Auditing requirements

["King, Gregory" <cxz9 () cdc gov>]

Hello and good day to all...

I currently work in the Federal section performing IT security, which we all know because of FISMA requirements all 
Federal agencies are now required to perform security assessments in accordance with (IAW) NIST 800-26 and blah 
blah...The biggest issue thus far complying to the standards illustrated in the SP is that auditing is too cumbersome 
to enable at the database level due to performance concerns.  Can someone better justify why auditing should not be 
turned on at the database level other than a decrease in performance?  What are the some of the factors I should key on 
besides that it is a requirement and a recommended security control mechanism?

Regards,
 
Gregory A. King Sr.
KMT Security Lead
Strategic National Stockpile
Office: 404-687-6591
Mobile: 678-296-6256
eMail: cxz9 () cdc gov