User:Shawndouglas/sandbox/sublevel3

From LIMSWiki
Jump to navigationJump to search

SC-1 System and communications protection policy and procedures

This control recommends the organization develop, document, disseminate, review, and update system and communications protection policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of system and communications protection action but also to address how those policies and procedures will be implemented, reviewed, and updated.

Additional resources:

SC-5 Denial of service protection

This control recommends the system be capable of protecting against and limiting the damage from a denial of service (DoS) attack by using specific safeguards. The organization will typically identify what types of DoS attacks are most likely to be a risk and state its plans for safeguarding against them.

Additional resources:

  • No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)

SC-7 Boundary protection

This control recommends the system monitor and control communications at external logical boundaries and at critical internal logical boundaries. Additionally subnetworks for publicly accessible system components that are logically or physically separated from internal networks should be implemented. The system should solely depend on managed interfaces (boundary detection devices) for connecting to external networks and information systems.

Additional resources:

SC-12 Cryptographic key establishment and management

This control recommends the organization establish and manage cryptographic keys for the cryptography modules implemented within the system using organization-defined key generation, distribution, storage, access, and destruction requirements.

Additional resources:

SC-13 Cryptographic protection

This control recommends the system implement the types and uses of cryptography required for organizational security in such a way that they comply with applicable laws, regulations, and standards.

Additional resources:

SC-15 Collaborative computing devices

This control recommends the system prohibit remote activation of collaborative computing devices such as attached cameras, microphones, and networked whiteboards, unless explicitly allowed by the organization. Additional, the system should provide an explicit notification that the device is in use to users physically present at the device.

Additional resources:

SC-20 Secure name-address resolutions service and use of an authoritative source

This control recommends the system, when returning a response to external name-address resolution queries, provide additional contextual information about the origin and integrity of the data received. Additional, the system should indicate what security statuses exist for child zones and enable chain-of-trust verification among parent and child domains, particularly when operating as part of a distributed, hierarchical namespace. (Note that this control is networking-related and difficult to put into simplified terms.)

Additional resources:

SC-21 Secure name-address resolutions service and use of a recursive or caching resolver

This control recommends the system request and perform authentication and data integrity verification of the name-address resolution responses it receives. (Note that this control is networking-related and difficult to put into simplified terms.)

Additional resources:

SC-22 Architecture and provision for name-address resolution service

This control recommends the system be fault-tolerant and implement internal-external role separation if it collectively provides a name-address resolution service to the organization. (Note that this control is networking-related and difficult to put into simplified terms.)

Additional resources:

SC-28 Protection of information at rest

This control recommends the system protect the confidentiality and/or integrity of designated information at rest contained in the system. (" Information at rest refers to the state of information when it is located on storage devices as specific components of information systems.")

Additional resources:

SC-28 (1) Protection of information at rest: Cryptographic protection

This control enhancement recommends the system be capable of implementing cryptographic mechanisms to protect against the misuse and modification of specified organizational information housed in specified system components (or across the entire system).

Additional resources:

SC-39 Process isolation

This control recommends the system maintain a separate execution domain for each executing process (i.e., assign each process a separate address space) "so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process."

Additional resources: