NIST System and Information Integrity Risk Controls (si)

Policy and Procedures (si-1)

Develop, document, and disseminate to organization-defined personnel or roles:

one or more,Organization-level,Mission/business process-level,System-level system and information integrity policy that:

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;

Designate an organization-defined official to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and

Review and update the current system and information integrity:

Policy organization-defined frequency and following organization-defined events; and

Procedures organization-defined frequency and following organization-defined events.

System and information integrity policy and procedures address the controls in the SI family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and information integrity policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and information integrity policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

Flaw Remediation (si-2)

Identify, report, and correct system flaws;

Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;

Install security-relevant software and firmware updates within organization-defined time period of the release of the updates; and

Incorporate flaw remediation into the organizational configuration management process.

The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system, the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw), the organizational risk tolerance, the mission supported by the system, or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, such as when implementing simple malicious code signature updates. In testing decisions, organizations consider whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures.

Automated Flaw Remediation Status (si-2.2)

Malicious Code Protection (si-3)

Implement one or more,signature based,non-signature based malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;

Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;

Configure malicious code protection mechanisms to:

Perform periodic scans of the system organization-defined frequency and real-time scans of files from external sources at one or more,endpoint,network entry and exit points as the files are downloaded, opened, or executed in accordance with organizational policy; and

one or more,block malicious code,quarantine malicious code,take organization-defined action ; and send alert to organization-defined personnel or roles in response to malicious code detection; and

Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.

System entry and exit points include firewalls, remote access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Malicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do not yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing the execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software as well as custom-built software and could include logic bombs, backdoors, and other types of attacks that could affect organizational mission and business functions. In situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine that, in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, the detection of malicious downloads, or the detection of maliciousness when attempting to open or execute files.

System Monitoring (si-4)

Monitor the system to detect:

Attacks and indicators of potential attacks in accordance with the following monitoring objectives: organization-defined monitoring objectives; and

Unauthorized local, network, and remote connections;

Identify unauthorized use of the system through the following techniques and methods: organization-defined techniques and methods;

Invoke internal monitoring capabilities or deploy monitoring devices:

Strategically within the system to collect organization-determined essential information; and

At ad hoc locations within the system to track specific types of transactions of interest to the organization;

Analyze detected events and anomalies;

Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;

Obtain legal opinion regarding system monitoring activities; and

Provide organization-defined system monitoring information to organization-defined personnel or roles one or more,as needed, organization-defined frequency .

System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capabilities are achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software. Depending on the security architecture, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries as well as at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms that support critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls #sc-7(#sc-7) and #ac-17(#ac-17). The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs, and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-17(1)](#ac-17.1), #au-13(#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b)). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

Automated Tools and Mechanisms for Real-time Analysis (si-4.2)

Inbound and Outbound Communications Traffic (si-4.4)

System-generated Alerts (si-4.5)

Security Alerts, Advisories, and Directives (si-5)

Receive system security alerts, advisories, and directives from organization-defined external organizations on an ongoing basis;

Generate internal security alerts, advisories, and directives as deemed necessary;

Disseminate security alerts, advisories, and directives to: one or more, organization-defined personnel or roles , organization-defined elements within the organization , organization-defined external organizations ; and

Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance.

The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the Federal Government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential (immediate) adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include supply chain partners, external mission or business partners, external service providers, and other peer or supporting organizations.

Software, Firmware, and Information Integrity (si-7)

Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: organization-defined software, firmware, and information; and

Take the following actions when unauthorized changes to the software, firmware, and information are detected: organization-defined actions.

Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity. Software includes operating systems (with key internal components, such as kernels or drivers), middleware, and applications. Firmware interfaces include Unified Extensible Firmware Interface (UEFI) and Basic Input/Output System (BIOS). Information includes personally identifiable information and metadata that contains security and privacy attributes associated with information. Integrity-checking mechanisms?including parity checks, cyclical redundancy checks, cryptographic hashes, and associated tools?can automatically monitor the integrity of systems and hosted applications.

