Navigate

SI-4 (22)

SI-4 (22): Unauthorized Network Services

The information system detects network services that have not been authorized or approved by [Assignment: organization-defined authorization or approval processes] and [Selection (one or more): audits; alerts [Assignment: organization-defined personnel or roles]].

Supplemental

Unauthorized or unapproved network services include, for example, services in service-oriented architectures that lack organizational verification or validation and therefore may be unreliable or serve as malicious rogues for valid services.

CIA Levels
Confidentiality	low
Integrity	low
Availability	low

Overlays
None

Related Controls

The controls below (if any) were marked by NIST as being related to SI-4 (22).

Control	Description
AC-6	The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
CM-7	The organization: CM-7a.: Configures the information system to provide only essential capabilities; and CM-7b.: Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services].
SA-5	The organization: SA-5a.: Obtains administrator documentation for the information system, system component, or information system service that describes: SA-5a.1.: Secure configuration, installation, and operation of the system, component, or service; SA-5a.2.: Effective use and maintenance of security functions/mechanisms; and SA-5a.3.: Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions; SA-5b.: Obtains user documentation for the information system, system component, or information system service that describes: SA-5b.1.: User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms; SA-5b.2.: Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and SA-5b.3.: User responsibilities in maintaining the security of the system, component, or service; SA-5c.: Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes [Assignment: organization-defined actions] in response; SA-5d.: Protects documentation as required, in accordance with the risk management strategy; and SA-5e.: Distributes documentation to [Assignment: organization-defined personnel or roles].
SA-9	The organization: SA-9a.: Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; SA-9b.: Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and SA-9c.: Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis.

Enhancements

The controls below (if any) add on to the requirements of SI-4 (22).

Control	Description
No controls

Related CCIs

The CCIs below are tied to SI-4 (22).

CCI	Definition
CCI-002681	The organization defines the authorization or approval process for network services.
CCI-002682	The organization defines the personnel or roles to be alerted when unauthorized or unapproved network services are detected.
CCI-002683	The information system detects network services that have not been authorized or approved by the organization-defined authorization or approval processes.
CCI-002684	The information system audits and/or alerts organization-defined personnel when unauthorized network services are detected.