Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

sc-42

sensor capability and data

assessment objective:

Determine if:

sc-42(a)

sc-42(a)[1]

the organization defines exceptions where remote activation of sensors is to be allowed;

sc-42(a)[2]

the information system prohibits the remote activation of sensors, except for organization-defined exceptions where remote activation of sensors is to be allowed;

sc-42(b)

sc-42(b)[1]

the organization defines the class of users to whom an explicit indication of sensor use is to be provided; and

sc-42(b)[2]

the information system provides an explicit indication of sensor use to the organization-defined class of users.

potential assessment methods and objects:

Examine: [select from: System and communications protection policy; procedures addressing sensor capability and data collection; access control policy and procedures; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Interview: [select from: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for sensor capability].

Test: [select from: Automated mechanisms implementing access controls for remote activation of information system sensor capabilities; automated mechanisms implementing capability to indicate sensor use].