Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

sc-42(3)

sensor capability and data  | prohibit use of devices

assessment objective:

Determine if the organization:

sc-42(3)[1]

defines environmental sensing capabilities to be prohibited from use in facilities, areas, or systems;

sc-42(3)[2]

defines facilities, areas, or systems where the use of devices possessing organization-defined environmental sensing capabilities is to be prohibited; and

sc-42(3)[3]

prohibits the use of devices possessing organization-defined environmental sensing capabilities in organization-defined facilities, areas, or systems.

potential assessment methods and objects:

Examine: [SELECT FROM: System and communications protection policy; access control policy and procedures; procedures addressing sensor capability and data collection; information system design documentation; wireless network diagrams; information system configuration settings and associated documentation; information system architecture; facilities, areas, or systems where use of devices possessing environmental sensing capabilities is prohibited; list of devices possessing environmental sensing capabilities; other relevant documents or records].

Interview: [select from: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for sensor capability].