SI - System and Information Integrity
- Controls Count: 10
- Controls IDs: SI-4 (10), SI-4 (12), SI-4 (14), SI-4 (20), SI-4 (22), SI-5 (1), SI-6, SI-7 (2), SI-7 (5), SI-7 (15)
Controls
SI-4 (10): Visibility of Encrypted Communications
Make provisions so that organization-defined encrypted communications traffic is visible to organization-defined system monitoring tools and mechanisms.
Organizations balance the need to encrypt communications traffic to protect data confidentiality with the need to maintain visibility into such traffic from a monitoring perspective. Organizations determine whether the visibility requirement applies to internal encrypted traffic, encrypted traffic intended for external destinations, or a subset of the traffic types.
provisions are made so that organization-defined encrypted communications traffic is visible to organization-defined system monitoring tools and mechanisms.
System and information integrity policy
system and information integrity procedures
procedures addressing system monitoring tools and techniques
system design documentation
system monitoring tools and techniques documentation
system configuration settings and associated documentation
system protocols
system security plan
other relevant documents or records
System/network administrators
organizational personnel with information security responsibilities
organizational personnel installing, configuring, and/or maintaining the system
organizational personnel responsible for monitoring the system
organizational personnel responsible for the intrusion detection system
Organizational processes for intrusion detection and system monitoring
mechanisms supporting and/or implementing intrusion detection and system monitoring capabilities
mechanisms supporting and/or implementing the visibility of encrypted communications traffic to monitoring tools
SI-4 (12): Automated Organization-generated Alerts
Alert organization-defined personnel or roles using organization-defined automated mechanisms when the following indications of inappropriate or unusual activities with security or privacy implications occur: organization-defined activities that trigger alerts.
Organizational personnel on the system alert notification list include system administrators, mission or business owners, system owners, senior agency information security officer, senior agency official for privacy, system security officers, or privacy officers. Automated organization-generated alerts are the security alerts generated by organizations and transmitted using automated means. The sources for organization-generated alerts are focused on other entities such as suspicious activity reports and reports on potential insider threats. In contrast to alerts generated by the organization, alerts generated by the system in SI-4(5) focus on information sources that are internal to the systems, such as audit records.
organization-defined personnel or roles is/are alerted using organization-defined automated mechanisms when organization-defined activities that trigger alerts indicate inappropriate or unusual activities with security or privacy implications.
System and information integrity policy
system and information integrity procedures
procedures addressing system monitoring tools and techniques
system design documentation
system monitoring tools and techniques documentation
system configuration settings and associated documentation
list of inappropriate or unusual activities with security and privacy implications that trigger alerts
suspicious activity reports
alerts provided to security and privacy personnel
system monitoring logs or records
system audit records
system security plan
privacy plan
other relevant documents or records
System/network administrators
organizational personnel with information security and privacy responsibilities
system developers
organizational personnel installing, configuring, and/or maintaining the system
organizational personnel responsible for monitoring the system
organizational personnel responsible for the intrusion detection system
Organizational processes for intrusion detection and system monitoring
automated mechanisms supporting and/or implementing intrusion detection and system monitoring capabilities
automated mechanisms supporting and/or implementing automated alerts to security personnel
SI-4 (14): Wireless Intrusion Detection
Employ a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises or breaches to the system.
Wireless signals may radiate beyond organizational facilities. Organizations proactively search for unauthorized wireless connections, including the conduct of thorough scans for unauthorized wireless access points. Wireless scans are not limited to those areas within facilities containing systems but also include areas outside of facilities to verify that unauthorized wireless access points are not connected to organizational systems.
a wireless intrusion detection system is employed to identify rogue wireless devices;
a wireless intrusion detection system is employed to detect attack attempts on the system;
a wireless intrusion detection system is employed to detect potential compromises or breaches to the system.
System and information integrity policy
system and information integrity procedures
procedures addressing system monitoring tools and techniques
system design documentation
system monitoring tools and techniques documentation
system configuration settings and associated documentation
system protocols
system audit records
system security plan
other relevant documents or records
System/network administrators
organizational personnel with information security responsibilities
organizational personnel installing, configuring, and/or maintaining the system
organizational personnel responsible for monitoring the system
organizational personnel responsible for the intrusion detection system
Organizational processes for intrusion detection
mechanisms supporting and/or implementing a wireless intrusion detection capability
SI-4 (20): Privileged Users
Implement the following additional monitoring of privileged users: organization-defined additional monitoring.
