SI-07 Software And Information Integrity

System and Information Integrity

Baselines: Low, Moderate, High

Description

The information system detects and protects against unauthorized changes to software and information.

Supplemental Guidance

The organization employs integrity verification applications on the information system to look for evidence of information tampering, errors, and omissions. The organization employs good software engineering practices with regard to commercial off-the-shelf integrity mechanisms (e.g., parity checks, cyclical redundancy checks, cryptographic hashes) and uses tools to automatically monitor the integrity of the information system and the applications it hosts.

Changes from Rev 4

Control text adds a requirement to take actions when unauthorized changes are detected.
Parameter added for specifying organization-defined actions.
Discussion includes additional examples.
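As an added example (not part of this page or of NIST's own material), a minimal Python integrity check that records a SHA-256 baseline, re-verifies the tree, and invokes an organization-defined action when unauthorized changes are detected, covering both the detection described in the guidance above and the Rev 5 response requirement. The directory layout and file contents are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (path relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current tree with the baseline; report added, removed and modified files."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
    }


def check_and_respond(root: Path, baseline: dict[str, str], on_violation) -> bool:
    """Return True if the tree is intact; otherwise run the organization-defined action and return False."""
    findings = verify(root, baseline)
    if any(findings.values()):
        on_violation(findings)  # e.g. raise an alert, quarantine the host, restore from a known-good copy
        return False
    return True


def demo() -> tuple[bool, dict[str, list[str]]]:
    """Constructed sample: baseline a small tree, tamper with it, then re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"original binary\n")
        (root / "config.ini").write_text("debug=false\n")
        (root / "README").write_text("unchanged\n")
        baseline = build_baseline(root)
        (root / "bin" / "app").write_bytes(b"tampered binary\n")  # modified
        (root / "config.ini").unlink()                             # removed
        (root / "unexpected.so").write_bytes(b"\x7fELF")           # added
        actions: list[dict[str, list[str]]] = []
        intact = check_and_respond(root, baseline, actions.append)
        return intact, (actions[0] if actions else {})


if __name__ == "__main__":
    print(demo())
```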

MITRE ATT&CK Techniques (209)

ATT&CK v16.1

Techniques mitigated by this control, mapped via CTID.

Initial Access: 6
Execution: 22
Persistence: 59
Privilege Escalation: 41
Defense Evasion: 94
Credential Access: 21
Discovery: 1
Lateral Movement: 5
Collection: 19
Command & Control: 1
Exfiltration: 1
Impact: 15

Persistence

T1037 T1133 T1136 T1176 T1505 T1525 T1542 T1543 T1546 T1554 T1556 T1574 T1037.002 T1037.003 T1037.004 T1037.005 T1053.006 T1098.001 T1098.002 T1098.003 T1136.001 T1136.002 T1136.003 T1505.001 T1505.002 T1505.004 T1542.001 T1542.003 T1542.004 T1542.005 T1543.002 T1546.002 T1546.004 T1546.006 T1546.008 T1546.009 T1546.010 T1546.013 T1547.002 T1547.003 T1547.004 T1547.005 T1547.006 T1547.008 T1547.013 T1556.001 T1556.003 T1556.004 T1556.008 T1556.009 T1574.001 T1574.004 T1574.006 T1574.007 T1574.008 T1574.009 T1574.012 T1574.013 T1574.014

Privilege Escalation

Defense Evasion

T1027 T1036 T1070 T1112 T1127 T1211 T1216 T1218 T1220 T1221 T1222 T1542 T1548 T1553 T1556 T1562 T1574 T1599 T1601 T1647 T1027.002 T1027.007 T1027.008 T1027.009 T1036.001 T1036.005 T1070.001 T1070.002 T1070.003 T1070.007 T1070.008 T1070.009 T1070.010 T1127.002 T1216.001 T1216.002 T1218.001 T1218.002 T1218.003 T1218.004 T1218.005 T1218.008 T1218.009 T1218.010 T1218.011 T1218.012 T1218.013 T1218.014 T1218.015 T1222.001 T1222.002 T1542.001 T1542.003 T1542.004 T1542.005 T1548.004 T1548.006 T1550.001 T1550.004 T1553.001 T1553.003 T1553.005 T1553.006 T1556.001 T1556.003 T1556.004 T1556.008 T1556.009 T1562.001 T1562.002 T1562.004 T1562.006 T1562.009 T1562.010 T1562.011 T1562.012 T1564.003 T1564.004 T1564.006 T1564.008 T1564.009 T1564.010 T1574.001 T1574.004 T1574.006 T1574.007 T1574.008 T1574.009 T1574.012 T1574.013 T1574.014 T1599.001 T1601.001 T1601.002

Compliance Mappings

CIS Controls v8

CIS 13.2, CIS 13.7

NIST CSF 2.0

DE.CM-09, RC.RP-03, RC.RP-05

SOC 2 TSC

CC6.6, CC6.6-POF2, CC6.8

PCI DSS v4.0.1

11.5, 11.6

CSA CCM v4

CCC-04, CCC-07

CSA AICM v1

AIS-09, AIS-13, AIS-14, CCC-04, CCC-07, MDS-06, MDS-08

ISO 42001:2023

A.6.2.4, A.6.2.6

IEC 62443

3-3 SR 3.1, 3-3 SR 3.4

APRA CPS 234

Para 22-23

ASD Essential Eight

E8-3 ML3

ANSSI

Hygiene.20, Hygiene.34, SecNumCloud.13.6

FINMA Circular 2023/1

IV.B.d(59), IV.C(64), IV.D(78)

OSFI B-13

B-13.3.2, B-13.3.3

EU GDPR

Art.32(1)(b), Art.5(1)(d), Art.5(1)(f)

EU DORA

Art.9(4)(b), Art.9(4)(e)

RBI CSF

Annex1.5, Annex1.13

FISC Security Guidelines

FISC.T12, FISC.T14, FISC.T7

LGPD + BCB 4893

BCB.Art.3, LGPD.Art.46

HKMA TM-E-1

TME1.10.2, TME1.4.3, TME1.7.3

MLPS 2.0

8.1.2.3, 8.1.3.6, 8.1.4.4, 8.1.4.6, 8.1.4.7

EU CRA

CRA.I.2b, CRA.I.2c, CRA.I.2f, CRA.II.7

SWIFT CSCF

SWIFT.6.2, SWIFT.6.3

SAMA CSF

3.3

NCA ECC

2-35-1

UAE IA

T7

Qatar NIA

OS

CBUAE

CR-7

CBE CSF

CTO-7

SA JS2

JS2-7.2, JS2-8.4, JS2-8.5

CBN CSF

Part3.3

BoG CISD

CISD-VI

POPIA

s16, s19

BoM CTRM

3.6

IOSCO Cyber Resilience

PROT-3, PROT-6, RR-3, TEST-5

BCBS 239

Principle 3, Principle 7

CPMI-IOSCO PFMI

CG.DE, CG.PR, PFMI.P17

FFIEC IS

II.C.12, III.B

NYDFS 500

500.8

HIPAA Security Rule

§164.312(c)(1), §164.312(c)(2), §164.312(e)(2)(i)

ECB CROE

CROE.2.3.3, CROE.2.4

EBA ICT Guidelines

3.4.4

SEBI CSCRF

PR.ES, PR.IP

BOT Cyber Resilience

Ch2.6, Ch9.1

CMMC 2.0

SI

10 CFR 73.54

RG5.71-A-SI

IEEE 1686-2022

5.3

API 1164

Sec 7

IAEA NSS 17-T

Sec 5.4

PCI PTS v6

BFL

FIPS 140-3

FIPS 140-3 §7.10, FIPS 140-3 §7.5

PCI HSM

8

Common Criteria

CC Part 2 — FPT

ISAE 3402

Clause 4

Solvency II

EIOPA-ICT-4.8, Pillar3-Reporting

Lloyd's Minimum Standards

MS8.10, MS8.4

NAIC Insurance Data Security

4B5

PRA SS1/23

P3.2, P4.3

FCA SYSC 13

SYSC 13.7.1, SYSC 13.7.4

HITRUST CSF v11

09.c, 11.c

FDA 21 CFR Part 11

§11.10(b), §11.10(f), §11.70

FDA Cybersecurity Guidance

SA-3, ST-1

OWASP MASVS v2.1

MASVS-RESILIENCE-1, MASVS-RESILIENCE-2, MASVS-RESILIENCE-3, MASVS-RESILIENCE-4

CCSS v9.0

1.01.3, 1.02.4

MiCA

Art.88(1)

Basel SCO60

SCO60.11, SCO60.14, SCO60.21, SCO60.23, SCO60.51, SCO60.52, SCO60.65, SCO60.71

BSSC Standards

NOS-02, TIS-05

SEC Custody (Digital Assets)

SEC-CD-09, SEC-CD-13

ISO 17799 (legacy)

12.2.1, 12.2.2, 12.2.4

COBIT 4.1 (legacy)

PO2.4, AI2.4, DS5.9