The Program Manager will ensure procedures are implemented to assure physical handling and storage of information is in accordance with the data’s sensitivity.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-16783	APP2150	SV-17783r1_rule	PESP-1	Medium

Description
Failure to have proper workplace security procedures can lead to the loss or compromise of classified or sensitive information.

STIG	Date
Application Security and Development STIG	2014-04-03

Details

Check Text ( C-17759r1_chk )
Determine the sensitivity of the data of the application by reviewing the confidentiality levels for which the system was designed. If a traditional review is being conducted at the same time as the application review, this check is not applicable. For sensitive data, the following security guidelines must be followed: • Verify the existence of policy and procedures to ensure the proper handling and storage of information at the site. • Verify system media (e.g., tapes, printouts, etc.) is controlled and the pickup, delivery, receipt, and transfer of system media is restricted to authorized personnel (NIST MP-5). • Verify there is a policy that addresses output handling and retention (NIST SI-12). • Verify policy that addresses output handling and retention is being followed (NIST SI-12). 1) If sensitive data security guidelines do not exist or not followed, it is a finding. For classified data, the following security guidelines must be followed: • Verify the existence of policy and procedures to ensure the proper handling and storage of information at the site. (e.g., end-of-day, security checks, unannounced security checks, and, where appropriate, the imposition of a two-person rule). • Verify the existence of a system of security checks at the close of each working day to ensure that the area is secure. • An SF 701: Activity Security Checklist, is required to record such checks. • An SF 702: Security Container Check Sheet, is requires to record the use of all vaults, secure rooms, and containers used for the storage of classified material. • Verify system media (e.g. tapes, printouts, etc.) is controlled and the pickup, delivery, receipt and transfer of system media is restricted to authorized personnel (NIST MP-5). • Verify there is a policy that addresses output handling and retention (NIST SI-12). • Verify policy that addresses output handling and retention is being followed (NIST SI-12). 2) If classified data security guidelines do not exist or are not followed, it is a finding.

Check Text ( C-17759r1_chk )

Determine the sensitivity of the data of the application by reviewing the confidentiality levels for which the system was designed.

If a traditional review is being conducted at the same time as the application review, this check is not applicable.

For sensitive data, the following security guidelines must be followed:
• Verify the existence of policy and procedures to ensure the proper handling and storage of information at the site.
• Verify system media (e.g., tapes, printouts, etc.) is controlled and the pickup, delivery, receipt, and transfer of system media is restricted to authorized personnel (NIST MP-5).
• Verify there is a policy that addresses output handling and retention (NIST SI-12).
• Verify policy that addresses output handling and retention is being followed (NIST SI-12).

1) If sensitive data security guidelines do not exist or not followed, it is a finding.

For classified data, the following security guidelines must be followed:
• Verify the existence of policy and procedures to ensure the proper handling and storage of information at the site. (e.g., end-of-day, security checks, unannounced security checks, and, where appropriate, the imposition of a two-person rule).
• Verify the existence of a system of security checks at the close of each working day to ensure that the area is secure.
• An SF 701: Activity Security Checklist, is required to record such checks.
• An SF 702: Security Container Check Sheet, is requires to record the use of all vaults, secure rooms, and containers used for the storage of classified material.
• Verify system media (e.g. tapes, printouts, etc.) is controlled and the pickup, delivery, receipt and transfer of system media is restricted to authorized personnel (NIST MP-5).
• Verify there is a policy that addresses output handling and retention (NIST SI-12).
• Verify policy that addresses output handling and retention is being followed (NIST SI-12).

2) If classified data security guidelines do not exist or are not followed, it is a finding.

Fix Text (F-16981r1_fix)
Implement policy and procedures to ensure the proper handling and storage of information, such as end-of-day security checks, unannounced security checks, and, where appropriate, the imposition of a two-person rule within the computing facility. Establish a system of security checks at the close of each working day to ensure that the area is secure. An SF 701: Activity Security Checklist shall be used to record such checks. This form may be modified to suit the individual security (or safety) needs of the organization i.e., entries for STU-III CIK secured or coffee pot turned off. An SF 702: Security Container Check Sheet shall be used to record the use of all vaults, secure rooms, and containers used for the storage of classified material.

Fix Text (F-16981r1_fix)

Implement policy and procedures to ensure the proper handling and storage of information, such as end-of-day security checks, unannounced security checks, and, where appropriate, the imposition of a two-person rule within the computing facility.
Establish a system of security checks at the close of each working day to ensure that the area is secure. An SF 701: Activity Security Checklist shall be used to record such checks. This form may be modified to suit the individual security (or safety) needs of the organization i.e., entries for STU-III CIK secured or coffee pot turned off. An SF 702: Security Container Check Sheet shall be used to record the use of all vaults, secure rooms, and containers used for the storage of classified material.