System Integrity Policy


Netspective Communications LLC’s policy manages risks from system vulnerabilities and helps implement security best practices for all IT resources owned or operated by the company. Users are responsible for adhering to this policy. [FII-SCF-021-SEA-01]

Each Netspective Communications LLC Business System must comply with or develop a program plan to demonstrate compliance with the standards outlined in the following sections of the policy.

  1. SI-1 System and Information Integrity Procedures: All Netspective Communications LLC Business Systems must create, adopt, or follow a formal and documented system and information integrity policy that covers purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

  2. SI-2 Flaw Remediation: All Netspective Communications LLC Business Systems must identify, report, and correct information system flaws, test the effectiveness of software updates related to flaw remediation, and check for potential side effects on organizational information assets before installing updates. The systems must also include flaw remediation in the organizational configuration management process.

  3. SI-3 Malicious Code Protection: Netspective Communications LLC Business Systems must:

  • Utilize malicious code protection mechanisms at information asset entry and exit points, workstations, servers, or mobile computing devices (e.g., email, removable media, and malicious websites) on the network to detect and eradicate malicious code.
  • Update malicious code protection mechanisms (including signature definitions) in accordance with organizational configuration management policy and procedures whenever new releases are available.
  • Configure malicious code protection mechanisms (e.g., real-time scans, periodic scans, malicious code detection) for the protection of Company information systems and assets.
  • Manage the receipt of false positives during malicious code detection and eradication and mitigate the resulting potential impact on the availability of the information asset.
  4. SI-4 Information System Monitoring: Netspective Communications LLC Business Systems must:
  • Monitor events on the information asset and detect attacks on the information asset.
  • Identify any unauthorized use of the information assets.
  • Deploy monitoring devices (1) at strategic locations within the information asset to collect organization-determined essential information and (2) at ad-hoc locations within the system to track specific types of transactions of interest to the organization.
  • Increase the level of information asset monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information.
  • Obtain a legal opinion regarding information asset monitoring activities in accordance with applicable federal laws, directives, policies, or regulations.
  5. SI-5 Security Alerts, Advisories, and Directives: Netspective Communications LLC Business Systems must:
  • Continuously receive information asset security alerts, advisories, and directives from designated external organizations.
  • Generate internal security alerts, advisories, and directives as necessary.
  • Share security alerts, advisories, and directives with key system owners and stakeholders.
  • Implement security directives within established time frames or inform the issuing organization of the degree of noncompliance.
  6. SI-6 Security Functionality Verification: Netspective Communications LLC Business Systems must annually verify the correct operation of security functions and promptly notify the system administrator of any anomalies discovered to ensure timely corrective action.

  7. SI-7 Software and Information Integrity: Netspective Communications LLC Business Systems must detect any unauthorized changes to software within their information asset.

  8. SI-8 Spam Protection: Netspective Communications LLC Business Systems must utilize spam protection mechanisms and update them in accordance with organizational policies to detect and take action on unsolicited messages at information asset entry and exit points, workstations, servers, or mobile computing devices on the network.

  9. SI-9 Information Input Restrictions: Netspective Communications LLC Business Systems must limit the ability to input information into the information asset to authorized personnel.

  10. SI-10 Information Input Validation: Netspective Communications LLC Business Systems must validate information inputs for company information assets.

  11. SI-11 Error Handling: Netspective Communications LLC Business Systems must ensure that company information assets:

    • Identify potentially security-relevant error conditions.
    • Generate error messages that provide necessary information for corrective actions, while not disclosing company-sensitive information in error logs and administrative messages that could be used by adversaries.
    • Only display error messages to authorized personnel.
  12. SI-12 Information Output Handling and Retention: Netspective Communications LLC Business Systems must comply with applicable federal laws, directives, policies, regulations, standards, and operational requirements for handling and retaining both information within and output from the information system.


Approved by Ajay Kumaran Nair on June 13, 2023

Last Updated by Sreejith K on June 13, 2023