Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-7013 | APP3010 | SV-7372r1_rule | DCFA-1 | Medium |
Description |
---|
The detailed functional architecture must be documented to ensure all risks are assessed and mitigated to the maximum extent practical. Failure to do so may result in unexposed risk, and failure to mitigate the risk leading to failure or compromise of the system. |
STIG | Date |
---|---|
Application Security and Development Checklist | 2014-12-22 |
Check Text ( C-3655r1_chk ) |
---|
Ask the application representative for the design document for the application. Review the design document. If the application is a COTS/GOTS product or is composed of only COTS/GOTS products with no custom code, this check does not apply unless the application is being reviewed by or in conjunction with the COTS/GOTS vendor in which case this check is applicable. Examine the design document and/or the threat model for the application and verify the following information is documented: - All external interfaces. - The nature of information being exchanged. - Any protections on the external interface. - User roles required for access control and the access privileges assigned to each role. - Unique security requirements (e.g., encryption of key data elements at rest). - Categories of sensitive information processed by the application, and their specific protection plans (e.g., PII, HIPAA). - Restoration priority of subsystems, processes, or information. - Verify the organization includes documentation describing the design and implementation details of the security controls employed within the information system with sufficient detail. 1) If the design document is incomplete, it is a finding. |
Fix Text (F-16985r1_fix) |
---|
Create and maintain the Design Document for each release of the application and identify the following: - All external interfaces (from the threat model) - The nature of information being exchanged - Categories of sensitive information processed or stored and their specific protection plans - The protection mechanisms associated with each interface - User roles required for access control - Access privileges assigned to each role - Unique application security requirements - Categories of sensitive information processed or stored and specific protection plans (e.g., Privacy Act, HIPAA, etc.) - Restoration priority of subsystems, processes, or information. |