Integrity Checks (si-7.1)

Integration of Detection and Response (si-7.7)

Spam Protection (si-8)

Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and

Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.

System entry and exit points include firewalls, remote-access servers, electronic mail servers, web servers, proxy servers, workstations, notebook computers, and mobile devices. Spam can be transported by different means, including email, email attachments, and web accesses. Spam protection mechanisms include signature definitions.

Automatic Updates (si-8.2)

Information Input Validation (si-10)

Check the validity of the following information inputs: organization-defined information inputs to the system.

Checking the valid syntax and semantics of system inputs?including character set, length, numerical range, and acceptable values?verifies that inputs match specified definitions for format and content. For example, if the organization specifies that numerical values between 1-100 are the only acceptable inputs for a field in a given application, inputs of "387," "abc," or "%K%" are invalid inputs and are not accepted as input to the system. Valid inputs are likely to vary from field to field within a software application. Applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the corrupted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing them to interpreters prevents the content from being unintentionally interpreted as commands. Input validation ensures accurate and correct inputs and prevents attacks such as cross-site scripting and a variety of injection attacks.

Error Handling (si-11)

Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and

Reveal error messages only to organization-defined personnel or roles.

Organizations consider the structure and content of error messages. The extent to which systems can handle error conditions is guided and informed by organizational policy and operational requirements. Exploitable information includes stack traces and implementation details; erroneous logon attempts with passwords mistakenly entered as the username; mission or business information that can be derived from, if not stated explicitly by, the information recorded; and personally identifiable information, such as account numbers, social security numbers, and credit card numbers. Error messages may also provide a covert channel for transmitting information.

Information Management and Retention (si-12)

Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements.

Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, reports, data output from control implementation, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention and schedules. If organizations have a records management office, consider coordinating with records management personnel. Records produced from the output of implemented controls that may require management and retention include, but are not limited to: All XX-1, [AC-6(9)](#ac-6.9), #at-4(#at-4), #au-12(#au-12), #ca-2(#ca-2), #ca-3(#ca-3), #ca-5(#ca-5), #ca-6(#ca-6), #ca-7(#ca-7), #ca-8(#ca-8), #ca-9(#ca-9), #cm-2(#cm-2), #cm-3(#cm-3), #cm-4(#cm-4), #cm-6(#cm-6), #cm-8(#cm-8), #cm-9(#cm-9), #cm-12(#cm-12), #cm-13(#cm-13), #cp-2(#cp-2), #ir-6(#ir-6), #ir-8(#ir-8), #ma-2(#ma-2), #ma-4(#ma-4), #pe-2(#pe-2), #pe-8(#pe-8), #pe-16(#pe-16), #pe-17(#pe-17), #pl-2(#pl-2), #pl-4(#pl-4), #pl-7(#pl-7), #pl-8(#pl-8), #pm-5(#pm-5), #pm-8(#pm-8), #pm-9(#pm-9), #pm-18(#pm-18), #pm-21(#pm-21), #pm-27(#pm-27), #pm-28(#pm-28), #pm-30(#pm-30), #pm-31(#pm-31), #ps-2(#ps-2), #ps-6(#ps-6), #ps-7(#ps-7), #pt-2(#pt-2), #pt-3(#pt-3), #pt-7(#pt-7), #ra-2(#ra-2), #ra-3(#ra-3), #ra-5(#ra-5), #ra-8(#ra-8), #sa-4(#sa-4), #sa-5(#sa-5), #sa-8(#sa-8), #sa-10(#sa-10), #si-4(#si-4), #sr-2(#sr-2), #sr-4(#sr-4), #sr-8(#sr-8).

Memory Protection (si-16)

Implement the following controls to protect the system memory from unauthorized code execution: organization-defined controls.

Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Controls employed to protect memory include data execution prevention and address space layout randomization. Data execution prevention controls can either be hardware-enforced or software-enforced with hardware enforcement providing the greater strength of mechanism.

Free security assessment Application