Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

sc-32

information system partitioning

assessment objective:

Determine if the organization:

sc-32[1]

defines circumstances for physical separation of information system components into information system partitions;

sc-32[2]

defines information system components to reside in separate physical domains or environments based on organization-defined circumstances for physical separation of components; and

sc-32[3]

partitions the information system into organization-defined information system components residing in separate physical domains or environments based on organization-defined circumstances for physical separation of components.

potential assessment methods and objects:

Examine: [select from: System and communications protection policy; procedures addressing information system partitioning; information system design documentation; information system configuration settings and associated documentation; information system architecture; list of information system physical domains (or environments); information system facility diagrams; information system network diagrams; other relevant documents or records].

Interview: [select from: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; information system developers/integrators].

Test: [select from: Automated mechanisms supporting and/or implementing physical separation of information system components].