Implement non-repudiation for transactions.

CONTROL ID: 00567
CONTROL TYPE: Testing
CLASSIFICATION: Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Use strong data encryption to transmit in scope data or in scope information, as necessary., CC ID: 00564

This Control has the following implementation support Control(s):
  • Treat data messages that do not receive an acknowledgment as never been sent., CC ID: 14416


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • T23: The organization shall limit transactions at the file or account level. T23.1: The organization should provide transaction limiting functions to isolate transactions to localize the impact of failures. T33: The organization should implement measures to detect tampered data under transmission. (T23, T23.1, T33, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • The organization should implement cryptographic techniques to verify the authenticity of data and information or transactions. (Attach F ¶ 1(c), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • (§ 4.2, OGC ITIL: Security Management)
  • The integrity of critical information should be protected by using 'digital signatures' so that transactions and communications cannot be repudiated (i.e., non-repudiation). (CF.05.03.05b, The Standard of Good Practice for Information Security)
  • The integrity of critical information should be protected by using 'digital signatures' so that transactions and communications cannot be repudiated (i.e., non-repudiation). (CF.05.03.05b, The Standard of Good Practice for Information Security, 2013)
  • ¶ 8.2.5(3) Cryptography. An organization should implement safeguards to assure cryptography procedures are in place. Cryptography is a mathematical means of transforming data to provide security. It can be used for many different purposes in IT security, for example, cryptography can help to provid… (¶ 8.2.5(3), ¶ 9.2 Table Row "Non-Repudiation", ¶ 10.3.6, ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • Non-Repudiation. Where there is a requirement to ensure that substantive proof can be provided that information was carried by a network, safeguards such as the following should be considered: • communication protocols that provide acknowledgment of submission, • application protocols that requi… (¶ 13.11, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
  • Nonrepudiation of origin and nonrepudiation of receipt ensure information can be sent and received without the originator or receiver being able to successfully deny having sent or received the information. The evidence should not be forgeable and should be verifiable. (§ 9.1, § 9.2, § D.1, § D.2, ISO 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008)
  • The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed [Assignment: organization-defined actions to be covered by non-repudiation]. (AU-10 Control, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • When scoped data is sent or received electronically or via physical media, is the data checked for confidentiality and integrity following any transmissions? (§ G.14.4, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Complete electronic health records (EHRs) or EHR modules must be capable of verifying, in accordance with § 170.210(c), that upon receipt, the electronically exchanged health information has not been altered electronically, unless designated as optional, and in accordance with the applicable standa… (§ 170.302(s)(2), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, Final Rule)
  • The originator must verify the required documentation is not altered or lost during transfers. (Ch 2 (Originators/Creators).b(1), Department of Health and Human Services Records Management Procedures Manual, Version 1.0 Final Draft)
  • Transaction initiation and completion. (AppE.7 Objective 3:4 a., FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Clearly defined procedures should be established to provide for the authorization and authentication of transactions. (Pg 31, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed [FedRAMP Assignment: minimum actions including the addition, modification, deletion, approval, sending, or receiving of data]. (AU-10 High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed [FedRAMP Assignment: minimum actions including the addition, modification, deletion, approval, sending, or receiving of data]. (AU-10 Control, FedRAMP Security Controls High Baseline, Version 5)
  • Does management review transactions to ensure the integrity of the data? (IT - Security Program Q 9b, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does management review transactions to ensure the confidentiality of transactions? (IT - Security Program Q 9c, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed [Assignment: organization-defined actions to be covered by non-repudiation]. (AU-10 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed [Assignment: organization-defined actions to be covered by non-repudiation]. (AU-10 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Calls for Audit and Accountability (AU): Organizations must: (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • The system configuration should be examined to ensure the capability exists for the system to know if an individual user took a particular action, such as creating information and sending or receiving a message. Organizational records and documents should be examined to ensure specific responsibilit… (AU-10, AU-10.2, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed [Assignment: organization-defined actions to be covered by non-repudiation]. (AU-10 Control: High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The Information System must protect against individuals falsely denying they performed a particular action. (App F § AU-10, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The Information System should validate the binding of the producer's identity with the information. (App F § AU-10(2), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The Information System should maintain reviewer/releaser identity with all information reviewed or released. (App F § AU-10(3), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The Information System should validate binding of reviewer/releaser identity prior to information release to another security domain. (App F § AU-10(4), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Implement system security measures in accordance with established procedures to ensure confidentiality, integrity, availability, authentication, and non-repudiation. (T0489, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Design, develop, integrate, and update system security measures that provide confidentiality, integrity, availability, authentication, and non-repudiation. (T0446, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed {organizationally documented actions to be covered by non-repudiation}. (AU-10 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system maintains reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released. (AU-10(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed {organizationally documented actions to be covered by non-repudiation}. (AU-10 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed [Assignment: organization-defined actions to be covered by non-repudiation]. (AU-10 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed [Assignment: organization-defined actions to be covered by non-repudiation]. (AU-10 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed [Assignment: organization-defined actions to be covered by non-repudiation]. (AU-10 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed [Assignment: organization-defined actions to be covered by non-repudiation]. (AU-10 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed [Assignment: organization-defined actions to be covered by non-repudiation]. (AU-10 Control:, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Ensures non-repudiation of provenance information and the provenance change records including when, what, and to whom. (PV-2e., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • System accountability depends upon the ability to ensure that senders cannot deny sending information and that receivers cannot deny receiving it. Nonrepudiation is a service that spans prevention and detection. This service has been placed into the prevention category because the mechanisms impleme… (§ 3.1, Underlying Technical Models for Information Technology Security, SP 800-33, December 2001)