Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

sc-18(4)

mobile code  | prevent automatic execution

assessment objective:

Determine if:

sc-18(4)[1]

the organization defines software applications in which the automatic execution of mobile code is to be prohibited;

sc-18(4)[2]

the organization defines actions to be enforced by the information system prior to executing mobile code;

sc-18(4)[3]

the information system prevents the automatic execution of mobile code in the organization-defined software applications; and

sc-18(4)[4]

the information system enforces organization-defined actions prior to executing the code.

potential assessment methods and objects:

Examine: [select from: System and communications protection policy; procedures addressing mobile code; mobile code usage restrictions; mobile code implementation policy and procedures; information system design documentation; information system configuration settings and associated documentation; list of software applications for which automatic execution of mobile code must be prohibited; list of actions required before execution of mobile code; other relevant documents or records].

Interview: [select from: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with responsibilities for managing mobile code].

Test: [select from: Automated mechanisms preventing automatic execution of unacceptable mobile code; automated mechanisms enforcing actions to be taken prior to the execution of the mobile code].