SI-06 Security Functionality Verification

System and Information Integrity

Low Moderate High

Description

The information system verifies the correct operation of security functions [Selection (one or more): upon system startup and restart, upon command by user with appropriate privilege, periodically every [Assignment: organization-defined time-period]] and [Selection (one or more): notifies system administrator, shuts the system down, restarts the system] when anomalies are discovered.

Supplemental Guidance

The need to verify security functionality applies to all security functions. For those security functions that are not able to execute automated self-tests, the organization either implements compensating security controls or explicitly accepts the risk of not performing the verification as required.

Changes from Rev 4

Title changed from 'Security Function Verification'
Control text changes 'Notifies' to 'Alert'
Parameter adds 'and privacy'
Discussion expanded to include privacy function verification

Compliance Mappings

ISO 42001:2023

A.6.2.4

ANSSI

Hygiene.31, SecNumCloud.13.6

FINMA Circular 2023/1

IV.D(75), IV.D(76)

OSFI B-13

B-13.3.3, B-13.3.5

EU GDPR

Art.32(1)(d), Art.5(1)(d)

EU DORA

Art.10(1), Art.10(2)

RBI CSF

Annex1.16

EU CRA

CRA.II.3

POPIA

s16

IOSCO Cyber Resilience

DET-2, DET-4, TEST-3

BCBS 239

Principle 3, Principle 7

CPMI-IOSCO PFMI

CG.TE

ECB CROE

CROE.2.6.1

EBA ICT Guidelines

3.4.6

BOT Cyber Resilience

Ch10.1

CMMC 2.0

SI

FIPS 140-3

FIPS 140-3 §7.10

Common Criteria

CC Part 2 — FPT

PRA SS1/23

P3.2, P4.3, P5.2

FCA SYSC 13

SYSC 13.7.1, SYSC 13.7.5

HITRUST CSF v11

10.d

FDA 21 CFR Part 11

§11.10(a), §11.300(e)

FDA Cybersecurity Guidance

SA-5

OWASP MASVS v2.1

MASVS-RESILIENCE-1

Basel SCO60

SCO60.14, SCO60.21, SCO60.52

SEC Custody (Digital Assets)

SEC-CD-13

ISO 17799 (legacy)

None.

COBIT 4.1 (legacy)

None.