Title

The IAO does not conduct and document self-inspections of the DSN components at least semi-annually for security risks. (Cat III impact)

Discussion

Requirement: The IAO will ensure that self-inspections of the telephone components, are conducted and documented for security risks at least semi annually. If periodic security self-inspections are not conducted, vulnerabilities could go unnoticed during day to day operations resulting in an unacceptable level of risk that could lead to possible compromise. By conducting security self-inspections, security risks can be identified, analyzed, and if not mitigated, appropriately addressed.

Check Content

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc as applicable

Fix Text

Establish policy and procedures to ensure that, at a minimum, semi-annual security self-inspections are conducted.

Additional Identifiers

Rule ID: SV-8407r1_rule

Vulnerability ID: V-7921

Group Title: The IAO does not conduct self-inspections

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.