4/30/23, 12:18 PM Chapter 9 Technical Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/020-9781466551282-009.xhtml 1/66
9
Technical Controls
Practical Security Considerations
For a successful technology, reality must take precedence over public relations,
for nature cannot be fooled.
Richard Phillips Feynman, Report on space shuttle Challenger disaster (1986)
The controls specified in this chapter are the technical controls, or those controls that govern the ongoing technical mechanisms impacting security. This chapter, along with the preceding Chapter 8 on managerial controls and the subsequent Chapter 10 on operational controls, completes the set of controls necessary for building the foundation of an information security program. Each control family listing is preceded by some practical security considerations for reviewing that family of controls. These controls are also mapped to COBIT 4.1, ISO 27001, and the Health Insurance Portability and Accountability Act (HIPAA) where a relationship between them exists.
Access Control Controls
The access control (AC) family could in some ways be viewed as the primary focus of information security for its first several decades. It is the most tested area of information security and uncovers how well the security policies have been implemented. The AC control family requires that accounts are set up according to preestablished business reasons and for individuals who have a need to know the information they are requesting. Identity management systems of recent years have been implemented to ensure that access is properly controlled and that terminated and transferred users no longer have access after their company or department tenure. Role-based systems provide the ability to model user access on a consistent profile. The profile can be as simple as creating a small number of roles, defining the access required by those roles, and then running a macro to create the access for the account requiring it.

The AC family also promotes technical controls such that accounts are locked in the event that someone is attempting to access the account and repeatedly failing. System notification messages should be displayed when the user logs into the system as well as at other entry points, such as logging onto a server (via the use of banner pages). The wireless, mobile device, and remote access controls are in place to ensure that each entry point into the computing environment has been addressed by policy and procedures for gaining access. These procedures ensure that there is a consistent path for requesting and approving the access. The controls for the AC family are shown in Table 9.1.
Audit and Accountability Controls
The audit and accountability control family (AU), as shown in Table 9.2, specifies controls to ensure that events are being monitored and failures are being followed up. Due to the volume of audit records that may be generated, choices need to be made as to which items are most important to audit. Logon failures, for example, may be monitored, with a threshold of 25 in a week used as the level requiring investigation. Alternatively, a trending report may be developed: the daily occurrence may be low, say 2, just under the threshold of 3 invalid login attempts before a lockout, yet it adds up to over 60 during a month’s time. This could be the work of someone internally attempting to guess someone’s password and getting over 750 tries in a year.
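The lockout rule and the two review thresholds just described can be checked mechanically over logon records. The Python script below is an added example and not code from the book: it applies an AC-7 style lockout (3 consecutive invalid attempts, here assumed to mean within a 15-minute window), then performs the AU-6 style review, flagging users at or above 25 failures in one week and the low-and-slow pattern in which a user never reaches 3 failures on any single day yet accumulates 60 within 30 days. The log format, the user names and the events are constructed for the example.

```python
# Added example (not from the book): AC-7 style lockout and AU-6 style review of
# logon failures. Thresholds follow the chapter's narrative; the 15-minute window
# for "consecutive" attempts and the log format are assumptions for this example.
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 3                   # consecutive invalid attempts before lockout
LOCKOUT_WINDOW = timedelta(minutes=15)  # assumed: how close failures must be to count as consecutive
WEEKLY_THRESHOLD = 25                   # failures per user per week that require investigation
TREND_WINDOW = timedelta(days=30)       # trending report period
TREND_THRESHOLD = 60                    # failures inside TREND_WINDOW that suggest guessing


def build_sample_log():
    """Constructed sample log (not real data), one event per line: '<ISO time> <user> <FAIL|OK>'."""
    lines = []
    start = datetime(2023, 3, 1, 9, 0)
    # jdoe: two failures every morning for 31 days; never 3 in a row, but 62 in total
    for day in range(31):
        t = start + timedelta(days=day)
        lines.append(f"{t.isoformat()} jdoe FAIL")
        lines.append(f"{(t + timedelta(minutes=5)).isoformat()} jdoe FAIL")
    # asmith: a burst of 30 failures 20 seconds apart on one night
    burst = datetime(2023, 3, 10, 2, 0)
    for i in range(30):
        lines.append(f"{(burst + timedelta(seconds=20 * i)).isoformat()} asmith FAIL")
    # bob: one mistyped password followed by a successful logon
    lines.append("2023-03-05T08:00:00 bob FAIL")
    lines.append("2023-03-05T08:00:30 bob OK")
    return "\n".join(lines)


def parse_log(text):
    """Return events as (timestamp, user, succeeded) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.fromisoformat(ts), user, result == "OK"))
    events.sort(key=lambda e: e[0])
    return events


def lockouts(events):
    """AC-7: record a lockout each time a user reaches LOCKOUT_THRESHOLD consecutive
    failures inside LOCKOUT_WINDOW; a success or a long gap resets the streak."""
    streak = {}                         # user -> (consecutive failures, time of last failure)
    locked = defaultdict(list)
    for ts, user, ok in events:
        count, last = streak.get(user, (0, None))
        if ok:
            streak[user] = (0, None)
            continue
        if last is not None and ts - last > LOCKOUT_WINDOW:
            count = 0
        count += 1
        if count >= LOCKOUT_THRESHOLD:
            locked[user].append(ts)
            count = 0
        streak[user] = (count, ts)
    return dict(locked)


def weekly_exceedances(events):
    """AU-6 review: (user, ISO year, ISO week) buckets with at least WEEKLY_THRESHOLD failures."""
    counts = Counter()
    for ts, user, ok in events:
        if not ok:
            year, week, _ = ts.isocalendar()
            counts[(user, year, week)] += 1
    return {key: n for key, n in counts.items() if n >= WEEKLY_THRESHOLD}


def low_and_slow(events):
    """Trending report: users who stay under LOCKOUT_THRESHOLD failures on every single
    day (so the lockout never fires) yet accumulate TREND_THRESHOLD failures within
    TREND_WINDOW. Returns user -> failure count of the first window that crossed the line."""
    per_user = defaultdict(list)
    for ts, user, ok in events:
        if not ok:
            per_user[user].append(ts)   # events are sorted, so each list is too
    flagged = {}
    for user, times in per_user.items():
        if max(Counter(t.date() for t in times).values()) >= LOCKOUT_THRESHOLD:
            continue                    # would have tripped the lockout; reviewed elsewhere
        oldest = 0                      # sliding window over sorted failure times
        for newest, t in enumerate(times):
            while t - times[oldest] > TREND_WINDOW:
                oldest += 1
            if newest - oldest + 1 >= TREND_THRESHOLD:
                flagged[user] = newest - oldest + 1
                break
    return flagged


if __name__ == "__main__":
    evts = parse_log(build_sample_log())
    for user, times in lockouts(evts).items():
        print(f"AC-7 lockouts for {user}: {len(times)} (first at {times[0]})")
    for (user, year, week), n in weekly_exceedances(evts).items():
        print(f"AU-6 weekly exceedance: {user} had {n} failures in ISO week {year}-W{week:02d}")
    for user, n in low_and_slow(evts).items():
        print(f"AU-6 trending: {user} never hit the lockout but logged {n} failures in 30 days")
```

The two review functions are deliberately independent of the lockout: the burst user trips both the lockout and the weekly threshold, while the two-a-day user trips neither and is caught only by the trend window, which is exactly the case the trending report exists for.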
Reviewing audit records can be a very time-consuming task, and some form of automation, whether a Security Information and Event Management (SIEM) product or an off-the-shelf reporting tool, should be used to reduce the input records to just the exceptions over the thresholds; the activity must go beyond merely logging the records. Logging records only for forensic review, in the event that other sources point to an incident, may cause the organization to miss valuable information, such as the pattern described above, that the audit records could be pointing to.
Audit record storage and retention periods need to be defined. These may follow a multilevel strategy, whereby the online audit records are held for 90 days, followed by 1-year retention on a storage area network (SAN) device, and then rolled off to tape for longer-term archival in the event of an incident. By the time 1 year has passed, there is a small likelihood that these records would be needed, unless they are requested through litigation to support e-discovery efforts. The record retention policies of the legal department need to be known before devising a strategy.
Identification and Authentication
The identification and authentication control family (IA) is shown in Table 9.3. These controls provide assurance that individuals are each uniquely identified and are authenticated in a manner such that it is likely that the person accessing the computer system is who they say they are. This works with the access control family of controls to provide the appropriate access.

The strength of the authenticator may vary and may include media access control (MAC) addressing, public key infrastructure (PKI) methods, or multifactor authentication through the use of a software or hardware token. The transmission of authentication information also needs encryption controls to ensure that the authenticator is not intercepted and replayed.
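One way to keep an intercepted authenticator from being replayed, as an added example that is not from the book: a nonce-based challenge-response exchange in Python, where the server issues a fresh single-use challenge and the client answers with an HMAC over it using a shared secret (such as a token seed), so the secret itself is never transmitted and a captured response is useless afterwards. The Verifier class, the user name, the key and the time values are constructed for the example; in practice this complements, rather than replaces, encrypting the session with TLS.

```python
# Added example (not from the book): a nonce-based challenge-response check that
# prevents a captured authenticator from being replayed. Names, keys and the
# message layout are constructed for this example.
import hashlib
import hmac
import secrets
import time


def respond(secret, user, nonce):
    """Client side: prove possession of the shared secret for this nonce only."""
    return hmac.new(secret, f"{user}:{nonce}".encode(), hashlib.sha256).hexdigest()


class Verifier:
    """Server side: issues single-use, time-limited challenges and checks responses."""

    def __init__(self, shared_secrets, nonce_ttl=60):
        self._secrets = dict(shared_secrets)   # user -> shared secret (e.g. token seed)
        self._outstanding = {}                  # nonce -> (user, issued_at)
        self._ttl = nonce_ttl

    def challenge(self, user, now=None):
        nonce = secrets.token_hex(16)           # 128 random bits: no accidental reuse
        self._outstanding[nonce] = (user, time.time() if now is None else now)
        return nonce

    def verify(self, user, nonce, response, now=None):
        now = time.time() if now is None else now
        # Consume the nonce on first use, even if the response is wrong, so a
        # captured (nonce, response) pair is worthless afterwards.
        entry = self._outstanding.pop(nonce, None)
        if entry is None or entry[0] != user or user not in self._secrets:
            return False
        if now - entry[1] > self._ttl:
            return False                        # challenge expired: client must ask again
        expected = respond(self._secrets[user], user, nonce)
        return hmac.compare_digest(expected, response)   # constant-time comparison


def replay_demo():
    """One valid login followed by three rejected attempts; returns the four outcomes."""
    secret = secrets.token_bytes(32)            # constructed shared secret
    v = Verifier({"alice": secret}, nonce_ttl=60)

    n1 = v.challenge("alice", now=1000.0)       # legitimate exchange
    r1 = respond(secret, "alice", n1)
    first = v.verify("alice", n1, r1, now=1001.0)

    replay = v.verify("alice", n1, r1, now=1002.0)   # eavesdropper resends the captured pair

    n2 = v.challenge("alice", now=1003.0)       # response built with the wrong secret
    wrong = v.verify("alice", n2, respond(b"not-the-secret", "alice", n2), now=1004.0)

    n3 = v.challenge("alice", now=1005.0)       # correct response, but the nonce has expired
    stale = v.verify("alice", n3, respond(secret, "alice", n3), now=1005.0 + 61)
    return first, replay, wrong, stale


if __name__ == "__main__":
    print(replay_demo())   # (True, False, False, False)
```

The replay case fails because the nonce is removed from the outstanding set the moment it is first presented, not because the HMAC is wrong; the expiry check bounds how long a challenge can sit unanswered, which limits what an attacker who delays traffic can do with it.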
System and Communications Protections
The system and communications protection control family (SC) contains the controls shown in Table 9.4. These controls ensure that the endpoints of the communication systems are secured, as well as sufficient management of the applications internally (e.g., application partitioning). The content needs to be secured in transit and at rest (for data classified at a higher risk level) using encryption.

The security architecture needs to be reviewed to determine the appropriate access between servers, applications, placement of devices, and network zones. Local, host-based firewalls are typically placed on mobile devices in addition to the network firewall protections. These protections need to be depicted in the system security plan to demonstrate how the boundaries are being protected, as well as the transmission of data.
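The architecture review described above (which zones may talk to which, and over what) can be written down as data and checked against the firewall rule base. The Python script below is an added example, not from the book; the zones, host placement, ports and rules are all constructed. The review reports every allow rule that permits a flow the zone policy does not cover, plus any rule referencing a host that has not been placed in a zone, which is the gap that usually hides behind an undocumented device.

```python
# Added example (not from the book): reviewing firewall rules against a zone
# policy during the architecture review the text calls for (SC / AC-4). Zones,
# hosts, ports and rules are constructed for this example.

# Allowed inter-zone flows: (source zone, destination zone) -> permitted destination ports.
ZONE_POLICY = {
    ("internet", "dmz"): {443},
    ("dmz", "app"): {8443},
    ("app", "db"): {5432},
    ("mgmt", "dmz"): {22},
    ("mgmt", "app"): {22},
    ("mgmt", "db"): {22},
}

# Where each host sits; "any" stands for arbitrary Internet sources.
PLACEMENT = {
    "any": "internet",
    "web1": "dmz",
    "api1": "app",
    "pg1": "db",
    "bastion": "mgmt",
}


def review_rules(rules, placement=PLACEMENT, policy=ZONE_POLICY):
    """Return (rule id, reason) for every allow rule the zone policy does not cover."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue                     # deny rules cannot open a flow
        src_zone = placement.get(rule["src"])
        dst_zone = placement.get(rule["dst"])
        if src_zone is None or dst_zone is None:
            findings.append((rule["id"], "host not placed in any zone"))
            continue
        if src_zone == dst_zone:
            continue                     # intra-zone traffic is left to host-based firewalls
        if rule["port"] not in policy.get((src_zone, dst_zone), set()):
            findings.append((rule["id"], f"{src_zone}->{dst_zone} port {rule['port']} not in zone policy"))
    return findings


# Constructed rule set under review.
SAMPLE_RULES = [
    {"id": "r1", "action": "allow", "src": "any", "dst": "web1", "port": 443},
    {"id": "r2", "action": "allow", "src": "web1", "dst": "api1", "port": 8443},
    {"id": "r3", "action": "allow", "src": "api1", "dst": "pg1", "port": 5432},
    {"id": "r4", "action": "allow", "src": "web1", "dst": "pg1", "port": 5432},     # DMZ straight to DB
    {"id": "r5", "action": "allow", "src": "any", "dst": "pg1", "port": 5432},      # Internet to DB
    {"id": "r6", "action": "allow", "src": "bastion", "dst": "api1", "port": 22},
    {"id": "r7", "action": "allow", "src": "laptop7", "dst": "api1", "port": 8443},  # unplaced host
    {"id": "r8", "action": "deny", "src": "any", "dst": "pg1", "port": 5432},
]


def violating_rule_ids(rules=SAMPLE_RULES):
    """Just the ids of the rules the review objects to, for quick comparison."""
    return [rule_id for rule_id, _ in review_rules(rules)]


if __name__ == "__main__":
    for rule_id, reason in review_rules(SAMPLE_RULES):
        print(f"{rule_id}: {reason}")
```

Encoding the policy as an explicit allow-list means anything not written down is a finding, which matches the default-deny posture the zone model is meant to enforce; rules are evaluated individually, so a later deny (r8) does not excuse an earlier allow (r5) in this review.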
Table 9.1 Access Control Controls
Columns: Control family | Control | Compliant (Yes/No) | Control mappings. The Compliant (Yes/No) column carries no entries on this page.

Control family: Access control
Control: AC-1 Access Control Policy and Procedures
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the access control policy and associated access controls.
Control mappings: ISO/IEC 27001 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.10.1.1, A.10.8.1, A.11.1.1, A.11.2.1, A.11.2.2, A.11.4.1, A.11.7.1, A.11.7.2, A.15.1.1, A.15.2.1; COBIT PC5, DS11.6; HIPAA 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.312(a)(1), 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.308(a)(4)(i)
Control family: Access control
Control: AC-2 Account Management
The organization manages information system accounts, including:
a. Identifying account types (i.e., individual, group, system, application, guest/anonymous, and temporary);
b. Establishing conditions for group membership;
c. Identifying authorized users of the information system and specifying access privileges;
d. Requiring appropriate approvals for requests to establish accounts;
e. Establishing, activating, modifying, disabling, and removing accounts;
f. Specifically authorizing and monitoring the use of guest/anonymous and temporary accounts;
g. Notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes;
h. Deactivating: (i) temporary accounts that are no longer required; and (ii) accounts of terminated or transferred users;
i. Granting access to the system based on: (i) a valid access authorization; (ii) intended system usage; and (iii) other attributes as required by the organization or associated missions/business functions; and
j. Reviewing accounts [Assignment: organization-defined frequency].
Control mappings: ISO/IEC 27001 A.8.3.3, A.11.2.1, A.11.2.2, A.11.2.4, A.15.2.1; COBIT DS5.4; HIPAA 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.308(a)(3)(ii)(B), 164.308(a)(4)(i)
Control family: Access control
Control: AC-3 Access Enforcement
The information system enforces approved authorizations for logical access to the system in accordance with applicable policy.
Control mappings: ISO/IEC 27001 A.10.8.1, A.11.4.4, A.11.4.6, A.11.5.4, A.11.6.1, A.12.4.2; COBIT PO2.3, AI2.4, DS11.6; HIPAA 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.310(a)(2)(iii), 164.310(b), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iv), 164.308(a)(3)(ii)(A)
Control family: Access control
Control: AC-4 Information Flow Enforcement
The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy.
Control mappings: ISO/IEC 27001 A.10.6.1, A.10.8.1, A.11.4.5, A.11.4.7, A.11.7.2, A.12.4.2, A.12.5.4; COBIT DS5.10; HIPAA 164.308(a)(4)(ii)(B), 164.310(b), 164.308(a)(3)(ii)(A)
Control family: Access control
Control: AC-5 Separation of Duties
The organization:
a. Separates duties of individuals as necessary, to prevent malevolent activity without collusion;
b. Documents separation of duties; and
c. Implements separation of duties through assigned information system access authorizations.
Control mappings: ISO/IEC 27001 A.6.1.3, A.8.1.1, A.10.1.3, A.11.1.1, A.11.4.1; COBIT PO4.11; HIPAA 164.308(a)(4)(ii)(A), 164.312(a)(1), 164.308(a)(3)(i), 164.308(a)(4)(i)
Control family: Access control
Control: AC-6 Least Privilege
The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
Control mappings: ISO/IEC 27001 A.6.1.3, A.8.1.1, A.11.1.1, A.11.2.2, A.11.4.1, A.11.4.4, A.11.4.6, A.11.5.4, A.11.6.1, A.12.4.3; COBIT PO4.11; HIPAA 164.308(a)(4)(ii)(A), 164.312(a)(1), 164.308(a)(3)(i), 164.308(a)(4)(i)
Control family: Access control
Control: AC-7 Unsuccessful Login Attempts
The information system:
a. Enforces a limit of [Assignment: organization-defined number] consecutive invalid login attempts by a user during a [Assignment: organization-defined time period]; and
b. Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next login prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded. The control applies regardless of whether the login occurs via a local or network connection.
Control mappings: ISO/IEC 27001 A.11.5.1
Control family: Access control
Control: AC-8 System Use Notification
The information system:
a. Displays an approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance and states that: (i) users are accessing a U.S. government information system; (ii) system usage may be monitored, recorded, and subject to audit; (iii) unauthorized use of the system is prohibited and subject to criminal and civil penalties; and (iv) use of the system indicates consent to monitoring and recording;
b. Retains the notification message or banner on the screen until users take explicit actions to log on to or further access the information system; and
c. For publicly accessible systems: (i) displays the system use information when appropriate, before granting further access; (ii) displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and (iii) includes in the notice given to public users of the information system, a description of the authorized uses of the system.
Control mappings: ISO/IEC 27001 A.6.2.2, A.8.1.1, A.11.5.1, A.15.1.5
Control family: Access control
Control: AC-9 Previous Logon (Access) Notification
The information system notifies the user, upon successful logon (access), of the date and time of the last logon (access).
Control mappings: ISO/IEC 27001 A.11.5.1

Control family: Access control
Control: AC-10 Concurrent Session Control
The information system limits the number of concurrent sessions for each system account to [Assignment: organization-defined number].
Control mappings: ISO/IEC 27001 A.11.5.1
Control family: Access control
Control: AC-11 Session Lock
The information system:
a. Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and
b. Retains the session lock until the user reestablishes access using established identification and authentication procedures.
Control mappings: ISO/IEC 27001 A.11.3.2, A.11.3.3, A.11.5.5; HIPAA 164.310(b), 164.312(a)(2)(iii)
Control family: Access control
Control: AC-14 Permitted Actions without Identification or Authentication
The organization:
a. Identifies specific user actions that can be performed on the information system without identification or authentication; and
b. Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification and authentication.
Control mappings: ISO/IEC 27001 A.11.6.1
Control family: Access control
Control: AC-16 Security Attributes
The information system supports and maintains the binding of [Assignment: organization-defined security attributes] to information in storage, in process, and in transmission.
Control mappings: ISO/IEC 27001 A.7.2.2; COBIT PO2.3, DS11.6; HIPAA 164.310(b)
Control family: Access control
Control: AC-17 Remote Access
The organization:
a. Documents allowed methods of remote access to the information system;
b. Establishes usage restrictions and implementation guidance for each allowed remote access method;
c. Monitors for unauthorized remote access to the information system;
d. Authorizes remote access to the information system prior to connection; and
e. Enforces requirements for remote connections to the information system.
Control mappings: ISO/IEC 27001 A.10.6.1, A.10.8.1, A.11.1.1, A.11.4.1, A.11.4.2, A.11.4.4, A.11.4.6, A.11.4.7, A.11.7.1, A.11.7.2; HIPAA 164.310(b)
Control family: Access control
Control: AC-18 Wireless Access
The organization:
a. Establishes usage restrictions and implementation guidance for wireless access;
b. Monitors for unauthorized wireless access to the information system;
c. Authorizes wireless access to the information system prior to connection; and
d. Enforces requirements for wireless connections to the information system.
Control mappings: ISO/IEC 27001 A.10.6.1, A.10.8.1, A.11.1.1, A.11.4.1, A.11.4.2, A.11.4.4, A.11.4.6, A.11.4.7, A.11.7.1, A.11.7.2
Control family: Access control
Control: AC-19 Access Control for Mobile Devices
The organization:
a. Establishes usage restrictions and implementation guidance for organization-controlled mobile devices;
b. Authorizes connection of mobile devices meeting organizational usage restrictions and implementation guidance to organizational information systems;
c. Monitors for unauthorized connections of mobile devices to organizational information systems;
d. Enforces requirements for the connection of mobile devices to organizational information systems;
e. Disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction;
f. Issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures; and
g. Applies [Assignment: organization-defined inspection and preventative measures] to mobile devices returning from locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.
Control mappings: ISO/IEC 27001 A.10.4.1, A.11.1.1, A.11.4.3, A.11.7.1; HIPAA 164.310(b)
Control family: Access control
Control: AC-20 Use of External Information Systems
The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:
a. Access the information system from the external information systems; and
b. Process, store, and/or transmit organization-controlled information using the external information systems.
Control mappings: ISO/IEC 27001 A.7.1.3, A.8.1.1, A.8.1.3, A.10.6.1, A.10.8.1, A.11.4.1, A.11.4.2
Control family: Access control
Control: AC-21 User-Based Collaboration and Information Sharing
The organization:
a. Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and
b. Employs [Assignment: list of organization-defined information sharing circumstances and automated mechanisms or manual processes required] to assist users in making information sharing/collaboration decisions.
Control mappings: ISO/IEC 27001 A.11.2.1, A.11.2.2
Control family: Access control
Control: AC-22 Publicly Accessible Content
The organization:
a. Designates individuals authorized to post information onto an organizational information system that is publicly accessible;
b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
c. Reviews the proposed content of publicly accessible information for nonpublic information prior to posting onto the organizational information system;
d. Reviews the content on the publicly accessible organizational information system for nonpublic information [Assignment: organization-defined frequency]; and
e. Removes nonpublic information from the publicly accessible organizational information system, if discovered.
Control mappings: ISO/IEC 27001 (no clauses listed)
Table 9.2 Audit and Accountability Controls
Columns: Control family | Control | Compliant (Yes/No) | Control mappings. The Compliant (Yes/No) column carries no entries on this page.

Control family: Audit and accountability
Control: AU-1 Audit and Accountability Policy and Procedures
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.
Control mappings: ISO/IEC 27001 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.10.1.1, A.10.10.2, A.15.1.1, A.15.2.1, A.15.3.1; COBIT PC2, PC5; HIPAA 164.312(b)
Control family: Audit and accountability
Control: AU-2 Auditable Events
The organization:
a. Determines, based on a risk assessment and mission/business needs, that the information system must be capable of auditing the following events: [Assignment: organization-defined list of auditable events];
b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
c. Provides a rationale for why the list of auditable events is deemed to be adequate to support after-the-fact investigations of security incidents; and
d. Determines, based on current threat information and ongoing assessment of risk, that the following events are to be audited within the information system: [Assignment: organization-defined subset of the auditable events defined in AU-2(a) to be audited along with the frequency of (or situation requiring) auditing for each identified event].
Control mappings: ISO/IEC 27001 A.10.10.1, A.10.10.4, A.10.10.5, A.15.3.1; COBIT AI2.3; HIPAA 164.312(b), 164.308(a)(5)(ii)(C)
Control family: Audit and accountability
Control: AU-3 Content of Audit Records
The information system produces audit records that contain sufficient information to, at a minimum, establish what type of event occurred, when (date and time) the event occurred, where the event occurred, the source of the event, the outcome (success or failure) of the event, and the identity of any user/subject associated with the event.
Control mappings: ISO/IEC 27001 A.10.10.1, A.10.10.4, A.10.10.5, A.15.3.1; HIPAA 164.312(b)
Control family: Audit and accountability
Control: AU-4 Audit Storage Capacity
The organization allocates audit record storage capacity and configures auditing to reduce the likelihood of such capacity being exceeded.
Control mappings: ISO/IEC 27001 A.10.3.1, A.10.10.1; HIPAA 164.312(b)
Control family: Audit and accountability
Control: AU-5 Response to Audit Processing Failures
The information system:
a. Alerts designated organizational officials in the event of an audit processing failure; and
b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].
Control mappings: ISO/IEC 27001 A.10.3.1, A.10.10.1
Control family: Audit and accountability
Control: AU-6 Audit Review, Analysis, and Reporting
The organization:
a. Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of inappropriate or unusual activity, and reports findings to designated organizational officials; and
b. Adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk to organizational operations, organizational assets, individuals, other organizations, or the nation based on law enforcement information, intelligence information, or other credible sources of information.
Control mappings: ISO/IEC 27001 A.10.10.2, A.10.10.5, A.13.1.1, A.15.1.5; COBIT DS5.5; HIPAA 164.308(a)(5)(ii)(C), 164.312(b), 164.308(a)(1)(ii)(D)
Control family: Audit and accountability
Control: AU-7 Audit Reduction and Report Generation
The information system provides an audit reduction and report generation capability.
Control mappings: ISO/IEC 27001 A.10.10.2; HIPAA 164.312(b), 164.308(a)(1)(ii)(D)
Control family: Audit and accountability
Control: AU-8 Time Stamps
The information system uses internal system clocks to generate time stamps for audit records.
Control mappings: ISO/IEC 27001 A.10.10.1, A.10.10.6

Control family: Audit and accountability
Control: AU-9 Protection of Audit Information
The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
Control mappings: ISO/IEC 27001 A.10.10.3, A.13.2.3, A.15.1.3, A.15.3.2

Control family: Audit and accountability
Control: AU-10 Non-Repudiation
The information system protects against an individual falsely denying having performed a particular action.
Control mappings: ISO/IEC 27001 A.10.9.1, A.12.2.3; COBIT DS5.11, AC6
Control family: Audit and accountability
Control: AU-11 Audit Record Retention
The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
Control mappings: ISO/IEC 27001 A.10.10.1, A.10.10.2, A.15.1.3
Control family: Audit and accountability
Control: AU-12 Audit Generation
The information system:
a. Provides audit record generation capability for the list of auditable events defined in AU-2 at [Assignment: organization-defined information system components];
b. Allows designated organizational personnel to select which auditable events are to be audited by specific components of the system; and
c. Generates audit records for the list of audited events defined in AU-2 with the content as defined in AU-3.
Control mappings: ISO/IEC 27001 A.10.10.1, A.10.10.4, A.10.10.5
Audit and
accountability
AU-13 Monitoring for
Information Disclosure
The organization monitors
ISO/IEC 27001
(None)
4/30/23, 12:18 PM Chapter 9 Technical Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/020-9781466551282-009.xhtml 37/66
open source information
for evidence of
unauthorized exfiltration
or disclosure of
organizational
information [Assignment:
organization-defined
frequency].
Audit and
accountability
AU-14 Session Audit
The information system
provides the capability to:
a. Capture/record and log
all content related to a
user session; and
b. Remotely view/hear all
content related to an
established user session in
real time.
ISO/IEC 27001
(None)
4/30/23, 12:18 PM Chapter 9 Technical Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/020-9781466551282-009.xhtml 38/66
Table 9.3 Identification and Authentication Controls

| CONTROL FAMILY | CONTROL | COMPLIANT (YES/NO) | CONTROL MAPPINGS |
|---|---|---|---|
| Identification and authentication | IA-1 Identification and Authentication Policy and Procedures. The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a. A formal, documented identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Formal, documented procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls. | | ISO/IEC 27001 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.10.1.1, A.11.2.1, A.15.1.1, A.15.2.1; COBIT DS5.3, PC5 |
| Identification and authentication | IA-2 Identification and Authentication (Organizational Users). The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). | | ISO/IEC 27001 A.11.3.2, A.11.5.1, A.11.5.2, A.11.5.3; COBIT AI2.4, DS5.3; HIPAA 164.308(a)(5)(ii)(D), 164.312(a)(2)(i), 164.312(d) |
| Identification and authentication | IA-3 Device Identification and Authentication. The information system uniquely identifies and authenticates [Assignment: organization-defined list of specific and/or types of devices] before establishing a connection. | | ISO/IEC 27001 A.11.4.3; HIPAA 164.312(a)(2)(i), 164.312(d) |
| Identification and authentication | IA-4 Identifier Management. The organization manages information system identifiers for users and devices by: a. Receiving authorization from a designated organizational official to assign a user or device identifier; b. Selecting an identifier that uniquely identifies an individual or device; c. Assigning the user identifier to the intended party or the device identifier to the intended device; d. Preventing reuse of user or device identifiers for [Assignment: organization-defined time period]; and e. Disabling the user identifier after [Assignment: organization-defined time period of inactivity]. | | ISO/IEC 27001 A.11.5.2; COBIT DS5.3, DS5.4; HIPAA 164.308(a)(5)(ii)(D), 164.312(a)(2)(i), 164.312(d) |
| Identification and authentication | IA-5 Authenticator Management. The organization manages information system authenticators for users and devices by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual and/or device receiving the authenticator; b. Establishing initial authenticator content for authenticators defined by the organization; c. Ensuring that authenticators have sufficient strength of mechanism for their intended use; d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators; e. Changing default content of authenticators upon information system installation; f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators (if appropriate); g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; h. Protecting authenticator content from unauthorized disclosure and modification; and i. Requiring users to take, and having devices implement, specific measures to safeguard authenticators. | | ISO/IEC 27001 A.11.2.1, A.11.2.3, A.11.3.1, A.11.5.2, A.11.5.3; HIPAA 164.308(a)(5)(ii)(D) |
| Identification and authentication | IA-6 Authenticator Feedback. The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals. | | ISO/IEC 27001 A.11.5.1; HIPAA 164.308(a)(5)(ii)(D) |
| Identification and authentication | IA-7 Cryptographic Module Authentication. The information system uses mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for such authentication. | | ISO/IEC 27001 A.12.3.1, A.15.1.1, A.15.1.6, A.15.2.1; HIPAA 164.308(a)(5)(ii)(D) |
| Identification and authentication | IA-8 Identification and Authentication (Non-Organizational Users). The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users). | | ISO/IEC 27001 A.10.9.1, A.11.4.2, A.11.5.1, A.11.5.2 |

Table 9.4 System and Communications Protection Controls

| CONTROL FAMILY | CONTROL | COMPLIANT (YES/NO) | CONTROL MAPPINGS |
|---|---|---|---|
| System and communications protection | SC-1 System and Communications Protection Policy and Procedures. The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a. A formal, documented system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Formal, documented procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls. | | ISO/IEC 27001 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.10.1.1, A.15.1.1, A.15.2.1; COBIT DS5.2, PC5 |
| System and communications protection | SC-2 Application Partitioning. The information system separates user functionality (including user interface services) from information system management functionality. | | ISO/IEC 27001 A.10.4.1, A.10.4.2; COBIT AI2.4 |
| System and communications protection | SC-3 Security Function Isolation. The information system isolates security functions from nonsecurity functions. | | ISO/IEC 27001 A.10.4.1, A.10.4.2, A.10.9.1, A.10.9.2; COBIT DS5.7 |
| System and communications protection | SC-4 Information in Shared Resources. The information system prevents unauthorized and unintended information transfer via shared system resources. | | ISO/IEC 27001 (None) |
| System and communications protection | SC-5 Denial of Service Protection. The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined list of types of denial of service attacks or reference to source for current list]. | | ISO/IEC 27001 A.10.3.1 |
| System and communications protection | SC-6 Resource Priority. The information system limits the use of resources by priority. | | ISO/IEC 27001 (None) |
| System and communications protection | SC-7 Boundary Protection. The information system: a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; and b. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. | | ISO/IEC 27001 A.6.2.1, A.10.4.1, A.10.4.2, A.10.6.1, A.10.8.1, A.10.9.1, A.10.9.2, A.10.10.2, A.11.4.5, A.11.4.6; COBIT DS5.10 |
| System and communications protection | SC-8 Transmission Integrity. The information system protects the integrity of transmitted information. | | ISO/IEC 27001 A.10.4.2, A.10.6.1, A.10.6.2, A.10.9.1, A.10.9.2, A.12.2.3, A.12.3.1; COBIT AC6; HIPAA 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i) |
| System and communications protection | SC-9 Transmission Confidentiality. The information system protects the confidentiality of transmitted information. | | ISO/IEC 27001 A.10.6.1, A.10.6.2, A.10.9.1, A.10.9.2, A.12.3.1; COBIT DS5.11, AC6; HIPAA 164.312(e)(1), 164.312(e)(2)(ii) |
| System and communications protection | SC-10 Network Disconnect. The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity. | | ISO/IEC 27001 A.10.6.1, A.11.3.2, A.11.5.1, A.11.5.5 |
| System and communications protection | SC-11 Trusted Path. The information system establishes a trusted communications path between the user and the following security functions of the system: [Assignment: organization-defined security functions to include at a minimum information system authentication and reauthentication]. | | ISO/IEC 27001 (None); COBIT AC6, DS5.11 |
| System and communications protection | SC-12 Cryptographic Key Establishment and Management. The organization establishes and manages cryptographic keys for required cryptography employed within the information system. | | ISO/IEC 27001 A.12.3.2; COBIT DS5.8; HIPAA 164.312(e)(2)(ii) |
| System and communications protection | SC-13 Use of Cryptography. The information system implements required cryptographic protections using cryptographic modules that comply with applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance. | | ISO/IEC 27001 A.12.3.1, A.15.1.6; COBIT DS5.8; HIPAA 164.312(a)(2)(iv), 164.312(e)(2)(ii) |
| System and communications protection | SC-14 Public Access Protections. The information system protects the integrity and availability of publicly available information and applications. | | ISO/IEC 27001 A.10.4.1, A.10.4.2, A.10.9.1, A.10.9.2, A.10.9.3 |
| System and communications protection | SC-15 Collaborative Computing Devices. The information system: a. Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and b. Provides an explicit indication of use to users physically present at the devices. | | ISO/IEC 27001 (None) |
| System and communications protection | SC-16 Transmission of Security Attributes. The information system associates security attributes with information exchanged between information systems. | | ISO/IEC 27001 A.7.2.2, A.10.8.1; COBIT DS5.11 |
| System and communications protection | SC-17 Public Key Infrastructure Certificates. The organization issues public key certificates under an [Assignment: organization-defined certificate policy] or obtains public key certificates under an appropriate certificate policy from an approved service provider. | | ISO/IEC 27001 A.12.3.2 |
| System and communications protection | SC-18 Mobile Code. The organization: a. Defines acceptable and unacceptable mobile code and mobile code technologies; b. Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and c. Authorizes, monitors, and controls the use of mobile code within the information system. | | ISO/IEC 27001 A.10.4.2; COBIT DS5.9 |
| System and communications protection | SC-19 Voice Over Internet Protocol. The organization: a. Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and b. Authorizes, monitors, and controls the use of VoIP within the information system. | | ISO/IEC 27001 A.10.6.1 |
| System and communications protection | SC-20 Secure Name/Address Resolution Service (Authoritative Source). The information system provides additional data origin and integrity artifacts along with the authoritative data the system returns in response to name/address resolution queries. | | ISO/IEC 27001 A.10.6.1 |
| System and communications protection | SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver). The information system performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems. | | ISO/IEC 27001 A.10.6.1 |
| System and communications protection | SC-22 Architecture and Provisioning for Name/Address Resolution Service. The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation. | | ISO/IEC 27001 A.10.6.1 |
| System and communications protection | SC-23 Session Authenticity. The information system provides mechanisms to protect the authenticity of communications sessions. | | ISO/IEC 27001 A.10.6.1; COBIT AC6 |
| System and communications protection | SC-24 Fail in Known State. The information system fails to a [Assignment: organization-defined known state] for [Assignment: organization-defined types of failures] preserving [Assignment: organization-defined system state information] in failure. | | ISO/IEC 27001 (None) |
| System and communications protection | SC-25 Thin Nodes. The information system employs processing components that have minimal functionality and information storage. | | ISO/IEC 27001 (None) |
| System and communications protection | SC-26 Honeypots. The information system includes components specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting, and analyzing such attacks. | | ISO/IEC 27001 (None) |
| System and communications protection | SC-27 Operating System-Independent Applications. The information system includes: [Assignment: organization-defined operating system independent applications]. | | ISO/IEC 27001 (None) |
| System and communications protection | SC-28 Protection of Information at Rest. The information system protects the confidentiality and integrity of information at rest. | | ISO/IEC 27001 (None) |
| System and communications protection | SC-29 Heterogeneity. The organization employs diverse information technologies in the implementation of the information system. | | ISO/IEC 27001 (None) |
| System and communications protection | SC-30 Virtualization Techniques. The organization employs virtualization techniques to present information system components as other types of components, or components with differing configurations. | | ISO/IEC 27001 (None) |
| System and communications protection | SC-31 Covert Channel Analysis. The organization requires that information system developers/integrators perform a covert channel analysis to identify those aspects of system communication that are potential avenues for covert storage and timing channels. | | ISO/IEC 27001 (None) |
| System and communications protection | SC-32 Information System Partitioning. The organization partitions the information system into components residing in separate physical domains (or environments) as deemed necessary. | | ISO/IEC 27001 (None) |
| System and communications protection | SC-33 Transmission Preparation Integrity. The information system protects the integrity of information during the processes of data aggregation, packaging, and transformation in preparation for transmission. | | ISO/IEC 27001 (None) |
| System and communications protection | SC-34 Non-Modifiable Executable Programs. The information system at [Assignment: organization-defined information system components]: a. Loads and executes the operating environment from hardware-enforced, read-only media; and b. Loads and executes [Assignment: organization-defined applications] from hardware-enforced, read-only media. | | ISO/IEC 27001 (None) |

Suggested Reading

1. National Institute of Standards and Technology (NIST). August 2009. Special Publication 800-53 Rev3: Recommended security controls for federal information systems and organizations. http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf
2. IT Governance Institute. 2007. Mapping of NIST SP 800-53 Rev 1 with COBIT 4.1. http://www.itgi.org
3. National Institute of Standards and Technology (NIST). October 2008. An introductory resource guide for implementing the Health Insurance Portability and Accountability Act (HIPAA) security rule. http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf
4. International Organization for Standardization (ISO). ISO/IEC 27001:2005 Information security management systems: Requirements. http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=42103
5. International Organization for Standardization (ISO). ISO/IEC 27002:2005 Information technology security techniques: Code of practice for information security management. http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=50297
6. Department of Health and Human Services, Office of the Secretary. February 20, 2003. 45 CFR Parts 160, 162, and 164 Health insurance reform: Security standards; Final rule. Federal Register 68(24). http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityrulepdf.pdf