CCI-002307

Provide authorized individuals the capability to define or change the value of security attributes available for association with subjects.

Implementation Guidance

Determine if: - authorized individuals are provided with the capability to define or change the type and value of security attributes available for association with subjects and objects. - authorized individuals are provided with the capability to define or change the type and value of privacy attributes available for association with subjects and objects.

Validation Procedures

Examine: [SELECT FROM: Access control policy; procedures addressing configuration of security and privacy attributes by authorized individuals; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; privacy plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with responsibilities for defining or changing security and privacy attributes associated with information; organizational personnel with information security and privacy responsibilities; system developers]. Test: [SELECT FROM: Mechanisms implementing capability for defining or changing security and privacy attributes].

The controls below (if any) were marked by NIST as being related to CCI-002307.