1.9 KiB
| implementation-status | control-origination | |||||
|---|---|---|---|---|---|---|
|
|
si-11 - [catalog] Error Handling
Control Statement
-
[a] Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and
-
[b] Reveal error messages only to personnel or roles.
Control guidance
Organizations consider the structure and content of error messages. The extent to which systems can handle error conditions is guided and informed by organizational policy and operational requirements. Exploitable information includes stack traces and implementation details; erroneous logon attempts with passwords mistakenly entered as the username; mission or business information that can be derived from, if not stated explicitly by, the information recorded; and personally identifiable information, such as account numbers, social security numbers, and credit card numbers. Error messages may also provide a covert channel for transmitting information.
Control assessment-objective
error messages that provide the information necessary for corrective actions are generated without revealing information that could be exploited; error messages are revealed only to personnel or roles.
What is the solution and how is it implemented?
Implementation a.
Add control implementation description here for item si-11_smt.a
Implementation b.
Add control implementation description here for item si-11_smt.b