Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

si-10(1)

information input validation  | manual override capability

assessment objective:

Determine if:

si-10(1)(a)

si-10(1)(a)[1]

the organization defines information inputs for which the information system provides a manual override capability for input validation;

si-10(1)(a)[2]

the information system provides a manual override capability for input validation of organization-defined inputs;

si-10(1)(b)

si-10(1)(b)[1]

the organization defines authorized individuals who can use the manual override capability;

si-10(1)(b)[2]

the information system restricts the use of manual override capability to organization-defined authorized individuals; and

si-10(1)(c)

the information system audits the use of the manual override capability.

potential assessment methods and objects:

Examine: [select from: System and information integrity policy; access control policy and procedures; separation of duties policy and procedures; procedures addressing information input validation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Interview: [select from: Organizational personnel with responsibility for information input validation; organizational personnel with information security responsibilities; system/network administrators; system developer].

Test: [select from: Organizational processes for use of manual override capability; automated mechanisms supporting and/or implementing manual override capability for input validation; automated mechanisms supporting and/or implementing auditing of the use of manual override capability].