Doc:NIST SP 800-53Ar1 Appendix F/Enhanced/SI/Low


NIST SP 800-53Ar1 Assessment Procedure Catalog, with SP 800-53r3 Security Controls


SYSTEM AND INFORMATION INTEGRITY

SI-1 SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES


FAMILY: SYSTEM AND INFORMATION INTEGRITY CLASS: OPERATIONAL


Security Control Baseline:
SI-1 System and Information Integrity Policy and Procedures | Priority: P1 | LOW: SI-1 | MOD: SI-1 | HIGH: SI-1


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SI-1


ASSESSMENT PROCEDURE
SI-1 SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
SI-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and formally documents system and information integrity policy;
(ii) the organization system and information integrity policy addresses:
(iii) the organization disseminates formal documented system and information integrity policy to elements within the organization having associated system and information integrity roles and responsibilities;
(iv) the organization develops and formally documents system and information integrity procedures;
(v) the organization system and information integrity procedures facilitate implementation of the system and information integrity policy and associated system and information integrity controls; and
(vi) the organization disseminates formal documented system and information integrity procedures to elements within the organization having associated system and information integrity roles and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with system and information integrity responsibilities].
SI-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of system and information integrity policy reviews/updates;
(ii) the organization reviews/updates system and information integrity policy in accordance with organization-defined frequency;
(iii) the organization defines the frequency of system and information integrity procedure reviews/updates; and
(iv) the organization reviews/updates system and information integrity procedures in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with system and information integrity responsibilities].


SI-2 FLAW REMEDIATION


FAMILY: SYSTEM AND INFORMATION INTEGRITY CLASS: OPERATIONAL


Security Control Baseline:
SI-2 Flaw Remediation | Priority: P1 | LOW: SI-2 | MOD: SI-2 (2) | HIGH: SI-2 (1) (2)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SI-2


ASSESSMENT PROCEDURE
SI-2 FLAW REMEDIATION
SI-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies, reports, and corrects information system flaws;
(ii) the organization tests software updates related to flaw remediation for effectiveness before installation;
(iii) the organization tests software updates related to flaw remediation for potential side effects on organizational information systems before installation; and
(iv) the organization incorporates flaw remediation into the organizational configuration management process.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing flaw remediation; list of flaws and vulnerabilities potentially affecting the information system; list of recent security flaw remediation actions performed on the information system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct information system flaws); test results from the installation of software to correct information system flaws; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with flaw remediation responsibilities].



SI-3 MALICIOUS CODE PROTECTION


FAMILY: SYSTEM AND INFORMATION INTEGRITY CLASS: OPERATIONAL


Security Control Baseline:
SI-3 Malicious Code Protection | Priority: P1 | LOW: SI-3 | MOD: SI-3 (1) (2) (3) | HIGH: SI-3 (1) (2) (3)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SI-3


ASSESSMENT PROCEDURE
SI-3 MALICIOUS CODE PROTECTION
SI-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code:
  • transported by electronic mail, electronic mail attachments, Web accesses, removable media, or other common means; or
  • inserted through the exploitation of information system vulnerabilities;
(ii) the organization employs malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code:
  • transported by electronic mail, electronic mail attachments, Web accesses, removable media, or other common means; or
  • inserted through the exploitation of information system vulnerabilities;
(iii) the organization updates malicious code protection mechanisms (including signature definitions) whenever new releases are available in accordance with configuration management policy and procedures defined in CM-1;
(iv) the organization defines the frequency of periodic scans of the information system by malicious code protection mechanisms;
(v) the organization defines one or more of the following actions to be taken in response to malicious code detection:
(vi) the organization configures malicious code protection mechanisms to:
  • perform periodic scans of the information system in accordance with organization-defined frequency;
  • perform real-time scans of files from external sources as the files are downloaded, opened, or executed in accordance with organizational security policy; and
  • take organization-defined action(s) in response to malicious code detection; and
(vii) the organization addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing malicious code protection; malicious code protection mechanisms; records of malicious code protection updates; information system configuration settings and associated documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with malicious code protection responsibilities].
Test: [SELECT FROM: Automated mechanisms implementing malicious code protection capability].


SI-5 SECURITY ALERTS, ADVISORIES, AND DIRECTIVES


FAMILY: SYSTEM AND INFORMATION INTEGRITY CLASS: OPERATIONAL


Security Control Baseline:
SI-5 Security Alerts, Advisories, and Directives | Priority: P1 | LOW: SI-5 | MOD: SI-5 | HIGH: SI-5 (1)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SI-5


ASSESSMENT PROCEDURE
SI-5 SECURITY ALERTS, ADVISORIES, AND DIRECTIVES
SI-5.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization receives information system security alerts, advisories, and directives from designated external organizations on an ongoing basis;
(ii) the organization generates internal security alerts, advisories, and directives;
(iii) the organization defines personnel (identified by name and/or by role) who should receive security alerts, advisories, and directives;
(iv) the organization disseminates security alerts, advisories, and directives to organization-identified personnel; and
(v) the organization implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing security alerts and advisories; records of security alerts and advisories; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with security alert and advisory responsibilities; organizational personnel implementing, operating, maintaining, administering, and using the information system].



SI-12 INFORMATION OUTPUT HANDLING AND RETENTION


FAMILY: SYSTEM AND INFORMATION INTEGRITY CLASS: OPERATIONAL


Security Control Baseline:
SI-12 Information Output Handling and Retention | Priority: P2 | LOW: SI-12 | MOD: SI-12 | HIGH: SI-12


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SI-12


ASSESSMENT PROCEDURE
SI-12 INFORMATION OUTPUT HANDLING AND RETENTION
SI-12.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization handles both information within and output from the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements; and
(ii) the organization retains both information within and output from the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system output handling and retention; media protection policy and procedures; information retention records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information output handling and retention responsibilities].


