ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance

CM-7(2) LEAST FUNCTIONALITY  |  PREVENT PROGRAM EXECUTION

Applicable: (Y)es / (N)o

(C)onfidentiality: L1 / M2 / H3

(I)ntegrity: L1 / M2 / H3

(A)vailability: L1 / M2 / H3

RPN (C+I+A)

(S)atisfactory / (O)ther than satisfactory +##

###

Assessment objective:

Determine if:

CM-7(2)[1]: the organization defines policies regarding software program usage and restrictions;

CM-7(2)[2]: the information system prevents program execution in accordance with one or more of the following:

CM-7(2)[2][a]: organization-defined policies regarding program usage and restrictions; and/or

CM-7(2)[2][b]: rules authorizing the terms and conditions of software program usage.

Potential assessment methods and objects:

Examine: [select from: Configuration management policy; procedures addressing least functionality in the information system; configuration management plan; security plan; information system design documentation; specifications for preventing software program execution; information system configuration settings and associated documentation; change control records; information system audit records; other relevant documents or records].

Interview: [select from: Organizational personnel with information security responsibilities; system/network administrators; system developers].

Test: [select from: Organizational processes preventing program execution on the information system; organizational processes for software program usage and restrictions; automated mechanisms preventing program execution on the information system; automated mechanisms supporting and/or implementing software program usage and restrictions].

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056