System Security Plan (SSP) Categorization: Moderate-Low-Low


AC-3 – Access Enforcement



Date: 16.05.2018

10.2.3 AC-3 – Access Enforcement





Recommended Continuous Monitoring Frequency: Semi-Annual

Program Frequency:

Choose an item.

Implementation Status:

☐ Implemented  ☐ Planned

Organizational Tailoring:

☐ Compensatory Control (Provide justification below)  ☐ Tailored In (Provide justification below)

☐ Tailored Out (Provide justification below)  ☐ Modified (Provide justification below)


Control Origination (check all that apply):

☐ Common  ☐ System Specific  ☐ Hybrid (Common and System Specific)



All information systems shall enforce approved authorizations for logical access to information and information system resources in accordance with approved access control policies.

Additionally, all information systems shall, at a minimum, enforce a Discretionary Access Control (DAC) policy that:



Allows users to specify and control sharing by named individuals or groups of individuals, or by both

Click here to enter text.



Limits propagation of access rights

Click here to enter text.

Includes or excludes access to the granularity of a single user

Click here to enter text.

CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.2.3.1 AC-3(2) – Access Enforcement: Dual Authorization (+ Classified Overlay) – NEW BASELINE


Recommended Continuous Monitoring Frequency: Quarterly

Program Frequency:

Choose an item.

Implementation Status:

☐ Implemented  ☐ Planned

Organizational Tailoring:

☐ Compensatory Control (Provide justification below)  ☐ Tailored In (Provide justification below)

☐ Tailored Out (Provide justification below)  ☐ Modified (Provide justification below)


Control Origination (check all that apply):

☐ Common  ☐ System Specific  ☐ Hybrid (Common and System Specific)



The organization enforces dual authorization for all transfers of data from a classified computer network to removable media.

This includes the technical separation of roles (e.g., DTA and ISSM or designated representative). Only trained Data Transfer Agents (DTAs) are authorized to transfer data from an IS to removable media. Only the ISSM and/or designated representatives are authorized to enable permissions to transfer data to removable media. This control supports insider threat mitigation.

Data transfer authorization enforcement can be performed by the organization, but should have technical separation of roles to support the organization’s implemented dual authorization process.

Example of an implementation meeting the spirit of AC-3(2): The organization's policy states that appropriately trained Data Transfer/Trusted Download Agents are the only individuals authorized to transfer data from a classified system to removable media, and only the ISSM and/or designated representatives are authorized to enable permissions to transfer data to removable media.


Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.2.3.2 AC-3(4) – Access Enforcement: Discretionary Access Control (+ Classified Overlay) (- Standalone Overlay)


After a relevance determination, this control can be tailored out for standalone IS with a single user.

Recommended Continuous Monitoring Frequency: Semi-Annual

Program Frequency:

Choose an item.

Implementation Status:

☐ Implemented  ☐ Planned

Organizational Tailoring:

☐ Compensatory Control (Provide justification below)  ☐ Tailored In (Provide justification below)

☐ Tailored Out (Provide justification below)  ☐ Modified (Provide justification below)


Control Origination (check all that apply):

☐ Common  ☐ System Specific  ☐ Hybrid (Common and System Specific)



The IS enforces discretionary access control to include or exclude access to the granularity of a single user who may be granted authorization to

  1. Pass information to other subjects or objects;

  2. Grant privileges to other subjects;

  3. Change security attributes;

  4. Choose security attributes for newly created or revised objects; and

  5. Change the rules governing access control when authorized.

The assumption is that some user data/information in organizational information systems is not shareable with other users who have authorized access to the same systems. Address at a minimum: allow users to specify and control sharing by named individuals or groups; limit propagation of access rights; include or exclude access to the granularity of a single user.
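The three minimum DAC properties named in AC-3 and AC-3(4) (sharing by named individuals or groups, limited propagation of access rights, and inclusion or exclusion of a single user) can be modelled as follows. This is an added illustration, not part of the SSP template; `DacObject`, `share`, `exclude`, `can_access` and the user and group names are hypothetical.

```python
from dataclasses import dataclass, field

GROUPS = {"analysts": {"alice", "bob", "carol"}}  # constructed sample directory

@dataclass
class DacObject:
    owner: str
    allow_users: set = field(default_factory=set)   # named individuals
    allow_groups: set = field(default_factory=set)  # named groups
    deny_users: set = field(default_factory=set)    # single-user exclusions
    grantors: set = field(default_factory=set)      # users allowed to re-share

def can_access(obj, user):
    if user == obj.owner:
        return True
    if user in obj.deny_users:       # a per-user deny overrides any group allow
        return False
    if user in obj.allow_users:
        return True
    return any(user in GROUPS.get(g, set()) for g in obj.allow_groups)

def share(obj, actor, user=None, group=None, delegate=False):
    is_owner = actor == obj.owner
    # Propagation limit: only the owner or an explicitly delegated grantor may share.
    if not is_owner and not (actor in obj.grantors and can_access(obj, actor)):
        raise PermissionError(f"{actor} may not propagate access rights")
    # Delegated grantors cannot delegate further or widen access to a group.
    if (delegate or group) and not is_owner:
        raise PermissionError("only the owner may delegate or share to groups")
    if group:
        obj.allow_groups.add(group)
    if user:
        obj.allow_users.add(user)
        if delegate:
            obj.grantors.add(user)

def exclude(obj, actor, user):
    if actor != obj.owner:
        raise PermissionError("only the owner may exclude a user")
    obj.deny_users.add(user)
    obj.grantors.discard(user)       # an excluded user loses the grant right too

def demo():
    doc = DacObject(owner="alice")
    share(doc, "alice", group="analysts")            # share with a named group
    exclude(doc, "alice", "carol")                   # exclude one group member
    share(doc, "alice", user="dave", delegate=True)  # dave may re-share
    share(doc, "dave", user="erin")                  # erin gets access only
    try:
        share(doc, "erin", user="frank")             # propagation stops here
        blocked = False
    except PermissionError:
        blocked = True
    users = ("bob", "carol", "dave", "erin", "frank")
    return {u: can_access(doc, u) for u in users}, blocked
```
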

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.2.3.3 AC-3(6) – Access Enforcement: Protection of User and System Information – WITHDRAWN: Incorporated into MP-4 and SC-28

