Discussion:

Audit logging process failures include software and hardware errors, failures in the audit record capturing mechanisms, and audit record storage capacity being reached or exceeded. This requirement applies to each audit record data storage repository (i.e., distinct system component where audit records are stored), the total audit record storage capacity of organizations (i.e., all audit record data storage repositories combined), or both.

Upon assessment, assessors must determine if-

3.3.4[a] personnel or roles to be alerted in the event of an audit logging process failure
are identified.
3.3.4[b] types of audit logging process failures for which alert will be generated are
defined.
3.3.4[c] identified personnel or roles are alerted in the event of an audit logging process
failure.

Assessors are instructed to-

Examine: [SELECT FROM: Audit and accountability policy; procedures addressing response to audit logging processing failures; system design documentation; system security plan; system configuration settings and associated documentation; list of personnel to be notified in case of an audit logging processing failure; system incident reports; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: Personnel with audit and accountability responsibilities; personnel with information security responsibilities; system or network administrators; system developers].

Test: [SELECT FROM: Mechanisms implementing system response to audit logging processing failures].