

FAMILY: System and Services Acquisition
CLASS: Management


The organization:

a. Obtains, protects as required, and makes available to authorized personnel, administrator documentation for the information system that describes:

- Secure configuration, installation, and operation of the information system;

- Effective use and maintenance of security features/functions; and

- Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions; and

b. Obtains, protects as required, and makes available to authorized personnel, user documentation for the information system that describes:

- User-accessible security features/functions and how to effectively use those security features/functions;

- Methods for user interaction with the information system, which enables individuals to use the system in a more secure manner; and

- User responsibilities in maintaining the security of the information and information system; and

c. Documents attempts to obtain information system documentation when such documentation is either unavailable or nonexistent.

Supplemental Guidance: The inability of the organization to obtain necessary information system documentation may occur, for example, due to the age of the system and/or lack of support from the vendor/contractor. In those situations, organizations may need to recreate selected information system documentation if such documentation is essential to the effective implementation and/or operation of security controls.

Control Enhancements:

(1) The organization employs vulnerability scanning tools that include the capability to readily update the list of information system vulnerabilities scanned.
(2) The organization updates the list of information system vulnerabilities scanned [Assignment: organization-defined frequency] or when new vulnerabilities are identified and reported.
(3) The organization employs vulnerability scanning procedures that can demonstrate the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked).
(4) The organization attempts to discern what information about the information system is discoverable by adversaries.
(5) The organization includes privileged access authorization to [Assignment: organization-identified information system components] for selected vulnerability scanning activities to facilitate more thorough scanning.
(6) The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities.
(7) The organization employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials.
(8) The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited.
(9) The organization employs an independent penetration agent or penetration team to:

- (a) Conduct a vulnerability analysis on the information system; and

- (b) Perform penetration testing on the information system based on the vulnerability analysis to determine the exploitability of identified vulnerabilities.

Enhancement Supplemental Guidance: A standard method for penetration testing includes: (i) pre-test analysis based on full knowledge of the target information system; (ii) pre-test identification of potential vulnerabilities based on pre-test analysis; and (iii) testing designed to determine exploitability of identified vulnerabilities. Detailed rules of engagement are agreed upon by all parties before the commencement of any penetration testing scenario.
References: None.

Priority and Baseline Allocation:

- Priority: P2
- LOW: SA-5
- MOD: SA-5 (1) (3)
- HIGH: SA-5 (1) (2) (3)