Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

sa-18(2)

tamper resistance and detection  | inspection of information systems, components, or devices

assessment objective:

Determine if the organization:

sa-18(2)[1]

defines information systems, system components, or devices to be inspected to detect tampering;

sa-18(2)[2]

defines the frequency to inspect organization-defined information systems, system components, or devices to detect tampering;

sa-18(2)[3]

defines indications of need for inspection of organization-defined information systems, system components, or devices to detect tampering;

sa-18(2)[4]

inspects organization-defined information systems, system components, or devices to detect tampering, selecting one or more of the following:

sa-18(2)[4][a]

at random;

sa-18(2)[4][b]

with the organization-defined frequency; and/or

sa-18(2)[4][c]

upon organization-defined indications of need for inspection.

potential assessment methods and objects:

Examine: [select from: System and services acquisition policy; procedures addressing tamper resistance and detection; records of random inspections; inspection reports/results; assessment reports/results; other relevant documents or records].

Interview: [select from: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with responsibility for the tamper protection program].

Test: [select from: Organizational processes for inspecting information systems, system components, or devices to detect tampering; automated mechanisms supporting and/or implementing tampering detection].