Does your organization validate digital signatures to verify the integrity and authenticity of software before installation or use?
Explanation
Digital signature validation ensures that software has not been tampered with and comes from a legitimate source. The process checks a cryptographic signature over the artifact against a certificate or public key the organization already trusts, confirming that the code has not been modified since the developer or publisher signed it. The check is only as strong as the trust in the key: a signature that verifies under an attacker-supplied key proves nothing, so the verifying key must be pinned or chain to a trusted root, and the bytes that are verified must be the same bytes that are then installed.
Evidence could include documented procedures for signature verification, screenshots of signature validation processes, logs showing signature verification steps during software deployment, or configuration settings in deployment tools that enforce signature validation before installation.
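The following is an added example, not part of the original questionnaire, showing the two checks the explanation describes: the installer first confirms the claimed signing key is one it has pinned (authenticity), then verifies the detached signature over the exact bytes it is about to install (integrity). Ed25519, the SHA-256 key fingerprint used as the pin, and the sample installer script are all assumptions chosen for illustration; a real deployment tool would load pinned keys from configuration rather than generate them in memory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Errors an installer should surface (and log) when it refuses an artifact.
var (
	ErrUntrustedKey = errors.New("signing key is not in the trust store")
	ErrBadSignature = errors.New("signature does not verify over the artifact")
)

// TrustStore holds the publisher keys an installer is configured to accept,
// indexed by key fingerprint. In a deployment tool these would be pinned in
// configuration; here they are assembled in memory for the example.
type TrustStore struct {
	keys map[string]ed25519.PublicKey
}

// Fingerprint is the hex SHA-256 of the raw public key bytes (an assumed
// pinning format); a configuration would pin this rather than the full key.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

func NewTrustStore(pubs ...ed25519.PublicKey) *TrustStore {
	ts := &TrustStore{keys: make(map[string]ed25519.PublicKey)}
	for _, p := range pubs {
		ts.keys[Fingerprint(p)] = p
	}
	return ts
}

// SignArtifact is the publisher side: a detached Ed25519 signature over the
// whole artifact. Ed25519 hashes the message internally, so no separate
// digest step is needed.
func SignArtifact(priv ed25519.PrivateKey, artifact []byte) []byte {
	return ed25519.Sign(priv, artifact)
}

// VerifyArtifact is the installer side. Two checks, in order: the key that
// claims to have signed must be one we trust (authenticity), and the
// signature must verify over the exact bytes we will install (integrity).
func VerifyArtifact(ts *TrustStore, signerFP string, artifact, sig []byte) error {
	pub, ok := ts.keys[signerFP]
	if !ok {
		return ErrUntrustedKey
	}
	if !ed25519.Verify(pub, artifact, sig) {
		return ErrBadSignature
	}
	return nil
}

// Outcome collects the three cases an installer must distinguish.
type Outcome struct {
	Genuine    error // correctly signed by a trusted publisher
	Tampered   error // one bit changed after signing
	UnknownKey error // validly signed, but by a key nobody pinned
}

// RunScenario builds a constructed (not real) artifact, signs it with a
// publisher key, and verifies the genuine, tampered and untrusted-key variants.
func RunScenario() (Outcome, error) {
	pubPublisher, privPublisher, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	pubAttacker, privAttacker, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	ts := NewTrustStore(pubPublisher) // only the publisher's key is pinned

	artifact := []byte("#!/bin/sh\necho 'installer v1.2.3'\n") // constructed sample
	sig := SignArtifact(privPublisher, artifact)

	tampered := append([]byte(nil), artifact...)
	tampered[len(tampered)-2] ^= 0x01 // flip one bit after signing

	attackerSig := SignArtifact(privAttacker, artifact) // valid, but untrusted key

	return Outcome{
		Genuine:    VerifyArtifact(ts, Fingerprint(pubPublisher), artifact, sig),
		Tampered:   VerifyArtifact(ts, Fingerprint(pubPublisher), tampered, sig),
		UnknownKey: VerifyArtifact(ts, Fingerprint(pubAttacker), artifact, attackerSig),
	}, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine:    ", out.Genuine)
	fmt.Println("tampered:   ", out.Tampered)
	fmt.Println("unknown key:", out.UnknownKey)
}
```

The ordering matters for the evidence this question asks for: logging which of the two checks failed (untrusted key versus bad signature) gives a deployment pipeline a record that signature validation ran and why an artifact was rejected, rather than a bare install failure.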
Implementation Example
Confirm the integrity of software by validating signatures
ID: PR.DS-01.225
Context
- Function
- PR: PROTECT
- Category
- PR.DS: Data Security
- Sub-Category
- The confidentiality, integrity, and availability of data-at-rest are protected
Related questions
- Does your organization implement cryptographic controls (encryption, digital signatures, hashing) to protect the confidentiality and integrity of stored data across all relevant storage systems?
- Is full disk encryption implemented on all user endpoints (laptops, desktops, mobile devices) that store company data?
- Does your organization have a policy and technical controls to restrict the use of removable media devices?
- Does your organization physically secure all removable media containing unencrypted sensitive information?
- Does your organization implement cryptographic controls to protect the confidentiality and integrity of network communications?
- Does your organization automatically encrypt or block outbound communications containing sensitive data based on data classification?