Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

si-7(1)

software, firmware, and information integrity  | integrity checks

assessment objective:

Determine if:

si-7(1)[1]

the organization defines:

si-7(1)[1][a]

software requiring integrity checks to be performed;

si-7(1)[1][b]

firmware requiring integrity checks to be performed;

si-7(1)[1][c]

information requiring integrity checks to be performed;

si-7(1)[2]

the organization defines transitional states or security-relevant events requiring integrity checks of organization-defined:

si-7(1)[2][a]

software;

si-7(1)[2][b]

firmware;

si-7(1)[2][c]

information;

si-7(1)[3]

the organization defines a frequency with which to perform an integrity check of organization-defined:

si-7(1)[3][a]

software;

si-7(1)[3][b]

firmware;

si-7(1)[3][c]

information;

si-7(1)[4]

the information system performs an integrity check of organization-defined software, firmware, and information one or more of the following:

si-7(1)[4][a]

at startup;

si-7(1)[4][b]

at organization-defined transitional states or security-relevant events; and/or

si-7(1)[4][c]

with the organization-defined frequency.

potential assessment methods and objects:

Examine: [select from: System and information integrity policy; procedures addressing software, firmware, and information integrity; information system design documentation; information system configuration settings and associated documentation; integrity verification tools and associated documentation; records of integrity scans; other relevant documents or records].

Interview: [select from: Organizational personnel with responsibility for software, firmware, and/or information integrity; organizational personnel with information security responsibilities; system/network administrators; system developer].

Test: [select from: Software, firmware, and information integrity verification tools].