AU-02 (03) Audit Events Reviews And Updates
Introduction
This document describes how Private Mendix Platform fulfills the AU-02 (03) control.
| Control ID | AU-02 (03) |
|---|---|
| Control category | AU - Audit and Accountability |
| Requirement baseline | FEDRAMP MODERATE |
| Responsibility and ownership | Mendix - Private Mendix Platform, Mendix - Operator, Mendix - Studio Pro/Runtime, Customer - Infra |
Control
For the AU-02 (03) control, the organization reviews and updates the audited events at an organization-defined frequency.
Supplemental Guidance
Over time, the events that organizations believe should be audited may change. Reviewing and updating the set of audited events periodically is necessary to ensure that the current set is still necessary and sufficient.
Responsibility
Customer Responsibility
The customer is responsible for reviewing and updating the audited events.
The infrastructure operator and app operator are responsible for updating the audited events, as required by the customer.
Guidance
Customer Responsibility
The customer should identify the audit events that are significant and relevant to the security of information systems, such as logins, password changes, administrative privilege usage, personal credential usage, and third-party credential usage.
The customer should review and update the set of audited events periodically to ensure that the latest set is always necessary and sufficient.
Proof and Remarks
Mendix is not responsible for this task. The customer must review and update the audited events.