
ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance

Assessment worksheet legend:

Applicable: (Y)es / (N)o
(C)onfidentiality: L1 / M2 / H3
(I)ntegrity: L1 / M2 / H3
(A)vailability: L1 / M2 / H3
RPN: (C+I+A)
Result: (S)atisfactory / (O)ther than satisfactory +##


SC-37

Out-of-Band Channels

Assessment objective:

Determine if the organization:

SC-37[1]: defines out-of-band channels to be employed for the physical delivery or electronic transmission of information, information system components, or devices to individuals or information systems;

SC-37[2]: defines information, information system components, or devices for which physical delivery or electronic transmission of such information, information system components, or devices to individuals or information systems requires employment of organization-defined out-of-band channels;

SC-37[3]: defines individuals or information systems to which physical delivery or electronic transmission of organization-defined information, information system components, or devices is to be achieved via employment of organization-defined out-of-band channels; and

SC-37[4]: employs organization-defined out-of-band channels for the physical delivery or electronic transmission of organization-defined information, information system components, or devices to organization-defined individuals or information systems.

Potential assessment methods and objects:

Examine: [select from: System and communications protection policy; procedures addressing use of out-of-band channels; access control policy and procedures; identification and authentication policy and procedures; information system design documentation; information system architecture; information system configuration settings and associated documentation; list of out-of-band channels; types of information, information system components, or devices requiring use of out-of-band channels for physical delivery or electronic transmission to authorized individuals or information systems; physical delivery records; electronic transmission records; information system audit records; other relevant documents or records].

Interview: [select from: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel authorizing, installing, configuring, operating, and/or using out-of-band channels; information system developers/integrators].

Test: [select from: Organizational processes for use of out-of-band channels; automated mechanisms supporting and/or implementing use of out-of-band channels].

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056