Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

ma-4(4)

nonlocal maintenance  | authentication / separation of maintenance sessions

assessment objective:

Determine if the organization protects nonlocal maintenance sessions by:

ma-4(4)(a)  

ma-4(4)(a)[1]

defining replay resistant authenticators to be employed to protect nonlocal maintenance sessions;

ma-4(4)(a)[2]

employing organization-defined authenticators that are replay resistant;

ma-4(4)(b)

separating the maintenance sessions from other network sessions with the information system by either:

ma-4(4)(b)(1)

physically separated communications paths; or

ma-4(4)(b)(2)

logically separated communications paths based upon encryption.

potential assessment methods and objects:

Examine: [select from: Information system maintenance policy; procedures addressing nonlocal information system maintenance; information system design documentation; information system configuration settings and associated documentation; maintenance records; audit records; other relevant documents or records].

Interview: [select from: Organizational personnel with information system maintenance responsibilities; network engineers; organizational personnel with information security responsibilities; system/network administrators].

Test: [select from: Organizational processes for protecting nonlocal maintenance sessions; automated mechanisms implementing replay resistant authenticators; automated mechanisms implementing logically separated/encrypted communications paths].