Control error handling when data is being inputted.

CONTROL ID: 00922
CONTROL TYPE: Data and Information Management
CLASSIFICATION: Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain records management procedures., CC ID: 11619

This Control has the following implementation support Control(s):
  • Use automated entry devices to reduce errors during data input., CC ID: 06626


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The input management rules must include a procedure for ensuring input data is accurate and without omissions or duplications and complies with the input control rules. This is a control item that constitutes a greater risk to financial information. This is an IT application control. (App 2-1 Item Number IV.3(2), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • It is necessary to review the established procedures regularly according to the changes of development methods and operation styles, etc. (P78.1. ¶ 3, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • The organization should implement controls to prevent the exploitation of known vulnerabilities that cannot be patched or a security patch is not available by applying external input sanitization, if input triggers the exploit; applying access controls to prevent Access to the vulnerability; applyin… (Control: 0941 Bullet 2, Australian Government Information Security Manual: Controls)
  • The organization should control error handling. (¶ 26(d), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • An additional check on data accuracy should be completed on critical data that is inputted manually, either electronically or by a second person. (¶ 6, EudraLex, The Rules Governing Medicinal Products in the European Union, Volume 4 Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use Annex 11: Computerised Systems, SANCO/C8/AM/sl/ares(2010)1064599)
  • If the input is greater than the maximum length in web applications, does the organization stop processing and return as failure? (Table Row VI.18, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • The system should include built-in checks for correct data entry and Data Processing. (¶ 6, PE 009-8, Guide to Good Manufacturing Practice for Medicinal Products, Annex 11, 15 January 2009)
  • Ensure that transactions are accurate, complete and valid. Validate data that were input, and edit or send back for correction as close to the point of origination as possible. (AC3 Accuracy, Completeness and Authenticity Checks, CobiT, Version 4.1)
  • Establish that data input is performed in a timely manner by authorised and qualified staff. Correction and resubmission of data that were erroneously input should be performed without compromising original transaction authorisation levels. Where appropriate for reconstruction, retain original sourc… (AC2 Source Data Collection and Entry, CobiT, Version 4.1)
  • Do not return extensive error codes to the browser. Turn off debug information because it may provide useful clues to a hacker. (§ 3-10, MasterCard Electronic Commerce Security Architecture Best Practices, April 2003)
  • If a customer misses a required field, the web site should notify the customer which field has been missed and allow the customer to go back to the previous page and correct or edit information without having to reenter all the information needed for the form. Before submitting a card number for aut… (Pg 33, Pg 39, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business)
  • The risk of inaccurate entry of information into Critical spreadsheets should be reduced by the use of error messages (e.g., error codes and descriptive text provided to inform users when a mistake may have occurred). (CF.13.02.04c, The Standard of Good Practice for Information Security)
  • The risk of inaccurate entry of information into Critical spreadsheets should be reduced by the use of error messages (e.g., error codes and descriptive text provided to inform users when a mistake may have occurred). (CF.13.03.04c, The Standard of Good Practice for Information Security)
  • The risk of inaccurate entry of information into Critical spreadsheets should be reduced by the use of error messages (e.g., error codes and descriptive text provided to inform users when a mistake may have occurred). (CF.13.02.04c, The Standard of Good Practice for Information Security, 2013)
  • The risk of inaccurate entry of information into Critical spreadsheets should be reduced by the use of error messages (e.g., error codes and descriptive text provided to inform users when a mistake may have occurred). (CF.13.03.04c, The Standard of Good Practice for Information Security, 2013)
  • For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. (Control 18.3, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • The system should conduct explicit error checking for all input. (Critical Control 6.2, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. (CIS Control 18: Sub-Control 18.2 Ensure Explicit Error Checking is Performed for All In-House Developed Software, CIS Controls, 7.1)
  • For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. (CIS Control 18: Sub-Control 18.2 Ensure Explicit Error Checking is Performed for All In-House Developed Software, CIS Controls, V7)
  • Checks should be made for all input to detect errors or corruption through processing errors or deliberate acts. (§ 12.2.2, ISO 27002 Code of practice for information security management, 2005)
  • Rules for checking the valid syntax of input data such as set points should be in place to verify that this information has not been tampered with and is compliant with the specification. Inputs passed to interpreters should be pre-screened to prevent the content from being unintentionally interpret… (7.7.2 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Help users avoid and correct mistakes. (Guideline 3.3 ¶ 1, Web Content Accessibility Guidelines (WCAG) 2.1, W3C Recommendation 05 June 2018)
  • If an input error is automatically detected, the item that is in error is identified and the error is described to the user in text. (Success Criterion 3.3.1 (Level A) ¶ 1, Web Content Accessibility Guidelines (WCAG) 2.1, W3C Recommendation 05 June 2018)
  • Checked: Data entered by the user is checked for input errors and the user is provided an opportunity to correct them. (Success Criterion 3.3.4 (Level AA) ¶ 1 Bullet 2, Web Content Accessibility Guidelines (WCAG) 2.1, W3C Recommendation 05 June 2018)
  • CSR 8.1.1: The organization must use sequence checking to identify duplicate or missing transactions. The organization must produce a report of duplicate or missing transactions, investigate these items, and resolve them in a timely manner. CSR 8.2.1: The organization must produce a report of duplic… (CSR 8.1.1, CSR 8.2.1, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Identify, report, and correct information and information system flaws in a timely manner. (§ 52.204-21 (b)(1)(xii), 48 CFR Part 52.204-21, Basic Safeguarding of Covered Contractor Information Systems)
  • The Records Management Application shall prompt the user to correct data entry or capture errors when they are detected and the prompts shall provide the user guidance in correcting the errors. (§ C2.2.3.12, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • An alert shall be shown to the user if the time period for the "declassify on" field is exceeded, which is currently 10 years. (§ C4.1.8, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • Online forms should include error checking for common input mistakes. (Pg 36, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • The system should be examined to ensure errors are handled in a timely manner, error messages contain information to help the user but do not display information that can be exploited to gain access to the system, only authorized personnel are provided in-depth error messages, and sensitive information… (SI-11, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Develop secure code and error handling. (T0077, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop secure code and error handling. (T0077, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)