ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance

AC-4(19) INFORMATION FLOW ENFORCEMENT  |  VALIDATION OF METADATA

Applicable: (Y)es / (N)o
(C)onfidentiality: L1 / M2 / H3
(I)ntegrity: L1 / M2 / H3
(A)vailability: L1 / M2 / H3
RPN: (C+I+A)
(S)atisfactory / (O)ther than satisfactory

ac-4(19)

information flow enforcement | validation of metadata

 

assessment objective:

Determine if the information system, when transferring information between different security domains, applies the same security policy filtering to metadata as it applies to data payloads.

potential assessment methods and objects:

Examine: [select from: Information flow enforcement policy; information flow control policies; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; list of security policy filtering criteria applied to metadata and data payloads; information system audit records; other relevant documents or records].

Interview: [select from: Organizational personnel with information flow enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers].

Test: [select from: Automated mechanisms implementing information flow enforcement functions].

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056