Doc:NIST SP 800-53Ar1 Appendix F/Enhanced/SI/High

Template:Doc:NIST SP 800-53r3 Appendix F/SI-1

Determine if: (i) the organization develops and formally documents system and information integrity policy; (ii) the organization system and information integrity policy addresses: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; and compliance; (iii) the organization disseminates formal documented system and information integrity policy to elements within the organization having associated system and information integrity roles and responsibilities; (iv) the organization develops and formally documents system and information integrity procedures; (v) the organization system and information integrity procedures facilitate implementation of the system and information integrity policy and associated system and information integrity controls; and (vi) the organization disseminates formal documented system and information integrity procedures to elements within the organization having associated system and information integrity roles and responsibilities.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy and procedures; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with system and information integrity responsibilities].

Determine if: (i) the organization defines the frequency of system and information integrity policy reviews/updates; (ii) the organization reviews/updates system and information integrity policy in accordance with organization-defined frequency; (iii) the organization defines the frequency of system and information integrity procedure reviews/updates; and (iv) the organization reviews/updates system and information integrity procedures in accordance with organization-defined frequency.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy and procedures; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with system and information integrity responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-2

Determine if: (i) the organization identifies, reports, and corrects information system flaws; (ii) the organization tests software updates related to flaw remediation for effectiveness before installation; (iii) the organization tests software updates related to flaw remediation for potential side effects on organizational information systems before installation; and (iv) the organization incorporates flaw remediation into the organizational configuration management process.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing flaw remediation; list of flaws and vulnerabilities potentially affecting the information system; list of recent security flaw remediation actions performed on the information system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct information system flaws); test results from the installation of software to correct information system flaws; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with flaw remediation responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-2/1

Determine if: (i) the organization centrally manages the flaw remediation process; and (ii) the organization installs software updates automatically.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing flaw remediation; automated mechanisms supporting centralized management of flaw remediation and automatic software updates; information system design documentation; information system configuration settings and associated documentation; list of information system flaws; list of recent security flaw remediation actions performed on the information system; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms supporting centralized management of flaw remediation and automatic software updates].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-2/2

Determine if: (i) the organization defines the frequency of employing automated mechanisms to determine the state of information system components with regard to flaw remediation; and (ii) the organization employs automated mechanisms in accordance with the organization-defined frequency to determine the state of information system components with regard to flaw remediation.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing flaw remediation; automated mechanisms supporting flaw remediation; information system design documentation; information system configuration settings and associated documentation; list of information system flaws; list of recent security flaw remediation actions performed on the information system; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing information system flaw remediation update status].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-3

Determine if: (i) the organization employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code: transported by electronic mail, electronic mail attachments, Web accesses, removable media, or other common means; or inserted through the exploitation of information system vulnerabilities; (ii) the organization employs malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code: transported by electronic mail, electronic mail attachments, Web accesses, removable media, or other common means; or inserted through the exploitation of information system vulnerabilities; (iii) the organization updates malicious code protection mechanisms (including signature definitions) whenever new releases are available in accordance with configuration management policy and procedures defined in CM-1; (iv) the organization defines the frequency of periodic scans of the information system by malicious code protection mechanisms; (v) the organization defines one or more of the following actions to be taken in response to malicious code detection: block malicious code; quarantine malicious code; and/or send alert to administrator; (vi) the organization configures malicious code protection mechanisms to: perform periodic scans of the information system in accordance with organization-defined frequency; perform real-time scans of files from external sources as the files are downloaded, opened, or executed in accordance with organizational security policy; and take organization-defined action(s) in response to malicious code detection; and (vii) the organization addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing malicious code protection; malicious code protection mechanisms; records of malicious code protection updates; information system configuration settings and associated documentation; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with malicious code protection responsibilities].

Test: [SELECT FROM: Automated mechanisms implementing malicious code protection capability].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-3/1

Determine if the organization centrally manages malicious code protection mechanisms.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing malicious code protection; information system design documentation; malicious code protection mechanisms; records of malicious code protection updates; information system configuration settings and associated documentation; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-3/2

Determine if the information system automatically updates malicious code protection mechanisms, including signature definitions.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing malicious code protection; information system design documentation; malicious code protection mechanisms; records of malicious code protection updates; information system configuration settings and associated documentation; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-3/3

Determine if the information system prevents non-privileged users from circumventing malicious code protection capabilities.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing malicious code protection; information system design documentation; malicious code protection mechanisms; records of malicious code protection updates; information system configuration settings and associated documentation; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing malicious code protection capability].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-4

Determine if: (i) the organization defines objectives for monitoring events on the information system; (ii) the organization monitors events on the information system in accordance with organization-defined objectives and detects information system attacks; (iii) the organization identifies unauthorized use of the information system; (iv) the organization deploys monitoring devices: strategically within the information system to collect organization-determined essential information; and at ad hoc locations within the system to track specific types of transactions of interest to the organization; (v) the organization heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; and (vi) the organization obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system monitoring responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-4/2

Determine if the organization employs automated tools to support near real-time analysis of events.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system protocols documentation; other relevant documents or records].

