
Establish, implement, and maintain Automated Data Processing validation checks and editing checks.


CONTROL ID
00924
CONTROL TYPE
Data and Information Management
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain data processing integrity controls., CC ID: 00923

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • O40: For the computer center and head and branch offices, the organization shall establish and maintain a system to verify transactions based on a log of operations of terminal devices, a statement of the accounts, and other records, and inspect the log. T17: The organization shall strengthen the ch… (O40, T17, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • In order to early detect content inconsistencies, logical errors, etc. between files, it is necessary to provide the functions of matching and verifying the contents of files such as ledgers, checklists, journals, and other files. (P98.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • It is necessary to provide checking functions for the data entered by computer systems terminal operators. (P100.3. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • There should be suitable interface controls in place. Data transfer from one process to another or from one application to another, particularly for critical systems, should not have any manual intervention in order to prevent any unauthorized modification. The process needs to be automated and prop… (Critical components of information security 11) c.27., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Validation or sanitisation is performed on all input handled by web applications. (Control: ISM-1240; Revision: 3, Australian Government Information Security Manual, June 2023)
  • When manually exporting data from SECRET and TOP SECRET systems, digital signatures are validated and keyword checks are performed within all textual data. (Control: ISM-0669; Revision: 6, Australian Government Information Security Manual, June 2023)
  • Validation or sanitisation is performed on all input handled by web applications. (Control: ISM-1240; Revision: 3, Australian Government Information Security Manual, September 2023)
  • When manually exporting data from SECRET and TOP SECRET systems, digital signatures are validated and keyword checks are performed within all textual data. (Control: ISM-0669; Revision: 6, Australian Government Information Security Manual, September 2023)
  • The organization should conduct data validation on all of the data that passes through the content filter of an unclassified system or sensitive system, and block the content that fails the validation. (Control: 1284, Australian Government Information Security Manual: Controls)
  • The organization must conduct data validation on all of the data that passes through the content filter of a classified system, and block the content that fails the validation. (Control: 1285, Australian Government Information Security Manual: Controls)
  • The consumer IoT device software shall validate data input via user interfaces or transferred via Application Programming Interfaces (APIs) or between networks in services and devices. (Provision 5.13-1, CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements, ETSI EN 303 645, V2.1.1)
  • Validate input data (5.13, CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements, ETSI EN 303 645, V2.1.1)
  • The validation process should include checks to ensure the data is not altered in meaning and/or value when it is transferred to another system or data format. (¶ 4.8, EudraLex, The Rules Governing Medicinal Products in the European Union, Volume 4 Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use Annex 11: Computerised Systems, SANCO/C8/AM/sl/ares(2010)1064599)
  • Computerized systems that electronically exchange information should include built-in checks for the correct and secure entry and processing of the data. (¶ 5, EudraLex, The Rules Governing Medicinal Products in the European Union, Volume 4 Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use Annex 11: Computerised Systems, SANCO/C8/AM/sl/ares(2010)1064599)
  • Additional checks should be made on the accuracy of the made record when critical data is being entered manually, either by a second person or validated electronic means. (¶ 9, PE 009-8, Guide to Good Manufacturing Practice for Medicinal Products, Annex 11, 15 January 2009)
  • Implement business controls, where appropriate, into automated application controls such that processing is accurate, complete, timely, authorised and auditable. (AI2.3 Application Control and Auditability, CobiT, Version 4.1)
  • The organization should edit and validate the information in required fields in real-time. The customer should be notified instantly if a required field is incorrect or incomplete. If a customer misses a required field, the web site should notify the customer which field has been missed and allow th… (Pg 33, Pg 34, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business)
  • Processing controls provide reasonable assurance the data processing was performed appropriately without omissions or double-counting. Processing controls include control-total reports, run-to-run totals, and file and operator controls. See the "Processing Controls" table for controls and tests to e… (App A (Processing Controls), IIA Global Technology Audit Guide (GTAG) 8: Auditing Application Controls)
  • Information input into Critical spreadsheets should be subject to integrity checks using validation routines, which requires particular spreadsheet cells to contain a non-null value (i.e., the cell contains a value of some type and is not empty). (CF.13.02.03a, The Standard of Good Practice for Information Security)
  • Information input into Critical spreadsheets should be subject to integrity checks using validation routines, which restrict the type of information entered (e.g., requiring entered information to be in the format of date, currency, number, or text). (CF.13.02.03b, The Standard of Good Practice for Information Security)
  • Information input into Critical spreadsheets should be subject to integrity checks using validation routines, which use range checks to ensure information entered into the spreadsheet is within a predefined range (e.g., checking that a number that should be positive is not negative). (CF.13.02.03c, The Standard of Good Practice for Information Security)
  • Information input into critical spreadsheets should be subject to integrity checks using validation routines, which generate hash totals, to allow the integrity of information to be checked at various stages of being processed. (CF.13.02.03d, The Standard of Good Practice for Information Security)
