Navigate

CCI-002338

CCI-002338 Definition

Restrict the use of non-organizationally owned systems or system components to process, store, or transmit organizational information using organization-defined restrictions.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if the use of non-Organizationally owned systems or system components to process, store, or transmit Organizational information is restricted using [AC-20(03)_ODP; restrictions on the use of non-Organizationally owned systems or system components to process, store, or transmit Organizational information are defined].

Validation Procedures

Examine: [SELECT FROM: Access control policy; procedures addressing the use of external systems; system design documentation; system configuration settings and associated documentation; system connection or processing agreements; account management documents; system audit records, other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with responsibilities for restricting or prohibiting the use of non-organizationally owned systems, system components, or devices; system/network administrators; organizational personnel with information security responsibilities]. Test: [SELECT FROM: Mechanisms implementing restrictions on the use of non-organizationally owned systems, components, or devices].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-002338.

Control	Description
AC-20(3)	Restrict the use of non-organizationally owned systems or system components to process, store, or transmit organizational information using [restrictions on the use of non-organizationally owned systems or system components to process, store, or transmit organizational information are defined;].