Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

si-5

security alerts, advisories, and directives

assessment objective:

Determine if the organization:

si-5(a)    

si-5(a)[1]

defines external organizations from whom information system security alerts, advisories and directives are to be received;

si-5(a)[2]

receives information system security alerts, advisories, and directives from organization-defined external organizations on an ongoing basis;

si-5(b)

generates internal security alerts, advisories, and directives as deemed necessary;

si-5(c)

si-5(c)[1]

defines personnel or roles to whom security alerts, advisories, and directives are to be provided;

si-5(c)[2]

defines elements within the organization to whom security alerts, advisories, and directives are to be provided;

si-5(c)[3]

defines external organizations to whom security alerts, advisories, and directives are to be provided;

si-5(c)[4]

disseminates security alerts, advisories, and directives to one or more of the following:

si-5(c)[4][a]

organization-defined personnel or roles;

si-5(c)[4][b]

organization-defined elements within the organization; and/or

si-5(c)[4][c]

organization-defined external organizations; and

si-5(d)

si-5(d)[1]

implements security directives in accordance with established time frames; or

si-5(d)[2]

notifies the issuing organization of the degree of noncompliance.

potential assessment methods and objects:

Examine: [select from: System and information integrity policy; procedures addressing security alerts, advisories, and directives; records of security alerts and advisories; other relevant documents or records].

Interview: [select from: Organizational personnel with security alert and advisory responsibilities; organizational personnel implementing, operating, maintaining, and using the information system; organizational personnel, organizational elements, and/or external organizations to whom alerts, advisories, and directives are to be disseminated; system/network administrators; organizational personnel with information security responsibilities].

Test: [select from: Organizational processes for defining, receiving, generating, disseminating, and complying with security alerts, advisories, and directives; automated mechanisms supporting and/or implementing definition, receipt, generation, and dissemination of security alerts, advisories, and directives; automated mechanisms supporting and/or implementing security directives].