SI-1 SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
Control
The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, system and information integrity policy that addresses purpose, scope, roles, responsibilities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls.
Supplemental Guidance
The system and information integrity policy and procedures are consistent with applicable federal laws, directives, policies, regulations, standards, and guidance. The system and information integrity policy can be included as part of the general information security policy for the organization. System and information integrity procedures can be developed for the security program in general, and for a particular information system, when required. NIST Special Publication 800-12 provides guidance on security policies and procedures.
Control Enhancements
LOW: SI-1 | MOD: SI-1 | HIGH: SI-1
SI-2 FLAW REMEDIATION
Control
The organization identifies, reports, and corrects information system flaws.
Supplemental Guidance
The organization identifies information systems containing proprietary or open source software affected by recently announced software flaws (and potential vulnerabilities resulting from those flaws). Proprietary software can be found in either commercial/government off-the-shelf information technology component products or in custom-developed applications. The organization (or the software developer/vendor in the case of software developed and maintained by a vendor/contractor) tests newly released security-relevant patches, service packs, and hot fixes for effectiveness and potential side effects on the organization's information systems, and then promptly installs them. Flaws discovered during security assessments, continuous monitoring (see security controls CA-2, CA-4, or CA-7), or incident response activities (see security control IR-4) should also be addressed expeditiously. NIST Special Publication 800-40 provides guidance on security patch installation.
Control Enhancements
(1) The organization centrally manages the flaw remediation process and installs updates automatically without individual user intervention.
(2) The organization employs automated mechanisms to periodically and upon command determine the state of information system components with regard to flaw remediation.
LOW
SI-2
MOD
HIGH
SI-2
SI-3 MALICIOUS CODE PROTECTION
Control
The information system implements malicious code protection that includes a capability for automatic updates.
Supplemental Guidance
The organization employs virus protection mechanisms at critical information system entry and exit points (e.g., firewalls, electronic mail servers, remote-access servers) and at workstations, servers, or mobile computing devices on the network. The organization uses the virus protection mechanisms to detect and eradicate malicious code (e.g., viruses, worms, Trojan horses) transported: (i) by electronic mail, electronic mail attachments, Internet accesses, removable media (e.g., diskettes or compact disks), or other common means; or (ii) by exploiting information system vulnerabilities. The organization updates virus protection mechanisms (including the latest virus definitions) whenever new releases are available in accordance with organizational configuration management policy and procedures. Consideration is given to using virus protection software products from multiple vendors (e.g., using one vendor for boundary devices and servers and another vendor for workstations).
Control Enhancements
(1) The organization centrally manages virus protection mechanisms.
(2) The information system automatically updates virus protection mechanisms.
LOW
SI-3
MOD
SI-3 (1)
HIGH
SI-4 INTRUSION DETECTION TOOLS AND TECHNIQUES
Control
The organization employs tools and techniques to monitor events on the information system, detect attacks, and provide identification of unauthorized use of the system.
Supplemental Guidance
Intrusion detection and information system monitoring capability can be achieved through a variety of tools and techniques (e.g., intrusion detection systems, virus protection software, log monitoring software, network forensic analysis tools).
Control Enhancements
(1) The organization networks individual intrusion detection tools into a systemwide intrusion detection system using common protocols.
(2) The organization employs automated tools to support near-real-time analysis of events in support of detecting system-level attacks.
(3) The organization employs automated tools to integrate intrusion detection tools into access control and flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination.
(4) The information system monitors outbound communications for unusual or unauthorized activities indicating the presence of malware (e.g., malicious code, spyware, adware).
LOW: Not Selected | MOD: SI-4 | HIGH: SI-4
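Enhancement (4) asks the system to notice outbound traffic that indicates malware. One signal that does not depend on signatures is beaconing: an implant calling home on a fixed timer with near-constant payload sizes. The following is an added example, not text or code from SP 800-53; the log layout, the thresholds and the log lines themselves are constructed for illustration.

```python
"""Added example (not from SP 800-53): flag outbound connections whose timing
and size are too regular to be human-driven, the beaconing pattern that
SI-4 enhancement (4) asks the system to notice. The log lines are constructed
for this example; the field layout and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound log: "<timestamp> <src> <dst:port> <bytes>"
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 198.51.100.7:443 512
2024-03-01T10:01:13 10.0.0.9 203.0.113.20:443 4096
2024-03-01T10:03:47 10.0.0.9 203.0.113.20:443 88000
2024-03-01T10:04:02 10.0.0.9 203.0.113.21:443 1200
2024-03-01T10:05:00 10.0.0.5 198.51.100.7:443 520
2024-03-01T10:10:01 10.0.0.5 198.51.100.7:443 515
2024-03-01T10:15:00 10.0.0.5 198.51.100.7:443 510
2024-03-01T10:19:30 10.0.0.9 203.0.113.20:443 7000
2024-03-01T10:20:00 10.0.0.5 198.51.100.7:443 518
2024-03-01T10:25:00 10.0.0.5 198.51.100.7:443 514
2024-03-01T10:31:05 10.0.0.9 203.0.113.22:80 300
2024-03-01T10:40:12 10.0.0.9 203.0.113.20:443 2048
"""


def parse_log(text):
    """Group events by (src, dst:port); each event is (timestamp, bytes)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows[(src, dst)].append((datetime.fromisoformat(ts), int(nbytes)))
    return flows


def regularity(events, min_events=5):
    """Coefficient of variation of inter-arrival gaps and of payload sizes.
    Values near 0 mean clockwork timing and constant payloads. Returns None
    when there are too few events to judge."""
    if len(events) < min_events:
        return None
    events = sorted(events)
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    sizes = [size for _, size in events]
    if mean(gaps) == 0 or mean(sizes) == 0:
        return None
    return {
        "count": len(events),
        "mean_gap_s": mean(gaps),
        "gap_cv": pstdev(gaps) / mean(gaps),
        "size_cv": pstdev(sizes) / mean(sizes),
    }


def find_beacons(text, max_gap_cv=0.05, max_size_cv=0.10):
    """Return the (src, dst) flows whose timing and sizes are both regular."""
    hits = []
    for (src, dst), events in parse_log(text).items():
        stats = regularity(events)
        if stats is None:
            continue
        if stats["gap_cv"] <= max_gap_cv and stats["size_cv"] <= max_size_cv:
            hits.append(dict(stats, src=src, dst=dst))
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print("possible beacon: %(src)s -> %(dst)s, %(count)d connections "
              "every %(mean_gap_s).0fs (gap CV %(gap_cv).3f)" % hit)
```

In the constructed data only 10.0.0.5 is flagged: six connections to one endpoint at 300-second intervals with payloads within a few bytes of each other. The bursty, variable-size traffic from 10.0.0.9 is not. Legitimate agents (update checkers, monitoring, telemetry) also poll on timers, so in practice this check is run over a longer window, known endpoints are excluded, and the result is combined with destination reputation before anyone is paged.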
SI-5 SECURITY ALERTS AND ADVISORIES
Control
The organization receives information system security alerts/advisories on a regular basis, issues alerts/advisories to appropriate personnel, and takes appropriate actions in response.
Supplemental Guidance
The organization documents the types of actions to be taken in response to security alerts/advisories.
Control Enhancements
(1) The organization employs automated mechanisms to make security alert and advisory information available throughout the organization as needed.
LOW: SI-5 | MOD: SI-5 | HIGH: SI-5
SI-6 SECURITY FUNCTIONALITY VERIFICATION
Control
The information system verifies the correct operation of security functions [Selection (one or more): upon system startup and restart, upon command by user with appropriate privilege, periodically every [Assignment: organization-defined time-period]] and [Selection (one or more): notifies system administrator, shuts the system down, restarts the system] when anomalies are discovered.
Supplemental Guidance
None.
Control Enhancements
(1) The organization employs automated mechanisms to provide notification of failed security tests.
(2) The organization employs automated mechanisms to support management of distributed security testing.
LOW
Not Selected
MOD
SI-6
HIGH
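A concrete way to meet the control statement is a set of known-answer tests over the security functions the system relies on, run at startup and on a timer, with the response chosen from the selection in the control (notify, shut down, restart). The block below is an added example and not part of SP 800-53; the SHA-256 and HMAC-SHA-256 expected values are the published test vectors (the FIPS 180 "abc" vector and RFC 4231 test case 2), while the set of functions tested and the policy actions are assumptions.

```python
"""Added example (not from SP 800-53): verify security functions with
known-answer tests at startup or on a timer, then act per policy (SI-6).
The SHA-256 and HMAC-SHA-256 answers are the standard published test vectors;
the function set and the policy actions are assumptions for this example."""
import hashlib
import hmac
import secrets


def kat_sha256():
    # FIPS 180 test vector for "abc"
    return (hashlib.sha256(b"abc").hexdigest()
            == "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad")


def kat_hmac_sha256():
    # RFC 4231 test case 2
    tag = hmac.new(b"Jefe", b"what do ya want for nothing?", hashlib.sha256)
    return tag.hexdigest() == "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"


def kat_random():
    # Minimal RNG health check: successive draws must differ and not be stuck at zero.
    a, b = secrets.token_bytes(32), secrets.token_bytes(32)
    return a != b and any(a) and any(b)


def kat_constant_time_compare():
    return (hmac.compare_digest(b"x" * 16, b"x" * 16)
            and not hmac.compare_digest(b"x" * 16, b"y" * 16))


# Assumed set of security functions this system depends on.
SECURITY_FUNCTIONS = {
    "sha256": kat_sha256,
    "hmac_sha256": kat_hmac_sha256,
    "random": kat_random,
    "compare_digest": kat_constant_time_compare,
}


def run_self_tests(functions=SECURITY_FUNCTIONS):
    """Map each function name to True/False; an exception counts as a failure."""
    results = {}
    for name, test in functions.items():
        try:
            results[name] = bool(test())
        except Exception:
            results[name] = False
    return results


def decide(results, on_failure="notify"):
    """Apply the SI-6 selection for failures: 'notify', 'shutdown' or 'restart'.
    Returns (action, failed_names); the caller carries out the action."""
    failed = sorted(name for name, ok in results.items() if not ok)
    if not failed:
        return "continue", []
    if on_failure not in ("notify", "shutdown", "restart"):
        raise ValueError("unknown policy: " + on_failure)
    return on_failure, failed


if __name__ == "__main__":
    print(decide(run_self_tests(), on_failure="notify"))
```

A known-answer test that fails on a library that passed yesterday is strong evidence of a tampered or mis-built binary, which is why "shutdown" is a reasonable policy for high-impact systems even though it costs availability. Scheduling the same function periodically satisfies the "periodically every [time-period]" selection.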
SI-7 SOFTWARE AND INFORMATION INTEGRITY
Control
The information system detects and protects against unauthorized changes to software and information.
Supplemental Guidance
The organization employs integrity verification applications on the information system to look for evidence of information tampering, errors, and omissions. The organization employs good software engineering practices with regard to commercial off-the-shelf integrity mechanisms (e.g., parity checks, cyclic redundancy checks, cryptographic hashes) and uses tools to automatically monitor the integrity of the information system and the applications it hosts. Parity checks and cyclic redundancy checks detect accidental corruption only; detecting deliberate tampering requires a cryptographic hash compared against a baseline the adversary cannot rewrite (e.g., one stored off the system or authenticated with a key the system itself does not hold).
Control Enhancements
None.
LOW: Not Selected | MOD: Not Selected | HIGH: SI-7
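The guidance above names cryptographic hashes as the integrity mechanism; what it does not spell out is that the baseline of hashes is itself a target. The following added example (not code from SP 800-53 or any product) builds a SHA-256 baseline of a directory, authenticates the manifest with an HMAC so that an attacker who can rewrite files cannot also re-baseline them without the key, and reports modified, missing and added files. The directory contents and the key are assumptions; the run uses a temporary directory.

```python
"""Added example (not from SP 800-53): an integrity baseline of SHA-256 file
digests whose manifest is authenticated with HMAC, so a local attacker who can
rewrite files cannot silently rewrite the baseline too (SI-7). The directory
layout and key are assumptions; demo() runs in a temporary directory."""
import hashlib
import hmac
import json
import os
import tempfile


def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Relative path -> SHA-256 for every regular file under root."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digests[os.path.relpath(full, root)] = file_digest(full)
    return digests


def build_baseline(root, key):
    body = json.dumps(snapshot(root), sort_keys=True)
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"entries": body, "mac": mac}


def verify(root, baseline, key):
    """Check the manifest's MAC before trusting anything in it."""
    expected_mac = hmac.new(key, baseline["entries"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, baseline["mac"]):
        return {"manifest_tampered": True, "modified": [], "missing": [], "added": []}
    expected = json.loads(baseline["entries"])
    current = snapshot(root)
    return {
        "manifest_tampered": False,
        "modified": sorted(p for p in expected if p in current and current[p] != expected[p]),
        "missing": sorted(p for p in expected if p not in current),
        "added": sorted(p for p in current if p not in expected),
    }


def demo():
    """Clean check, check after tampering, and check against a forged manifest."""
    key = b"assumed key held by the monitoring service, not on the host"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "app.conf"), "w") as f:
            f.write("debug=false\n")
        with open(os.path.join(root, "bin", "tool"), "wb") as f:
            f.write(b"\x7fELF original")
        baseline = build_baseline(root, key)
        clean = verify(root, baseline, key)

        # Simulated tampering: config edited, binary removed, library dropped in.
        with open(os.path.join(root, "app.conf"), "w") as f:
            f.write("debug=true\n")
        os.remove(os.path.join(root, "bin", "tool"))
        with open(os.path.join(root, "evil.so"), "wb") as f:
            f.write(b"payload")
        tampered = verify(root, baseline, key)

        # Attacker re-baselines the directory but has no key: the MAC check fails.
        forged = dict(baseline, entries=json.dumps(snapshot(root), sort_keys=True))
        forged_result = verify(root, forged, key)
    return clean, tampered, forged_result


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The key must live somewhere the monitored host cannot read at will (a central monitoring service, an HSM, or a signed manifest checked with a public key); if it sits beside the manifest, the HMAC adds nothing over a bare hash list.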
SI-8 SPAM AND SPYWARE PROTECTION
Control
The information system implements spam and spyware protection.
Supplemental Guidance
The organization employs spam and spyware protection mechanisms at critical information system entry points (e.g., firewalls, electronic mail servers, remote-access servers) and at workstations, servers, or mobile computing devices on the network. The organization uses the spam and spyware protection mechanisms to detect and take appropriate action on unsolicited messages and spyware/adware, respectively, transported by electronic mail, electronic mail attachments, Internet accesses, removable media (e.g., diskettes or compact disks), or other common means. Consideration is given to using spam and spyware protection software products from multiple vendors (e.g., using one vendor for boundary devices and servers and another vendor for workstations).
Control Enhancements
(1) The organization centrally manages spam and spyware protection mechanisms.
(2) The information system automatically updates spam and spyware protection mechanisms.
LOW: Not Selected | MOD: SI-8 | HIGH: SI-8 (1)
SI-9 INFORMATION INPUT RESTRICTIONS
Control
The organization restricts the information input to the information system to authorized personnel only.
Supplemental Guidance
Restrictions on personnel authorized to input information to the information system may extend beyond the typical access controls employed by the system and include limitations based on specific operational/project responsibilities.
Control Enhancements
None.
LOW
Not Selected
MOD
SI-9
HIGH
SI-10 INFORMATION INPUT ACCURACY, COMPLETENESS, AND VALIDITY
Control
The information system checks information inputs for accuracy, completeness, and validity.
Supplemental Guidance
Checks for accuracy, completeness, and validity of information should be accomplished as close to the point of origin as possible. Rules for checking the valid syntax of information system inputs (e.g., character set, length, numerical range, acceptable values) are in place to ensure that inputs match specified definitions for format and content. Inputs passed to interpreters (e.g., command shells, database query engines, script engines) should be prescreened to ensure the content is not unintentionally interpreted as commands. Checks performed in a client or browser can be bypassed, so the information system repeats them on the trusted side before acting on the input. The extent to which the information system is able to check the accuracy, completeness, and validity of information inputs should be guided by organizational policy and operational requirements.
Control Enhancements
None.
LOW: Not Selected | MOD: SI-10 | HIGH: SI-10
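The guidance lists the syntax rules (character set, length, numerical range, acceptable values) and the interpreter prescreen separately; the added example below, which is not code from SP 800-53, shows both on one request. The field rules, the region list and the ping helper are assumptions chosen for illustration. The unsafe helper is kept deliberately to show the pattern the prescreen exists to prevent; nothing in the block executes a command.

```python
"""Added example (not from SP 800-53): allowlist syntax checks on a request
(character set, length, numerical range, acceptable values) and a prescreen
that keeps input out of a shell interpreter (SI-10). The field rules, region
list and ping helper are assumptions for this example."""
import ipaddress
import re
import shlex

USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")        # character set + length
ALLOWED_REGIONS = {"us-east", "us-west", "eu-central"}   # acceptable values


class ValidationError(ValueError):
    def __init__(self, errors):
        super().__init__("invalid input: " + ", ".join(sorted(errors)))
        self.errors = errors


def validation_errors(raw):
    """Field name -> reason for every rule the untrusted mapping violates."""
    errors = {}
    if not USERNAME_RE.fullmatch(str(raw.get("username", ""))):
        errors["username"] = "3-32 chars of [a-z0-9_], starting with a letter"
    try:
        quantity = int(str(raw.get("quantity", "")).strip())
        if not 1 <= quantity <= 1000:          # numerical range
            raise ValueError
    except ValueError:
        errors["quantity"] = "integer in 1..1000"
    if str(raw.get("region", "")) not in ALLOWED_REGIONS:
        errors["region"] = "one of " + ", ".join(sorted(ALLOWED_REGIONS))
    return errors


def validate_order(raw):
    """Reject on any violation; return typed, clean fields otherwise."""
    errors = validation_errors(raw)
    if errors:
        raise ValidationError(errors)
    return {
        "username": str(raw["username"]),
        "quantity": int(str(raw["quantity"]).strip()),
        "region": str(raw["region"]),
    }


def ping_command_unsafe(host):
    """Vulnerable pattern: host is spliced into a command line that would be
    handed to a shell (shell=True), so ';', '|' or '$(...)' in host become commands."""
    return "ping -c 1 %s" % host


def ping_command_safe(host):
    """Prescreened: host must parse as an IP literal, and the command is an argv
    list for subprocess.run without a shell, so host is exactly one argument."""
    ipaddress.ip_address(host)                 # raises ValueError for anything else
    return ["ping", "-c", "1", host]


def shell_tokens(command_line):
    """Tokenize the unsafe string the way a POSIX shell would (nothing is run)."""
    return list(shlex.shlex(command_line, posix=True, punctuation_chars=True))


if __name__ == "__main__":
    print(validate_order({"username": "alice", "quantity": " 5 ", "region": "us-east"}))
    print(validation_errors({"username": "Bob;", "quantity": "0", "region": "mars"}))
    print(shell_tokens(ping_command_unsafe("127.0.0.1; cat /etc/passwd")))
    print(ping_command_safe("127.0.0.1"))
```

The two ping helpers are the heart of the interpreter prescreen: the unsafe one lets the shell see the user's bytes, so a host of `127.0.0.1; cat /etc/passwd` tokenizes into a second command; the safe one first requires an IP literal and then never involves a shell at all, so even a value that slipped past the check would reach `ping` as one opaque argument.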
SI-11 ERROR HANDLING
Control
The information system identifies and handles error conditions in an expeditious manner.
Supplemental Guidance
The structure and content of error messages should be carefully considered by the organization. User error messages generated by the information system should provide timely and useful information to users without revealing information that could be exploited by adversaries. System error messages should be revealed only to authorized personnel (e.g., systems administrators, maintenance personnel). Sensitive information (e.g., account numbers, social security numbers, and credit card numbers) should not be listed in error logs or associated administrative messages. The extent to which the information system is able to identify and handle error conditions should be guided by organizational policy and operational requirements.
Control Enhancements
None.
LOW: Not Selected | MOD: SI-11 | HIGH: SI-11
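The guidance draws three lines: the user sees a timely but uninformative message, the administrator sees the detail, and sensitive values appear in neither. The added example below (not code from SP 800-53) implements all three in one error path: a generic user message carrying only a reference id, an administrator log that receives the exception and traceback, and a formatter that scrubs account, SSN and card numbers from every record before it is written. The log format, the redaction patterns and the failing handler are assumptions.

```python
"""Added example (not from SP 800-53): an error path that gives the user a
terse message with a reference id, keeps the detail for administrators, and
scrubs account, SSN and card numbers before they reach the log (SI-11).
The log format, the patterns and the failing handler are assumptions."""
import io
import logging
import re
import uuid

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
ACCOUNT_RE = re.compile(r"\b(account|acct)[=: ]+\d{6,}\b", re.IGNORECASE)


def redact(text):
    """Replace sensitive values; keep the last four card digits for support use."""
    text = SSN_RE.sub("[SSN]", text)
    text = CARD_RE.sub(lambda m: "[CARD ending %s]" % re.sub(r"\D", "", m.group())[-4:], text)
    text = ACCOUNT_RE.sub(lambda m: m.group(1) + "=[ACCOUNT]", text)
    return text


class RedactingFormatter(logging.Formatter):
    """Scrubbing happens at the formatter, so tracebacks are covered as well."""
    def format(self, record):
        return redact(super().format(record))


def handle_request(handler, log):
    """Run handler(); on failure return a generic message plus a reference id
    and write the real cause to the administrator log only."""
    try:
        return 200, handler()
    except Exception as exc:
        ref = uuid.uuid4().hex[:12]
        log.error("request failed ref=%s %s: %s", ref, type(exc).__name__, exc, exc_info=True)
        return 500, "The request could not be completed. Reference: " + ref


def demo():
    """Return (status, user_message, admin_log_text) for a handler that fails
    with sensitive values in its exception message (constructed data)."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(RedactingFormatter("%(levelname)s %(message)s"))
    log = logging.getLogger("si11.demo")
    log.propagate = False
    log.setLevel(logging.ERROR)
    log.addHandler(handler)
    try:
        acct, ssn, card = "account=123456789", "123-45-6789", "4111 1111 1111 1111"

        def failing_handler():
            raise RuntimeError("ledger lookup failed: %s ssn %s card %s" % (acct, ssn, card))

        status, message = handle_request(failing_handler, log)
    finally:
        log.removeHandler(handler)
    return status, message, stream.getvalue()


if __name__ == "__main__":
    status, message, admin_log = demo()
    print(status, message)
    print(admin_log)
```

The reference id is what ties the two views together: a user quoting it to the help desk lets an administrator find the full record without the user ever having seen the stack trace, the database name, or another customer's account number.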
SI-12 INFORMATION OUTPUT HANDLING AND RETENTION
Control
The organization handles and retains output from the information system in accordance with organizational policy and operational requirements.
Supplemental Guidance
None.
Control Enhancements
None.
LOW
Not Selected
MOD
SI-12
HIGH
