Professional Documents
Culture Documents
System and Information Integrity Policy
System and Information Integrity Policy
PURPOSE
_______________________________________________________________
To ensure that Information Technology (IT) resources and information systems are
established with system integrity monitoring to include areas of concern such as
malware, application and source code flaws, industry supplied alerts and remediation of
detected or disclosed integrity issues.
REFERENCE
_______________________________________________________________
National Institute of Standards and Technology (NIST) Special Publications (SP): NIST
SP 800-53a – System and Information Integrity (SI), NIST SP 800-12, NIST SP 800-40,
NIST SP 800-45, NIST SP 800-83, NIST SP 800-61, NIST SP800-83, NIST SP 800-92,
NIST SP 800-100, NIST SP 800-128, NIST SP 800-137, NIST SP 800-147, NIST SP
800-155
POLICY
_______________________________________________________________
This policy is applicable to all departments and users of IT resources and assets.
1. FLAW REMEDIATION
IT Department shall:
iii. Address the receipt of false positives during malicious code detection
and eradication and the resulting potential impact on the availability of
the information system.
2. SYSTEM-GENERATED ALERTS
IT Department shall ensure that:
5. SPAM PROTECTION
IT Department shall:
iii. Restricts the use of the manual override capability to only [entity
defined authorized individuals].
7. ERROR HANDLING
IT Department shall:
a. Handle and retain information within the information system and information
output from the system in accordance with applicable state and federal laws,
directives, policies, regulations, standards, and operational requirements.
9. MEMORY PROTECTION
IT Department shall:
COMPLIANCE
_______________________________________________________________
Employees who violate this policy may be subject to appropriate disciplinary action up
to and including discharge as well as both civil and criminal penalties. Non-employees,
including, without limitation, contractors, may be subject to termination of contractual
agreements, denial of access to IT resources, and other actions as well as both civil and
criminal penalties.
POLICY EXCEPTIONS
_______________________________________________________________
Requests for exceptions to this policy shall be reviewed by the Chief Information
Security Officer (CISO) and the Chief Information Officer (CIO). Departments requesting
exceptions shall provide such requests to the CIO. The request should specifically state
the scope of the exception along with justification for granting the exception, the
potential impact or risk attendant upon granting the exception, risk mitigation measures
to be undertaken by the IT Department, initiatives, actions and a time-frame for
achieving the minimum compliance level with the policies set forth herein. The CIO shall
review such requests; confer with the requesting department.
RESPONSIBLE DEPARTMENT
_______________________________________________________________
Chief Information Office and Information System Owners