For applications that store a single classification of data or have multiple personas, this check does not apply. For applications that transmit classified data, perform a dynamic program analysis to assess if any data classification attributes are transmitted with the data. Check the received data and examine it for the inclusion of classification attributes. If the dynamic program analysis is inconclusive, or cannot be performed, carry out a static program analysis to assess if the code supports any data classification attributes are transmitted with the data. If the static or dynamic program analysis reveals no data classification attributes are transmitted with the data, this is a finding. This test may entail an end-to-end test that extends beyond that of the application, to ensure the data file construct meets the requirements of data classification attribute presence. |