6. OPERATIONAL CONTROLS
6.9 System and Information Integrity (SI)
System and information integrity controls provide users with a level of confidence that Office of Personnel Management's (OPM) systems and information are protected by methods that prevent unauthorized users from modifying or destroying data. System and information integrity controls include provisions for the identification, reporting, and correction of system flaws, security patches, and other fixes. Antivirus, spyware, and other protections are needed to ensure information systems are secure. Intrusion detection systems and other security monitoring tools must be used to identify and support remediation of security incidents. Health and performance monitoring tools must also be used to identify and support remediation of system problems that may affect availability and other protections. Information systems must also be designed to validate data entered or processed and provide error messages without revealing system information or data.
Policy: OPM’s policy is to:
• Identify, report, and correct information and information system flaws in a timely manner.
• Monitor information system security alerts and advisories and take appropriate actions in response.
• Provide protection from malicious code at appropriate locations within information systems.
6.9.1 System and Information Integrity Policy and Procedures (SI-1)
The policies under this control are implemented with the OPM System and Information Integrity Procedure. System and information integrity procedures may be developed by program offices and operational groups where necessary. System and information integrity procedures shall be developed and disseminated. The procedures shall be reviewed at least annually and updated as determined necessary.
6.9.2 Flaw Remediation (SI-2)
Information systems containing software affected by recently announced software flaws (and potential vulnerabilities resulting from those flaws) shall be identified, reported, and promptly remediated by installing security-relevant software updates (e.g., patches, service packs, and hot fixes) that are tested as part of the configuration management and change control process. Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling, shall also be addressed expeditiously. OPM System Owners (SO) shall use resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in information systems. United States Computer Emergency Readiness Team (US-CERT), vendor, and other applicable alerts shall be addressed.
SOs shall ensure information system flaws are:
• Identified, reported, and corrected;
• Tested for effectiveness and potential side effects on organizational information systems before installation; and
• Incorporated into the organizational configuration management process (Reference CM-2, CM-3, and CM-4).
The Software Development Manager and Network Manager shall identify, report, and correct flaws discovered in information system software or hardware. Software updates related to flaw remediation shall be tested for effectiveness and potential side effects on OPM information systems before installation. Flaw remediation shall be incorporated into the OPM configuration management process.
SOs shall ensure automated mechanisms are employed periodically (semi-weekly for servers, monthly for workstations, and quarterly for network resources) and on demand to determine the state of information system components with regard to flaw remediation. (Moderate and High)
SOs shall ensure the flaw remediation process is centrally managed and ensure software updates are automatically installed. Due to information system integrity and availability concerns, SOs shall carefully consider the methodology used to carry out automatic updates. For example, updates may be first pushed to less critical environments (e.g., test environment) or components (e.g., secondary production web server) prior to critical components (e.g., primary production web servers). (High)
6.9.3 Malicious Code Protection (SI-3)
Software is vulnerable to malicious code; therefore, it is essential that OPM provide protection mechanisms and tools to reduce the threat of attacks. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode) or contained within a compressed file. A variety of technologies and methods exist to limit or eliminate the effects of malicious code attacks. Pervasive configuration management and strong software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber attacks that could affect organizational missions and business functions. Traditional malicious code protection mechanisms are not built to detect such code. In these situations, organizations must rely instead on other risk mitigation measures, including secure coding practices, trusted procurement processes, configuration management and control, and monitoring practices, to help ensure that software does not perform functions other than those intended.
SOs shall ensure:
• Malicious code protection mechanisms are employed at information system entry and exit points (e.g., firewalls, electronic mail servers, web servers, proxy servers, and remote-access servers) and at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code:
  • Transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means; or
  • Inserted through the exploitation of information system vulnerabilities;
• Malicious code protection mechanisms (including signature definitions) are updated whenever new releases are available in accordance with OPM configuration management policy and procedures;
• Malicious code protection mechanisms are configured to:
  • Perform scans of the information system at least weekly and real-time scans of files from external sources (i.e., USB devices, compact disks, email attachments, etc.) as the files are downloaded, opened, or executed in accordance with OPM security policy; and
  • Send an alert to the administrator and quarantine or eradicate malicious code (e.g., viruses, worms, Trojan horses) in response to malicious code detection; and
• The receipt of false positives during malicious code detection and eradication, and the resulting potential impact on the availability of the information system, is addressed.
SOs shall ensure malicious code protection mechanisms are centrally managed and automatically updated (including virus signature definitions). Information systems shall prevent non-privileged users from circumventing malicious code protection capabilities. (Moderate and High)
6.9.4 Information System Monitoring (SI-4)
Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the system (e.g., within internal organizational networks and system components).
Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include selected perimeter locations and locations near server farms supporting critical applications, with such devices typically being employed at the managed interfaces.
The Einstein network monitoring device from the Department of Homeland Security is an example of a system monitoring device. The granularity of the information collected is determined based on monitoring objectives and the capability of the information system to support such activities. An example of a specific type of transaction of interest to the organization with regard to monitoring is Hypertext Transfer Protocol (HTTP) traffic that bypasses organizational HTTP proxies, when use of such proxies is required.
SOs shall ensure:
• Events on the information system are monitored in accordance with risk-based objectives and information system attacks are detected;
• Unauthorized use of the information system is identified;
• Monitoring devices are deployed:
  • Strategically within the information system to collect OPM-determined essential information; and
  • At ad hoc locations within the system to track specific types of transactions of interest to OPM;
• The level of information system monitoring activity is heightened whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; and
• Legal opinion is obtained with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations.
SOs shall employ automated tools to monitor inbound and outbound communications for unusual or unauthorized activities or conditions, support near real-time analysis of events, and provide real-time alerts of potential compromise (for example, perimeter routers and firewalls generating audit records when network traffic is blocked in accordance with configuration policy and/or ACLs, or an IDS detecting and reporting suspicious activity or a matched attack signature). (Moderate and High)
Unusual/unauthorized activities or conditions include internal traffic that indicates the presence of malicious code within an information system or propagating among system components, the unauthorized export of information, or signaling to an external information system. Alerts may be generated from a variety of sources, including audit records or input from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers.
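The following is an added example, not part of the OPM policy text: a small flow-record analyser that flags two of the conditions named above and in the SI-4 discussion of proxies, namely web traffic from an internal host that bypasses a required HTTP proxy, and an unusually large outbound transfer to an external host (a possible unauthorized export). The internal address range, proxy address, port list, byte threshold and sample flow records are all constructed for the illustration and would be replaced by the environment's own values.

```python
"""
Added example (not from the OPM policy): flag flows that bypass a
required web proxy or push unusually large volumes to external hosts.
All addresses, thresholds and flow records are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]      # assumed internal ranges
PROXIES = {ipaddress.ip_address("10.0.5.10")}               # assumed sanctioned HTTP proxies
WEB_PORTS = {80, 443, 8080}                                 # ports that must go via the proxy
LARGE_EGRESS_BYTES = 50_000_000                             # assumed; tune to the site baseline


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(flow: Flow) -> list[str]:
    """Return the findings for one flow; an empty list means nothing unusual."""
    findings: list[str] = []
    outbound = is_internal(flow.src) and not is_internal(flow.dst)
    src_is_proxy = ipaddress.ip_address(flow.src) in PROXIES
    # Web traffic leaving the network from a host that is not the proxy.
    if outbound and flow.dport in WEB_PORTS and not src_is_proxy:
        findings.append("proxy-bypass")
    # Large outbound volume to an external host, whatever the port.
    if outbound and flow.bytes_out >= LARGE_EGRESS_BYTES:
        findings.append("large-egress")
    return findings


def analyse(flows) -> dict[str, list[str]]:
    """Map 'src->dst:port' to its findings for every flow that merits an alert."""
    alerts: dict[str, list[str]] = {}
    for f in flows:
        findings = classify(f)
        if findings:
            alerts[f"{f.src}->{f.dst}:{f.dport}"] = findings
    return alerts


# Constructed sample flow records (no real hosts).
SAMPLE_FLOWS = [
    Flow("10.0.7.21", "10.0.5.10", 8080, 12_000),        # workstation to sanctioned proxy: fine
    Flow("10.0.5.10", "198.51.100.40", 443, 900_000),     # proxy to Internet: fine
    Flow("10.0.7.22", "198.51.100.40", 443, 4_000),       # workstation straight to Internet: bypass
    Flow("10.0.7.22", "10.0.9.3", 80, 2_000),             # internal web server: fine
    Flow("10.0.8.5", "203.0.113.9", 22, 220_000_000),     # large push to Internet: large egress
]

if __name__ == "__main__":
    for key, findings in analyse(SAMPLE_FLOWS).items():
        print(key, findings)
```

Real deployments would feed this from the firewall or NetFlow records the policy says perimeter devices must generate, and would raise the alert through the same channel used for IDS events.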
SOs shall ensure information systems are configured to prevent non-privileged users from circumventing intrusion detection and prevention capabilities. (Moderate and High)
6.9.5 Security Alerts, Advisories, and Directives (SI-5)
Security alerts and advisories are generated by the United States Computer Emergency Readiness Team (US-CERT) to maintain situational awareness across the Federal Government. Security directives are issued by Office of Personnel Management (OMB) or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential immediate adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner.
The Chief Information Security Officer (CISO) shall ensure:
• Information system security alerts, advisories, and directives from designated external organizations are received on an ongoing basis;
• Internal security alerts, advisories, and directives are generated as deemed necessary;
• Security alerts, advisories, and directives are disseminated to SOs, Information System Security Officers (ISSO), and Designated Security Officers (DSO), OPM users, etc.; and
• Security directives are implemented in accordance with established time frames, or the issuing organization is notified of the degree of noncompliance.
The CISO shall employ automated mechanisms to make security alert and advisory information available throughout OPM as needed. (High)
6.9.6 Security Functionality Verification (SI-6)
The need to verify security functionality applies to all security functions. For those security functions that are not able to execute automated self-tests, the organization either implements compensating security controls or explicitly accepts the risk of not performing the verification as required. Information system transitional states include startup, restart, shutdown, and abort.
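As an added illustration (not from the OPM policy), the block below shows what an automated self-test of a security function can look like: a known-answer test that checks the host's hash and HMAC primitives against published vectors (SHA-256 of "abc" from FIPS 180-4, and HMAC-SHA-256 test case 1 from RFC 4231) and halts the application if any check fails. The gate function, the set of transitional state names, and the "halt on failure" choice are assumptions made for the example.

```python
"""
Added example (not from the OPM policy): known-answer self-test run at
startup, restart, shutdown or on command, halting if a primitive fails.
"""
import hashlib
import hmac

# Published known answers (FIPS 180-4 and RFC 4231).  A mismatch means the
# primitive the application relies on is not operating correctly on this host.
KNOWN_ANSWERS = [
    ("sha256",
     lambda: hashlib.sha256(b"abc").hexdigest(),
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    ("hmac-sha256",
     lambda: hmac.new(b"\x0b" * 20, b"Hi There", hashlib.sha256).hexdigest(),
     "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
]

# Assumed names for the transitional states at which the test is run.
TRANSITIONS = {"startup", "restart", "shutdown", "on-command"}


def run_self_tests(answers=KNOWN_ANSWERS) -> dict:
    """Return {check name: passed?} for every known-answer check; never raises on a mismatch."""
    results = {}
    for name, compute, expected in answers:
        try:
            results[name] = hmac.compare_digest(compute(), expected)
        except Exception:            # a primitive that crashes is also a failed check
            results[name] = False
    return results


def security_function_gate(state: str, answers=KNOWN_ANSWERS) -> bool:
    """Run the self-tests for a transitional state; raise RuntimeError so the caller halts on failure."""
    if state not in TRANSITIONS:
        raise ValueError(f"unknown transition state: {state}")
    failed = sorted(name for name, ok in run_self_tests(answers).items() if not ok)
    if failed:
        # Assumed operational choice: halt and let an administrator decide what to do.
        raise RuntimeError(f"security function verification failed at {state}: {failed}")
    return True


if __name__ == "__main__":
    print("startup self-test:", security_function_gate("startup"))
```

A wrong vector is the simplest way to prove the gate actually stops the application; the test below feeds one in deliberately.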
SOs shall ensure that information systems verify the correct operation of security functions upon:
• System startup;
• Restart, system shutdown, and command by users with appropriate privilege; and
• System restart when anomalies are discovered. (High)
6.9.7 Software and Information Integrity (SI-7)
Integrity verification applications are employed on information systems to look for evidence of information tampering, errors, and omissions. Organizations must employ good software engineering practices with regard to commercial off-the-shelf integrity mechanisms (e.g., parity checks, cyclic redundancy checks, cryptographic hashes) and use tools to automatically monitor the integrity of the information system and hosted applications.
SOs shall ensure that information systems detect unauthorized changes to software and information.
SOs shall ensure:
• Integrity of software and information by performing at least annual integrity scans of the information system. (Moderate and High)
• Automated tools are employed that provide notification to designated individuals upon discovering discrepancies during integrity verification. (High)
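The following is an added example, not the policy's or any OPM tool's own code, of the integrity scan the SI-7 requirements describe: it records a baseline of SHA-256 digests, seals that baseline with an HMAC so that an attacker who alters files cannot quietly re-baseline them, and reports added, modified and removed files so that the designated individuals can be notified. The key, directory layout and sample files are constructed for the demonstration; in practice the key would be held off the monitored host.

```python
"""
Added example (not from the OPM policy): SHA-256 file-integrity baseline,
HMAC-sealed so the baseline itself is tamper-evident, with a scan that
reports added/modified/removed files.  Key and sample files are constructed.
"""
import hashlib
import hmac
import json
import os
import tempfile


def file_digest(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every regular file under root (posix-style relative path) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root).replace(os.sep, "/")] = file_digest(full)
    return baseline


def seal(baseline: dict, key: bytes) -> bytes:
    """Serialise the baseline and append an HMAC-SHA256 tag computed with the off-host key."""
    body = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"\n" + tag.encode()


def unseal(blob: bytes, key: bytes) -> dict:
    """Verify the tag before trusting the baseline; raise if it has been altered."""
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag.decode(errors="replace")):
        raise ValueError("baseline integrity check failed")
    return json.loads(body)


def verify(root: str, baseline: dict) -> dict:
    """Compare the current state of root with a trusted baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current.keys() & baseline.keys() if current[p] != baseline[p]),
    }


def run_demo(key: bytes = b"demo-key-kept-off-host") -> dict:
    """Constructed walk-through: baseline, change files, rescan, then forge the stored baseline."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sub"))
        for rel, data in {"a.txt": b"alpha", "sub/b.txt": b"beta"}.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as f:
                f.write(data)
        sealed = seal(build_baseline(root), key)
        # Changes an integrity scan is expected to catch.
        with open(os.path.join(root, "a.txt"), "wb") as f:
            f.write(b"alpha-modified")
        with open(os.path.join(root, "c.txt"), "wb") as f:
            f.write(b"new")
        os.remove(os.path.join(root, "sub", "b.txt"))
        scan = verify(root, unseal(sealed, key))
        # An attempt to hide the change by editing the stored digest for a.txt.
        forged = sealed.replace(b'"a.txt": "', b'"a.txt": "0')
        try:
            unseal(forged, key)
            baseline_tamper_detected = False
        except ValueError:
            baseline_tamper_detected = True
    return {"scan": scan, "baseline_tamper_detected": baseline_tamper_detected}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The scan result is what an automated tool would hand to its notification step; the sealed baseline is the part that is easy to forget, since an unsigned baseline file on the same host is only as trustworthy as the files it describes.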
6.9.8 Spam Protection (SI-8)
Spam presents another mechanism to introduce vulnerabilities into a system, as spam is associated with unsolicited email. Vulnerabilities may be embedded within spam in the form of executable programs, references to Internet addresses where malicious programs might be downloaded, and requests for personnel data from the recipient. The recipient may or may not know how to respond to spam, which introduces additional vulnerabilities to the system.
OPM users shall refrain from e-mail spamming (sending or forwarding chain letters, other junk e-mail or inappropriate messages). In addition, sending global e-mails of any kind shall be restricted to designated officials within Program Offices.
SOs shall ensure:
• Employment of spam protection mechanisms at information system entry and exit points (e.g., firewalls, electronic mail servers, web servers, proxy servers, and remote-access servers) and at workstations, servers, or mobile computing devices on the network to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses, or other common means; and
• Spam protection mechanisms (including signature definitions) are updated when new releases are available in accordance with organizational configuration management policy and procedures. (Moderate and High)
SOs shall ensure spam protection mechanisms are centrally managed. (High)
6.9.9 Information Input Restrictions (SI-9)
Restrictions on organizational personnel authorized to input information to the information system may extend beyond the typical access controls employed by the system and include limitations based on specific operational/project responsibilities. Reference AC-5 and AC-6.
SOs shall ensure information systems restrict the capability to input information to authorized personnel. (Moderate and High)
6.9.10 Information Input Validation (SI-10)
Information systems are only legitimate if the information the system presents is accurate, complete, and has not been compromised. Rules for checking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, acceptable values) should be used to verify that inputs match specified definitions for format and content. Inputs passed to interpreters must be prescreened to prevent the content from being unintentionally interpreted as commands.
SOs shall ensure the information system checks the validity of information inputs. (Moderate and High)
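The block below is an added example, not code from the OPM policy: it applies validation rules of the kinds listed above (character set, length, numerical range, acceptable values) to a submitted record, prescreens the values before they reach an interpreter by binding them as SQL parameters rather than splicing them into query text, and reports errors in the manner 6.9.11 requires, giving the user a corrective hint for bad input but only an opaque reference for internal failures while the detail goes to the log. The form fields, rule set, table layout and sample submissions are constructed for the example.

```python
"""
Added example (not from the OPM policy): rule-based input validation,
parameterised (prescreened) database insert, and error messages that
help the user without exposing system detail.  Fields, rules and sample
records are constructed.
"""
import logging
import re
import sqlite3
import uuid

# Constructed rule set for a hypothetical employee-record form.
RULES = {
    "username": {"pattern": re.compile(r"[a-z][a-z0-9_]{2,15}")},   # character set and length
    "age":      {"type": int, "min": 18, "max": 99},                 # numerical range
    "region":   {"choices": {"east", "west", "central"}},            # acceptable values
    "note":     {"pattern": re.compile(r"[\w .,'-]{0,200}")},        # bounded free text
}


class ValidationError(ValueError):
    """Raised with a message the submitter may see: field name plus what to fix."""


def validate(record: dict) -> dict:
    """Return a cleaned copy of record, or raise ValidationError for the first bad field."""
    cleaned = {}
    for field, rule in RULES.items():
        if field not in record:
            raise ValidationError(f"{field}: required")
        value = record[field]
        if "type" in rule:
            try:
                value = rule["type"](value)
            except (TypeError, ValueError):
                raise ValidationError(f"{field}: must be a whole number") from None
            if not rule["min"] <= value <= rule["max"]:
                raise ValidationError(f"{field}: must be between {rule['min']} and {rule['max']}")
        if "pattern" in rule and not rule["pattern"].fullmatch(str(value)):
            raise ValidationError(f"{field}: contains disallowed characters or has the wrong length")
        if "choices" in rule and value not in rule["choices"]:
            raise ValidationError(f"{field}: must be one of {sorted(rule['choices'])}")
        cleaned[field] = value
    extra = set(record) - set(RULES)
    if extra:
        raise ValidationError(f"unexpected field(s): {sorted(extra)}")
    return cleaned


def store(conn: sqlite3.Connection, record: dict) -> int:
    """Validated values are bound as parameters, so the interpreter never sees them as SQL."""
    row = validate(record)
    cur = conn.execute(
        "INSERT INTO employees (username, age, region, note) VALUES (?, ?, ?, ?)",
        (row["username"], row["age"], row["region"], row["note"]),
    )
    return cur.lastrowid


def handle_submission(conn: sqlite3.Connection, record: dict) -> dict:
    """User-facing outcome: corrective detail for input errors, an opaque reference otherwise."""
    try:
        return {"ok": True, "id": store(conn, record)}
    except ValidationError as e:
        return {"ok": False, "error": str(e)}                # field-level hint, no system detail
    except sqlite3.Error as e:
        ref = uuid.uuid4().hex[:8]
        logging.getLogger("app").error("db error ref=%s: %s", ref, e)   # full detail only in the log
        return {"ok": False, "error": f"request could not be processed (reference {ref})"}


def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (id INTEGER PRIMARY KEY, username TEXT UNIQUE,"
                 " age INTEGER, region TEXT, note TEXT)")
    return conn


if __name__ == "__main__":
    db = new_db()
    print(handle_submission(db, {"username": "jdoe", "age": "34", "region": "east", "note": "ok"}))
    print(handle_submission(db, {"username": "jdoe'; --", "age": 34, "region": "east", "note": ""}))
```

Note that the apostrophe in a name like O'Brien passes the note rule and is still harmless, because the value travels to SQLite as a bound parameter; the validation layer limits what is accepted, and the parameter binding keeps whatever is accepted from being interpreted as a command.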
6.9.11 Error Handling (SI-11)
The structure and content of error messages must be carefully considered. The extent to which the information system is able to identify and handle error conditions must be guided by organizational policy and operational requirements.
SOs shall ensure information systems are configured to:
• Identify potentially security-relevant error conditions;
• Generate error messages that provide information necessary for corrective actions without revealing sensitive or potentially harmful information (such as account numbers, social security numbers (SSNs), credit card numbers, or system configuration information) in error logs and administrative messages that could be exploited by adversaries; and
• Reveal error messages only to authorized personnel. (Moderate and High)
6.9.12 Information Output Handling and Retention (SI-12)
Information system outputs could be used to compromise the system or expose information that should be protected. Output handling and retention requirements must cover the full life cycle of the information, in some cases extending beyond the disposal of the information system. The National Archives and Records Administration provides guidance on records retention.
Reference MP-2 and MP-4.
The Chief Information Security Officer (CISO), SOs, and Program Supervisors shall ensure OPM users handle and retain both information within and output from the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.
7. TECHNICAL CONTROLS