SV-18872r2_rule
V-17698
RTS-VTC 2480.00 [IP]
RTS-VTC 2480.00
CAT II
10
[IP]; Perform the following tasks:
- Develop additional appropriate policy and procedures for this type of connection and add them to the required “Presentation/PC workstation display sharing” policy and procedure. These are based on the particular vendor’s solution to be implemented.
- Add appropriate additional user training to the training requirement noted under RTS-VTC 2460.00.
- Perform and document an assessment of the application to be used to verify that it performs only those functions that are necessary, that it behaves properly on the platform, and that it does not invalidate the security of the workstation.
- Perform and document a risk assessment regarding the use of the application in light of the application assessment and the defined operational policy/procedures.
- Obtain written approval from the responsible DAA for the installation of the additional software on the PC/workstation(s) required to use this method.
- Obtain written approval from the responsible DAA for the implementation and use procedures that mitigate the application’s vulnerabilities.
- Maintain the policy, procedures, assessment documentation, risk assessment, and DAA approvals for inspection by IA auditors as evidence of compliance.
Note: Assessments should be performed and DAA approvals should be obtained prior to purchase.
[IP]; Interview the IAO to validate compliance with the following requirement:
In the event a software-based virtual connection between a PC/workstation and a CODEC is to be used for presentation display, file transfer, or collaboration, the IAO will ensure the following:
- Additional appropriate policy and procedures for this type of connection are added to the required “Presentation/PC workstation display sharing” policy and procedure. These are based on the particular vendor’s solution to be implemented.
- Additional appropriate user training is added to the training requirement noted under RTS-VTC 2460.00.
- An assessment of the application to be used is performed and documented to verify that it performs only those functions that are necessary, that it behaves properly on the platform, and that it does not invalidate the security of the workstation.
- A risk assessment regarding the use of the application is performed and documented in light of the application assessment and the defined operational policy/procedures.
- The responsible DAA approves, in writing, the installation of the additional software on the PC/workstation(s) required to use this method.
- The responsible DAA approves, in writing, the implementation and use procedures that mitigate the application’s vulnerabilities.
Note: Assessments should be performed and DAA approvals should be obtained prior to purchase.
Note: The IAO will maintain the policy, procedures, assessment documentation, risk assessment, and DAA approvals for inspection by IA auditors as evidence of compliance.
Verify that additional and appropriate user training has been added to the training requirement noted in RTS-VTC 2460.00 and that it addresses the additional vulnerabilities associated with presentation, application, and desktop sharing to a VTU from a PC.
AND
Verify that additional vendor-specific procedures and policies have been implemented.
AND
Verify that assessments have been performed and documented to validate that the additional VTU application(s) have not invalidated the security of the workstation. Verify with the IAO that a risk assessment has been performed and documented.
AND
Verify that the DAA has approved, in writing, the installation of the additional VTU software and that the DAA is aware of and has approved the implementation and procedures used to mitigate the VTU application(s)’ vulnerabilities.
This is a finding if deficiencies are found. List these deficiencies in the finding details.
V-17698
False
RTS-VTC 2480.00
I
The inadvertent disclosure of sensitive or classified information to a caller of a VTU that may not have an appropriate need-to-know or proper security clearance.
Other
1418