Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

sc-41

port and i/o device access

assessment objective:

Determine if the organization:

sc-41[1]

defines connection ports or input/output devices to be physically disabled or removed on information systems or information system components;

sc-41[2]

defines information systems or information system components with organization-defined connection ports or input/output devices that are to be physically disabled or removed; and

sc-41[3]

physically disables or removes organization-defined connection ports or input/output devices on organization-defined information systems or information system components.

potential assessment methods and objects:

Examine: [SELECT FROM: System and communications protection policy; access control policy and procedures; procedures addressing port and input/output device access; information system design documentation; information system configuration settings and associated documentation; information system architecture; information systems or information system components list of connection ports or input/output devices to be physically disabled or removed on information systems or information system components; other relevant documents or records].

Interview: [select from: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system].

Test: [select from: Automated mechanisms supporting and/or implementing disabling of connection ports or input/output devices].