Guidance for NIST 800-171 Assessment & Compliance

Zoom Window Out
Larger Text | Smaller Text
Hide Page Header
Show Expanding Text
Printable Version
Save Permalink URL

Navigation: SI-FAMILY: SYSTEM AND INFORMATION INTEGRITY

SI-2 FLAW REMEDIATION

Scroll Prev Top Next More

Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

(O)ther than satisfactory +##

###

si-2	flaw remediation
	assessment objective: Determine if the organization:
	si-2(a)	si-2(a)[1]	identifies information system flaws;
		si-2(a)[2]	reports information system flaws;
		si-2(a)[3]	corrects information system flaws;
	si-2(b)	si-2(b)[1]	tests software updates related to flaw remediation for effectiveness and potential side effects before installation;
	si-2(b)	si-2(b)[2]	tests firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
	si-2(c)	si-2(c)[1]	defines the time period within which to install security-relevant software updates after the release of the updates;
		si-2(c)[2]	defines the time period within which to install security-relevant firmware updates after the release of the updates;
		si-2(c)[3]	installs software updates within the organization-defined time period of the release of the updates;
		si-2(c)[4]	installs firmware updates within the organization-defined time period of the release of the updates; and
	si-2(d)	incorporates flaw remediation into the organizational configuration management process.
	potential assessment methods and objects: Examine: [select from: System and information integrity policy; procedures addressing flaw remediation; procedures addressing configuration management; list of flaws and vulnerabilities potentially affecting the information system; list of recent security flaw remediation actions performed on the information system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct information system flaws); test results from the installation of software and firmware updates to correct information system flaws; installation/change control records for security-relevant software and firmware updates; other relevant documents or records]. Interview: [select from: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for flaw remediation; organizational personnel with configuration management responsibility]. Test: [select from: Organizational processes for identifying, reporting, and correcting information system flaws; organizational process for installing software and firmware updates; automated mechanisms supporting and/or implementing reporting, and correcting information system flaws; automated mechanisms supporting and/or implementing testing software and firmware updates].

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056