Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-16783 | APP2150 | SV-17783r1_rule | PESP-1 | Medium |
Description |
---|
Failure to have proper workplace security procedures can lead to the loss or compromise of classified or sensitive information. |
STIG | Date |
---|---|
Application Security and Development STIG | 2014-04-03 |
Check Text ( C-17759r1_chk ) |
---|
Determine the sensitivity of the data of the application by reviewing the confidentiality levels for which the system was designed. If a traditional review is being conducted at the same time as the application review, this check is not applicable. For sensitive data, the following security guidelines must be followed: • Verify the existence of policy and procedures to ensure the proper handling and storage of information at the site. • Verify system media (e.g., tapes, printouts, etc.) is controlled and the pickup, delivery, receipt, and transfer of system media is restricted to authorized personnel (NIST MP-5). • Verify there is a policy that addresses output handling and retention (NIST SI-12). • Verify policy that addresses output handling and retention is being followed (NIST SI-12). 1) If sensitive data security guidelines do not exist or not followed, it is a finding. For classified data, the following security guidelines must be followed: • Verify the existence of policy and procedures to ensure the proper handling and storage of information at the site. (e.g., end-of-day, security checks, unannounced security checks, and, where appropriate, the imposition of a two-person rule). • Verify the existence of a system of security checks at the close of each working day to ensure that the area is secure. • An SF 701: Activity Security Checklist, is required to record such checks. • An SF 702: Security Container Check Sheet, is requires to record the use of all vaults, secure rooms, and containers used for the storage of classified material. • Verify system media (e.g. tapes, printouts, etc.) is controlled and the pickup, delivery, receipt and transfer of system media is restricted to authorized personnel (NIST MP-5). • Verify there is a policy that addresses output handling and retention (NIST SI-12). • Verify policy that addresses output handling and retention is being followed (NIST SI-12). 2) If classified data security guidelines do not exist or are not followed, it is a finding. |
Fix Text (F-16981r1_fix) |
---|
Implement policy and procedures to ensure the proper handling and storage of information, such as end-of-day security checks, unannounced security checks, and, where appropriate, the imposition of a two-person rule within the computing facility. Establish a system of security checks at the close of each working day to ensure that the area is secure. An SF 701: Activity Security Checklist shall be used to record such checks. This form may be modified to suit the individual security (or safety) needs of the organization i.e., entries for STU-III CIK secured or coffee pot turned off. An SF 702: Security Container Check Sheet shall be used to record the use of all vaults, secure rooms, and containers used for the storage of classified material. |