Define risk tolerance to illicit data flow for each type of information classification.


CONTROL ID: 01923
CONTROL TYPE: Data and Information Management
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain information flow control policies inside the system and between interconnected systems., CC ID: 01410

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices. (Security Control: 1083; Revision: 2, Australian Government Information Security Manual, March 2021)
  • An analysis document should be developed and should contain the following: the procedures used to find covert channels; assumptions made by the testers during the covert channel analysis; a list of all identified covert channels; the method that was used to estimate the capacity of the covert channe… (§ 19.1, ISO 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008)
  • An analysis document should be developed and should contain the following: the procedures used to find covert channels; assumptions made by the testers during the covert channel analysis; a list of all identified covert channels; the method that was used to estimate the capacity of the covert channe… (§ 19.1, ISO 15408-3 Common Criteria for Information Technology Security Evaluation Part 3, 2008)
  • Verifiers SHOULD consider risk indicators such as device swap, SIM change, number porting, or other abnormal behavior before using the PSTN to deliver an out-of-band authentication secret. (5.1.3.3 ¶ 2, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • The use of a RESTRICTED authenticator requires that the implementing organization assess, understand, and accept the risks associated with that RESTRICTED authenticator and acknowledge that risk will likely increase over time. It is the responsibility of the organization to determine the level of ac… (5.2.10 ¶ 3, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)