Information Assurance - System Security Operating Procedures (SOPs)
An XCCDF Rule
Description
<VulnDiscussion>Failure to have documented procedures in an SOP could result in a security incident due to lack of knowledge by personnel assigned to the organization. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND) NIST Special Publication 800-53 (SP 800-53), Rev 4/5, Controls: MA-1, MA-2, MA-3, MA-4, PL-1, PL-2 and PL-4 DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014 DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information,, Encl 5, para 3.a.(4), 3.d., 7.a. ; Encl 7, para 5.c., 6, 10, and 11. DOD Instruction 8510.01, SUBJECT: Risk Management Framework (RMF) for DoD Information Technology (IT) United States Cyber Command Instruction (USCCI) 5200-13, 13 April 2019, SUBJECT: Cyberspace Protection Conditions (CPCON)</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-245771r1008538_rule
- Severity
- Low
- Updated
Remediation - Manual Procedure
1. Security Operating Procedures (SOPs) covering all systems, supporting infrastructure and physical facilities must be written.
2. The procedures must be readily available to both the Information Assurance Staff (ISSM, ISSO, SA) and all system users requiring information in the procedures to perform their jobs. Information can be placed in an Information System Users Guide (SFUG) and other applicable documents as appropriate. SOP availability must be on a site intranet, shared folders, WEB page, etc. for ease of reference by all employees - unless classified or otherwise requiring restricted access.
As a minimum the following areas must be documented: