{ "ConformanceCriteria": [{ "Description": "The organization must document its rationale for why the auditable events it has identified and documented are deemed to be adequate to support after-the-fact investigations of security incidents.", "Number": 1, "Citations": [{ "Description": "Appendix F, AU-2<\/em>", "Source": {"$ref": "#source-2112165102"} }], "$id": "criterion1", "Name": "C1" }], "AssessmentSteps": [{ "ConformanceCriteria": [{"$ref": "#criterion1"}], "Artifacts": [{ "Description": "Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step.", "Name": "A1" }], "Description": "Has the organization documented its rationale for why the auditable events it has identified and documented are deemed to be adequate to support after-the-fact investigations of security incidents?", "Number": 1, "$id": "DocumentedRationaleforAuditedEvents", "Name": "Documented Rationale for Audited Events" }], "$TMF_VERSION": "1.4", "AssessmentStepsPreface": "If an assessment step references organization-defined elements (E.g. <organization-defined personnel or roles>, <organization-defined frequency>, etc.), corresponding citations/excerpts must be provided to confirm that the organization has established and documented these values and that they apply as referenced in the conformance criteria.

Similarly, if a \"Selection\" among multiple options (e.g. [Selection (one or more): as needed; ]) is specified, evidence must be provided to establish that the option(s) implemented by the organization have been defined and documented.\n

