ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance

Applicable: (Y)es / (N)o

(C)onfidentiality: L1 / M2 / H3

(I)ntegrity: L1 / M2 / H3

(A)vailability: L1 / M2 / H3

RPN: (C+I+A)

(S)atisfactory / (O)ther than satisfactory +##

sc-18

mobile code

assessment objective:

Determine if the organization:

sc-18(a): defines acceptable and unacceptable mobile code and mobile code technologies;

sc-18(b)

sc-18(b)[1]: establishes usage restrictions for acceptable mobile code and mobile code technologies;

sc-18(b)[2]: establishes implementation guidance for acceptable mobile code and mobile code technologies;

sc-18(c)

sc-18(c)[1]: authorizes the use of mobile code within the information system;

sc-18(c)[2]: monitors the use of mobile code within the information system; and

sc-18(c)[3]: controls the use of mobile code within the information system.

potential assessment methods and objects:

Examine: [select from: System and communications protection policy; procedures addressing mobile code; mobile code usage restrictions, mobile code implementation policy and procedures; list of acceptable mobile code and mobile code technologies; list of unacceptable mobile code and mobile technologies; authorization records; information system monitoring records; information system audit records; other relevant documents or records].

Interview: [select from: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with responsibilities for managing mobile code].

Test: [select from: Organizational process for controlling, authorizing, monitoring, and restricting mobile code; automated mechanisms supporting and/or implementing the management of mobile code; automated mechanisms supporting and/or implementing the monitoring of mobile code].
