Joint task force transformation initiative


P1 LOW IA-8 (1) (2) (3) (4)



Yüklə 5,64 Mb.
səhifə92/186
tarix08.01.2019
ölçüsü5,64 Mb.
#93199
1   ...   88   89   90   91   92   93   94   95   ...   186

P1

LOW IA-8 (1) (2) (3) (4)

MOD IA-8 (1) (2) (3) (4)

HIGH IA-8 (1) (2) (3) (4)



IA-9 SERVICE IDENTIFICATION AND AUTHENTICATION


Control: The organization identifies and authenticates [Assignment: organization-defined information system services] using [Assignment: organization-defined security safeguards].

Supplemental Guidance: This control supports service-oriented architectures and other distributed architectural approaches requiring the identification and authentication of information system services. In such architectures, external services often appear dynamically. Therefore, information systems should be able to determine in a dynamic manner, if external providers and associated services are authentic. Safeguards implemented by organizational information systems to validate provider and service authenticity include, for example, information or code signing, provenance graphs, and/or electronic signatures indicating or including the sources of services.

Control Enhancements:

  1. service identification and authentication | information exchange

The organization ensures that service providers receive, validate, and transmit identification and authentication information.

  1. service identification and authentication | transmission of decisions

The organization ensures that identification and authentication decisions are transmitted between [Assignment: organization-defined services] consistent with organizational policies.

Supplemental Guidance: For distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of identification and authentication claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide the identification and authentication decisions (as opposed to the actual identifiers and authenticators) to the services that need to act on those decisions. Related control: SC-8.

References: None.

Priority and Baseline Allocation:

P0

LOW Not Selected

MOD Not Selected

HIGH Not Selected



IA-10 ADAPTIVE IDENTIFICATION AND AUTHENTICATION


Control: The organization requires that individuals accessing the information system employ [Assignment: organization-defined supplemental authentication techniques or mechanisms] under specific [Assignment: organization-defined circumstances or situations].

Supplemental Guidance: Adversaries may compromise individual authentication mechanisms and subsequently attempt to impersonate legitimate users. This situation can potentially occur with any authentication mechanisms employed by organizations. To address this threat, organizations may employ specific techniques/mechanisms and establish protocols to assess suspicious behavior (e.g., individuals accessing information that they do not typically access as part of their normal duties, roles, or responsibilities, accessing greater quantities of information than the individuals would routinely access, or attempting to access information from suspicious network addresses). In these situations when certain preestablished conditions or triggers occur, organizations can require selected individuals to provide additional authentication information. Another potential use for adaptive identification and authentication is to increase the strength of mechanism based on the number and/or types of records being accessed. Related controls: AU-6, SI-4.

Control Enhancements: None.

References: None.

Priority and Baseline Allocation:

P0

LOW Not Selected

MOD Not Selected

HIGH Not Selected


Yüklə 5,64 Mb.

Dostları ilə paylaş:
1   ...   88   89   90   91   92   93   94   95   ...   186




Verilənlər bazası müəlliflik hüququ ilə müdafiə olunur ©muhaz.org 2024
rəhbərliyinə müraciət

gir | qeydiyyatdan keç
    Ana səhifə


yükləyin