Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

si-14

non-persistence

assessment objective:

Determine if the organization:

si-14[1]    

defines non-persistent information system components and services to be implemented;

si-14[2]

si-14[2][a]

defines a frequency to terminate non-persistent organization-defined components and services that are initiated in a known state;

si-14[2][b]

implements non-persistent organization-defined information system components and services that are initiated in a known state and terminated one or more of the following:

si-14[2][b][1]

upon end of session of use; and/or

si-14[2][b][2]

periodically at the organization-defined frequency.

potential assessment methods and objects:

Examine: [select from: System and information integrity policy; procedures addressing non-persistence for information system components; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Interview: [select from: Organizational personnel with responsibility for non-persistence; organizational personnel with information security responsibilities; system/network administrators; system developer].

Test: [select from: Automated mechanisms supporting and/or implementing initiation and termination of non-persistent components].