Joint task force transformation initiative




P1

LOW SC-15

MOD SC-15

HIGH SC-15



SC-16 TRANSMISSION OF SECURITY ATTRIBUTES


Control: The information system associates [Assignment: organization-defined security attributes] with information exchanged between information systems and between system components.

Supplemental Guidance: Security attributes can be explicitly or implicitly associated with the information contained in organizational information systems or system components. Related controls: AC-3, AC-4, AC-16.

Control Enhancements:

  1. transmission of security attributes | integrity validation

The information system validates the integrity of transmitted security attributes.

Supplemental Guidance: This control enhancement ensures that the verification of the integrity of transmitted information includes security attributes. Related controls: AU-10, SC-8.
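An added illustration of SC-16 and SC-16(1) (example code, not text from SP 800-53): the sender binds a constructed set of security attributes to each message with an HMAC, and the receiver refuses to expose the attributes unless their integrity validates. The key, attribute names and message layout are assumptions.

```python
"""Bind security attributes to a message and validate them on receipt (SC-16, SC-16(1)).

Added illustration, not from SP 800-53: the sender attaches organization-defined
security attributes (a constructed set: classification, origin, caveat) to each
message and MACs attributes and payload together; the receiver refuses to expose
the attributes unless that check passes. Key and format are assumptions.
"""
import hashlib
import hmac
import json

# Constructed shared key; in practice supplied by SC-12 key management.
SHARED_KEY = b"constructed-example-key"
ATTRIBUTE_NAMES = ("classification", "origin", "caveat")


def _bound_bytes(attrs: dict, payload: bytes) -> bytes:
    """Canonical encoding so both ends MAC exactly the same bytes."""
    encoded = json.dumps(attrs, sort_keys=True, separators=(",", ":")).encode()
    return encoded + b"\x00" + payload  # JSON never emits a raw NUL, so the split is unambiguous


def tag_message(payload: bytes, attributes: dict, key: bytes = SHARED_KEY) -> dict:
    """Return the transmission unit: attributes, payload and a MAC over both."""
    attrs = {k: str(attributes[k]) for k in ATTRIBUTE_NAMES}
    mac = hmac.new(key, _bound_bytes(attrs, payload), hashlib.sha256).hexdigest()
    return {"attributes": attrs, "payload": payload.hex(), "mac": mac}


def validate_message(unit: dict, key: bytes = SHARED_KEY):
    """Return (payload, attributes) if the attributes' integrity checks, else None.

    Tampered or missing attributes are never returned, so an access decision
    (AC-3/AC-4) cannot be made on labels that were altered in transit.
    """
    try:
        attrs = {k: str(unit["attributes"][k]) for k in ATTRIBUTE_NAMES}
        payload = bytes.fromhex(unit["payload"])
        received = str(unit["mac"])
    except (KeyError, TypeError, ValueError):
        return None
    expected = hmac.new(key, _bound_bytes(attrs, payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, received):  # constant-time comparison
        return None
    return payload, attrs
```

A unit whose label was changed in transit (for example "MOD" rewritten to "LOW") fails `validate_message`, as does one whose payload or MAC was altered.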

References: None.

Priority and Baseline Allocation:

P0

LOW Not Selected

MOD Not Selected

HIGH Not Selected



SC-17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES


Control: The organization issues public key certificates under an [Assignment: organization-defined certificate policy] or obtains public key certificates from an approved service provider.

Supplemental Guidance: For all certificates, organizations manage information system trust stores to ensure only approved trust anchors are in the trust stores. This control addresses both certificates with visibility external to organizational information systems and certificates related to the internal operations of systems, for example, application-specific time services. Related control: SC-12.
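An added illustration of the trust-store management point in SC-17 (example code, not from SP 800-53): each certificate in a PEM bundle is identified by the SHA-256 fingerprint of its DER encoding and checked against the organization's approved-anchor list, reporting unapproved anchors that must be removed and approved anchors that are missing. The bundle is constructed from placeholder bytes rather than real CA certificates.

```python
"""Audit an information system trust store against approved anchors (SC-17).

Added illustration, not from SP 800-53: every certificate in a PEM bundle is
identified by the SHA-256 fingerprint of its DER encoding (the hash that
`openssl x509 -noout -fingerprint -sha256` prints) and compared with the
organization's approved-anchor list. The bundle used here is constructed from
placeholder DER bytes, so the fingerprints are not those of any real CA.
"""
import base64
import hashlib
import re

PEM_CERT = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def fingerprints(pem_bundle: bytes) -> list:
    """SHA-256 fingerprint (hex) of each certificate block, in bundle order."""
    out = []
    for b64 in PEM_CERT.findall(pem_bundle):
        der = base64.b64decode(b"".join(b64.split()), validate=True)
        out.append(hashlib.sha256(der).hexdigest())
    return out


def audit_trust_store(pem_bundle: bytes, approved: set) -> dict:
    """Anchors to remove (present but unapproved) and approved anchors not installed."""
    present = set(fingerprints(pem_bundle))
    return {"unapproved": sorted(present - approved),
            "missing": sorted(approved - present)}


def make_pem(der: bytes) -> bytes:
    """Wrap constructed DER bytes as a PEM certificate block (test helper only)."""
    body = base64.encodebytes(der)  # 76-column lines, newline-terminated
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n"
```

Run against a real store (for example a system CA bundle) the same functions work unchanged, since the fingerprint is computed over the DER bytes the PEM block encodes.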

Control Enhancements: None.

References: OMB Memorandum 05-24; NIST Special Publications 800-32, 800-63.

Priority and Baseline Allocation:

P1

LOW Not Selected

MOD SC-17

HIGH SC-17



SC-18 MOBILE CODE


Control: The organization:

  1. Defines acceptable and unacceptable mobile code and mobile code technologies;

  2. Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and

  3. Authorizes, monitors, and controls the use of mobile code within the information system.

Supplemental Guidance: Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include, for example, Java, JavaScript, ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices (e.g., smart phones). Mobile code policy and procedures address preventing the development, acquisition, or introduction of unacceptable mobile code within organizational information systems. Related controls: AU-2, AU-12, CM-2, CM-6, SI-3.

Control Enhancements:

  1. mobile code | identify unacceptable code / take corrective actions

The information system identifies [Assignment: organization-defined unacceptable mobile code] and takes [Assignment: organization-defined corrective actions].

Supplemental Guidance: Corrective actions when unacceptable mobile code is detected include, for example, blocking, quarantine, or alerting administrators. Blocking includes, for example, preventing transmission of word processing files with embedded macros when such macros have been defined to be unacceptable mobile code.
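An added illustration of the blocking example in SC-18(1) (example code, not from SP 800-53): an OOXML word-processing file is a ZIP archive, and an embedded VBA macro project is stored as a part named vbaProject.bin, so a gateway can classify a file as unacceptable mobile code and block it when that part is present. Sample files are constructed in memory, and the action labels returned are assumptions.

```python
"""Detect word-processing files with embedded macros before transmission (SC-18(1)).

Added illustration, not from SP 800-53: an OOXML document (.docx/.docm, also
.xlsm/.pptm) is a ZIP archive, and an embedded VBA project is stored as a part
named vbaProject.bin. A file carrying that part is treated as organization-
defined unacceptable mobile code. Sample files are constructed in memory; the
action names returned are assumptions.
"""
import io
import zipfile

VBA_PART = "vbaproject.bin"  # compared case-insensitively against part names


def has_embedded_macros(data: bytes) -> bool:
    """True if data is a ZIP-based Office document carrying a VBA project part."""
    if not data.startswith(b"PK"):
        # Legacy binary .doc/.xls files are OLE containers, not ZIPs; they need a
        # separate OLE parser and are not classified by this check.
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith(VBA_PART) for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def corrective_action(data: bytes) -> str:
    """Organization-defined action (assumed labels): block macro-bearing files."""
    return "block" if has_embedded_macros(data) else "allow"


def build_sample(with_macros: bool) -> bytes:
    """Construct a minimal OOXML-shaped archive for testing (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"constructed VBA project bytes")
    return buf.getvalue()
```

The check is a content inspection, not an extension check: a macro-bearing file renamed to .docx is still blocked, while legacy OLE documents need a separate parser.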

  2. mobile code | acquisition / development / use

The organization ensures that the acquisition, development, and use of mobile code to be deployed in the information system meets [Assignment: organization-defined mobile code requirements].

  3. mobile code | prevent downloading / execution

The information system prevents the download and execution of [Assignment: organization-defined unacceptable mobile code].

  4. mobile code | prevent automatic execution

The information system prevents the automatic execution of mobile code in [Assignment: organization-defined software applications] and enforces [Assignment: organization-defined actions] prior to executing the code.

Supplemental Guidance: Actions enforced before executing mobile code include, for example, prompting users prior to opening electronic mail attachments. Preventing automatic execution of mobile code includes, for example, disabling auto-execute features on information system components employing portable storage devices such as Compact Disks (CDs), Digital Video Disks (DVDs), and Universal Serial Bus (USB) devices.

  5. mobile code | allow execution only in confined environments

The organization allows execution of permitted mobile code only in confined virtual machine environments.

References: NIST Special Publication 800-28; DoD Instruction 8552.01.

Priority and Baseline Allocation:
