STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020:

The application must enforce approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies.

DISA Rule

SV-222428r508029_rule

Vulnerability Number

V-222428

Group Title

SRG-APP-000039

Rule Version

APSC-DV-000490

Severity

CAT II

CCI(s)

• CCI-001414 - The information system enforces approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies.

Weight

10

Fix Recommendation

Configure the application to enforce data flow control in accordance with data flow control policies.

Check Contents

Review the application documentation and interview the application and system administrators.

Identify application features and functions to determine if the application is designed to control the flow of information between interconnected systems.

Identify:

- rulesets,
- data labels
- policies
- systems

to determine if the application is designed to control the flow of data between interconnected systems.

If the application does not provide data flow control capabilities, the requirement is not applicable.

Access the system as a user with access rights allowing the creation of test data or use of existing test data.

Create a test data set and label the data with a data label provided with or by the application (for example, a Personally Identifiable Information (PII) data label).

Review the policy settings to determine where the PII labeled data is allowed and is not allowed.

Using application features and functions, attempt to transmit the labeled data to an interconnected system that is prohibited by policy.

Verify the flow control policy was enforced and the data was not transmitted.

If the application does not enforce the approved authorizations for controlling data flow, this is a finding.

Vulnerability Number

V-222428

Documentable

False

Rule Version

APSC-DV-000490

Severity Override Guidance

Review the application documentation and interview the application and system administrators.

Identify application features and functions to determine if the application is designed to control the flow of information between interconnected systems.

Identify:

- rulesets,
- data labels
- policies
- systems

to determine if the application is designed to control the flow of data between interconnected systems.

If the application does not provide data flow control capabilities, the requirement is not applicable.

Access the system as a user with access rights allowing the creation of test data or use of existing test data.

Create a test data set and label the data with a data label provided with or by the application (for example, a Personally Identifiable Information (PII) data label).

Review the policy settings to determine where the PII labeled data is allowed and is not allowed.

Using application features and functions, attempt to transmit the labeled data to an interconnected system that is prohibited by policy.

Verify the flow control policy was enforced and the data was not transmitted.

If the application does not enforce the approved authorizations for controlling data flow, this is a finding.

Check Content Reference

M

Target Key

4093

Comments