ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance

PL-4 RULES OF BEHAVIOR

Assessment worksheet for PL-4 Rules of Behavior (blank; the values are entered during the assessment):

  Applicable:         (Y)es / (N)o
  (C)onfidentiality:  L1 / M2 / H3
  (I)ntegrity:        L1 / M2 / H3
  (A)vailability:     L1 / M2 / H3
  RPN:                (C+I+A)  ###
  Result:             (S)atisfactory / (O)ther than satisfactory +##


Assessment objective:

Determine if the organization:

PL-4(a)
  PL-4(a)[1]  establishes, for individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;
  PL-4(a)[2]  makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;

PL-4(b)  receives a signed acknowledgement from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;

PL-4(c)
  PL-4(c)[1]  defines the frequency to review and update the rules of behavior;
  PL-4(c)[2]  reviews and updates the rules of behavior with the organization-defined frequency; and

PL-4(d)  requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated.
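As an added illustration (not part of the ABCI page or the NIST text), the following Python models the PL-4(b), PL-4(c)[2] and PL-4(d) checks over constructed acknowledgement records: access is authorized only against a valid signed acknowledgement of the current revision, individuals who signed an earlier revision are listed for re-signing, and a review older than the organization-defined frequency is flagged. The 365-day frequency, the version numbers, user names and dates are assumed sample values.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class RulesOfBehavior:
    version: str
    effective: date      # date this revision was issued
    last_reviewed: date  # date of the most recent PL-4(c)[2] review

@dataclass(frozen=True)
class Acknowledgement:
    user: str
    version: str         # revision the individual signed
    signed_on: date

# PL-4(c)[1]: organization-defined review frequency; 365 days is an assumed value.
REVIEW_FREQUENCY = timedelta(days=365)

def _valid_current(a, rob):
    # An acknowledgement counts only for the current revision and only if it was
    # signed on or after that revision took effect.
    return a.version == rob.version and a.signed_on >= rob.effective

def access_authorized(user, acks, rob):
    """PL-4(b)/(d): authorize only on a valid acknowledgement of the current revision."""
    return any(a.user == user and _valid_current(a, rob) for a in acks)

def users_needing_resign(users, acks, rob):
    """PL-4(d): individuals with an earlier acknowledgement but no valid current one."""
    signed_current = {a.user for a in acks if _valid_current(a, rob)}
    signed_any = {a.user for a in acks}
    return sorted(u for u in users if u in signed_any and u not in signed_current)

def review_overdue(rob, today):
    """PL-4(c)[2]: overdue when the last review is older than the defined frequency."""
    return today - rob.last_reviewed > REVIEW_FREQUENCY

# Constructed sample records; none of these values come from the page.
ROB_V2 = RulesOfBehavior("2.0", date(2024, 3, 1), date(2024, 3, 1))
ACKS = [
    Acknowledgement("alice", "1.0", date(2023, 1, 15)),
    Acknowledgement("alice", "2.0", date(2024, 3, 5)),   # re-signed after the revision
    Acknowledgement("bob", "1.0", date(2023, 2, 1)),     # signed only the previous revision
    Acknowledgement("dave", "2.0", date(2024, 2, 20)),   # dated before v2.0 took effect
]
USERS = ["alice", "bob", "carol", "dave"]   # carol has never signed anything
```

Running `access_authorized` over `USERS` authorizes only alice; bob and dave appear in the re-sign list, while carol, who has no acknowledgement on file, must sign for the first time before access is authorized.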

Potential assessment methods and objects:

Examine: [select from: Security planning policy; procedures addressing rules of behavior for information system users; rules of behavior; signed acknowledgements; records for rules of behavior reviews and updates; other relevant documents or records].

Interview: [select from: Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior; organizational personnel who are authorized users of the information system and have signed and re-signed rules of behavior; organizational personnel with information security responsibilities].

Test: [select from: Organizational processes for establishing, reviewing, disseminating, and updating rules of behavior; automated mechanisms supporting and/or implementing the establishment, review, dissemination, and update of rules of behavior].

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056