Overview:
Prevent unauthorized and unintended information transfer via shared system resources.
Action Items:
3.13.4[a]
Determine if: unauthorized and unintended information transfer via shared system resources is prevented.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
1
Examine: System and communications protection policy; procedures addressing application partitioning; system security plan; system design documentation; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].
2
Interview: System or network administrators; personnel with information security responsibilities; system developer].
3
Test: Separation of user functionality from system management functionality].
Related Documents (document name and content will vary by organization):
1) System and communications protection policy
2) procedures addressing application partitioning
3) system security plan
4) system design documentation
5) system configuration settings and associated documentation
6) system audit logs and records
7) other relevant documents or records
Additional Guidance:
This requirement prevents information produced by the actions of prior users or roles (or the actions of processes acting on behalf of prior users or roles) from being available to any current users or roles (or current processes acting on behalf of current users or roles) that obtain access to shared system resources (e.g., registers, cache memory, main memory, hard disks) after those resources have been released back to the system. This requirement also applies to encrypted representations of information. The control of information in shared system resources is also commonly referred to as object reuse and residual information protection. This requirement does not address information remanence, which refers to residual representation of data that has been nominally deleted; covert channels (including storage or timing channels) where shared resources are manipulated to violate information flow restrictions; or components within systems for which there are only single users or roles.
Article ID: 196
Created: September 26, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/nist-800-171-information-in-shared-resources-3-13-4-196.html