Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

sc-42(2)

sensor capability and data  | authorized use

assessment objective:

Determine if the organization:

sc-42(2)[1]

defines measures to be employed so that data or information collected by sensors is only used for authorized purposes;

sc-42(2)[2]

defines sensors to be used to collect data or information for authorized purposes only; and

sc-42(2)[3]

employs organization-defined measures so that data or information collected by organization-defined sensors is only used for authorized purposes.

potential assessment methods and objects:

Examine: [SELECT FROM: System and communications protection policy; access control policy and procedures; sensor capability and data collection; information system design documentation; information system configuration settings and associated documentation; information system architecture; list of measures to be employed to ensure data or information collected by sensors is only used for authorized purposes; information system audit records; other relevant documents or records].

Interview: [select from: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for sensor capability].

Test: [select from: Automated mechanisms supporting and/or implementing measures to ensure sensor information is only used for authorized purposes; sensor information collection capability for the information system].