| Category / Subcategory / Element | Control Reference | Control Summary | Interpretation |
|---|---|---|---|
| Developer configuration management | SA-10 | The organization requires that information system developers create and implement a configuration management plan that controls changes to the system during development, tracks security flaws, requires authorization of changes, and provides documentation of the plan and its implementation. | |
| Developer security testing | SA-11 | The organization requires that information system developers create a security test and evaluation plan, implement the plan, and document the results. | |
| System and communications protection | SC | | |
| System and communications protection policy and procedures | SC-1 | The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls. | |
| Application partitioning | SC-2 | The information system separates user functionality (including user interface services) from information system management functionality. | |
| Security function isolation | SC-3 | The information system isolates security functions from nonsecurity functions. | |
| Information remnance | SC-4 | The information system prevents unauthorized and unintended information transfer via shared system resources. | |