Privileged users have access to more sensitive information, including security-related information, than the general user population. Access to such information means that privileged users can potentially do greater damage to systems and organizations than non-privileged users. Therefore, implementing additional monitoring on privileged users helps to ensure that organizations can identify malicious activity at the earliest possible time and take appropriate actions.
organization-defined additional monitoring of privileged users is implemented.
System and information integrity policy
system and information integrity procedures
procedures addressing system monitoring tools and techniques
system design documentation
system monitoring tools and techniques documentation
system configuration settings and associated documentation
system monitoring logs or records
system audit records
system security plan
other relevant documents or records
System/network administrators
organizational personnel with information security responsibilities
organizational personnel installing, configuring, and/or maintaining the system
organizational personnel responsible for monitoring the system
Organizational processes for system monitoring
mechanisms supporting and/or implementing a system monitoring capability
SI-4 (22): Unauthorized Network Services
Detect network services that have not been authorized or approved by organization-defined authorization or approval processes; and
Audit and/or alert organization-defined personnel or roles (if selected) when detected.
Unauthorized or unapproved network services include services in service-oriented architectures that lack organizational verification or validation and may therefore be unreliable or serve as malicious rogues for valid services.
network services that have not been authorized or approved by organization-defined authorization or approval processes are detected;
auditing and/or alerting of organization-defined personnel or roles (if selected) is/are initiated when network services that have not been authorized or approved by authorization or approval processes are detected.
System and information integrity policy
system and information integrity procedures
procedures addressing system monitoring tools and techniques
system design documentation
system monitoring tools and techniques documentation
system configuration settings and associated documentation
documented authorization/approval of network services
notifications or alerts of unauthorized network services
system monitoring logs or records
system audit records
system security plan
other relevant documents or records
System/network administrators
organizational personnel with information security responsibilities
system developer
organizational personnel installing, configuring, and/or maintaining the system
organizational personnel responsible for monitoring the system
Organizational processes for system monitoring
mechanisms supporting and/or implementing a system monitoring capability
mechanisms for auditing network services
mechanisms for providing alerts
SI-5 (1): Automated Alerts and Advisories
Broadcast security alert and advisory information throughout the organization using organization-defined automated mechanisms.
The significant number of changes to organizational systems and environments of operation requires the dissemination of security-related information to a variety of organizational entities that have a direct interest in the success of organizational mission and business functions. Based on information provided by security alerts and advisories, changes may be required at one or more of the three levels related to the management of risk, including the governance level, mission and business process level, and the information system level.
organization-defined automated mechanisms are used to broadcast security alert and advisory information throughout the organization.
System and information integrity policy
system and information integrity procedures
procedures addressing security alerts, advisories, and directives
system design documentation
system configuration settings and associated documentation
automated mechanisms supporting the distribution of security alert and advisory information
records of security alerts and advisories
system audit records
system security plan
other relevant documents or records
Organizational personnel with security alert and advisory responsibilities
organizational personnel implementing, operating, maintaining, and using the system
organizational personnel, organizational elements, and/or external organizations to whom alerts and advisories are to be disseminated
system/network administrators
organizational personnel with information security responsibilities
Organizational processes for defining, receiving, generating, and disseminating security alerts and advisories
automated mechanisms supporting and/or implementing the dissemination of security alerts and advisories
SI-6: Security and Privacy Function Verification
Verify the correct operation of organization-defined security and privacy functions;
Perform the verification of the functions specified in SI-6a at organization-defined system transitional states (if selected), upon command by user with appropriate privilege, and/or at an organization-defined frequency (if selected);
Alert organization-defined personnel or roles to failed security and privacy verification tests; and
Shut the system down, restart the system, and/or perform organization-defined alternative action(s) (if selected) when anomalies are discovered.
Transitional states for systems include system startup, restart, shutdown, and abort. System notifications include hardware indicator lights, electronic alerts to system administrators, and messages to local computer consoles. In contrast to security function verification, privacy function verification ensures that privacy functions operate as expected and are approved by the senior agency official for privacy or that privacy attributes are applied or used as expected.
organization-defined security functions are verified to be operating correctly;
organization-defined privacy functions are verified to be operating correctly;
organization-defined security functions are verified at organization-defined system transitional states (if selected), upon command by user with appropriate privilege, and/or at an organization-defined frequency (if selected);
organization-defined privacy functions are verified at organization-defined system transitional states (if selected), upon command by user with appropriate privilege, and/or at an organization-defined frequency (if selected);
organization-defined personnel or roles is/are alerted to failed security verification tests;
organization-defined personnel or roles is/are alerted to failed privacy verification tests;
shutting the system down, restarting the system, and/or organization-defined alternative action(s) (if selected) is/are initiated when anomalies are discovered.
