PR.DS-P6: Integrity checking mechanisms are used to verify software, firmware, and information integrity

CSF v1.1 References:

Threats Addressed:

Description

[csf.tools Note: Subcategories do not have detailed descriptions.]

Note: This Privacy Framework Subcategory is identical to the Cybersecurity Framework Subcategory.

Related Controls

NIST Special Publication 800-53 Revision 5

SI-7: Software, Firmware, and Information Integrity

Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [Assignment: organization-defined software, firmware, and information]; and Take the following actions when unauthorized changes to the software, firmware, and information are detected: [Assignment: organization-defined actions].

Cloud Controls Matrix v3.0.1

AIS-03: Data Integrity

Data input and output integrity routines (i.e., reconciliation and edit checks) shall be implemented for application interfaces and databases to prevent manual or systematic processing errors, corruption of data, or misuse.

AIS-04: Data Security / Integrity

Policies and procedures shall be established and maintained in support of data security to include (confidentiality, integrity, and availability) across multiple system interfaces, jurisdictions, and business functions to prevent improper disclosure, alteration, or destruction.

DSI-03: Ecommerce Transactions

Data related to electronic commerce (ecommerce) that traverses public networks shall be appropriately classified and protected from fraudulent activity, unauthorized disclosure, or modification in such a manner to prevent contract dispute and compromise of data.

IVS-02: Change Detection

The provider shall ensure the integrity of all virtual machine images at all times. Any changes made to virtual machine images must be logged and an alert raised regardless of their running state (e.g., dormant, off, or running). The results of a change or move of an image and the subsequent validation of the image’s…

MOS-09: Device Inventory

An inventory of all mobile devices used to store and access company data shall be kept and maintained. All changes to the status of these devices (i.e., operating system and patch levels, lost or decommissioned status, and to whom the device is assigned or approved for usage (BYOD)) will be included for each device in…

Critical Security Controls Version 8

11: Data Recovery

Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.

NIST Special Publication 800-53 Revision 4

SC-16: Transmission Of Security Attributes

The information system associates [Assignment: organization-defined security attributes] with information exchanged between information systems and between system components.

Critical Security Controls Version 7.1

2: Inventory and Control of Software Assets

Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

10: Data Recovery Capabilities

The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it.

14: Controlled Access Based on the Need to Know

The processes and tools used to track/control/prevent/correct secure access to critical assets (e.g., information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets based on an approved classification.

18: Application Software Security

Manage the security life cycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.