Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

sc-37(1)

out-of-band channels    |   ensure delivery / transmission

assessment objective:

Determine if the organization:

sc-37(1)[1]

defines security safeguards to be employed to ensure that only designated individuals or information systems receive specific information, information system components, or devices;

sc-37(1)[2]

defines individuals or information systems designated to receive specific information, information system components, or devices;

sc-37(1)[3]

defines information, information system components, or devices that only organization-defined individuals or information systems are designated to receive; and

sc-37(1)[4]

employs organization-defined security safeguards to ensure that only organization-defined individuals or information systems receive the organization-defined information, information system components, or devices.

potential assessment methods and objects:

Examine: [SELECT FROM: System and communications protection policy; procedures addressing use of out-of-band channels; access control policy and procedures; identification and authentication policy and procedures; information system design documentation; information system architecture; information system configuration settings and associated documentation; list of security safeguards to be employed to ensure designated individuals or information systems receive organization-defined information, information system components, or devices; list of security safeguards for delivering designated information, information system components, or devices to designated individuals or information systems; list of information, information system components, or devices to be delivered to designated individuals or information systems; information system audit records; other relevant documents or records].

Interview: [select from: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel authorizing, installing, configuring, operating, and/or using out-of-band channels; information system developers/integrators].

Test: [select from: Organizational processes for use of out-of-band channels; automated mechanisms supporting and/or implementing use of out-of-band channels; automated mechanisms supporting/implementing safeguards to ensure delivery of designated information, system components, or devices].