Navigate

SI-3(4)

SI-3(4): Updates Only by Privileged Users

The information system updates malicious code protection mechanisms only when directed by a privileged user.

Supplemental

This control enhancement may be appropriate for situations where for reasons of security or operational continuity, updates are only applied when selected/approved by designated organizational personnel.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
None

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to SI-3(4).

Control	Description
AC-6	The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
CM-5	The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.

Enhancements

The controls below (if any) add on to the requirements of SI-3(4).

Control	Description
No controls

Related CCIs

The CCIs below are tied to SI-3(4).

CCI	Definition
CCI-001249	Update malicious code protection mechanisms only when directed by a privileged user.