  • Information input into Critical spreadsheets should be subject to integrity checks using validation routines, which perform consistency checks (e.g., on a formula that is repeated throughout a spreadsheet). (CF.13.02.03e, The Standard of Good Practice for Information Security)
  • Information input into Critical databases should be subject to integrity checks using validation routines, which require particular database fields to contain a non-null value (i.e., the field contains a value of some type and is not empty). (CF.13.03.03a, The Standard of Good Practice for Information Security)
  • Information input into Critical databases should be subject to integrity checks using validation routines, which restrict the type of information entered (e.g., requiring entered information to be in the format of date, currency, number, or text). (CF.13.03.03b, The Standard of Good Practice for Information Security)
  • Information input into Critical databases should be subject to integrity checks using validation routines, which use range checks to ensure information entered into the database is within a predefined range (e.g., checking that a number that should be positive is not negative). (CF.13.03.03c, The Standard of Good Practice for Information Security)
  • Information input into critical databases should be subject to integrity checks using validation routines, which generate hash totals, to allow the integrity of information to be checked at various stages of being processed. (CF.13.03.03d, The Standard of Good Practice for Information Security)
  • Information input into Critical databases should be subject to integrity checks using validation routines, which perform consistency checks (e.g., on a calculation that is repeated throughout a database). (CF.13.03.03e, The Standard of Good Practice for Information Security)
  • Individuals should be supported by approved methods of validating processes / data. (CF.02.05.06c, The Standard of Good Practice for Information Security)
  • Information input into Critical spreadsheets should be subject to integrity checks using validation routines, which requires particular spreadsheet cells to contain a non-null value (i.e., the cell contains a value of some type and is not empty). (CF.13.02.03a, The Standard of Good Practice for Information Security, 2013)
  • Information input into Critical spreadsheets should be subject to integrity checks using validation routines, which restrict the type of information entered (e.g., requiring entered information to be in the format of date, currency, number, or text). (CF.13.02.03b, The Standard of Good Practice for Information Security, 2013)
  • Information input into Critical spreadsheets should be subject to integrity checks using validation routines, which use range checks to ensure information entered into the spreadsheet is within a predefined range (e.g., checking that a number that should be positive is not negative). (CF.13.02.03c, The Standard of Good Practice for Information Security, 2013)
  • Information input into critical spreadsheets should be subject to integrity checks using validation routines, which generate hash totals, to allow the integrity of information to be checked at various stages of being processed. (CF.13.02.03d, The Standard of Good Practice for Information Security, 2013)
  • Information input into Critical spreadsheets should be subject to integrity checks using validation routines, which perform consistency checks (e.g., on a formula that is repeated throughout a spreadsheet). (CF.13.02.03e, The Standard of Good Practice for Information Security, 2013)
  • Information input into Critical databases should be subject to integrity checks using validation routines, which require particular database fields to contain a non-null value (i.e., the field contains a value of some type and is not empty). (CF.13.03.03a, The Standard of Good Practice for Information Security, 2013)
  • Information input into Critical databases should be subject to integrity checks using validation routines, which restrict the type of information entered (e.g., requiring entered information to be in the format of date, currency, number, or text). (CF.13.03.03b, The Standard of Good Practice for Information Security, 2013)
  • Information input into Critical databases should be subject to integrity checks using validation routines, which use range checks to ensure information entered into the database is within a predefined range (e.g., checking that a number that should be positive is not negative). (CF.13.03.03c, The Standard of Good Practice for Information Security, 2013)
  • Information input into critical databases should be subject to integrity checks using validation routines, which generate hash totals, to allow the integrity of information to be checked at various stages of being processed. (CF.13.03.03d, The Standard of Good Practice for Information Security, 2013)
  • Information input into Critical databases should be subject to integrity checks using validation routines, which perform consistency checks (e.g., on a calculation that is repeated throughout a database). (CF.13.03.03e, The Standard of Good Practice for Information Security, 2013)
  • Individuals should be supported by approved methods of validating processes / data. (CF.02.05.06c, The Standard of Good Practice for Information Security, 2013)
  • Verify that input validation is enforced on a trusted service layer. (1.5.3, Application Security Verification Standard 4.0.3, 4.0.3)
  • Verify that JSON schema validation is in place and verified before accepting input. (13.2.2, Application Security Verification Standard 4.0.3, 4.0.3)
  • Verify that the application protects against SSRF attacks, by validating or sanitizing untrusted data or HTTP file metadata, such as filenames and URL input fields, and uses allow lists of protocols, domains, paths and ports. (5.2.6, Application Security Verification Standard 4.0.3, 4.0.3)
  • Verify that the application protects against Reflective File Download (RFD) by validating or ignoring user-submitted filenames in a JSON, JSONP, or URL parameter, the response Content-Type header should be set to text/plain, and the Content-Disposition header should have a fixed filename. (12.3.4, Application Security Verification Standard 4.0.3, 4.0.3)
  • Verify that if application assets, such as JavaScript libraries, CSS or web fonts, are hosted externally on a Content Delivery Network (CDN) or external provider, Subresource Integrity (SRI) is used to validate the integrity of the asset. (14.2.3, Application Security Verification Standard 4.0.3, 4.0.3)
  • Verify that XSD schema validation takes place to ensure a properly formed XML document, followed by validation of each input field before any processing of that data takes place. (13.3.1, Application Security Verification Standard 4.0.3, 4.0.3)
