| Applicable (Y)es / (N)o | (C)onfidentiality (L1 / M2 / H3) | (I)ntegrity (L1 / M2 / H3) | (A)vailability (L1 / M2 / H3) | RPN (C+I+A) | (S)atisfactory / (O)ther than satisfactory |
|---|---|---|---|---|---|
| | | | | | |

### CM-10: Software Usage Restrictions

Assessment objective: Determine if the organization:

- CM-10(a): uses software and associated documentation in accordance with contract agreements and copyright laws;
- CM-10(b): tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
- CM-10(c): controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

Potential assessment methods and objects:

- Examine: [select from: Configuration management policy; procedures addressing software usage restrictions; configuration management plan; security plan; software contract agreements and copyright laws; site license documentation; list of software usage restrictions; software license tracking reports; other relevant documents or records].
- Interview: [select from: Organizational personnel with information security responsibilities; system/network administrators; organizational personnel operating, using, and/or maintaining the information system; organizational personnel with software license management responsibilities].
- Test: [select from: Organizational process for tracking the use of software protected by quantity licenses; organizational process for controlling/documenting the use of peer-to-peer file sharing technology; automated mechanisms implementing software license tracking; automated mechanisms implementing and controlling the use of peer-to-peer file sharing technology].