with its initiator, their action, if any, and the relevant business purpose/process (e.g., SSN verification for Medicaid). Each entry in the audit file must be stored as a separate record, not overlaid by subsequent records. The ATS must create transaction files to capture all input from interactive internet applications that access or query SSA-provided information. SSA requires that the agency’s ATS create an audit record when users view screens that contain SSA-provided information. If an STC handles and audits the EIEP’s transactions with SSA, the EIEP is responsible for ensuring that the STC’s audit capabilities meet NIST’s guidelines for an automated audit trail system. The EIEP must also establish a process to obtain specific audit information from the STC regarding the EIEP’s SSA transactions. SSA requires that EIEPs have automated retrieval and collection of audit records. Such automated functions can be via online queries, automated reports, batch processing, or any other logical means of delivering audit records in an expeditious manner. Information in the audit file must be retrievable by an automated method and must allow the EIEP the capability to make them available to SSA upon request. 
Access to the audit file must be restricted to authorized users with a “need to know,” audit file data must be unalterable (read-only), and maintained for a minimum of three (3) (preferably seven (7)) years. Information in the audit file must be retrievable by an automated method and must allow the EIEP the capability to make them available to SSA upon request. The EIEP must backup audit trail records on a regular basis to ensure its availability. EIEPs must apply the same level of protection to backup audit files that apply to the original files to ensure the integrity of the data. If the EIEP retains SSA-provided information in a database (e.g., Access database, SharePoint, etc.), or if certain data elements within the EIEP’s system indicates to users that SSA verified the information, the EIEP’s system must also capture an audit trail record of users who view SSA-provided information stored within the EIEP’s system. The retrieval requirements for SSA-provided information at rest and the retrieval requirements for regular transactions are identical. Similar to the Permission Module requirement above, the only acceptable compensating control for a system that lacks an Automated Audit Trail System (ATS) is a 100% review of all transactions that involve SSA-provided information.

Appears in 6 contracts

Samples: Standard Agreement, Program Agreement, Program Agreement


Automated Audit Trail. (Audit and Accountability (AU) Family, NIST SP 800-53 rev. 4) SSA requires EIEPs to implement and maintain a fully automated audit trail system (ATS). The system must be capable of creating, storing, protecting, and efficiently retrieving and collecting records identifying the individual user who initiates a request for information from SSA or accesses SSA-provided information. At a minimum, individual audit trail records must contain the data needed (including date and time stamps) to associate each query transaction or access to SSA-provided information with its initiator, their action, if any, and the relevant business purpose/process (e.g., SSN verification for Medicaid). Each entry in the audit file must be stored as a separate record, not overlaid by subsequent records. The Audit Trail System must create transaction files to capture all input from interactive internet applications which access or query SSA-provided information. SSA requires that the agency’s ATS create an audit record when users view screens that contain SSA-provided information. If a State Transmission Component (STC) handles and audits the EIEP’s transactions with SSA, the EIEP is responsible for ensuring that the STC’s audit capabilities meet SSA’s requirements for an automated audit trail system. The EIEP must also establish a process to obtain specific audit information from the STC regarding the EIEP’s SSA transactions. SSA requires that EIEPs have automated retrieval and collection of audit records. Such automated functions can be via online queries, automated reports, batch processing, or any other logical means of delivering audit records in an expeditious manner.
Information in the audit file must be retrievable by an automated method and must allow the EIEP the capability to make them available to SSA upon request. Access to the audit file must be restricted to authorized users with a “need to know.” Audit file data must be unalterable (read-only) and maintained for a minimum of three (3) (preferably seven) years. Information in the audit file must be retrievable by an automated method. EIEPs must have the capability to make audit file information available to SSA upon request. EIEPs must back-up audit trail records on a regular basis to ensure their availability. EIEPs must apply the same level of protection to backup audit files that apply to the original files to ensure the integrity of the files. If the EIEP retains SSA-provided information in a database (e.g., Access database, SharePoint, etc.), or if certain data elements within the EIEP’s system indicate to users that SSA verified the information, the EIEP’s system must also capture an audit trail record of users who viewed SSA-provided information stored within the EIEP’s system. The retrieval requirements for SSA-provided information at rest and the retrieval requirements for regular transactions are identical. Similar to the Permission Module requirement above, the only acceptable compensating control for a system that lacks an Automated Audit Trail System (ATS) is a 100% review of all transactions that involve SSA-provided information.

Appears in 4 contracts

Samples: Standard Agreement, eldorado.legistar.com, www.slocounty.ca.gov