  • Verify that REST services explicitly check the incoming Content-Type to be the expected one, such as application/xml or application/json. (13.2.5, Application Security Verification Standard 4.0.3, 4.0.3)
  • Checks should be made on all inputted data to ensure the data is correct. The checks should look for errors, such as incomplete data, invalid characters, or out-of-range values. Items that should be checked include names, addresses, phone numbers, sales prices, and tax rates. (§ 12.2.1, ISO 27002 Code of practice for information security management, 2005)
  • The information system checks the validity of [Assignment: organization-defined information inputs]. (SI-10 Control, StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • The information system checks the validity of [Assignment: organization-defined information inputs]. (SI-10 Control, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The information system checks the validity of [Assignment: organization-defined information inputs]. (SI-10 Control, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • CSR 8.4.2: The organization must generate trailer labels or control records that contain record counts and control totals for all computer files and they are tested by application programs to help determine if all records have been processed. CSR 8.4.4: The system interfaces require that the sending… (CSR 8.4.2, CSR 8.4.4, CSR 9.5.1, CSR 9.8.2, CSR 9.8.3, CSR 9.8.4, CSR 9.8.5, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The Management Information System (MIS) should ensure all information is processed and compiled consistently. (Pg 14, FFIEC IT Examination Handbook - Management)
  • Payment data should be verified to help mitigate risk. (Pg 31, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • The organization shall have procedures and controls in place for using operational system checks for enforcing the permitted sequencing of steps and events. (§ 11.10(f), 21 CFR Part 11, Electronic Records; Electronic Signatures)
  • The information system checks the validity of [Assignment: organization-defined information inputs]. (SI-10 High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The information system checks the validity of [Assignment: organization-defined information inputs]. (SI-10 Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Check the validity of the following information inputs: [Assignment: organization-defined information inputs to the system]. (SI-10 Control, FedRAMP Security Controls High Baseline, Version 5)
  • Check the validity of the following information inputs: [Assignment: organization-defined information inputs to the system]. (SI-10 Control, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Check the validity of the following information inputs: [Assignment: organization-defined information inputs to the system]. (SI-10 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Check the validity of the following information inputs: [Assignment: organization-defined information inputs to the system]. (SI-10 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • The information system checks the validity of [Assignment: organization-defined information inputs]. (SI-10 Control: High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The information system checks the validity of [Assignment: organization-defined information inputs]. (SI-10 Control: Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The Information System must check the validity of the information inputs. (App F § SI-10, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The information system checks the validity of {organizationally documented information inputs}. (SI-10 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system provides a manual override capability for input validation of {organizationally documented inputs}. (SI-10(1)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system restricts the use of the manual override capability to only {organizationally documented authorized individuals}. (SI-10(1)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system checks the validity of {organizationally documented information inputs}. (SI-10 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system checks the validity of {organizationally documented information inputs}. (SI-10 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system checks the validity of [Assignment: organization-defined information inputs]. (SI-10 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The information system checks the validity of [Assignment: organization-defined information inputs]. (SI-10 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The information system checks the validity of [Assignment: organization-defined information inputs]. (SI-10 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Provides a manual override capability for input validation of [Assignment: organization-defined inputs]; (SI-10(1)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Provide the capability to check the integrity of information while it resides in the external system. (SA-9(7) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Check the validity of the following information inputs: [Assignment: organization-defined information inputs to the system]. (SI-10 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Provide a manual override capability for input validation of the following information inputs: [Assignment: organization-defined inputs defined in the base control (SI-10)]; (SI-10(1)(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Provide the capability to check the integrity of information while it resides in the external system. (SA-9(7) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Check the validity of the following information inputs: [Assignment: organization-defined information inputs to the system]. (SI-10 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Provide a manual override capability for input validation of the following information inputs: [Assignment: organization-defined inputs defined in the base control (SI-10)]; (SI-10(1)(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Application controls should be in place to ensure that data that is converted to an automated form is entered into the system correctly and accurately. (Pg 33, Implementation Guide for OMB Circular A-123 Management's Responsibility for Internal Control)
  • Controls should be in place to verify the input and output data for all applications. (§ II.C, OMB Circular A-123, Management's Responsibility for Internal Control)
  • The information system checks the validity of [Assignment: organization-defined information inputs]. (SI-10 Control, TX-RAMP Security Controls Baseline Level 2)