SI: System And Information Integrity
Controls
SI-1: System And Information Integrity Policy And Procedures
Baseline(s):
- Low
- Moderate
- High
The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and Reviews and…
SI-2: Flaw Remediation
Baseline(s):
- Low
- Moderate
- High
The organization: Identifies, reports, and corrects information system flaws; Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and Incorporates flaw remediation into the organizational configuration management process.
SI-3: Malicious Code Protection
Baseline(s):
- Low
- Moderate
- High
The organization: Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code; Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures; Configures malicious code protection mechanisms to: Perform periodic scans of the information system [Assignment: organization-defined frequency]…
SI-4: Information System Monitoring
Baseline(s):
- Low
- Moderate
- High
The organization: Monitors the information system to detect: Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and Unauthorized local, network, and remote connections; Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods]; Deploys monitoring devices: Strategically within the information system to collect organization-determined essential information; and…
SI-5: Security Alerts, Advisories, And Directives
Baseline(s):
- Low
- Moderate
- High
The organization: Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis; Generates internal security alerts, advisories, and directives as deemed necessary; Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]];…
SI-6: Security Function Verification
Baseline(s):
- High
The information system: Verifies the correct operation of [Assignment: organization-defined security functions]; Performs this verification [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; [Assignment: organization-defined frequency]]; Notifies [Assignment: organization-defined personnel or roles] of failed security verification tests; and [Selection (one or more): shuts the information system down;…
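One way to implement the verification SI-6 asks for is a known-answer self-test: each security function is run against a published test vector, any mismatch is reported to a notify hook, and the organization-defined failure policy (halt or degrade) is applied. This is an added example, not NIST's own code; the hashing and HMAC primitives are Python's standard library, the vectors are the published SHA-256 (FIPS 180-4) and HMAC-SHA-256 (RFC 4231) values, and the function names, the notify hook and the "halt"/"degrade" policy names are assumptions.

```python
"""Known-answer self-test of security functions (SI-6).

Added example, not from NIST SP 800-53. Vectors are the published SHA-256
(FIPS 180-4) and HMAC-SHA-256 (RFC 4231) test values; the notify hook and
the 'halt'/'degrade' policy names are assumptions.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Kat:
    name: str
    run: Callable[[], bytes]   # exercises the security function under test
    expected_hex: str          # published answer


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _hmac_sha256(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


SECURITY_FUNCTION_KATS: List[Kat] = [
    Kat("sha256/empty", lambda: _sha256(b""),
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    Kat("sha256/abc", lambda: _sha256(b"abc"),
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    Kat("hmac-sha256/rfc4231-1", lambda: _hmac_sha256(b"\x0b" * 20, b"Hi There"),
        "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
    Kat("hmac-sha256/rfc4231-2",
        lambda: _hmac_sha256(b"Jefe", b"what do ya want for nothing?"),
        "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"),
]


def run_self_tests(kats: List[Kat] = SECURITY_FUNCTION_KATS) -> Dict[str, str]:
    """Run every KAT; return {name: reason} for the ones that failed (empty means healthy)."""
    failures: Dict[str, str] = {}
    for kat in kats:
        try:
            got = kat.run().hex()
        except Exception as exc:  # a primitive that crashes has also failed verification
            failures[kat.name] = f"raised {type(exc).__name__}: {exc}"
            continue
        if not hmac.compare_digest(got, kat.expected_hex):
            failures[kat.name] = f"expected {kat.expected_hex[:16]}..., got {got[:16]}..."
    return failures


def verify_security_functions(notify: Callable[[Dict[str, str]], None],
                              on_failure: str = "halt",
                              kats: List[Kat] = SECURITY_FUNCTION_KATS) -> bool:
    """SI-6 verification step: run the KATs, notify the designated role on failure,
    then apply the failure policy. 'halt' shuts the process down (SystemExit);
    'degrade' returns False so the caller can disable the affected functions."""
    failures = run_self_tests(kats)
    if not failures:
        return True
    notify(failures)
    if on_failure == "halt":
        raise SystemExit(f"security function verification failed: {sorted(failures)}")
    return False


def broken_kat() -> Kat:
    """Simulates a corrupted primitive: wrong input paired with the real 'abc' answer."""
    return Kat("sha256/abc-corrupted", lambda: _sha256(b"abd"),
               "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad")


if __name__ == "__main__":
    print("healthy:", verify_security_functions(print))
    print("degraded:", verify_security_functions(
        print, on_failure="degrade", kats=SECURITY_FUNCTION_KATS + [broken_kat()]))
```

Run the same routine at the transitional states the organization selects (boot, after an update, on operator command, on a timer); the notify hook is where the "organization-defined personnel or roles" from the control text are wired in.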
SI-7: Software, Firmware, And Information Integrity
Baseline(s):
- Moderate
- High
The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information].
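The simplest integrity verification tool for the software and configuration part of SI-7 is a hash baseline: record a digest (plus size and mode) for every file under a root, keep the baseline where the monitored host cannot rewrite it, and diff a fresh scan against it. The following is an added example, not NIST's tooling or any particular product; the directory layout in demo() is constructed inside a temporary directory for illustration.

```python
"""Integrity verification for a software tree (SI-7).

Added example, not NIST's own tooling. Builds a SHA-256 baseline of every
regular file (and symlink target) under a root, stores it, and reports files
added, removed or modified since. The tree in demo() is constructed for
illustration and lives in a temporary directory.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def _sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, Dict]:
    """relative path -> {sha256, size, mode}. Symlinks are recorded by target name,
    not followed, so a redirected link is caught without hashing files outside root."""
    baseline: Dict[str, Dict] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            p = Path(dirpath) / name
            st = p.lstat()
            if p.is_symlink():
                digest = hashlib.sha256(os.readlink(p).encode()).hexdigest()
            else:
                digest = _sha256_file(p)
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": digest, "size": st.st_size, "mode": oct(st.st_mode & 0o7777)}
    return baseline


def compare(baseline: Dict[str, Dict], current: Dict[str, Dict]) -> Dict[str, List[str]]:
    """Classify every difference; a permission change counts as a modification too."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }


def save_baseline(baseline: Dict[str, Dict], dest: Path) -> str:
    """Write the baseline and return its digest. Keep that digest (or a signature over
    the file) somewhere the monitored host cannot write; otherwise an attacker edits both."""
    data = json.dumps(baseline, sort_keys=True, indent=1).encode()
    dest.write_bytes(data)
    return hashlib.sha256(data).hexdigest()


def load_baseline(src: Path, expected_sha256: str) -> Dict[str, Dict]:
    data = src.read_bytes()
    if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_sha256):
        raise ValueError("baseline file does not match its recorded digest")
    return json.loads(data)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small tree, then apply four unauthorized changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "app"
        (root / "bin").mkdir(parents=True)
        (root / "etc").mkdir()
        (root / "bin" / "server").write_bytes(b"\x7fELF original binary")
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "etc" / "keep.txt").write_text("unchanged\n")
        baseline_path = Path(tmp) / "baseline.json"
        digest = save_baseline(build_baseline(root), baseline_path)

        (root / "bin" / "server").write_bytes(b"\x7fELF trojaned binary!")  # replaced
        (root / "etc" / "app.conf").write_text("debug=true\n")              # edited
        (root / "etc" / "keep.txt").unlink()                                 # deleted
        (root / "bin" / "dropper.sh").write_text("#!/bin/sh\n")             # planted

        return compare(load_baseline(baseline_path, digest), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Firmware verification works the same way against an image the vendor signed rather than a self-made baseline; for a hash-only baseline the digest returned by save_baseline is the trust anchor and must be stored off-host or signed, since a file-level hash detects only changes made after the baseline was taken.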
SI-8: Spam Protection
Baseline(s):
- Moderate
- High
The organization: Employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages; and Updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.
SI-10: Information Input Validation
Baseline(s):
- Moderate
- High
The information system checks the validity of [Assignment: organization-defined information inputs].
SI-11: Error Handling
Baseline(s):
- Moderate
- High
The information system: Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; and Reveals error messages only to [Assignment: organization-defined personnel or roles].
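SI-10 and SI-11 usually land in the same piece of code: the input validator decides what to reject, and the error path decides how much of that decision each audience gets to see. The added example below (not NIST's code) validates three request fields with allowlists and canonicalization, then returns a user-facing message that names the field and the rule without echoing the rejected input, while the full detail (which may contain attacker-controlled data) goes to an internal log and is shown only to a privileged role. The field rules, the role name "security-admin", the base directory /srv/files and the request shape are assumptions chosen for illustration.

```python
"""Input validation (SI-10) and safe error handling (SI-11).

Added example, not from NIST SP 800-53. The field rules, the role name
'security-admin', the base directory /srv/files and the request shape are
assumptions chosen for illustration.
"""
import re
import secrets
from pathlib import PurePosixPath
from typing import Any, Dict, List, Tuple

PRIVILEGED_ROLES = {"security-admin"}    # assumed: roles allowed to see full error detail
INTERNAL_LOG: List[Dict[str, Any]] = []  # stands in for a protected log sink


class ValidationError(ValueError):
    """Carries two messages: one safe for any caller, one for privileged roles only."""
    def __init__(self, field_name: str, public_reason: str, detail: str):
        super().__init__(detail)
        self.field_name = field_name
        self.public_reason = public_reason  # states the rule, never echoes the input
        self.detail = detail                # may echo the rejected input


USERNAME_RE = re.compile(r"[a-z][a-z0-9_.-]{2,31}")
PORT_RE = re.compile(r"[0-9]{1,5}")  # ASCII digits only; int() alone accepts ' 80' and '٨٠'


def validate_username(value: Any) -> str:
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValidationError("username", "3-32 characters: lowercase letters, digits, '_', '.', '-'",
                              f"rejected username {value!r}")
    return value


def validate_port(value: Any) -> int:
    rule = "integer between 1 and 65535"
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        raise ValidationError("port", rule, f"bad type {type(value).__name__}")
    if isinstance(value, str):
        if not PORT_RE.fullmatch(value):
            raise ValidationError("port", rule, f"non-numeric port {value!r}")
        value = int(value)
    if not 1 <= value <= 65535:
        raise ValidationError("port", rule, f"port out of range {value}")
    return value


def validate_relative_path(value: Any, base: PurePosixPath = PurePosixPath("/srv/files")) -> PurePosixPath:
    """Allow only a relative path that stays under base; reject NUL, absolute paths and '..'."""
    if not isinstance(value, str) or not value or "\x00" in value:
        raise ValidationError("path", "non-empty relative path without control characters",
                              f"bad path {value!r}")
    candidate = PurePosixPath(value)  # collapses '.' and '//' but keeps '..' visible in parts
    if candidate.is_absolute() or ".." in candidate.parts:
        raise ValidationError("path", "relative path that does not use '..'",
                              f"traversal attempt {value!r}")
    return base.joinpath(candidate)


VALIDATORS = (("username", validate_username), ("port", validate_port), ("path", validate_relative_path))


def handle_request(req: Dict[str, Any], viewer_role: str = "user") -> Tuple[int, Dict[str, Any]]:
    """Validate every field, then report errors at the level the viewer's role permits."""
    cleaned, errors = {}, []
    for name, validate in VALIDATORS:
        try:
            cleaned[name] = validate(req.get(name))
        except ValidationError as exc:
            errors.append(exc)
    if not errors:
        return 200, {"ok": True, "username": cleaned["username"],
                     "port": cleaned["port"], "path": str(cleaned["path"])}
    cid = secrets.token_hex(8)  # lets a privileged reader find the full record for a user's complaint
    INTERNAL_LOG.append({"correlation_id": cid,
                         "errors": [{"field": e.field_name, "detail": e.detail} for e in errors]})
    body = {"error": "invalid input", "correlation_id": cid,
            "fields": {e.field_name: e.public_reason for e in errors}}  # corrective guidance only
    if viewer_role in PRIVILEGED_ROLES:
        body["detail"] = INTERNAL_LOG[-1]["errors"]
    return 400, body
```

The same split applies to unexpected exceptions: catch them at the boundary, log the traceback with a correlation id, and return only the id and a generic message to ordinary callers. Validating every field before returning, rather than stopping at the first failure, gives the user the full corrective list in one round trip without leaking any more than the rules themselves.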
SI-12: Information Handling And Retention
Baseline(s):
- Low
- Moderate
- High
The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.
SI-13: Predictable Failure Prevention
Baseline(s):
- None (not selected in the Low, Moderate or High baseline)
The organization: Determines mean time to failure (MTTF) for [Assignment: organization-defined information system components] in specific environments of operation; and Provides substitute information system components and a means to exchange active and standby components at [Assignment: organization-defined MTTF substitution criteria].
SI-14: Non-Persistence
Baseline(s):
- None (not selected in the Low, Moderate or High baseline)
The organization implements non-persistent [Assignment: organization-defined information system components and services] that are initiated in a known state and terminated [Selection (one or more): upon end of session of use; periodically at [Assignment: organization-defined frequency]].
SI-15: Information Output Filtering
Baseline(s):
- None (not selected in the Low, Moderate or High baseline)
The information system validates information output from [Assignment: organization-defined software programs and/or applications] to ensure that the information is consistent with the expected content.
SI-16: Memory Protection
Baseline(s):
- Moderate
- High
The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution.
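The safeguards SI-16 has in mind are the usual pairing of non-executable data pages and address-space randomization, and a binary only benefits from them if it was built to request them. The added example below (not NIST's code) parses the ELF64 header and program headers and reports whether an image is position independent (ET_DYN, so ASLR can relocate it), asks for a non-executable stack (PT_GNU_STACK without PF_X), has no writable-and-executable load segment, and carries a RELRO segment. The two sample images are constructed byte strings containing only headers, not real programs; the field layouts are those of the ELF64 specification.

```python
"""Checking a binary for memory-protection safeguards (SI-16).

Added example, not from NIST SP 800-53. Reads the ELF64 header and program
headers; the two sample images are constructed (headers only), not real
programs. Field layouts follow the ELF64 specification.
"""
import struct
from typing import Dict, List, Tuple

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_GNU_STACK, PT_GNU_RELRO = 1, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little-endian, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr, 56 bytes


def parse_program_headers(data: bytes) -> Tuple[int, List[Tuple[int, int]]]:
    """Return (e_type, [(p_type, p_flags), ...]) for a little-endian ELF64 image."""
    if len(data) < EHDR.size or data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    fields = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]
    if e_phentsize != PHDR.size or e_phoff + e_phnum * PHDR.size > len(data):
        raise ValueError("program header table is malformed or truncated")
    headers = []
    for i in range(e_phnum):
        p_type, p_flags = PHDR.unpack_from(data, e_phoff + i * PHDR.size)[:2]
        headers.append((p_type, p_flags))
    return e_type, headers


def check_memory_protections(data: bytes) -> Dict[str, bool]:
    e_type, headers = parse_program_headers(data)
    stack_flags = [f for t, f in headers if t == PT_GNU_STACK]
    return {
        "pie": e_type == ET_DYN,
        # Without PT_GNU_STACK the x86 Linux loader falls back to an executable stack,
        # so an absent header is a failure, not an unknown.
        "nx_stack": bool(stack_flags) and not (stack_flags[0] & PF_X),
        "no_wx_segments": not any(t == PT_LOAD and f & PF_W and f & PF_X for t, f in headers),
        "relro": any(t == PT_GNU_RELRO for t, _ in headers),
    }


def missing_safeguards(data: bytes) -> List[str]:
    """Names of the checks that failed, sorted; empty means every safeguard is requested."""
    return sorted(name for name, ok in check_memory_protections(data).items() if not ok)


def build_sample_elf(e_type: int, headers: List[Tuple[int, int]]) -> bytes:
    """Constructed ELF64 image containing only the headers this check reads."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8  # class64, LE, version 1, SysV ABI
    ehdr = EHDR.pack(ident, e_type, 0x3E, 1, 0x1000, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(headers), 0, 0, 0)
    phdrs = b"".join(PHDR.pack(t, f, 0, 0, 0, 0, 0, 0x1000) for t, f in headers)
    return ehdr + phdrs


HARDENED = build_sample_elf(ET_DYN, [(PT_LOAD, PF_R | PF_X), (PT_LOAD, PF_R | PF_W),
                                     (PT_GNU_STACK, PF_R | PF_W), (PT_GNU_RELRO, PF_R)])
WEAK = build_sample_elf(ET_EXEC, [(PT_LOAD, PF_R | PF_W | PF_X),
                                  (PT_GNU_STACK, PF_R | PF_W | PF_X)])

if __name__ == "__main__":
    for label, image in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, "missing:", missing_safeguards(image) or "none")
```

On a real file, pass its bytes (for example open("/usr/bin/ls", "rb").read()) to missing_safeguards. The check only shows what the binary requests; the platform still has to honour it, so a complete SI-16 assessment also confirms that the kernel enforces NX and that ASLR is enabled (on Linux, /proc/sys/kernel/randomize_va_space).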
SI-17: Fail-Safe Procedures
Baseline(s):
- None (not selected in the Low, Moderate or High baseline)
The information system implements [Assignment: organization-defined fail-safe procedures] when [Assignment: organization-defined failure conditions occur].