Doc:NIST SP 800-53Ar1 Appendix F/Enhanced/SC/Low

From FISMApedia
Jump to: navigation, search

NIST SP 800-53Ar1 Assessment Procedure Catalog, with SP 800-53r3 Security Controls


SYSTEM AND COMMUNICATIONS PROTECTION

SC-1 SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES

FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION CLASS: TECHNICAL


Security Control Baseline:
SC-1 System and Communications Protection Policy and Procedures P1 LOW SC-1 MOD SC-1 HIGH SC-1


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SC-1


ASSESSMENT PROCEDURE
SC-1 SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES
SC-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and formally documents system and communications protection policy;
(ii) the organization system and communications protection policy addresses:
(iii) the organization disseminates formal documented system and communications protection policy to elements within the organization having associated system and communications protection roles and responsibilities;
(iv) the organization develops and formally documents system and communications protection procedures;
(v) the organization system and communications protection procedures facilitate implementation of the system and communications protection policy and associated system and communications protection controls; and
(vi) the organization disseminates formal documented system and communications protection procedures to elements within the organization having associated system and communications protection roles and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with system and communications protection responsibilities].
SC-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of system and communications protection policy reviews/updates;
(ii) the organization reviews/updates system and communications protection policy in accordance with organization-defined frequency; and
(iii) the organization defines the frequency of system and communications protection procedure reviews/updates;
(iv) the organization reviews/updates system and communications protection procedures in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with system and communications protection responsibilities].


SC-5 DENIAL OF SERVICE PROTECTION

FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION CLASS: TECHNICAL


Security Control Baseline:
SC-5 Denial of Service Protection P1 LOW SC-5 MOD SC-5 HIGH SC-5


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SC-5


ASSESSMENT PROCEDURE
SC-5 DENIAL OF SERVICE PROTECTION
SC-5.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the types of denial of service attacks (or provides references to sources of current denial of service attacks) that can be addressed by the information system; and
(ii) the information system protects against or limits the effects of the organization-defined or referenced types of denial of service attacks.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing denial of service protection; information system design documentation; security plan; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Information system for protection against or limitation of the effects of denial of service attacks].


SC-7 BOUNDARY PROTECTION

FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION CLASS: TECHNICAL


Security Control Baseline:
SC-7 Boundary Protection P1 LOW SC-7 MOD SC-7 (1) (2) (3) (4) (5) (7) HIGH SC-7 (1) (2) (3) (4) (5) (6) (7) (8)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SC-7


ASSESSMENT PROCEDURE
SC-7 BOUNDARY PROTECTION
SC-7.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the external boundary of the information system;
(ii) the organization defines key internal boundaries of the information system;
(iii) the information system monitors and controls communications at the external boundary of the information system and at key internal boundaries within the system; and
(iv) the information system connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; list of key internal boundaries of the information system; information system design documentation; boundary protection hardware and software; information system configuration settings and associated documentation; enterprise security architecture documentation; other relevant documents or records].
Interview: [SELECT FROM: Selected organizational personnel with boundary protection responsibilities].
Test: [SELECT FROM: Automated mechanisms implementing boundary protection capability within the information system].


SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT

FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION CLASS: TECHNICAL


Security Control Baseline:
SC-12 Cryptographic Key Establishment and Management P1 LOW SC-12 MOD SC-12 HIGH SC-12 (1)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SC-12


ASSESSMENT PROCEDURE
SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT
SC-12.1 ASSESSMENT OBJECTIVE:
Determine if the organization establishes and manages cryptographic keys for required cryptography employed within the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing cryptographic key management and establishment; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for cryptographic key establishment or management].
Test: [SELECT FROM: Automated mechanisms implementing cryptographic key management and establishment within the information system].


SC-13 USE OF CRYPTOGRAPHY

FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION CLASS: TECHNICAL


Security Control Baseline:
SC-13 Use of Cryptography P1 LOW SC-13 MOD SC-13 HIGH SC-13


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SC-13


ASSESSMENT PROCEDURE
SC-13 USE OF CRYPTOGRAPHY
SC-13.1 ASSESSMENT OBJECTIVE:
Determine if the information system implements cryptographic protections using cryptographic modules that comply with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing use of cryptography; information system design documentation; information system configuration settings and associated documentation; cryptographic module validation certificates; other relevant documents or records].



SC-14 PUBLIC ACCESS PROTECTIONS

FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION CLASS: TECHNICAL


Security Control Baseline:
SC-14 Public Access Protections P1 LOW SC-14 MOD SC-14 HIGH SC-14


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SC-14


ASSESSMENT PROCEDURE
SC-14 PUBLIC ACCESS PROTECTIONS
SC-14.1 ASSESSMENT OBJECTIVE:
Determine if the information system protects the integrity and availability of publicly available information and applications.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing public access protections; access control policy and procedures; boundary protection procedures; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms protecting the integrity and availability of publicly available information and applications within the information system].


SC-15 COLLABORATIVE COMPUTING DEVICES

FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION CLASS: TECHNICAL


Security Control Baseline:
SC-15 Collaborative Computing Devices P1 LOW SC-15 MOD SC-15 HIGH SC-15


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SC-15


ASSESSMENT PROCEDURE
SC-15 COLLABORATIVE COMPUTING DEVICES
SC-15.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines exceptions to the prohibiting of collaborative computing devices where remote activation is to be allowed;
(ii) the organization prohibits remote activation of collaborative computing devices, excluding the organization-defined exceptions where remote activation is to be allowed; and
(iii) the organization provides an explicit indication of use to users physically present at the devices.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing collaborative computing; access control policy and procedures; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing access controls for collaborative computing environments; alert notification for local users].


SC-20 SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)

FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION CLASS: TECHNICAL


Security Control Baseline:
SC-20 Secure Name /Address Resolution Service (Authoritative Source) P1 LOW SC-20 (1) MOD SC-20 (1) HIGH SC-20 (1)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SC-20


ASSESSMENT PROCEDURE
SC-20 SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)
SC-20.1 ASSESSMENT OBJECTIVE:
Determine if the information system provides additional data origin and integrity artifacts along with the authoritative data the system returns in response to name/address resolution queries.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing secure name/address resolution service (authoritative source); information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing secure name/address resolution service (authoritative source)].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/SC-20/1


SC-20(1) SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)
SC-20(1).1 ASSESSMENT OBJECTIVE:
Determine if
(i) the information system, when operating as part of a distributed, hierarchical namespace, provides the means to indicate the security status of child subspaces; and
(ii) the information system, when operating as part of a distributed, hierarchical namespace, enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services).
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing secure name/address resolution service (authoritative source); information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing child subspace security status indicators and chain of trust verification for resolution services].


Source

Retrieved from "http://fismapedia.org/index.php?title=Doc:NIST_SP_800-53Ar1_Appendix_F/Enhanced/SC/Low&oldid=52932"