CCI-004759
CCI-004759 Definition
| Status | |
| Type | CheckType.technical |
Master Assessment Datasheet
Implementation Guidance
Determine if:
- [SA-08(22)_ODP[01]; systems or system components that implement the security design principle of accountability are defined] implement the security design principle of accountability.
- [SA-08(22)_ODP[02]; systems or system components that implement the security design principle of traceability are defined] implement the security design principle of traceability.
Validation Procedures
Examine: [SELECT FROM: System and services acquisition policy; audit and accountability policy; access control policy; procedures addressing least privilege; procedures addressing auditable events; identification and authentication policy; procedures addressing user identification and authentication; procedures addressing the security design principle of accountability and traceability used in the specification, design, development, implementation, and modification of the system; system design documentation; system audit records; system auditable events; system configuration settings and associated documentation; security and privacy requirements and specifications for the system; system security and privacy architecture; system security plan; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with the responsibility for determining system security and privacy requirements; organizational personnel with audit and accountability responsibilities; organizational personnel with system specification, design, development, implementation, and modification responsibilities; system developers; organizational personnel with information security responsibilities].

Test: [SELECT FROM: Organizational processes for applying the security design principle of accountability and traceability in system specification, design, development, implementation, and modification; mechanisms supporting the application of the security design principle of accountability and traceability in system specification, design, development, implementation, and modification; mechanisms implementing information system auditing; mechanisms implementing least privilege functions].