Establish, implement, and maintain Automated Data Processing error handling procedures.


CONTROL ID: 00925
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain data processing integrity controls., CC ID: 00923

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • The organization should consider keeping a processing history to detect defective data. This is accomplished by adding the date of data processing, personnel ID, terminal ID, and other required information in the recovery journals. These files should be protected with access control and other securi… (T32.1(2), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • In order to prevent errors in operations of general purpose machines and servers at the computer center and detect them at an early stage, it is necessary to enhance functions to check the operator's work. (P100.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Web applications should provide as little information as possible about Database Management System software and database schema. (Control: 1278, Australian Government Information Security Manual: Controls)
  • Safeguards must be implemented that allow information processing errors (which may compromise confidentiality, availability, or integrity), mistakes that are critical to security, and security incidents to be avoided as far as possible, to be limited in their impact, or at least noticed prematurely.… (§ 8.3 Subsection 2 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • The system should include built-in checks for correct data entry and Data Processing. (¶ 6, PE 009-8, Guide to Good Manufacturing Practice for Medicinal Products, Annex 11, 15 January 2009)
  • Procedures should be established to record and analyze errors and allow corrective action to be taken. (¶ 17, PE 009-8, Guide to Good Manufacturing Practice for Medicinal Products, Annex 11, 15 January 2009)
  • Business applications should incorporate security controls to protect the integrity of information by producing error reports. (CF.04.01.04c-1, The Standard of Good Practice for Information Security)
  • Business applications should incorporate security controls to protect the integrity of information by producing error reports. (CF.04.01.04c-1, The Standard of Good Practice for Information Security, 2013)
  • Verify that a "last resort" error handler is defined which will catch all unhandled exceptions. (7.4.3, Application Security Verification Standard 4.0.3, 4.0.3)
  • Data input and output integrity routines (i.e., reconciliation and edit checks) shall be implemented for application interfaces and databases to prevent manual or systematic processing errors, corruption of data, or misuse. (AIS-03, Cloud Controls Matrix, v3.0)
  • Data stored on media should be monitored to ensure integrity errors or hardware glitches do not occur and damage the data. If an error is detected, the system should take appropriate actions to fix the error. (§ 11.11, § F.11, ISO 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008)
  • Validation checks should be built in to applications. Areas that should be addressed are as follows: Using add, modify, and delete functions to alter data; procedures to prevent programs from running in the wrong order; programs used to recover from failures; and protection against buffer overflows. (§ 12.2.2, ISO 27002 Code of practice for information security management, 2005)
  • Errors encountered in processing or production activities are detected and corrected in a timely manner. (PI1.3 ¶ 2 Bullet 3 Detects and Corrects Processing or Production Activity Errors, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Components shall identify and handle error conditions in a manner that does not provide information that could be exploited by adversaries to attack the IACS. (7.9.1 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • The security program, in relation to protecting personal information, should include procedures on how the organization handles errors and omissions. (Table Ref 8.2.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • Errors in the production process are detected and corrected in a timely manner. (PI1.3 Detects and Corrects Production Errors, Trust Services Criteria)
  • Errors in the production process are detected and corrected in a timely manner. (PI1.3 ¶ 2 Bullet 3 Detects and Corrects Production Errors, Trust Services Criteria, (includes March 2020 updates))
  • The Records Management Application shall prompt the user to correct data entry or capture errors when they are detected and the prompts shall provide the user guidance in correcting the errors. (§ C2.2.3.12, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • Error processing procedures and problem resolution procedures should be implemented to help mitigate risk. (Pg 31, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • Perform [Assignment: organization-defined actions] in the event of a validation error. (AU-10(2)(b), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Perform [Assignment: organization-defined actions] in the event of a validation error. (AU-10(2)(b), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • The system should be examined to ensure errors are handled in a timely manner, error messages contain information to help the user but do not display information that can be exploited to gain access to the system, only authorized personnel are provided in-depth error messages, and sensitive information… (SI-11, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization must identify, correct, and report all smart grid Information System flaws. (SG.SI-2 Requirement 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should manage the flaw remediation process centrally and consider the risk of using automated flaw remediation processes. (SG.SI-2 Additional Considerations A1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The smart grid Information System must identify all error conditions. (SG.SI-9 Requirement 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The information system performs {organizationally documented actions} in the event of a validation error. (AU-10(2)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system performs {organizationally documented actions} in the event of a validation error. (AU-10(4)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization ensures that input validation errors are reviewed and resolved within {organizationally documented time period}. (SI-10(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system behaves in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received. (SI-10(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization accounts for timing interactions among information system components in determining appropriate responses for invalid inputs. (SI-10(4), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • Performs [Assignment: organization-defined actions] in the event of a validation error. (AU-10(2)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Performs [Assignment: organization-defined actions] in the event of a validation error. (AU-10(4)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The information system behaves in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received. (SI-10(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization accounts for timing interactions among information system components in determining appropriate responses for invalid inputs. (SI-10(4) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization ensures that input validation errors are reviewed and resolved within [Assignment: organization-defined time period]. (SI-10(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Perform [Assignment: organization-defined actions] in the event of a validation error. (AU-10(4)(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Perform [Assignment: organization-defined actions] in the event of a validation error. (AU-10(2)(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Verify that the system behaves in a predictable and documented manner when invalid inputs are received. (SI-10(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Account for timing interactions among system components in determining appropriate responses for invalid inputs. (SI-10(4) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Review and resolve input validation errors within [Assignment: organization-defined time period]. (SI-10(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Perform [Assignment: organization-defined actions] in the event of a validation error. (AU-10(4)(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Perform [Assignment: organization-defined actions] in the event of a validation error. (AU-10(2)(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Verify that the system behaves in a predictable and documented manner when invalid inputs are received. (SI-10(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Account for timing interactions among system components in determining appropriate responses for invalid inputs. (SI-10(4) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Review and resolve input validation errors within [Assignment: organization-defined time period]. (SI-10(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Performs [Assignment: organization-defined actions] in the event of a validation error. (AU-10(2) ¶ 1(b), Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)