| Security-relevant information is any information within the information system that can potentially impact the operation of security functions in a manner possibly resulting in failure to enforce the system security policy or maintain isolation of code and data. Organizations may define specific security relevant information requiring protection. Filtering rules for routers and firewalls, cryptographic key management information, key configuration parameters for security services, and access control lists are examples of security-relevant information. Secure, non-operable system states are states in which the information system is not performing mission/business-related processing (e.g., the system is off-line for maintenance, troubleshooting, boot-up, shutdown). Access to these types of data is to be prevented unless the system is in a maintenance mode or has otherwise been brought off-line. The goal is to minimize the potential a security configuration or data may be dynamically and perhaps, surreptitiously overwritten or changed (without going through a formal system change process that can document the changes).
Rationale for non-applicability:
Mobile applications that provide flow control or inter-domain communication are outside the scope of this SRG. Any controls that manage the dissemination of secure data within a system are covered by relevant SRGs and STIGs. At the device level, local interprocess communication is a core operating system function; OS security controls will preside over application-level controls in the event an application is taken over by a malicious user. |