Test: [SELECT FROM: Automated tools supporting near real-time event analysis].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-4/4

Determine if the information system monitors inbound and outbound communications for unusual or unauthorized activities or conditions.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system protocols; other relevant documents or records].

Test: [SELECT FROM: Automated tools supporting the integration of intrusion detection tools and access/flow control mechanisms].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-4/5

Determine if: (i) the organization defines indicators of compromise or potential compromise to the security of the information system; and (ii) the information system provides near real-time alerts when any of the organization-defined list of compromise or potential compromise indicators occurs.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system monitoring tools and techniques; security plan; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; other relevant documents or records].

Test: [SELECT FROM: Information system monitoring real-time alert capability].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-4/6

Determine if the information system prevents non-privileged users from circumventing intrusion detection and prevention capabilities.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system protocols; other relevant documents or records].

Test: [SELECT FROM: Information system-wide intrusion detection and prevention capability].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-5

Determine if: (i) the organization receives information system security alerts, advisories, and directives from designated external organizations on an ongoing basis; (ii) the organization generates internal security alerts, advisories, and directives; (iii) the organization defines personnel (identified by name and/or by role) who should receive security alerts, advisories, and directives; (iv) the organization disseminates security alerts, advisories, and directives to organization-identified personnel; and (v) the organization implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing security alerts and advisories; records of security alerts and advisories; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with security alert and advisory responsibilities; organizational personnel implementing, operating, maintaining, administering, and using the information system].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-5/1

Determine if the organization employs automated mechanisms to make security alert and advisory information available throughout the organization.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing security alerts and advisories; information system design documentation; information system configuration settings and associated documentation; automated mechanisms supporting the distribution of security alert and advisory information; records of security alerts and advisories; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing the distribution of security alert and advisory information].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-6

Determine if: (i) the organization defines the appropriate conditions, including the system transitional states if applicable, for verifying the correct operation of security functions; (ii) the organization defines for periodic security function verification, the frequency of the verifications; (iii) the organization defines information system responses and alternative action(s) to anomalies discovered during security function verification; (iv) the information system verifies the correct operation of security functions in accordance with organization-defined conditions and in accordance with organization-defined frequency (if periodic verification); and (v) the information system responds to security function anomalies in accordance with organization-defined responses and alternative action(s).

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing security function verification; information system design documentation; security plan; information system configuration settings and associated documentation; other relevant documents or records].

Test: [SELECT FROM: Security function verification capability].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-7

Determine if the information system detects unauthorized changes to software and information.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing software and information integrity; information system design documentation; information system configuration settings and associated documentation; integrity verification tools and applications documentation; other relevant documents or records].

Test: [SELECT FROM: Software integrity protection and verification capability].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-7/1

Determine if: (i) the organization defines the frequency of integrity scans to be performed on the information system; and (ii) the organization reassesses the integrity of software and information by performing integrity scans of the information system in accordance with the organization-defined frequency.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing software and information integrity; security plan; information system configuration settings and associated documentation; integrity verification tools and applications documentation; records of integrity scans; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-7/2

Determine if the organization employs automated tools that provide notification to designated individuals upon discovering discrepancies during integrity verification.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing software and information integrity; information system configuration settings and associated documentation; integrity verification tools and applications documentation; records of integrity scans; automated tools supporting alerts and notifications for integrity discrepancies; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-8

Determine if: (i) the organization employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, Web accesses, removable media, or other common means; (ii) the organization employs spam protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, Web accesses, removable media, or other common means; and (iii) the organization updates spam protection mechanisms (including signature definitions) when new releases are available in accordance with organizational configuration management policy and procedures defined in CM-1.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing spam protection; information system design documentation; spam protection mechanisms; information system configuration settings and associated documentation; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with spam protection responsibilities].

Test: [SELECT FROM: Automated mechanisms implementing spam detection and handling capability].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-8/1

Determine if the organization centrally manages spam protection mechanisms.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing spam protection; information system design documentation; spam protection mechanisms; information system configuration settings and associated documentation; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-9

Determine if the organization restricts the capability to input information to the information system to authorized personnel.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing information input restrictions; access control policy and procedures; separation of duties policy and procedures; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with responsibilities for implementing restrictions on individual authorizations to input information into the information system].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-10

Determine if the information system checks the validity of information inputs.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing information validity; access control policy and procedures; separation of duties policy and procedures; documentation for automated tools and applications to verify validity of information; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].

Test: [SELECT FROM: Information system capability for checking validity of information inputs].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-11

Determine if: (i) the information system identifies potentially security-relevant error conditions; (ii) the organization defines sensitive or potentially harmful information that should not be contained in error logs and administrative messages; (iii) the information system generates error messages that provide information necessary for corrective actions without revealing organization-defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited by adversaries; and (iv) the information system reveals error messages only to authorized personnel.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system error handling; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].

Test: [SELECT FROM: Information system error handling capability].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-12

Determine if: (i) the organization handles both information within and output from the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements; and (ii) the organization retains both information within and output from the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system output handling and retention; media protection policy and procedures; information retention records, other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information output handling and retention responsibilities].