\nThe assessment step shall not be marked as satisfied without this evidence.", "IssuanceCriteria": "yes(ALL)", "Metadata": { "PublicationDateTime": "2018-10-24T00:00:00.000Z", "TargetRecipientDescription": "Organizations that want to demonstrate that they provide and/or consume digital information services in a manner that complies with widely accepted information security standards and practices such as NIST Special Publication 800-53.", "Description": "Defines conformance and assessment criteria for compliance with minimum security requirements for documented rationale for audited events as related to overall audit and accountability requirements.", "Keywords": [ "Audit and Accountability", "Security", "Information Assurance", "NIST", "800-53" ], "ExtensionDescription": "This Trustmark Definition requires no extension data.", "Name": "Documented Rationale for Audited Events", "Identifier": "https://artifacts.trustmarkinitiative.org/lib/tds/documented-rationale-for-audited-events/1.0/", "TargetProviderDescription": "Organizations that audit or evaluate other organizations for compliance with widely accepted information security standards and practices such as NIST Special Publication 800-53.", "ProviderEligibilityCriteria": "Any organization or business entity may act as a Trustmark Provider for trustmarks under this Trustmark Definition.", "Version": "1.0", "TrustmarkRevocationCriteria": "For any trustmark issued under this Trustmark Definition, the Trustmark Provider must revoke the trustmark upon any condition whereby one or more Conformance Criteria cease to be satisfied.", "LegalNotice": "This document and the information contained herein is provided on an \"AS IS\" basis, and the Georgia Tech Research Institute disclaims all warranties, express or implied, including but not limited to any warranty that the use of the information herein will not infringe any rights or any implied warranties or merchantability or fitness for a particular purpose. In addition, the Georgia Tech Research Institute disclaims legal liability for any loss incurred as a result of the use or reliance on the document or the information contained herein.", "TargetRelyingPartyDescription": "Organizations and individuals that require their trusted partners' computer and information systems to comply with widely accepted information security standards and practices such as NIST Special Publication 800-53.", "TargetStakeholderDescription": "Organizations that are interested in implementing or making use of digital information systems in a manner that complies with widely accepted information security standards and practices such as NIST Special Publication 800-53.", "AssessorQualificationsDescription": "Any individual employed or contracted by the Trustmark Provider may act as the assessor for trustmarks under this Trustmark Definition.", "TrustmarkDefiningOrganization": { "Identifier": "https://trustmarkinitiative.org/", "PrimaryContact": { "Email": "help@trustmarkinitiative.org", "Telephone": "404-407-8956", "Kind": "PRIMARY", "MailingAddress": "75 5th Street NW, Suite 900, Atlanta, GA 30308" }, "Name": "Trustmark Initiative" }, "Notes": "" }, "Terms": [ { "Definition": "The official management decision given by a senior organization official to authorize operation of an information system and to explicitly accept the risk to organization operations (including mission, functions, image, or reputation), organization assets, or individuals, based on the implementation of an agreed-upon set of security controls.", "Name": "Accreditation" }, { "Definition": "Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.", "Name": "Authentication" }, { "Definition": "Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organization operations (including mission, functions, image, or reputation), organization assets, or individuals. Synonymous with Accreditation Authority.", "Name": "Authorizing Official" }, { "Definition": "Ensuring timely and reliable access to and use of information.", "Name": "Availability" }, { "Definition": "A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.", "Name": "Certification" }, { "Definition": "Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.", "Name": "Confidentiality" }, { "Definition": "Aggregate of external procedures, conditions, and objects affecting the development, operation, and maintenance of an information system.", "Name": "Environment" }, { "Definition": "An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.", "Name": "Incident" }, { "Definition": "An instance of an information type; data.", "Name": "Information" }, { "Definition": "The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.", "Name": "Information Security" }, { "Definition": "A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.", "Name": "Information System" }, { "Definition": "Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the organization. For purposes of the preceding sentence, equipment is used by an organization if the equipment is used by the organization directly or is used by a contractor under a contract with the organization which: (i) requires the use of such equipment; or (ii) requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product. The term information technology includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources.", "Name": "Information Technology" }, { "Definition": "Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.", "Name": "Integrity" }, { "Definition": "The security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information system security.", "Name": "Management Controls" }, { "Definition": "Physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, printouts (but not including display media) onto which information is recorded, stored, or printed within an information system.", "Name": "Media" }, { "Definition": "An organized body of people with a particular purpose, especially a business, society, association, government agency, etc.", "Name": "Organization" }, { "Definition": "The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect, a serious adverse effect, or a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.", "Name": "Potential Impact" }, { "Definition": "All books, papers, maps, photographs, machine-readable materials, or other documentary materials, regardless of physical form or characteristics, made or received by an organization in connection with the transaction of business and preserved or appropriate for preservation by that organization or its legitimate successor as evidence of the organization, functions, policies, decisions, procedures, operations or other activities such as legal requirements or because of the informational value of the data in them.", "Name": "Records" }, { "Definition": "The level of impact on organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.", "Name": "Risk" }, { "Definition": "The process of managing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system, and includes: (i) the conduct of a risk assessment; (ii) the implementation of a risk mitigation strategy; and (iii) employment of techniques and procedures for the continuous monitoring of the security state of the information system.", "Name": "Risk Management" }, { "Definition": "Protective measures prescribed to meet the security requirements (i.e., confidentiality, integrity, and availability) specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. Synonymous with security controls and countermeasures.", "Name": "Safeguards" }, { "Definition": "Process to remove information from media such that information recovery is not possible. It includes removing all labels, markings, and activity logs.", "Name": "Sanitization" }, { "Definition": "The characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organizational operations, organizational assets, or individuals.", "Name": "Security Category" }, { "Definition": "The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.", "Name": "Security Controls" }, { "Definition": "See System Security Plan.", "Name": "Security Plan" }, { "Definition": "Requirements levied on an information system that are derived from applicable laws, orders, directives, policies, standards, instructions, regulations, or procedures, or organizational mission/business case needs to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted.", "Name": "Security Requirements" }, { "Definition": "See information system.", "Name": "System" }, { "Definition": "Formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements.", "Name": "System Security Plan" }, { "Definition": "Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Also, the potential for a threat-source to successfully exploit a particular information system vulnerability.", "Name": "Threat" }, { "Definition": "Individual or (system) process authorized to access an information system.", "Name": "User" }, { "Definition": "Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.", "Name": "Vulnerability" } ], "ConformanceCriteriaPreface": "If conformance criteria reference organization-defined elements (e.g. <organization-defined personnel or roles>, <organization-defined frequency>, etc.), these values must be defined and documented by the organization.

Similarly, if the criteria specify a \"Selection\" among multiple options (e.g. [Selection (one or more): as needed; ]), the option(s) implemented by the organization must also be defined and documented.", "$Type": "TrustmarkDefinition", "Sources": [{ "Identifier": "SP800-53R4", "Reference": "NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, National Institute of Standards and Technology, April 2013 (Includes updates as of 01-15-2014). Available at http://dx.doi.org/10.6028/NIST.SP.800-53r4<\/a>.", "$id": "source-2112165102" }] }