Canadian Program for Cyber Security Certification: Level 1 criteria
This document explains Level 1 cyber security certification assessment requirements.
The goal of the assessment is to make sure organizations preparing to go after defence contracts with the Government of Canada have their security basics covered to protect against known cyber threats.
The assessment checks if an organization’s information security rules are working. It helps to:
- find problems or gaps in security
- find weaknesses in systems
- decide which risks to fix first
- make sure known security problems are fixed
- support regular checks and improve awareness of security risks
Table of contents
- 1. Introduction
- 2. Fundamentals
- 3. Procedures
1. Introduction
This publication is based on the Canadian version of NIST SP 800-171A Rev. 3 Assessing Security Requirements for Controlled Unclassified Information (PDF, 1.2 MB). There are no substantial technical changes between the Canadian document and NIST SP 800-171A Rev. 3. The primary modifications in the Canadian version arise from differences in laws, policies, directives, standards and guidelines. In other words, the changes reflect the distinct Canadian regulatory and compliance landscape; there are no changes to the underlying technical context. This publication focuses solely on the Level 1 assessment criteria.
The security assessment process gathers information and produces evidence to determine the effectiveness of security requirements by:
- identifying potential problems or shortfalls in security and risk management programs
- identifying security weaknesses and deficiencies in systems and the environments in which those systems operate
- prioritizing risk mitigation decisions and activities
- confirming that identified security weaknesses and deficiencies in the system and environment of operation have been addressed
- supporting continuous monitoring activities and providing information security situational awareness
1.01 Purpose
This publication provides a set of procedures to assess the effectiveness of security requirements for protecting the confidentiality of specified information when it resides in non-Government of Canada (GC) systems and organizations. The guidelines apply to the security requirements defined in Protecting specified information in non-GC systems and organizations (ITSP.10.171).
The overarching objective of the assessment is to ensure that the security controls are implemented with sufficient robustness and coverage to address the threat actors that have been identified to be mitigated.
1.02 Audience
This publication is intended for individuals and organizations in the public and private sectors, including those with:
- system development lifecycle responsibilities (for example, program managers, mission/business owners, information custodians, system designers and developers, system/security engineers, system integrators)
- acquisition or procurement responsibilities (for example, contracting officers)
- system, security, privacy or risk management and oversight responsibilities (for example, authorizing officials, chief information officers, chief information security officers, chief privacy officers, system owners, information security managers)
- security or privacy assessment and monitoring responsibilities (for example, auditors, system evaluators, assessors, independent verifiers/validators, analysts)
The above roles and responsibilities can be viewed from 2 perspectives:
- GC perspective: the entity establishing and conveying security assessment requirements in contractual vehicles or other types of agreements
- non-GC perspective: the entity responding to and complying with the security assessment requirements set forth in contracts or agreements
2. Fundamentals
The process used by organizations and assessors to assess the security requirements in ITSP.10.171 includes the following steps:
- Preparing for the assessment
- Developing a security and privacy assessment plan
- Conducting the assessment
- Documenting, analyzing and reporting the assessment results
ITSP.10.033-02 provides additional information on the assessment process and the individual steps listed above.
This section describes the structure and content of the assessment procedures and the importance of assurance cases in providing the evidence necessary to determine compliance with the requirements.
2.01 Assessment procedures
This section explains the structure and content of assessment procedures for the security requirements defined in ITSP.10.171 for Level 1 only. Additional guidance will be released for the entirety of the assessment process in a separate publication.
The security requirements families are:
- Access control
- Awareness and training
- Audit and accountability
- Configuration management
- Identification and authentication
- Incident response
- Maintenance
- Media protection
- Personnel security
- Physical protection
- Risk assessment
- Security assessment and monitoring
- System and communications protection
- System and information integrity
- Planning
- System and services acquisition
- Supply chain risk management
An assessment procedure consists of a set of assessment objectives, each with an associated set of potential assessment methods and objects. The assessment procedures in Section 3: Procedures have been derived from the assessment procedures in ITSP.10.033-02. Security requirement assessments comprise several key elements:
- Assessment objects identify the specific items being assessed as part of a given control or activity and include specifications, mechanisms, procedures and individuals
- Specifications are the document-based artifacts associated with a system-specific or common control or activity. These artifacts include:
- policies
- procedures
- plans
- system security and privacy requirements
- functional specifications
- architectural designs
- Mechanisms are the specific hardware, software or firmware, including physical protection devices, that comprise safeguards and countermeasures employed within a system or common control or activity
- Procedures are the specific protection-related actions supporting a system or common control or activity that involve people (for example, conducting system backup operations, monitoring network traffic, exercising a contingency plan)
- Assessment methods define the nature of the assessor’s actions and include the following:
- Examine: the process of reviewing, inspecting, observing, studying or analyzing 1 or more assessment objects (that is, specifications, mechanisms or procedures) to facilitate assessor understanding, achieve clarification, or obtain evidence
- Interview: the process of holding discussions with individuals or groups of individuals within an organization to facilitate assessor understanding, achieve clarification, or obtain evidence
- Test: the process of exercising 1 or more assessment objects (that is, procedures or mechanisms) under specified conditions to compare the actual state of the object to the desired state or expected behaviour of the object
- Assessment methods have a set of associated attributes—scope and depth—that help define the level of effort for the assessment. The attributes are hierarchical, providing the means to define the scope, depth and rigour of the assessment for the increased assurances that may be needed for some systems
- The depth attribute addresses the rigour of and level of detail in the assessment efforts
- The scope attribute addresses the breadth of the assessment efforts, including the number and types of specifications, mechanisms and procedures to be examined or tested, and individuals to be interviewed
- The level of effort for the assessment is primarily determined by the privacy risk assessment or security categorization of the system or common control or activity being assessed, as described in ITSP.10.036. The values for these attributes range from security assurance level (SAL) 1 to SAL 5 (the SALs are defined in ITSP.10.037)
- The appropriate attribute values for a particular assessment method are based on the assurance requirements specified by the organization and are an important component of protecting information commensurate with risk—this is known as risk management
The structure and content of assessment procedures include the following elements:
- Determination statements have alphanumeric identifiers. Each determination statement begins with the letter "A" to indicate that it is part of an assessment procedure
- The next sequence of numbers or letters (for example, 03.01.01.e or 03.01.01.f.02) indicates the security requirement identifier from ITSP.10.171 (and the specific control item if it is a multi-part requirement) that is the target of the assessment
- Organization-defined parameters are indicated by the letters "ODP." If there are multiple ODPs in the determination statement, the ODP number is indicated in a square bracket (for example, A.03.01.08.ODP[01])
- Square brackets are also used to denote when an assessment procedure further decomposes a requirement into more granular determination statements (for example, A.03.01.12.a[01], A.03.01.12.a[02], A.03.01.12.a[03])
- Applying an assessment procedure to a security requirement produces assessment results or findings. Findings are compiled and used as evidence to determine whether the security requirement has been satisfied or other than satisfied
- A finding of satisfied indicates that the assessment objective has been met, producing a fully acceptable result
- A finding of other than satisfied indicates that there are potential anomalies that may need to be addressed by the organization. A finding of other than satisfied may also indicate that the assessor was unable to obtain sufficient information to make the determination called for in the determination statement
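As an added illustration, not part of this publication: the identifier format described above (requirement number, optional control item, optional sub-item, and an optional square-bracketed ODP or decomposition number) can be parsed mechanically so that findings recorded against individual determination statements can be rolled up to the ITSP.10.171 requirement they assess. The identifiers used below are taken from this document; the field names and the grouping function are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Identifier format as described in Section 2.01:
#   A.<requirement>[.<item>][.<sub-item>][[<index>]]
# <item> is a lowercase control-item letter or the literal "ODP",
# <sub-item> is a two-digit number (multi-part items such as c.01), and
# [<index>] is a square-bracketed two-digit number (an ODP number, or a
# further decomposition of the statement such as a[01], a[02]).
_ID_RE = re.compile(
    r"^A\.(?P<req>\d{2}\.\d{2}\.\d{2})"
    r"(?:\.(?P<item>ODP|[a-z]))?"
    r"(?:\.(?P<sub>\d{2}))?"
    r"(?:\[(?P<idx>\d{2})\])?$"
)


@dataclass(frozen=True)
class DeterminationId:
    requirement: str          # ITSP.10.171 requirement, e.g. "03.01.12"
    item: Optional[str]       # control-item letter, or "ODP"
    sub_item: Optional[str]   # two-digit sub-item, e.g. "02" in f.02
    index: Optional[str]      # bracketed number, e.g. "01" in a[01]

    @property
    def is_odp(self) -> bool:
        return self.item == "ODP"


def parse_determination_id(text: str) -> DeterminationId:
    """Parse one identifier; raise ValueError for anything outside the format."""
    m = _ID_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a determination statement identifier: {text!r}")
    return DeterminationId(m["req"], m["item"], m["sub"], m["idx"])


def group_by_requirement(ids):
    """Map each ITSP.10.171 requirement to its determination statements.
    ODP definitions are excluded: they set parameters rather than produce
    a satisfied / other than satisfied finding of their own (assumed
    convention for this example)."""
    groups = {}
    for raw in ids:
        did = parse_determination_id(raw)
        if did.is_odp:
            continue
        groups.setdefault(did.requirement, []).append(raw)
    return groups


if __name__ == "__main__":
    sample = ["A.03.01.01.ODP[01]", "A.03.01.01.a[01]", "A.03.01.01.f.02",
              "A.03.01.02[01]", "A.03.01.20.ODP", "A.03.08.03"]
    for raw in sample:
        print(raw, parse_determination_id(raw))
    print(group_by_requirement(sample))
```

The regular expression deliberately rejects identifiers that omit the leading "A." or use a bracket index of the wrong width, so a tracking spreadsheet built on it will surface transcription errors rather than silently creating a new requirement group.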
2.02 Assurance cases
Building an effective assurance case for control effectiveness and quality of activity execution involves compiling evidence from various assurance procedures conducted during the system lifecycle. The evidence comes from the implementation of the security and privacy controls and activities in the system and inherited by the system (common controls) and from the assessment of that implementation.
Assurance activities can be performed at 2 different levels:
- they can be related to a specific control, in support of a specific product or security mechanism
- they can support the system as a whole to assess its development and the integration of the controls in the system
Assurance activities that support system development are intended to improve the design, architecture, and engineering outcomes. The assurance activities that were labelled as "activities" in ITSP.10.033 function as such.
Assessing a control or an activity is an assurance procedure. When evaluating an assurance activity, as defined in ITSP.10.033, the focus is on assessing the quality of its execution. This process is described in detail in ITSP.10.037.
Together, strength and assurance define the requirements that must be met in the implementation of a control to satisfy the control’s security or privacy objective.
The security or privacy strength is related to the implemented control’s potential ability to protect the confidentiality, integrity or availability of assets. As the strength increases, so does the effort or cost required by the threat actor to defeat the implemented control.
The protective potential of a control can be fulfilled only when it is implemented with adequate assurance.
Assurance consists of confidence-building tasks aimed at ensuring that a control is designed and implemented correctly and is operating as intended, or that an assurance activity is properly executed. Assurance also includes tasks that ensure that all controls in system design, implementation and operation satisfy the business needs for security and privacy.
Assurance is provided through tasks completed by system developers, implementers, operators, maintainers, and security and privacy assessors. Additional effort in the scope and depth of these tasks increases assurance by strengthening the evidence and the resulting measures of confidence. Rigour and depth usually follow the same trajectory: when one is increased, the other should also be increased.
Robustness is a characterization of the strength and assurance of a security or privacy control. The strength is related to the control’s potential ability to protect the confidentiality, integrity or availability of assets. Assurance activities, as outlined in the catalogue, are assigned an assurance level only, not a robustness level.
A control incorporates a strength element when it mitigates a specific tradecraft. Since assurance activities do not directly counter tradecraft, the concept of strength is not applicable. The assurance of a control is related to the confidence that the control is designed and implemented correctly, is operating as intended, and is achieving the intended results in fulfilling the system and organizational security and privacy requirements.
For example, a security control that is conceptually strong (such as a multi-factor authentication [MFA] mechanism) but comes with no assurance (such as where there is no evidence like a security review or vulnerability testing to demonstrate the quality of its implementation) will have a lower effective robustness than a similar system that has higher assurance (like when a mechanism has been validated by undergoing rigorous testing and validation to confirm its security).
Controls that protect more sensitive or critical assets, or that are exposed to more significant threats, will generally require stronger security or privacy solutions, more assurance in their implementation, and higher levels of robustness.
The robustness model defines a hierarchy of robustness levels that are based on expected injury and threat levels. ITSP.10.037 and ITSP.80.032 provide more information on the robustness model.
The coverage assessment of a control answers the following questions:
- Does the control adequately safeguard the desired assets or other related controls that it supports?
- Is the control properly applied throughout the system?
For example, if an organization has a perimeter and builds a fence (control) to secure only three-quarters of the perimeter, leaving one-quarter unprotected, the security provided by the fence is incomplete. The unprotected quarter undermines the effectiveness of the secured sections, rendering the overall perimeter vulnerable.
An assessment must consider more than just the presence of a control. While the response to a question about whether a control exists is "Yes, there is a fence," the critical question is, "Does the control provide appropriate coverage?" In this case, the answer is no, as the coverage is insufficient. This illustrates the importance of evaluating the adequacy and effectiveness of the control’s implementation.
3. Procedures
This section provides assessment procedures for the security requirements defined in ITSP.10.171 for Level 1 only. Organizations that conduct security requirement assessments can develop their security assessment plans by using the information provided in the assessment procedures and selecting the specific assessment methods and objects that meet the organization’s needs. Organizations also have flexibility in defining the level of rigour and detail associated with the assessment based on the assurance requirements of the organization.
3.01 Access control
The controls in the Access control family support the ability to permit or deny user access to resources within the system.
03.01.01 Account management
ODPs:
A.03.01.01.ODP[01]: the time period for account inactivity before disabling is defined
A.03.01.01.ODP[02]: the time period within which to notify account managers and designated personnel or roles when accounts are no longer required is defined
A.03.01.01.ODP[03]: the time period within which to notify account managers and designated personnel or roles when users are terminated or transferred is defined
A.03.01.01.ODP[04]: the time period within which to notify account managers and designated personnel or roles when system usage or the need-to-know changes for an individual is defined
A.03.01.01.ODP[05]: the time period of expected inactivity requiring users to log out of the system is defined
A.03.01.01.ODP[06]: circumstances requiring users to log out of the system are defined
Determine if:
A.03.01.01.a[01]: system account types allowed are defined
A.03.01.01.a[02]: system account types prohibited are defined
A.03.01.01.b[01]: system accounts are created in accordance with organizational policy, procedures, prerequisites, and criteria
A.03.01.01.b[02]: system accounts are enabled in accordance with organizational policy, procedures, prerequisites, and criteria
A.03.01.01.b[03]: system accounts are modified in accordance with organizational policy, procedures, prerequisites, and criteria
A.03.01.01.b[04]: system accounts are disabled in accordance with organizational policy, procedures, prerequisites, and criteria
A.03.01.01.b[05]: system accounts are removed in accordance with organizational policy, procedures, prerequisites, and criteria
A.03.01.01.c.01: authorized users of the system are specified
A.03.01.01.c.02: group and role memberships are specified
A.03.01.01.c.03: access authorizations (in other words, privileges) for each account are specified
A.03.01.01.d.01: access to the system is authorized based on a valid access authorization
A.03.01.01.d.02: access to the system is authorized based on intended system usage
A.03.01.01.e: the use of system accounts is monitored
A.03.01.01.f.01: system accounts are disabled when the accounts have expired
A.03.01.01.f.02: system accounts are disabled when the accounts have been inactive for <A.03.01.01.ODP[01]: time period>
A.03.01.01.f.03: system accounts are disabled when the accounts are no longer associated with a user or individual
A.03.01.01.f.04: system accounts are disabled when the accounts violate organizational policy
A.03.01.01.f.05: system accounts are disabled when significant risks associated with individuals are discovered
A.03.01.01.g.01: account managers and designated personnel or roles are notified within <A.03.01.01.ODP[02]: time period> when accounts are no longer required
A.03.01.01.g.02: account managers and designated personnel or roles are notified within <A.03.01.01.ODP[03]: time period> when users are terminated or transferred
A.03.01.01.g.03: account managers and designated personnel or roles are notified within <A.03.01.01.ODP[04]: time period> when system usage or the need-to-know changes for an individual
A.03.01.01.h: users are required to log out of the system after <A.03.01.01.ODP[05]: time period> of expected inactivity or when the following circumstances occur: <A.03.01.01.ODP[06]: circumstances>
Potential assessment methods and objects
Examine
[Select from: access control policy and procedures; personnel termination or transfer policies and procedures; procedures for account management; list of active system accounts and the name of the individual associated with each account; system design documentation; list of conditions for group and role membership; system configuration settings; notifications of recent transfers, separations, or terminations of employees; list of recently disabled system accounts and the name of the individual associated with each account; list of user activities that pose significant organizational risks; access authorization records; account management compliance reviews; system monitoring and audit records; system security plan; privacy plan; system-generated list of accounts removed; system-generated list of emergency accounts disabled; system-generated list of disabled accounts; other relevant documents and records]
Interview
[Select from: personnel with account management responsibilities; system administrators; personnel with information security and privacy responsibilities; system developers]
Test
[Select from: processes for account management on the system; mechanisms for implementing account management]
References
Source assessment procedures: AC-02, AC-02(03), AC-02(05), AC-02(13)
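As an added illustration, not part of this publication: the Test method for this requirement includes exercising the mechanisms for account management, and an assessor can do part of that by running the account inventory that the Examine method calls for against the determination statements. The script below, written for this example rather than taken from any product, evaluates A.03.01.01.f.01 to f.03 (expired, inactive beyond ODP[01], and unassociated accounts that are still enabled) over a constructed sample inventory and reports each statement as satisfied or other than satisfied. The account fields, the 90-day value used for ODP[01], and the rule that a never-used account counts as inactive are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


# Constructed account inventory (not real data): the kind of "list of active
# system accounts and the name of the individual associated with each account"
# that the Examine method asks for. Field names are assumptions for this example.
@dataclass
class Account:
    name: str
    enabled: bool
    owner: Optional[str]          # individual associated with the account
    last_logon: Optional[date]    # None means the account has never logged on
    expires: Optional[date]       # None means no expiry is set


def assess_account_disabling(accounts, as_of: date, odp01_inactivity: timedelta):
    """Evaluate A.03.01.01.f.01 to f.03 against an account inventory.
    Returns {determination statement id: offending account names}; an empty
    list means the statement is satisfied for this inventory."""
    findings = {"A.03.01.01.f.01": [], "A.03.01.01.f.02": [], "A.03.01.01.f.03": []}
    for acct in accounts:
        if not acct.enabled:
            continue  # an already disabled account cannot violate a "must be disabled" statement
        # f.01: expired accounts must be disabled
        if acct.expires is not None and acct.expires < as_of:
            findings["A.03.01.01.f.01"].append(acct.name)
        # f.02: accounts inactive for longer than ODP[01] must be disabled.
        # A never-used account is treated as inactive (assumption for this
        # example; the creation date is not in the inventory).
        if acct.last_logon is None or as_of - acct.last_logon > odp01_inactivity:
            findings["A.03.01.01.f.02"].append(acct.name)
        # f.03: accounts no longer associated with an individual must be disabled
        if not acct.owner:
            findings["A.03.01.01.f.03"].append(acct.name)
    return findings


def determination(findings):
    """Roll findings up to the two outcomes defined in Section 2.01."""
    return {sid: ("satisfied" if not names else "other than satisfied")
            for sid, names in findings.items()}


SAMPLE_AS_OF = date(2025, 3, 1)
SAMPLE_ODP01 = timedelta(days=90)   # assumed ODP[01] value for this example
SAMPLE_ACCOUNTS = [                 # constructed sample data
    Account("jdoe", True, "J. Doe", date(2025, 2, 20), None),
    Account("contractor7", True, "Contractor 7", date(2024, 9, 1), date(2024, 12, 31)),
    Account("svc-legacy", True, None, date(2025, 1, 15), None),
    Account("old-intern", False, "Former intern", date(2024, 1, 1), None),
    Account("newhire", True, "New Hire", None, None),
]


def sample_assessment():
    """Run the check over the constructed inventory (used by the demo below)."""
    return assess_account_disabling(SAMPLE_ACCOUNTS, SAMPLE_AS_OF, SAMPLE_ODP01)


if __name__ == "__main__":
    f = sample_assessment()
    for sid, outcome in determination(f).items():
        print(sid, outcome, f[sid])
```

Each offending account name is kept alongside the statement it fails, so the same run produces both the finding and the evidence the assessor attaches to it. Substituting the organization's actual ODP[01] value and an export of its real account list turns this into a repeatable check for continuous monitoring.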
03.01.02 Access enforcement
Determine if:
A.03.01.02[01]: approved authorizations for logical access to specified information are enforced in accordance with applicable access control policies
A.03.01.02[02]: approved authorizations for logical access to system resources are enforced in accordance with applicable access control policies
Potential assessment methods and objects
Examine
[Select from: access control policy and procedures; procedures for access enforcement; system design documentation; system configuration settings; list of approved authorizations (in other words, user privileges); system audit records; system security plan; other relevant documents or records]
Interview
[Select from: personnel with access enforcement responsibilities; system administrators; personnel with information security responsibilities; system developers]
Test
[Select from: mechanisms for implementing the access control policy]
References
Source assessment procedure: AC-03
03.01.20 Use of external systems
ODP:
A.03.01.20.ODP: security requirements to be satisfied on external systems prior to allowing the use of or access to those systems by authorized individuals are defined
Determine if:
A.03.01.20.a: the use of external systems is prohibited unless the systems are specifically authorized
A.03.01.20.b: the following security requirements to be satisfied on external systems prior to allowing the use of or access to those systems by authorized individuals are established: <A.03.01.20.ODP: security requirements>
A.03.01.20.c.01: authorized individuals are permitted to use external systems to access the organizational system or to process, store, or transmit specified information only after verifying that the security requirements on the external systems as specified in the organization’s system security plans have been satisfied
A.03.01.20.c.02: authorized individuals are permitted to use external systems to access the organizational system or to process, store, or transmit specified information only after retaining approved system connection or processing agreements with the organizational entity hosting the external systems
A.03.01.20.d: the use of organization-controlled portable storage devices by authorized individuals on external systems is restricted
Potential assessment methods and objects
Examine
[Select from: access control policy and procedures; procedures for the use of external systems; terms and conditions for the use of external systems; external systems security requirements; list of types of applications accessible from external systems; system configuration settings; system security plan; other relevant documents or records]
Interview
[Select from: personnel with responsibilities for defining terms, conditions, and security requirements for the use of external systems; personnel with information security responsibilities; system administrators]
Test
[Select from: mechanisms for implementing or enforcing terms, conditions, and security requirements for the use of external systems]
References
Source assessment procedures: AC-20, AC-20(01), AC-20(02)
03.01.22 Publicly accessible content
Determine if:
A.03.01.22.a: authorized individuals are trained to ensure that publicly accessible information does not contain specified information
A.03.01.22.b[01]: the content on publicly accessible systems is reviewed for specified information
A.03.01.22.b[02]: specified information is removed from publicly accessible systems, if discovered
Potential assessment methods and objects
Examine
[Select from: access control policy and procedures; procedures for publicly accessible content; list of users authorized to post publicly accessible content on organizational systems; training materials or records; records of publicly accessible information reviews; records of response to specified information discovered on public websites; system audit logs; security awareness training records; system security plan; other relevant documents or records]
Interview
[Select from: personnel with responsibilities for managing publicly accessible information posted on organizational systems; personnel with information security responsibilities]
Test
[Select from: mechanisms for implementing the management of publicly accessible content]
References
Source assessment procedure: AC-22
3.05 Identification and authentication
The Identification and authentication controls support the unique identification of users, processes acting on behalf of users and devices. They also support the authentication or verification of the identities of those users, processes or devices as a prerequisite to allowing access to organizational systems.
03.05.01 User identification, authentication, and re-authentication
ODP:
A.03.05.01.ODP: circumstances or situations that require re-authentication are defined
Determine if:
A.03.05.01.a[01]: system users are uniquely identified
A.03.05.01.a[02]: system users are authenticated
A.03.05.01.a[03]: processes acting on behalf of users are associated with uniquely identified and authenticated system users
A.03.05.01.b: users are re-authenticated when <A.03.05.01.ODP: circumstances or situations>
Potential assessment methods and objects
Examine
[Select from: identification and authentication policy and procedures; list of circumstances or situations requiring re-authentication; system design documentation; system configuration settings; system audit records; list of system accounts; system security plan; other relevant documents or records]
Interview
[Select from: personnel with identification and authentication responsibilities; personnel with system operations responsibilities; personnel with account management responsibilities; system developers; personnel with information security responsibilities; system administrators]
Test
[Select from: processes for uniquely identifying and authenticating users; mechanisms for supporting or implementing identification and authentication capabilities]
References
Source assessment procedures: IA-02, IA-11
03.05.02 Device identification and authentication
ODP:
A.03.05.02.ODP: devices or types of devices to be uniquely identified and authenticated before establishing a connection are defined
Determine if:
A.03.05.02[01]: <A.03.05.02.ODP: devices or types of devices> are uniquely identified before establishing a system connection
A.03.05.02[02]: <A.03.05.02.ODP: devices or types of devices> are authenticated before establishing a system connection
Potential assessment methods and objects
Examine
[Select from: identification and authentication policy and procedures; procedures for device identification and authentication; system design documentation; list of devices requiring unique identification and authentication; device connection reports; system configuration settings; system security plan; other relevant documents or records]
Interview
[Select from: personnel with responsibilities for device identification and authentication; personnel with information security responsibilities; system developers; system administrators]
Test
[Select from: mechanisms for supporting or implementing device identification and authentication capabilities]
References
Source assessment procedure: IA-03
03.05.03 Multi-factor authentication
Determine if:
A.03.05.03[01]: strong multi-factor authentication for access to privileged accounts is implemented
A.03.05.03[02]: strong multi-factor authentication for access to non-privileged accounts is implemented
Potential assessment methods and objects
Examine
[Select from: identification and authentication policy and procedures; system design documentation; list of system accounts; system configuration settings; system audit records; system security plan; other relevant documents or records]
Interview
[Select from: personnel with system operations responsibilities; personnel with account management responsibilities; personnel with information security responsibilities; system developers; system administrators]
Test
[Select from: mechanisms for supporting or implementing a multi-factor authentication capability]
References
Source assessment procedures: IA-02(01), IA-02(02)
3.08 Media protection
The Media protection controls support the protection of system media throughout their lifecycle. They help limit access to information on system media to authorized users and sanitize or destroy system media before disposal or release for reuse.
03.08.03 Media sanitization
Determine if:
A.03.08.03: system media that contain specified information are sanitized prior to disposal, release out of organizational control, or release for reuse
Potential assessment methods and objects
Examine
[Select from: media protection policy and procedures; procedures for media sanitization and disposal; applicable standards and policies that address media sanitization policy; system audit records; media sanitization records; system design documentation; system configuration settings; records retention and disposition policy; records retention and disposition procedures; system security plan; privacy plan; other relevant documents or records]
Interview
[Select from: personnel with media sanitization responsibilities; personnel with records retention and disposition responsibilities; personnel with information security and privacy responsibilities; system administrators]
Test
[Select from: processes for media sanitization; mechanisms for supporting or implementing media sanitization]
References
Source assessment procedure: MP-06
3.10 Physical protection
The Physical protection controls support the control of physical access to systems, equipment, and the respective operating environments to authorized individuals. They facilitate the protection of the physical plant and support infrastructure for systems, the protection of systems against environmental hazards, and provide appropriate environmental controls in facilities containing systems.
03.10.01 Physical access authorizations
ODP:
A.03.10.01.ODP: the frequency at which to review the access list detailing authorized physical access by individuals is defined
Determine if:
A.03.10.01.a[01]: a list of individuals with authorized access to the facility where the system resides is developed
A.03.10.01.a[02]: a list of individuals with authorized access to the facility where the system resides is approved
A.03.10.01.a[03]: a list of individuals with authorized access to the facility where the system resides is maintained
A.03.10.01.b: authorization credentials for facility access are issued
A.03.10.01.c: the physical access list is reviewed <A.03.10.01.ODP: frequency>
A.03.10.01.d: individuals from the physical access list are removed when access is no longer required
Potential assessment methods and objects
Examine
[Select from: physical protection policy and procedures; procedures for physical access authorizations; authorized personnel access list; physical access list reviews; physical access termination records; authorization credentials; system security plan; other relevant documents or records]
Interview
[Select from: personnel with physical access authorization responsibilities; personnel with physical access to the facility where the system resides; personnel with information security responsibilities]
Test
[Select from: processes for physical access authorizations; mechanisms for supporting or implementing physical access authorizations]
References
Source assessment procedure: PE-02
03.10.07 Physical access control
Determine if:
A.03.10.07.a.01: physical access authorizations are enforced at entry and exit points to the facility where the system resides by verifying individual physical access authorizations before granting access
A.03.10.07.a.02: physical access authorizations are enforced at entry and exit points to the facility where the system resides by controlling ingress and egress with physical access control systems, devices, or guards
A.03.10.07.b: physical access audit logs for entry or exit points are maintained
A.03.10.07.c[01]: visitors are escorted
A.03.10.07.c[02]: visitor activity is controlled
A.03.10.07.d: keys, combinations, and other physical access devices are secured
A.03.10.07.e: physical access to output devices is controlled to prevent unauthorized individuals from obtaining access to specified information
Potential assessment methods and objects
Examine
[Select from: physical protection policy and procedures; procedures for physical access control; physical access control logs or records; inventory records of physical access control devices; system entry and exit points; records of key and lock combination changes; storage locations for physical access control devices; physical access control devices; list of security safeguards controlling access to designated publicly accessible areas within the facility; system security plan; other relevant documents or records]
Interview
[Select from: personnel with physical access control responsibilities; personnel with information security responsibilities]
Test
[Select from: processes for physical access control; mechanisms for supporting or implementing physical access control; physical access control devices]
References
Source assessment procedure: PE-03, PE-05
3.13 System and communications protection
The System and communications protection controls support the monitoring, control and protection of the systems themselves and of the communications between and within the systems.
03.13.01 Boundary protection
Determine if:
A.03.13.01.a[01]: communications at external managed interfaces to the system are monitored
A.03.13.01.a[02]: communications at external managed interfaces to the system are controlled
A.03.13.01.a[03]: communications at key internal managed interfaces within the system are monitored
A.03.13.01.a[04]: communications at key internal managed interfaces within the system are controlled
A.03.13.01.b: subnetworks are implemented for publicly accessible system components that are physically or logically separated from internal networks
A.03.13.01.c: external system connections are only made through managed interfaces that consist of boundary protection devices arranged in accordance with an organizational security architecture
Potential assessment methods and objects
Examine
[Select from: system and communications protection policy and procedures; procedures for boundary protection; list of key internal boundaries within the system; boundary protection hardware and software; system configuration settings; security architecture; system audit records; system design documentation; enterprise security architecture documentation; system security plan; other relevant documents or records]
Interview
[Select from: personnel with boundary protection responsibilities; personnel with information security responsibilities; system developers; system administrators]
Test
[Select from: mechanisms for implementing boundary protection capabilities]
References
Source assessment procedure: SC-07
3.14 System and information integrity
The System and information integrity controls support the protection of the integrity of system components and the data they process. They allow an organization to identify, report and correct data and system flaws in a timely manner, to provide protection against malicious code, and to monitor system security alerts and advisories and take appropriate actions in response.
03.14.01 Flaw remediation
ODPs:
A.03.14.01.ODP[01]: the time period within which to install security-relevant software updates after the release of the updates is defined
A.03.14.01.ODP[02]: the time period within which to install security-relevant firmware updates after the release of the updates is defined
Determine if:
A.03.14.01.a[01]: system flaws are identified
A.03.14.01.a[02]: system flaws are reported
A.03.14.01.a[03]: system flaws are corrected
A.03.14.01.b[01]: security-relevant software updates are installed within <A.03.14.01.ODP[01]: time period> of the release of the updates
A.03.14.01.b[02]: security-relevant firmware updates are installed within <A.03.14.01.ODP[02]: time period> of the release of the updates
Potential assessment methods and objects
Examine
[Select from: system and information integrity policy and procedures; procedures for flaw remediation; procedures for configuration management; list of recent security flaw remediation actions performed on the system; list of flaws and vulnerabilities that may potentially affect the system; test results from the installation of software and firmware updates to correct system flaws; installation and change control records for security-relevant software and firmware updates; system security plan; privacy plan; other relevant documents or records]
Interview
[Select from: personnel responsible for installing, configuring, or maintaining the system; personnel responsible for flaw remediation; personnel with configuration management responsibilities; personnel with information security and privacy responsibilities; system administrators]
Test
[Select from: processes for identifying, reporting, and correcting system flaws; processes for installing software and firmware updates; mechanisms for supporting or implementing the reporting and correction of system flaws; mechanisms for supporting or implementing the testing of software and firmware updates]
References
Source assessment procedure: SI-02
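One way an assessor (or an organization preparing evidence) can evaluate objectives A.03.14.01.b[01] and b[02] against the defined ODP time periods, as an added example that is not part of this publication: the ODP values, update records and assessment date below are constructed placeholders, and an organization substitutes the values from its own system security plan and change control records.

```python
from datetime import date, timedelta

# Constructed ODP values for A.03.14.01.ODP[01] (software) and ODP[02] (firmware),
# expressed in days. Real values come from the organization's system security plan.
ODP_TIME_PERIODS = {"software": 30, "firmware": 60}

# Constructed change control records: release date of a security-relevant update
# and the date it was installed (None means not yet installed).
SAMPLE_UPDATES = [
    {"id": "sw-001", "kind": "software", "released": date(2024, 1, 2), "installed": date(2024, 1, 20)},
    {"id": "sw-002", "kind": "software", "released": date(2024, 1, 5), "installed": date(2024, 2, 15)},
    {"id": "fw-001", "kind": "firmware", "released": date(2024, 1, 10), "installed": None},
    {"id": "fw-002", "kind": "firmware", "released": date(2024, 2, 1), "installed": None},
]

# Constructed date on which the assessment is performed.
ASSESSMENT_DATE = date(2024, 3, 15)


def assess_flaw_remediation(updates, odp_days, as_of):
    """Return a finding per objective ('satisfied' or 'other than satisfied')
    together with the records that missed the defined time period and by how many days."""
    objective = {"software": "A.03.14.01.b[01]", "firmware": "A.03.14.01.b[02]"}
    findings = {obj: {"result": "satisfied", "exceptions": []} for obj in objective.values()}
    for u in updates:
        obj = objective[u["kind"]]
        deadline = u["released"] + timedelta(days=odp_days[u["kind"]])
        if u["installed"] is not None:
            # Installed: late only if installation happened after the deadline
            late = u["installed"] > deadline
        else:
            # Not yet installed: a finding only once the deadline has passed on the assessment date
            late = as_of > deadline
        if late:
            days_over = ((u["installed"] or as_of) - deadline).days
            findings[obj]["result"] = "other than satisfied"
            findings[obj]["exceptions"].append((u["id"], days_over))
    return findings


if __name__ == "__main__":
    for obj, finding in assess_flaw_remediation(SAMPLE_UPDATES, ODP_TIME_PERIODS, ASSESSMENT_DATE).items():
        print(obj, finding["result"], finding["exceptions"])
```

Records still inside their time period (fw-002 above) produce no finding yet, so the check should be re-run at each assessment date rather than treated as a one-time result.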
03.14.02 Malicious code protection
ODP:
A.03.14.02.ODP: the frequency at which malicious code protection mechanisms perform scans is defined
Determine if:
A.03.14.02.a[01]: malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code
A.03.14.02.a[02]: malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code
A.03.14.02.b: malicious code protection mechanisms are updated as new releases are available in accordance with configuration management policy and procedures
A.03.14.02.c.01[01]: malicious code protection mechanisms are configured to perform scans of the system <A.03.14.02.ODP: frequency>
A.03.14.02.c.01[02]: malicious code protection mechanisms are configured to perform real-time scans of files from external sources at endpoints or system entry and exit points as the files are downloaded, opened, or executed
A.03.14.02.c.02: malicious code protection mechanisms are configured to block or quarantine malicious code, or take other mitigation actions in response to malicious code detection
Potential assessment methods and objects
Examine
[Select from: system and information integrity policy and procedures; configuration management policy and procedures; procedures for malicious code protection; records of malicious code protection updates; system design documentation; system configuration settings; scan results from malicious code protection mechanisms; record of actions initiated by malicious code protection mechanisms in response to malicious code detection; system audit records; system security plan; other relevant documents or records]
Interview
[Select from: personnel responsible for malicious code protection; personnel with system installation, configuration, or maintenance responsibilities; personnel with information security responsibilities; system administrators]
Test
[Select from: processes for employing, updating, and configuring malicious code protection mechanisms; processes for addressing the detection of false positives and resulting potential impacts; mechanisms for supporting or implementing, employing, updating, and configuring malicious code protection mechanisms; mechanisms for supporting or implementing malicious code scanning and the execution of subsequent actions]
References
Source assessment procedure: SI-03