System and information integrity policy
system and information integrity procedures
procedures addressing security and privacy function verification
system design documentation
system configuration settings and associated documentation
alerts/notifications of failed security verification tests
list of system transition states requiring security functionality verification
system audit records
system security plan
privacy plan
other relevant documents or records
Organizational personnel with security and privacy function verification responsibilities
organizational personnel implementing, operating, and maintaining the system
system/network administrators
organizational personnel with information security and privacy responsibilities
system developer
Organizational processes for security and privacy function verification
mechanisms supporting and/or implementing the security and privacy function verification capability
SI-7 (2): Automated Notifications of Integrity Violations
Employ automated tools that provide notification to organization-defined personnel or roles upon discovering discrepancies during integrity verification.
The employment of automated tools to report system and information integrity violations and to notify organizational personnel in a timely manner is essential to effective risk response. Personnel with an interest in system and information integrity violations include mission and business owners, system owners, senior agency information security official, senior agency official for privacy, system administrators, software developers, systems integrators, information security officers, and privacy officers.
automated tools that provide notification to organization-defined personnel or roles upon discovering discrepancies during integrity verification are employed.
System and information integrity policy
system and information integrity procedures
procedures addressing software, firmware, and information integrity
personally identifiable information processing policy
system design documentation
system configuration settings and associated documentation
integrity verification tools and associated documentation
records of integrity scans
automated tools supporting alerts and notifications for integrity discrepancies
notifications provided upon discovering discrepancies during integrity verifications
system audit records
system security plan
privacy plan
other relevant documents or records
Organizational personnel responsible for software, firmware, and/or information integrity
organizational personnel with information security and privacy responsibilities
system administrators
software developers
Software, firmware, and information integrity verification tools
mechanisms providing integrity discrepancy notifications
SI-7 (5): Automated Response to Integrity Violations
Automatically shut down the system, restart the system, and/or implement organization-defined controls (if selected) when integrity violations are discovered.
Organizations may define different integrity-checking responses by type of information, specific information, or a combination of both. Types of information include firmware, software, and user data. Specific information includes boot firmware for certain types of machines. The automatic implementation of controls within organizational systems includes reversing the changes, halting the system, or triggering audit alerts when unauthorized modifications to critical security files occur.
shutdown of the system, restart of the system, and/or implementation of organization-defined controls (if selected) are automatically performed when integrity violations are discovered.
System and information integrity policy
system and information integrity procedures
procedures addressing software, firmware, and information integrity
system design documentation
system configuration settings and associated documentation
integrity verification tools and associated documentation
records of integrity scans
records of integrity checks and responses to integrity violations
audit records
system security plan
other relevant documents or records
Organizational personnel responsible for software, firmware, and/or information integrity
organizational personnel with information security responsibilities
system/network administrators
system developer
Software, firmware, and information integrity verification tools
mechanisms providing an automated response to integrity violations
mechanisms supporting and/or implementing security safeguards to be implemented when integrity violations are discovered
SI-7 (15): Code Authentication
Implement cryptographic mechanisms to authenticate the following software or firmware components prior to installation: organization-defined software or firmware components.
Cryptographic authentication includes verifying that software or firmware components have been digitally signed using certificates recognized and approved by organizations. Code signing is an effective method to protect against malicious code. Organizations that employ cryptographic mechanisms also consider cryptographic key management solutions.
cryptographic mechanisms are implemented to authenticate organization-defined software or firmware components prior to installation.
System and information integrity policy
system and information integrity procedures
procedures addressing software, firmware, and information integrity
system design documentation
system configuration settings and associated documentation
cryptographic mechanisms and associated documentation
system audit records
system security plan
other relevant documents or records
Organizational personnel responsible for software, firmware, and/or information integrity
organizational personnel with information security responsibilities
system/network administrators
system developer
Cryptographic mechanisms authenticating software and firmware prior to installation