SI - System and Information Integrity
- Controls Count: 12
- Controls IDs: SI-2 (2), SI-4 (2), SI-4 (4), SI-4 (5), SI-7, SI-7 (1), SI-7 (7), SI-8, SI-8 (2), SI-10, SI-11, SI-16
Controls
SI-2 (2): Automated Flaw Remediation Status
Determine if system components have applicable security-relevant software and firmware updates installed using organization-defined automated mechanisms at the organization-defined frequency.
Automated mechanisms can track and determine the status of known flaws for system components.
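The automated status check the control asks for, shown as an added example rather than anything from NIST SP 800-53A: it compares a package inventory against the minimum versions that carry required security updates and reports each component as current, missing an update, or not applicable. The inventory lines, version numbers and advisory identifiers are constructed sample values, not real hosts or advisories.

```python
"""Automated flaw-remediation status check (added example, not NIST text).

Reads a package inventory, compares each component against the minimum
version that carries a required security update, and reports status.
Inventory and advisory data below are constructed sample values.
"""
import re

# Constructed inventory in a "name version" line format (not real host data).
SAMPLE_INVENTORY = """\
openssl 3.0.11
sudo 1.9.13p1
curl 8.2.0
"""

# Constructed required updates: component -> (minimum fixed version, advisory id).
# Advisory ids are placeholders, not real identifiers.
REQUIRED_UPDATES = {
    "openssl": ("3.0.12", "ADVISORY-PLACEHOLDER-1"),
    "curl": ("8.4.0", "ADVISORY-PLACEHOLDER-2"),
    "sudo": ("1.9.13p1", "ADVISORY-PLACEHOLDER-3"),
    "kernel": ("6.1.50", "ADVISORY-PLACEHOLDER-4"),
}


def version_key(version):
    """Tokenize a version string so tuples compare numerically where possible.

    Numeric runs become (1, int) and alphabetic runs (0, str), so "3.0.12"
    sorts above "3.0.11" and mixed tokens never raise a type error. Adequate
    for dotted versions; Debian epochs or RPM release tags need the
    packager's own comparison routine.
    """
    tokens = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((1, int(t)) if t.isdigit() else (0, t) for t in tokens)


def parse_inventory(text):
    """Parse 'name version' lines into a dict, skipping blanks and comments."""
    inventory = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, version = line.split()
        inventory[name] = version
    return inventory


def remediation_status(inventory, required=REQUIRED_UPDATES):
    """Map each required component to 'current', 'missing-update:<advisory>'
    or 'not-applicable' (component not present on this system)."""
    report = {}
    for name, (min_version, advisory) in required.items():
        installed = inventory.get(name)
        if installed is None:
            report[name] = "not-applicable"
        elif version_key(installed) >= version_key(min_version):
            report[name] = "current"
        else:
            report[name] = f"missing-update:{advisory}"
    return report


def components_needing_update(report):
    """Sorted list of components whose status shows a missing update."""
    return sorted(n for n, s in report.items() if s.startswith("missing-update"))


if __name__ == "__main__":
    status = remediation_status(parse_inventory(SAMPLE_INVENTORY))
    for component, state in sorted(status.items()):
        print(f"{component:10s} {state}")
```

Run on a schedule (the organization-defined frequency), the report is the evidence an assessor examines under this control; the "not-applicable" state matters because an absent component is not a missing update, and conflating the two inflates the flaw count.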
system components have applicable security-relevant software and firmware updates installed, using organization-defined automated mechanisms, at the organization-defined frequency.
System and information integrity policy
system and information integrity procedures
procedures addressing flaw remediation
automated mechanisms supporting centralized management of flaw remediation
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
System/network administrators
organizational personnel with information security responsibilities
organizational personnel installing, configuring, and/or maintaining the system
organizational personnel responsible for flaw remediation
Automated mechanisms used to determine the state of system components with regard to flaw remediation
SI-4 (2): Automated Tools and Mechanisms for Real-time Analysis
Employ automated tools and mechanisms to support near real-time analysis of events.
Automated tools and mechanisms include host-based, network-based, transport-based, or storage-based event monitoring tools and mechanisms or security information and event management (SIEM) technologies that provide real-time analysis of alerts and notifications generated by organizational systems. Automated monitoring techniques can create unintended privacy risks because automated controls may connect to external or otherwise unrelated systems. The matching of records between these systems may create linkages with unintended consequences. Organizations assess and document these risks in their privacy impact assessment and make determinations that are in alignment with their privacy program plan.
automated tools and mechanisms are employed to support a near real-time analysis of events.
System and information integrity policy
system and information integrity procedures
procedures addressing system monitoring tools and techniques
system design documentation
system monitoring tools and techniques documentation
system configuration settings and associated documentation
system audit records
system security plan
privacy plan
privacy program plan
privacy impact assessment
privacy risk management documentation
other relevant documents or records
System/network administrators
organizational personnel with information security and privacy responsibilities
organizational personnel installing, configuring, and/or maintaining the system
organizational personnel responsible for monitoring the system
organizational personnel responsible for incident response/management
Organizational processes for the near real-time analysis of events
organizational processes for system monitoring
mechanisms supporting and/or implementing system monitoring
mechanisms/tools supporting and/or implementing an analysis of events
SI-4 (4): Inbound and Outbound Communications Traffic
Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic;
Monitor inbound and outbound communications traffic at the organization-defined frequency for organization-defined unusual or unauthorized activities or conditions.
Unusual or unauthorized activities or conditions related to system inbound and outbound communications traffic includes internal traffic that indicates the presence of malicious code or unauthorized use of legitimate code or credentials within organizational systems or propagating among system components, signaling to external systems, and the unauthorized exporting of information. Evidence of malicious code or unauthorized use of legitimate code or credentials is used to identify potentially compromised systems or system components.
criteria for unusual or unauthorized activities or conditions for inbound communications traffic are defined;
criteria for unusual or unauthorized activities or conditions for outbound communications traffic are defined;
inbound communications traffic is monitored at the organization-defined frequency for the organization-defined unusual or unauthorized activities or conditions;
outbound communications traffic is monitored at the organization-defined frequency for the organization-defined unusual or unauthorized activities or conditions.
System and information integrity policy
system and information integrity procedures
procedures addressing system monitoring tools and techniques
system design documentation
system monitoring tools and techniques documentation
system configuration settings and associated documentation
system protocols
system audit records
system security plan
other relevant documents or records
System/network administrators
organizational personnel with information security responsibilities
organizational personnel installing, configuring, and/or maintaining the system
organizational personnel responsible for monitoring the system
organizational personnel responsible for the intrusion detection system
Organizational processes for intrusion detection and system monitoring
mechanisms supporting and/or implementing intrusion detection and system monitoring capabilities
mechanisms supporting and/or implementing the monitoring of inbound and outbound communications traffic
SI-4 (5): System-generated Alerts
Alert organization-defined personnel or roles when the following system-generated indications of compromise or potential compromise occur: organization-defined compromise indicators.
Alerts may be generated from a variety of sources, including audit records or inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. Alerts can be automated and may be transmitted telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the alert notification list can include system administrators, mission or business owners, system owners, information owners/stewards, senior agency information security officers, senior agency officials for privacy, system security officers, or privacy officers. In contrast to alerts generated by the system, alerts generated by organizations in SI-4(12) focus on information sources external to the system, such as suspicious activity reports and reports on potential insider threats.
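SI-4(4) and SI-4(5) together describe a pipeline: organization-defined criteria applied to inbound and outbound traffic, and system-generated alerts routed to organization-defined roles when a criterion is met. The following is an added example of that pipeline, not NIST text. It evaluates constructed flow records against two constructed criteria (a large outbound transfer to one external host, and a host connecting to one external host at a near-constant interval, the "signaling to external systems" the discussion mentions) and builds alert records addressed to constructed roles. The internal address ranges, thresholds and role names are assumptions for the example.

```python
"""Communications-traffic criteria and system-generated alerts (added example,
not NIST text). Evaluates constructed flow records against two constructed
criteria and routes the resulting alerts to constructed roles."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Address ranges the organization treats as internal (assumed for this example).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: int          # epoch seconds
    src: str
    dst: str
    dport: int
    bytes_out: int   # bytes sent from src to dst


# Constructed flow records, not captured traffic: 10.0.0.5 connects to one
# external host every 60 s (beacon-like); 10.0.0.7 sends 600 MB to an
# external host; the rest is ordinary internal or one-off traffic.
SAMPLE_FLOWS = [
    Flow(1000, "10.0.0.5", "203.0.113.10", 443, 512),
    Flow(1060, "10.0.0.5", "203.0.113.10", 443, 498),
    Flow(1120, "10.0.0.5", "203.0.113.10", 443, 520),
    Flow(1180, "10.0.0.5", "203.0.113.10", 443, 505),
    Flow(1005, "10.0.0.7", "198.51.100.20", 22, 600_000_000),
    Flow(1010, "10.0.0.9", "10.0.0.2", 445, 4096),
    Flow(1020, "10.0.0.9", "203.0.113.50", 443, 2048),
]

# The organization-defined criteria of SI-4(4), here as constructed thresholds.
CRITERIA = {
    "exfil_bytes": 100_000_000,  # total bytes to one external host in the window
    "beacon_min_count": 4,       # connections needed before interval is judged
    "beacon_jitter": 5,          # max spread (s) between connection intervals
}

# The organization-defined personnel/roles of SI-4(5), as constructed roles.
ROUTING = {
    "possible-exfiltration": ["soc-on-call", "system-owner"],
    "beaconing": ["soc-on-call"],
}


def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def evaluate(flows, criteria=CRITERIA):
    """Return (indicator, src, dst, detail) tuples for flows meeting a criterion."""
    findings = []
    by_pair = defaultdict(list)
    for f in flows:
        if is_external(f.dst):
            by_pair[(f.src, f.dst)].append(f)
    for (src, dst), pair_flows in by_pair.items():
        total = sum(f.bytes_out for f in pair_flows)
        if total >= criteria["exfil_bytes"]:
            findings.append(("possible-exfiltration", src, dst, f"{total} bytes outbound"))
        times = sorted(f.ts for f in pair_flows)
        if len(times) >= criteria["beacon_min_count"]:
            gaps = [b - a for a, b in zip(times, times[1:])]
            if max(gaps) - min(gaps) <= criteria["beacon_jitter"]:
                findings.append(("beaconing", src, dst,
                                 f"{len(times)} connections at ~{gaps[0]} s intervals"))
    return findings


def build_alerts(findings, routing=ROUTING):
    """Turn findings into alert records addressed to the defined roles."""
    return [
        {"indicator": kind, "source": src, "destination": dst,
         "detail": detail, "notify": routing.get(kind, ["soc-on-call"])}
        for kind, src, dst, detail in findings
    ]


if __name__ == "__main__":
    for alert in build_alerts(evaluate(SAMPLE_FLOWS)):
        print(alert)
```

The criteria dictionary and the routing table are the two items an assessor asks to see: the first is the documented definition of "unusual or unauthorized", the second is the alert notification list. Keeping both as data rather than code makes the organization-defined parts reviewable without reading the detection logic.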
organization-defined personnel or roles are alerted when organization-defined system-generated compromise indicators occur.
System and information integrity policy
system and information integrity procedures
procedures addressing system monitoring tools and techniques
system monitoring tools and techniques documentation
system configuration settings and associated documentation
list of personnel selected to receive alerts
documentation of alerts generated based on compromise indicators
system audit records
system security plan
privacy plan
other relevant documents or records
System/network administrators
organizational personnel with information security and privacy responsibilities
system developers
organizational personnel installing, configuring, and/or maintaining the system
organizational personnel responsible for monitoring the system
organizational personnel on the system alert notification list
organizational personnel responsible for the intrusion detection system
Organizational processes for intrusion detection and system monitoring
mechanisms supporting and/or implementing intrusion detection and system monitoring capabilities
mechanisms supporting and/or implementing alerts for compromise indicators
SI-7: Software, Firmware, and Information Integrity
Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: organization-defined software, firmware, and information; and
Take the following actions when unauthorized changes to the software, firmware, and information are detected: organization-defined actions.
Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity. Software includes operating systems (with key internal components, such as kernels or drivers), middleware, and applications. Firmware interfaces include Unified Extensible Firmware Interface (UEFI) and Basic Input/Output System (BIOS). Information includes personally identifiable information and metadata that contains security and privacy attributes associated with information. Integrity-checking mechanisms—including parity checks, cyclical redundancy checks, cryptographic hashes, and associated tools—can automatically monitor the integrity of systems and hosted applications.
integrity verification tools are employed to detect unauthorized changes to organization-defined software;
integrity verification tools are employed to detect unauthorized changes to organization-defined firmware;
integrity verification tools are employed to detect unauthorized changes to organization-defined information;
organization-defined actions are taken when unauthorized changes to the software are detected;
organization-defined actions are taken when unauthorized changes to the firmware are detected;
organization-defined actions are taken when unauthorized changes to the information are detected.
System and information integrity policy
system and information integrity procedures
procedures addressing software, firmware, and information integrity
personally identifiable information processing policy
system design documentation
system configuration settings and associated documentation
integrity verification tools and associated documentation
records generated or triggered by integrity verification tools regarding unauthorized software, firmware, and information changes
system audit records
system security plan
privacy plan
other relevant documents or records
Organizational personnel responsible for software, firmware, and/or information integrity
organizational personnel with information security and privacy responsibilities
system/network administrators
Software, firmware, and information integrity verification tools
SI-7 (1): Integrity Checks
Perform an integrity check of organization-defined software, firmware, and information at startup, at organization-defined transitional states or security-relevant events, and/or at the organization-defined frequency.
Security-relevant events include the identification of new threats to which organizational systems are susceptible and the installation of new hardware, software, or firmware. Transitional states include system startup, restart, shutdown, and abort.
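The cryptographic-hash mechanism named in the SI-7 discussion, and the startup or scheduled check of SI-7(1), are shown here as one added example that is not NIST's or any product's code. It builds a SHA-256 manifest of a set of files, protects the manifest with an HMAC so that a tampered baseline is itself detected, and on each check reports modified, removed and added files. The files are constructed in a temporary directory, and the demo key is an assumption; in a real deployment the key and the sealed manifest would live outside the system being checked.

```python
"""File integrity baseline and verification (added example, not NIST text).

build_manifest hashes every file under a root; seal protects the manifest with
an HMAC; verify rejects a tampered manifest and otherwise classifies changes.
Sample files and the demo key are constructed for this example only.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

DEMO_KEY = b"constructed-demo-key-not-for-production"


def hash_file(path, algo="sha256"):
    """Stream the file through the hash so large binaries do not load into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file (relative path) under root to its digest."""
    root = Path(root)
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal(manifest, key):
    """Attach an HMAC so the baseline cannot be silently edited to match a change."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return {"manifest": manifest, "mac": hmac.new(key, body, "sha256").hexdigest()}


def verify(root, sealed, key):
    """Check the baseline's MAC, then compare the current tree against it."""
    body = json.dumps(sealed["manifest"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(sealed["mac"], expected):
        raise ValueError("baseline manifest failed MAC check: treat as tampered")
    baseline = sealed["manifest"]
    current = build_manifest(root)
    return {
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        "removed": sorted(f for f in baseline if f not in current),
        "added": sorted(f for f in current if f not in baseline),
    }


def demo():
    """Baseline two constructed files, then alter, delete and add one each."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "app.bin").write_bytes(b"original binary")
        Path(d, "config.yml").write_text("mode: strict\n")
        sealed = seal(build_manifest(d), DEMO_KEY)
        clean = verify(d, sealed, DEMO_KEY)          # e.g. the startup check
        Path(d, "app.bin").write_bytes(b"altered binary")
        Path(d, "config.yml").unlink()
        Path(d, "extra.so").write_bytes(b"unexpected file")
        dirty = verify(d, sealed, DEMO_KEY)          # e.g. the scheduled check
    return clean, dirty


def tamper_demo():
    """Show that an edited baseline is rejected before any file is compared."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "app.bin").write_bytes(b"original binary")
        sealed = seal(build_manifest(d), DEMO_KEY)
        sealed["manifest"]["app.bin"] = "0" * 64      # baseline edited after sealing
        try:
            verify(d, sealed, DEMO_KEY)
        except ValueError:
            return True
    return False


if __name__ == "__main__":
    before, after = demo()
    print("clean run:", before)
    print("after changes:", after)
    print("tampered baseline rejected:", tamper_demo())
```

The three lists returned by verify are the "records generated or triggered by integrity verification tools" listed among the assessment objects, and each non-empty list is the trigger for the organization-defined actions in SI-7(b).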
an integrity check of organization-defined software is performed at startup, at organization-defined transitional states or security-relevant events (if selected), and/or at the organization-defined frequency (if selected);
an integrity check of organization-defined firmware is performed at startup, at organization-defined transitional states or security-relevant events (if selected), and/or at the organization-defined frequency (if selected);
an integrity check of organization-defined information is performed at startup, at organization-defined transitional states or security-relevant events (if selected), and/or at the organization-defined frequency (if selected).
System and information integrity policy
system and information integrity procedures
procedures addressing software, firmware, and information integrity testing
system design documentation
system configuration settings and associated documentation
integrity verification tools and associated documentation
records of integrity scans
system security plan
other relevant documents or records
Organizational personnel responsible for software, firmware, and/or information integrity
organizational personnel with information security responsibilities
system/network administrators
system developer
Software, firmware, and information integrity verification tools
SI-7 (7): Integration of Detection and Response
Incorporate the detection of the following unauthorized changes into the organizational incident response capability: organization-defined security-relevant changes to the system.
Integrating detection and response helps to ensure that detected events are tracked, monitored, corrected, and available for historical purposes. Maintaining historical records is important for being able to identify and discern adversary actions over an extended time period and for possible legal actions. Security-relevant changes include unauthorized changes to established configuration settings or the unauthorized elevation of system privileges.
the detection of organization-defined security-relevant changes to the system is incorporated into the organizational incident response capability.
System and information integrity policy
system and information integrity procedures
procedures addressing software, firmware, and information integrity
procedures addressing incident response
system design documentation
system configuration settings and associated documentation
incident response records
audit records
system security plan
other relevant documents or records
Organizational personnel responsible for software, firmware, and/or information integrity
organizational personnel with information security responsibilities
organizational personnel with incident response responsibilities
Organizational processes for incorporating the detection of unauthorized security-relevant changes into the incident response capability
software, firmware, and information integrity verification tools
mechanisms supporting and/or implementing the incorporation of detection of unauthorized security-relevant changes into the incident response capability
SI-8: Spam Protection
Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and
Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.
System entry and exit points include firewalls, remote-access servers, electronic mail servers, web servers, proxy servers, workstations, notebook computers, and mobile devices. Spam can be transported by different means, including email, email attachments, and web accesses. Spam protection mechanisms include signature definitions.
spam protection mechanisms are employed at system entry points to detect unsolicited messages;
spam protection mechanisms are employed at system exit points to detect unsolicited messages;
spam protection mechanisms are employed at system entry points to act on unsolicited messages;
spam protection mechanisms are employed at system exit points to act on unsolicited messages;
spam protection mechanisms are updated when new releases are available in accordance with organizational configuration management policies and procedures.
System and information integrity policy
system and information integrity procedures
configuration management policies and procedures (CM-01)
procedures addressing spam protection
spam protection mechanisms
records of spam protection updates
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
Organizational personnel responsible for spam protection
organizational personnel with information security responsibilities
system/network administrators
system developer
Organizational processes for implementing spam protection
mechanisms supporting and/or implementing spam protection
SI-8 (2): Automatic Updates
Automatically update spam protection mechanisms at the organization-defined frequency.
Using automated mechanisms to update spam protection mechanisms helps to ensure that updates occur on a regular basis and provide the latest content and protection capabilities.
spam protection mechanisms are automatically updated at the organization-defined frequency.
System and information integrity policy
system and information integrity procedures
procedures addressing spam protection
spam protection mechanisms
records of spam protection updates
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
Organizational personnel responsible for spam protection
organizational personnel with information security responsibilities
system/network administrators
system developer
Organizational processes for spam protection
mechanisms supporting and/or implementing automatic updates to spam protection mechanisms
SI-10: Information Input Validation
Check the validity of the following information inputs: organization-defined information inputs to the system.
Checking the valid syntax and semantics of system inputs—including character set, length, numerical range, and acceptable values—verifies that inputs match specified definitions for format and content. For example, if the organization specifies that numerical values between 1-100 are the only acceptable inputs for a field in a given application, inputs of "387," "abc," or "%K%" are invalid inputs and are not accepted as input to the system. Valid inputs are likely to vary from field to field within a software application. Applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the corrupted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing them to interpreters prevents the content from being unintentionally interpreted as commands. Input validation ensures accurate and correct inputs and prevents attacks such as cross-site scripting and a variety of injection attacks.
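The discussion separates syntax checks (character set, length) from semantic checks (numerical range, acceptable values), and then makes the point about structured messages: attacker-supplied input must not be able to become control information when a module builds a query or command. Both points are shown in the following added example, which is not NIST text. It validates the 1-100 field with the discussion's own inputs ("387", "abc", "%K%"), validates a username against an allowlisted character set and length, and then uses the validated values only as bound parameters of an SQLite query, so the interpreter receives them as data rather than as part of the statement. The table, rows and field rules are constructed for the example.

```python
"""Input validation before a structured message (added example, not NIST text).

Syntax is checked with a pattern, semantics with a range or allowlist, and
the validated values are passed to SQLite as bound parameters rather than
spliced into the query text. Table contents and field rules are constructed.
"""
import re
import sqlite3


class InvalidInput(ValueError):
    """Raised for any input that fails syntax or semantic validation."""


def validate_int_range(raw, lo=1, hi=100):
    """Syntax: 1-3 decimal digits. Semantics: lo <= n <= hi."""
    if not re.fullmatch(r"[0-9]{1,3}", raw):
        raise InvalidInput(f"not a decimal number: {raw!r}")
    n = int(raw)
    if not lo <= n <= hi:
        raise InvalidInput(f"out of range {lo}-{hi}: {n}")
    return n


# Constructed allowlist for a username field: lowercase letter, then 2-31 of
# lowercase letters, digits or underscore (3-32 characters total).
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def validate_username(raw):
    if not USERNAME_RE.fullmatch(raw):
        raise InvalidInput("username must be 3-32 lowercase letters, digits or underscore")
    return raw


def is_valid(validator, raw):
    """Boolean wrapper used for reporting and tests."""
    try:
        validator(raw)
        return True
    except InvalidInput:
        return False


def make_db():
    """Constructed in-memory table standing in for a real data store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, quota INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", 50), ("bob", 20)])
    return conn


def quota_for(conn, raw_name, raw_floor):
    """Validate both inputs, then bind them as parameters of the query.

    Binding is what keeps a value from being read as SQL syntax; validation
    on top of it enforces the field's own definition of acceptable content.
    """
    name = validate_username(raw_name)
    floor = validate_int_range(raw_floor)
    row = conn.execute(
        "SELECT quota FROM users WHERE name = ? AND quota >= ?", (name, floor)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    for sample in ("42", "387", "abc", "%K%"):
        print(f"{sample!r:8} -> {'valid' if is_valid(validate_int_range, sample) else 'rejected'}")
    print("alice quota:", quota_for(make_db(), "alice", "10"))
```

Note that "387" passes the syntax check and fails the semantic one, which is exactly the two-stage distinction the discussion draws; a validator that only checked "is it digits" would accept it.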
the validity of the organization-defined information inputs to the system is checked.
System and information integrity policy
system and information integrity procedures
access control policy and procedures
separation of duties policy and procedures
procedures addressing information input validation
documentation for automated tools and applications to verify the validity of information
list of information inputs requiring validity checks
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
Organizational personnel responsible for information input validation
organizational personnel with information security responsibilities
system/network administrators
system developer
Mechanisms supporting and/or implementing validity checks on information inputs
SI-11: Error Handling
Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and
Reveal error messages only to organization-defined personnel or roles.
Organizations consider the structure and content of error messages. The extent to which systems can handle error conditions is guided and informed by organizational policy and operational requirements. Exploitable information includes stack traces and implementation details; erroneous logon attempts with passwords mistakenly entered as the username; mission or business information that can be derived from, if not stated explicitly by, the information recorded; and personally identifiable information, such as account numbers, social security numbers, and credit card numbers. Error messages may also provide a covert channel for transmitting information.
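An error handler built to the discussion's two requirements, as an added example that is not NIST text: the caller receives a message that is sufficient for corrective action (a reference to quote) without the stack trace or implementation detail, the full trace goes to an internal log with personally identifiable patterns redacted, and the detail is returned only to organization-defined roles. The roles, the redaction patterns, the log sink and the card-style test value are constructed for the example.

```python
"""Error handling that informs without disclosing (added example, not NIST text).

Callers get a generic message plus a correlation reference; the full stack
trace, with sensitive patterns redacted, goes only to the internal log, and
only the constructed organization-defined roles receive the detail.
"""
import logging
import re
import traceback
import uuid
from io import StringIO

_log_buffer = StringIO()            # stands in for the internal log sink (constructed)
log = logging.getLogger("app.errors")
log.setLevel(logging.ERROR)
log.propagate = False
log.addHandler(logging.StreamHandler(_log_buffer))

ALLOWED_DETAIL_ROLES = {"sre", "developer"}   # constructed organization-defined roles

# Constructed patterns for values that must never appear in any message.
REDACTIONS = [
    (re.compile(r"\b(?:\d[ -]?){13,16}\b"), "[REDACTED-CARD]"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[REDACTED-SSN]"),
]

TEST_CARD = "4111 1111 1111 1111"   # constructed card-style value, not a real account


def redact(text):
    for pattern, replacement in REDACTIONS:
        text = pattern.sub(replacement, text)
    return text


def handle_error(exc, viewer_role):
    """Log the redacted trace under a reference id; reveal detail only by role."""
    ref = uuid.uuid4().hex[:12]
    trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    detail = redact(trace)
    log.error("ref=%s %s", ref, detail)
    if viewer_role in ALLOWED_DETAIL_ROLES:
        return {"ref": ref, "message": redact(str(exc)), "detail": detail}
    return {"ref": ref,
            "message": f"The request could not be completed. Quote reference {ref} to support."}


def internal_log():
    """What the internal log sink has received so far."""
    return _log_buffer.getvalue()


def charge(card_number, amount):
    """Constructed business function whose exception text carries sensitive data."""
    if amount <= 0:
        raise ValueError(f"amount must be positive; card {card_number} not charged")
    return True


def demo(viewer_role):
    """Run the failing operation and return what that viewer would see."""
    try:
        charge(TEST_CARD, 0)
    except ValueError as exc:
        return handle_error(exc, viewer_role)
    return None


if __name__ == "__main__":
    print("customer sees:", demo("customer"))
    print("sre sees:", demo("sre"))
    print("internal log:", internal_log())
```

The reference id is what makes the generic message actionable: support can find the full record without the caller ever seeing it. Redaction is applied to the log line as well as to the privileged view, since the discussion's concern about account and card numbers applies to whatever record the message ends up in.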
error messages that provide the information necessary for corrective actions are generated without revealing information that could be exploited;
error messages are revealed only to organization-defined personnel or roles.
System and information integrity policy
system and information integrity procedures
procedures addressing system error handling
system design documentation
system configuration settings and associated documentation
documentation providing the structure and content of error messages
system audit records
system security plan
other relevant documents or records
Organizational personnel responsible for information input validation
organizational personnel with information security responsibilities
system/network administrators
system developer
Organizational processes for error handling
automated mechanisms supporting and/or implementing error handling
automated mechanisms supporting and/or implementing the management of error messages
SI-16: Memory Protection
Implement the following controls to protect the system memory from unauthorized code execution: organization-defined controls.
Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Controls employed to protect memory include data execution prevention and address space layout randomization. Data execution prevention controls can either be hardware-enforced or software-enforced with hardware enforcement providing the greater strength of mechanism.
organization-defined controls are implemented to protect the system memory from unauthorized code execution.
System and information integrity policy
system and information integrity procedures
procedures addressing memory protection for the system
system design documentation
system configuration settings and associated documentation
list of security safeguards protecting system memory from unauthorized code execution
system audit records
system security plan
other relevant documents or records
Organizational personnel responsible for memory protection
organizational personnel with information security responsibilities
system/network administrators
system developer
Automated mechanisms supporting and/or implementing safeguards to protect the system memory from unauthorized code execution