The following compliance controls are associated with the Azure Policy definition 'Perform information input validation' (8b1f29eb-1b22-4217-5337-9207cb55231e). Each row maps one framework control to the policy; Policy# is the number of policy definitions grouped under that control.
| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| FedRAMP_High_R4 | SI-10 | FedRAMP_High_R4_SI-10 | FedRAMP High SI-10 | System And Information Integrity | Information Input Validation | Shared | n/a | The information system checks the validity of [Assignment: organization-defined information inputs]. Supplemental Guidance: Checking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, and acceptable values) verifies that inputs match specified definitions for format and content. Software applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the tainted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing them to interpreters prevents the content from being unintentionally interpreted as commands. Input validation helps to ensure accurate and correct inputs and prevents attacks such as cross-site scripting and a variety of injection attacks. References: None. | link | 1 |
| FedRAMP_Moderate_R4 | SI-10 | FedRAMP_Moderate_R4_SI-10 | FedRAMP Moderate SI-10 | System And Information Integrity | Information Input Validation | Shared | n/a | The information system checks the validity of [Assignment: organization-defined information inputs]. Supplemental Guidance: identical to the FedRAMP High SI-10 row above. References: None. | link | 1 |
| hipaa | 0706.10b1System.12-10.b | hipaa-0706.10b1System.12-10.b | 0706.10b1System.12-10.b | 07 Vulnerability Management | 0706.10b1System.12-10.b 10.02 Correct Processing in Applications | Shared | n/a | Applications developed by the organization are based on secure coding guidelines to prevent common vulnerabilities or undergo appropriate testing. | | 4 |
| hipaa | 0733.10b2System.4-10.b | hipaa-0733.10b2System.4-10.b | 0733.10b2System.4-10.b | 07 Vulnerability Management | 0733.10b2System.4-10.b 10.02 Correct Processing in Applications | Shared | n/a | The information system checks the validity of organization-defined information inputs for accuracy, completeness, validity, and authenticity as close to the point of origin as possible. For in-house developed software, the organization ensures that explicit error checking is performed and documented for all input, including size, data type, and acceptable ranges or formats. | | 2 |
| hipaa | 0901.09s1Organizational.1-09.s | hipaa-0901.09s1Organizational.1-09.s | 0901.09s1Organizational.1-09.s | 09 Transmission Protection | 0901.09s1Organizational.1-09.s 09.08 Exchange of Information | Shared | n/a | The organization formally addresses multiple safeguards before allowing the use of information systems for information exchange. | | 31 |
| ISO27001-2013 | A.14.2.5 | ISO27001-2013_A.14.2.5 | ISO 27001:2013 A.14.2.5 | System Acquisition, Development And Maintenance | Secure system engineering principles | Shared | n/a | Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts. | link | 5 |
| | mp.sw.1 IT Applications development | mp.sw.1 IT Applications development | | | | | n/a | n/a | | 51 |
| NIST_SP_800-53_R4 | SI-10 | NIST_SP_800-53_R4_SI-10 | NIST SP 800-53 Rev. 4 SI-10 | System And Information Integrity | Information Input Validation | Shared | n/a | The information system checks the validity of [Assignment: organization-defined information inputs]. Supplemental Guidance: identical to the FedRAMP High SI-10 row above. References: None. | link | 1 |
| NIST_SP_800-53_R5 | SI-10 | NIST_SP_800-53_R5_SI-10 | NIST SP 800-53 Rev. 5 SI-10 | System and Information Integrity | Information Input Validation | Shared | n/a | Check the validity of the following information inputs: [Assignment: organization-defined information inputs to the system]. | link | 1 |
| | op.pl.2 Security Architecture | op.pl.2 Security Architecture | | | | | n/a | n/a | | 65 |
| SOC_2 | PI1.2 | SOC_2_PI1.2 | SOC 2 Type 2 PI1.2 | Additional Criteria For Processing Integrity | System inputs over completeness and accuracy | Shared | The customer is responsible for implementing this recommendation. | • Defines Characteristics of Processing Inputs — The characteristics of processing inputs that are necessary to meet requirements are defined. • Evaluates Processing Inputs — Processing inputs are evaluated for compliance with defined input requirements. • Creates and Maintains Records of System Inputs — Records of system input activities are created and maintained completely and accurately in a timely manner. | | 1 |
| SOC_2 | PI1.3 | SOC_2_PI1.3 | SOC 2 Type 2 PI1.3 | Additional Criteria For Processing Integrity | System processing | Shared | The customer is responsible for implementing this recommendation. | • Defines Processing Specifications — The processing specifications that are necessary to meet product or service requirements are defined. • Defines Processing Activities — Processing activities are defined to result in products or services that meet specifications. • Detects and Corrects Production Errors — Errors in the production process are detected and corrected in a timely manner. • Records System Processing Activities — System processing activities are recorded completely and accurately in a timely manner. • Processes Inputs — Inputs are processed completely, accurately, and timely as authorized in accordance with defined processing activities. | | 5 |

The two rows with an empty Control Domain (mp.sw.1 and op.pl.2) are from a framework whose metadata did not load when this page was captured; only the control names and policy counts survived.
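The SI-10 supplemental guidance (FedRAMP High, FedRAMP Moderate and NIST SP 800-53 Rev. 4 rows) and the hipaa 0733.10b2System.4-10.b row describe the same two-part control: check the syntax and semantics of each input (character set, length, numerical range, acceptable values) as close to the point of origin as possible, and keep attacker-supplied data from being interpreted as control information when it is placed into a structured message such as a query. The Python example below is added here to show both parts in working code; it is not from the Azure Policy page or from any of the frameworks. The orders table, the customer/status/min_qty input definitions, the sqlite3 back end and the injection payload are all constructed for the demo.

```python
"""Added example: SI-10 style input validation plus parameterised queries.

Part 1 (validate_order_query) is the syntax/semantics check at the trust
boundary.  Part 2 (find_orders_safe) shows why validation alone is not the
whole story: even a value that slipped through must reach the interpreter
as a bound parameter, never as part of the command text.
"""
import re
import sqlite3
from dataclasses import dataclass

# Constructed sample data for the demo (assumption: a small orders table).
_SCHEMA = """
CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, status TEXT, qty INTEGER);
INSERT INTO orders VALUES (1, 'alice', 'open', 3);
INSERT INTO orders VALUES (2, 'bob', 'shipped', 1);
INSERT INTO orders VALUES (3, 'alice', 'shipped', 7);
"""

# The "organization-defined" input definitions, assumed for this example:
# character set and length, acceptable values, numerical range.
_CUSTOMER_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")
_ALLOWED_STATUS = frozenset({"open", "shipped", "cancelled"})
_MAX_QTY = 1000


class InvalidInput(ValueError):
    """Raised when an input does not match its defined format or content."""


@dataclass(frozen=True)
class OrderQuery:
    customer: str
    status: str
    min_qty: int


def validate_order_query(customer, status, min_qty) -> OrderQuery:
    """Syntax and semantics check before any interpreter sees the data."""
    if not isinstance(customer, str) or not _CUSTOMER_RE.fullmatch(customer):
        raise InvalidInput("customer: expected [a-z][a-z0-9_]{0,31}")
    if not isinstance(status, str) or status not in _ALLOWED_STATUS:
        raise InvalidInput(f"status: expected one of {sorted(_ALLOWED_STATUS)}")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(min_qty, bool) or not isinstance(min_qty, int):
        raise InvalidInput("min_qty: expected an integer")
    if not 0 <= min_qty <= _MAX_QTY:
        raise InvalidInput(f"min_qty: expected 0..{_MAX_QTY}")
    return OrderQuery(customer, status, min_qty)


def is_valid_order_query(customer, status, min_qty) -> bool:
    """Convenience wrapper: True if the triple passes validation."""
    try:
        validate_order_query(customer, status, min_qty)
        return True
    except InvalidInput:
        return False


def _connect() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(_SCHEMA)
    return conn


def find_orders_unsafe(customer: str, status: str) -> list:
    """Vulnerable: raw input is spliced into the SQL text, so a quote in the
    data closes the literal and the rest is read as control information."""
    sql = (f"SELECT id FROM orders WHERE customer = '{customer}' "
           f"AND status = '{status}' ORDER BY id")
    return [row[0] for row in _connect().execute(sql)]


def find_orders_safe(q: OrderQuery) -> list:
    """Hardened: the SQL structure is fixed; values travel as bound parameters
    and can only ever be compared as data."""
    sql = ("SELECT id FROM orders WHERE customer = ? AND status = ? "
           "AND qty >= ? ORDER BY id")
    return [row[0] for row in _connect().execute(sql, (q.customer, q.status, q.min_qty))]


def demo() -> dict:
    # Constructed injection payload: closes the quoted string and appends an
    # always-true clause, so the WHERE filter no longer restricts anything.
    payload = "alice' OR '1'='1"
    leaked = find_orders_unsafe(payload, "shipped")                 # every order id
    rejected = not is_valid_order_query(payload, "shipped", 0)      # stopped at the boundary
    bound = find_orders_safe(OrderQuery(payload, "shipped", 0))     # literal name, no rows
    legit = find_orders_safe(validate_order_query("alice", "shipped", 5))
    return {"leaked": leaked, "rejected": rejected, "bound": bound, "legit": legit}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the three outcomes side by side: the concatenated query returns all three order ids for the payload, the validator rejects the payload outright because a quote and a space are outside the defined character set, and the parameterised query returns nothing for the same string because the driver binds it as a plain customer name. The validation rules are allow-lists, which is what "acceptable values" and "character set" in the control text ask for; a deny-list of known-bad characters would not satisfy it.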