SI-07 Software And Information Integrity

Control: The information system detects and protects against unauthorized changes to software and information.

Supplemental Guidance: The organization employs integrity verification applications on the information system to look for evidence of information tampering, errors, and omissions. The organization employs good software engineering practices with regard to commercial off-the-shelf integrity mechanisms (e.g., parity checks, cyclical redundancy checks, cryptographic hashes) and uses tools to automatically monitor the integrity of the information system and the applications it hosts.

Control Enhancements:

(1) The organization reassesses the integrity of software and information by performing [Assignment: organization-defined frequency] integrity scans of the system.

(2) The organization employs automated tools that provide notification to appropriate individuals upon discovering discrepancies during integrity verification.

(3) The organization employs centrally managed integrity verification tools.
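The following is an added illustration of the control, not text from the standard: a minimal integrity-verification tool that records a baseline of cryptographic hashes, seals that baseline so the reference itself cannot be silently altered, and on each scan (enhancement 1) reports the discrepancies that would be handed to a notification channel (enhancement 2). File names, contents and the key are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Constructed demo key protecting the stored baseline; in practice it lives with
# the central verification tool, not on the monitored host.
BASELINE_KEY = b"constructed-demo-key-not-for-production"

def build_baseline(root: Path) -> dict:
    # relative path -> SHA-256 for every regular file under root
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def seal(baseline: dict) -> str:
    # HMAC the serialised baseline so the reference itself cannot be edited quietly
    body = json.dumps(baseline, sort_keys=True)
    tag = hmac.new(BASELINE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag})

def unseal(sealed: str) -> dict:
    doc = json.loads(sealed)
    tag = hmac.new(BASELINE_KEY, doc["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, doc["tag"]):
        raise ValueError("baseline failed its own integrity check")
    return json.loads(doc["body"])

def integrity_scan(root: Path, sealed_baseline: str) -> list:
    # One SI-7(1) scan: modified and added files plus missing ones (omissions).
    # A non-empty result is what SI-7(2) turns into a notification.
    old, new = unseal(sealed_baseline), build_baseline(root)
    findings = [("missing", p) for p in old if p not in new]
    findings += [("modified", p) for p in old if p in new and new[p] != old[p]]
    findings += [("added", p) for p in new if p not in old]
    return sorted(findings)

def demo() -> list:
    # Constructed tree: baseline it, tamper with it, rescan.
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "app.bin").write_bytes(b"original binary")
        (root / "app.conf").write_text("debug=false\n")
        sealed = seal(build_baseline(root))
        (root / "app.bin").write_bytes(b"altered binary")  # unauthorized change
        (root / "app.conf").unlink()                        # omission
        (root / "dropped.so").write_bytes(b"new file")      # addition
        return integrity_scan(root, sealed)
```

A real deployment would run the scan on the organization-defined schedule and store the sealed baseline and key outside the monitored system, which is what the centrally managed tooling of enhancement (3) provides.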

Baseline: LOW: Not Selected; MOD: Not Selected; HIGH: SI-7 (1) (2)

Family: System And Information Integrity

Class: Operational

ISO 17799 mapping: 12.2.1, 12.2.2, 12.2.4

COBIT 4.1 mapping: PO2.4, AI2.4, DS5.9

PCI-DSS v2 mapping: 11.5