Navigate

SI-4(22)

SI-4(22): Unauthorized Network Services

The information system detects network services that have not been authorized or approved by [organization-defined authorization or approval processes] and [one or more of audits/alerts {{ insert: param, si-4.22_prm_3 }} ].

Supplemental

Unauthorized or unapproved network services include, for example, services in service-oriented architectures that lack organizational verification or validation and therefore may be unreliable or serve as malicious rogues for valid services.

CIA Levels
Confidentiality	high
Integrity	high
Availability	high

Overlays
None

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to SI-4(22).

Control	Description
AC-6	The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
CM-7	The organization: a: Configures the information system to provide only essential capabilities; and b: Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [organization-defined prohibited or restricted functions, ports, protocols, and/or services].
SA-5	The organization: a: Obtains administrator documentation for the information system, system component, or information system service that describes: 1: Secure configuration, installation, and operation of the system, component, or service; 2: Effective use and maintenance of security functions/mechanisms; and 3: Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions; b: Obtains user documentation for the information system, system component, or information system service that describes: 1: User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms; 2: Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and 3: User responsibilities in maintaining the security of the system, component, or service; c: Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes [organization-defined actions] in response; d: Protects documentation as required, in accordance with the risk management strategy; and e: Distributes documentation to [organization-defined personnel or roles].
SA-9	The organization: a: Requires that providers of external information system services comply with organizational information security requirements and employ [organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b: Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and c: Employs [organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis.

Enhancements

The controls below (if any) add on to the requirements of SI-4(22).

Control	Description
No controls

Related CCIs

The CCIs below are tied to SI-4(22).

CCI	Definition
CCI-002681	Defines the authorization or approval process for network services.
CCI-002682	Defines the personnel or roles to be alerted when unauthorized or unapproved network services are detected.
CCI-002683	Detect network services that have not been authorized or approved by the organization-defined authorization or approval processes.
CCI-002684	Audit and/or alert organization-defined personnel when unauthorized network services are detected.