https://artifacts.trustmarkinitiative.org/lib/tds/access-is-controlled-through-applications/1.0/

Access Is Controlled Through Applications, 1.0

Defines conformance and assessment criteria for verifying that an organization has implemented access control using application level mechanisms.

2017-05-10T00:00:00.000Z

https://trustmarkinitiative.org/
Trustmark Initiative
PRIMARY: Trustmark Support, help@trustmarkinitiative.org, 555-555-5555, https://trustmarkinitiative.org/

Organizations that are interested in implementing or making use of digital information systems in a manner that complies with information security standards such as NIST 800-53 and the FBI CJIS Security Policy.

Organizations that want to demonstrate that they provide and/or consume digital information services in a manner that complies with information security standards such as NIST 800-53 and the FBI CJIS Security Policy.

Organizations and individuals that desire their trusted partners' computer and information systems to comply with information security standards and practices such as NIST 800-53 and the FBI CJIS Security Policy.

Organizations that audit or evaluate other organizations for compliance with widely accepted information security standards and practices such as NIST Special Publication 800-53.

Any organization or business entity may act as a Trustmark Provider for trustmarks under this Trustmark Definition.

Any individual employed or contracted by the Trustmark Provider may act as the assessor for trustmarks under this Trustmark Definition.

For any trustmark issued under this Trustmark Definition, the Trustmark Provider must revoke the trustmark upon any condition whereby one or more Conformance Criteria cease to be satisfied.

This Trustmark Definition requires no extension data.

This artifact is published by the Georgia Tech Research Institute (GTRI) as part of the Trustmark Initiative.
This artifact and the information contained herein is provided on an "AS IS" basis, and GTRI disclaims all warranties, express or implied, including but not limited to any warranty that the use of the information herein will not infringe any rights or any implied warranties of merchantability or fitness for a particular purpose. In addition, GTRI disclaims legal liability for any loss incurred as a result of the use or reliance on the document or the information contained herein.

This trustmark definition is not officially endorsed by the FBI CJIS Division. Receipt of a trustmark based on this trustmark definition is in no way a substitute for an actual FBI CJIS audit or evaluation.

Security; Information Assurance; CJIS Security Policy

Access to Criminal Justice Information; Accreditation; Administration of Criminal Justice; Agency Controlled Mobile Device; Agency Coordinator (AC); Agency Issued Mobile Device; Agency Liaison (AL); Authorized Recipient; Authorized User/Personnel; Authorizing Official; Availability; Biographic Data; Biometric Data; Case / Incident History; Certificate Authority (CA) Certificate; Certification; Channeler; CJIS Advisory Policy Board (APB); CJIS Audit Unit (CAU); CJIS Security Policy; CJIS Systems Agency (CSA); CJIS Systems Agency Information Security Officer (CSA ISO); CJIS Systems Officer (CSO); Cloud Client; Cloud Computing; Cloud Provider; Cloud Subscriber; Compact Council; Compact Officers; Compensating Controls; Computer Security Incident Response Capability (CSIRC); Confidentiality; Contracting Government Agency (CGA); Contractor; Crime Reports Data; Criminal History Record Information (CHRI); Criminal Justice Agency (CJA); Criminal Justice Agency User Agreement; Criminal Justice Conveyance; Criminal Justice Information (CJI); Criminal Justice Information Services Division (FBI CJIS, CJIS); Data; Degauss; Department of Justice (DoJ); Digital Media; Digital Signature; Direct Access; Dissemination; Environment; Escort; FBI CJIS Information Security Officer (FBI CJIS ISO); Federal Bureau of Investigation (FBI); Federal Information Security Management Act (FISMA); For Official Use Only (FOUO); Guest Operating System; Hit Confirmation; Host Operating System; Hypervisor; Identity History Data; Incident; Indirect Access; Information; Information Exchange Agreement; Information Security; Information Security Officer (ISO); Information System; Information Technology; InformationTypes; Integrated Automated Fingerprint Identification System (IAFIS); Integrity; Interconnection Security Agreement (ISA); Interface Agency; Internet Protocol (IP); Interstate Identification Index (III); Jailbreak (Jailbroken); Laptop Devices; Law Enforcement Enterprise Portal (LEEP); Local Agency Security Officer (LASO); Logical Access; Logical Partitioning; Management Control Agreement (MCA); Management Controls; Media; Mobile Device; Mobile Device Management (MDM); National Crime Information Center (NCIC); National Instant Criminal Background Check System (NICS); National Institute of Standards and Technology (NIST); NCJA (Government); NCJA (Private); NCJA (Public); Noncriminal Justice Agency (NCJA); Noncriminal Justice Purpose; Office of Management and Budget (OMB); Organization; Outsourcing; Outsourcing Standard; Partitioning; Personal Firewall; Personally Identifiable Information (PII); Physical Access; Physical Media; Physical Partitioning; Physically Secure Location; Pocket/Handheld Mobile Device; Portable Device; Potential Impact; Property Data; Rap Back; Receive-Only Terminal (ROT); Records; Repository Manager, or Chief Administrator; Risk; Risk Management; Root (Rooting, Rooted); Safeguards; Sanitization; Secondary Dissemination; Security Addendum (SA); Security Category; Security Controls; Security Plan; Security Requirements; Sensitive But Unclassified (SBU); Server/Client Computer Certificate (device-based); Service; Shredder; Smartphone; Social Engineering; Software Patch; Spam; State and Federal Agency User Agreement; State Compact Officer; State Identification Bureau (SIB); State Identification Bureau Chief (SIB Chief); State of Residency; System; System Security Plan; Tablet Devices; Terminal Agency Coordinator (TAC); Threat; User; User Certificate (user-based); Virtual Escort; Virtual Machine (VM); Virtualization; Voice over Internet Protocol (VoIP); Vulnerability

CJIS-SP-V5-4: Criminal Justice Information Services (CJIS) Security Policy Version 5.4, 10/06/2015, CJISD-ITS-DOC-08140-5.4
Similarly, if the criteria specify a "Selection" among multiple options (e.g. [Selection (one or more): as needed; ]), the option(s) implemented by the organization must also be defined and documented.

1
C1

When setting up access controls, agencies shall use one or more of the following mechanisms:

4. Application Level. In addition to controlling access at the information system level, access enforcement mechanisms are employed at the application level to provide increased information security for the agency.

Section 5.5.2.4.
Similarly, if a "Selection" among multiple options (e.g. [Selection (one or more): as needed; ]) is specified, evidence must be provided to establish that the option(s) implemented by the organization have been defined and documented.
The assessment step shall not be marked as satisfied without this evidence.

1
Access Controls Implemented Via Application Level Mechanisms

Does the organization implement access control using application level mechanisms?
In addition to controlling access at the information system level, access enforcement mechanisms are employed at the application level to provide increased information security for the organization?

A1