Joint task force transformation initiative



Date: 31.01.2017

P2 | LOW CM-10 | MOD CM-10 | HIGH CM-10



CM-11 USER-INSTALLED SOFTWARE


Control: The organization:

  1. Establishes [Assignment: organization-defined policies] governing the installation of software by users;

  2. Enforces software installation policies through [Assignment: organization-defined methods]; and

  3. Monitors policy compliance at [Assignment: organization-defined frequency].

Supplemental Guidance: If provided the necessary privileges, users have the ability to install software in organizational information systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organization-approved “app stores.” Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), or both. Related controls: AC-3, CM-2, CM-3, CM-5, CM-6, CM-7, PL-4.

Control Enhancements:

  1. user-installed software | alerts for unauthorized installations

The information system alerts [Assignment: organization-defined personnel or roles] when the unauthorized installation of software is detected.

Supplemental Guidance: Related controls: CA-7, SI-4.

  2. user-installed software | prohibit installation without privileged status

The information system prohibits user installation of software without explicit privileged status.

Supplemental Guidance: Privileged status can be obtained, for example, by serving in the role of system administrator. Related control: AC-6.

References: None.

Priority and Baseline Allocation:

P1 | LOW CM-11 | MOD CM-11 | HIGH CM-11



FAMILY: CONTINGENCY PLANNING

CP-1 CONTINGENCY PLANNING POLICY AND PROCEDURES


Control: The organization:

  1. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:

     1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

     2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and

  2. Reviews and updates the current:

     1. Contingency planning policy [Assignment: organization-defined frequency]; and

     2. Contingency planning procedures [Assignment: organization-defined frequency].

Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.

Control Enhancements: None.

References: Federal Continuity Directive 1; NIST Special Publications 800-12, 800-34, 800-100.

Priority and Baseline Allocation:

P1 | LOW CP-1 | MOD CP-1 | HIGH CP-1

