Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

ra-5(5)

vulnerability scanning  | privileged access

assessment objective:

Determine if:

ra-5(5)[1]

the organization defines information system components to which privileged access is authorized for selected vulnerability scanning activities;

ra-5(5)[2]

the organization defines vulnerability scanning activities selected for privileged access authorization to organization-defined information system components; and

ra-5(5)[3]

the information system implements privileged access authorization to organization-defined information system components for selected organization-defined vulnerability scanning activities.

potential assessment methods and objects:

Examine: [select from: Risk assessment policy; procedures addressing vulnerability scanning; security plan; information system design documentation; information system configuration settings and associated documentation; list of information system components for vulnerability scanning; personnel access authorization list; authorization credentials; access authorization records; other relevant documents or records].

Interview: [select from: Organizational personnel with vulnerability scanning responsibilities; system/network administrators; organizational personnel responsible for access control to the information system; organizational personnel responsible for configuration management of the information system; system developers; organizational personnel with information security responsibilities].

Test: [select from: Organizational processes for vulnerability scanning; organizational processes for access control; automated mechanisms supporting and/or implementing access control; automated mechanisms/tools supporting and/or implementing vulnerability scanning].