3/28/23, 3:46 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 1/60
10
Operational Controls
Practical Security Considerations
There is no such thing as a free lunch.
Attributed to Milton Friedman, 1912–2006
The controls specified in this chapter are the operational controls, those controls that govern the ongoing operational processes impacting security and spanning multiple departments. This chapter, along with the preceding security control chapters (Chapter 8 on managerial controls and Chapter 9 on technical controls), completes the controls necessary for building the foundation of an information security program. Each listing of the operational control family is preceded by some practical security considerations for reviewing that family of controls. These controls are also mapped to COBIT 4.1, ISO 27001:2005, and the Health Insurance Portability and Accountability Act (HIPAA) where a relationship between them exists.
Awareness and Training Controls
The awareness and training control family (AT) shown in Table 10.1 serves to ensure that individuals within the organization have the appropriate level of training. All users of the organization need some level of training, and this includes all management levels and all end users. Records need to be maintained demonstrating that everyone has taken the training. End users need awareness training primarily so that they know what is expected of them, when a security breach has occurred, and how to report the breach. Executive management will also need the same training, potentially supplemented with training on risk management as it relates to security. Role-based training can provide technical staff with security-specific education, such as the network administrator on securing a firewall, the security analyst on Security Information and Event Management (SIEM), or the server engineer on securing Windows/Unix servers. Additionally, management may need training for a new identity management system or for handling terminations. The entire organization may need additional refresher training on a monthly basis.
End user awareness training should be provided prior to accessing the computer system and on an annual basis at a minimum. More ideas for security training are provided in Chapter 12.
Configuration Management Controls
The configuration management control family (CM), as shown in Table 10.2, provides control of the configuration setting baselines and their ongoing integrity. Once the baseline is decided upon, there should be a periodic review to ensure that the baselines are kept up to date with the latest changes from the issuing agency (e.g., the Defense Information Systems Agency). The appropriate team members for the particular baseline (server, desktop, firewall, database, mainframe, etc.) should meet and determine the changes required to the baseline. The new baseline can then be constructed and applied, according to the baseline procedures, to all the devices of that type. Exceptions to the baseline standard need to be documented. Deviations from the baseline can be captured with automated tools, provided the upfront work has been done to populate the tool with the existing baseline.
Change control is a difficult area: it must ensure that changes are properly authorized and subsequently approved for production implementation before they are implemented. Programmers and those responsible for the infrastructure components may be pressed for time to implement a change and not receive proper approval beforehand. A change control board (CCB) can be very beneficial in this case, with individuals tracking the production implementations and following up on those who have not received the appropriate approvals. Managing the change control process provides traceability of subsequent changes to the system.
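The baseline review described above, with deviations captured automatically and exceptions documented, is shown below as an added example (not code from the book): a constructed server baseline, a constructed collection of observed settings, and constructed exception tickets are compared, and an approved exception only excuses the value it was approved for.

```python
"""Baseline deviation report (configuration management, CM-2/CM-6).

Added example, not from the book. The baseline, the settings collected from
each server, and the approved exceptions are all constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed baseline for one device type (servers): setting -> required value.
SERVER_BASELINE = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "audit.enabled": "yes",
    "telnet.service": "disabled",
    "ntp.server": "time.example.internal",
}

# Documented exceptions, keyed by (device, setting): the approved value and the
# ticket that records the approval. An exception only covers the value approved.
APPROVED_EXCEPTIONS = {
    ("srv-02", "ssh.PasswordAuthentication"): {"value": "yes", "ticket": "EXC-0017"},
    ("srv-03", "ntp.server"): {"value": "10.0.0.5", "ticket": "EXC-0021"},
}

# Constructed output of a collection tool: device -> settings actually observed.
SAMPLE_FLEET = {
    "srv-01": {"ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "no",
               "audit.enabled": "yes", "telnet.service": "disabled",
               "ntp.server": "time.example.internal"},
    "srv-02": {"ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "yes",
               "audit.enabled": "yes", "telnet.service": "enabled",
               "ntp.server": "time.example.internal"},
    "srv-03": {"ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "no",
               "telnet.service": "disabled", "ntp.server": "pool.ntp.org"},
}


@dataclass(frozen=True)
class Finding:
    device: str
    setting: str
    expected: str
    actual: Optional[str]   # None when the collector returned nothing for the setting
    status: str             # "deviation", "missing", or "exception"
    ticket: str = ""


def review_device(device: str, collected: Dict[str, str],
                  baseline=SERVER_BASELINE, exceptions=APPROVED_EXCEPTIONS) -> List[Finding]:
    """Compare one device against the baseline, honouring documented exceptions."""
    findings = []
    for setting, expected in baseline.items():
        actual = collected.get(setting)
        if actual == expected:
            continue
        exc = exceptions.get((device, setting))
        if actual is None:
            findings.append(Finding(device, setting, expected, None, "missing"))
        elif exc is not None and actual == exc["value"]:
            findings.append(Finding(device, setting, expected, actual, "exception", exc["ticket"]))
        else:
            # Either no exception exists, or the observed value is not the approved
            # one: an exception for value X does not excuse value Y.
            findings.append(Finding(device, setting, expected, actual, "deviation"))
    return findings


def review_fleet(fleet=SAMPLE_FLEET) -> List[Finding]:
    return [f for device, collected in sorted(fleet.items())
            for f in review_device(device, collected)]


def summarize(findings: List[Finding]) -> dict:
    """Counts per status plus the undocumented items (deviation or missing) per device."""
    counts: Dict[str, int] = {}
    undocumented: Dict[str, List[str]] = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
        if f.status != "exception":
            undocumented.setdefault(f.device, []).append(f.setting)
    return {"counts": counts, "undocumented": undocumented}


if __name__ == "__main__":
    for f in review_fleet():
        tag = f.status + (" " + f.ticket if f.ticket else "")
        print(f"{f.device}: {f.setting} expected={f.expected!r} actual={f.actual!r} [{tag}]")
    print(summarize(review_fleet()))
```

The undocumented list is what the CCB or the baseline owners follow up on; the exception list is evidence that the remaining gaps are known and approved.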
Contingency Planning Controls
The contingency planning control family (CP) ensures that the systems can be brought up in a reasonable amount of time in the event of a disaster. These controls, shown in Table 10.3, typically require that some form of testing be done to ensure that the system can be brought up in a reasonable time. The testing identifies gaps in the documentation and highlights information that may have been left out, such as a file or the knowledge of an administrator password that halted the test. If an outsourced data center company handles these functions, testing should still be performed to determine whether the network at the site will be available in the event of a disaster.
Business continuity plans should be written for each department to ensure they are ready in the event of a disaster, not only in terms of the computing platform but also in terms of where staff will work and how the equipment will be configured or delivered to a remote location or for a work-at-home scenario.
Incident Response Controls
The incident response control family (IR), as shown in Table 10.4, ensures that the organization has a predefined mechanism in place to respond to an incident. Security incidents can range from sending sensitive information unencrypted through e-mail to having the infrastructure penetrated through Structured Query Language (SQL) injection on the public-facing website, for example. Not all incidents will be of a magnitude that warrants forming a computer security incident response team (CSIRT); however, the CSIRT procedure created by the organization should spell out the conditions under which the CSIRT will be invoked. A senior management crisis management team for significant events, such as threats of violence, bomb threats, and emergency weather conditions, should be established. These teams need to be in place before the incidents occur.
Incidents should be simulated by creating a scenario and walking through what would be done in the event of a crisis or a technical outage caused by an event such as malware, antivirus, or an advanced persistent threat (APT) targeted toward the organization.
Maintenance Controls
The maintenance control family (MA) shown in Table 10.5 ensures that the equipment is properly maintained by having contracts in place, service level agreements, spare parts available, and routine maintenance performed. Exposing a device to the employees of an external vendor carries the risk that the software, firmware, or data may be modified to create a subsequent entry point into the system, or that information could be disclosed. The device also needs to be properly maintained and serviced on a regular basis to ensure appropriate availability. Contracts should be in place for spare parts availability, with 4 hours not being an unreasonable time frame in most cases. In the case of workstations or desktops, for most organizations, having alternate equipment on-site can alleviate the need for immediate spare parts from a vendor. In this case, there should be agreements with hardware manufacturers to replace the items under warranty and documented procedures for handling the return of equipment.
There should be contracts in place for each computing platform in the environment. Mainframe contracts typically come in the form of a master services agreement with an annual renewal signoff. Procedures should also be in place for when vendors are required to service the equipment on-site, to ensure they are escorted, as well as procedures for vendor remote access. Vendors that require infrequent connections to the equipment could be granted one-time IDs/passwords along with secure tokens to access the equipment. The access should also be logged, specifying the individual using the ID and the business reason for the access.
Media Protection Controls
The media protection control family (MP) controls shown in Table 10.6 address information wherever it may be stored. As the perimeter of the organization is disappearing, with information moving closer to the end user (i.e., the information resides on laptops, USB drives, compact disks, DVDs, smartphones, and other types of flash memory chips), care must be taken to ensure that only authorized individuals have the ability to copy information to these external sources. Due to the massive amount of information that can be stored on a portable drive (multiple terabytes) or a USB stick (upward of 64 GB), these devices must be carefully managed.
Workstations can be locked down with technology that permits only certain users to write to an external device or CD/DVD writer. Due to the mobile nature and size of these devices, the organization should choose an encryption method, either encrypting the media using the software that comes with the USB drive or encrypting the files themselves prior to placing them on the media. At least 128-bit encryption should be used, and AES-256 encryption is desirable. Some encryption products are FIPS 140-2 certified, which provides the highest level of encryption and is suitable for most organizations.
Policies regarding media disposal need to ensure that appropriate tracking and sanitization of the devices is performed prior to disposal, along with retention of the disposal records. The organization should be able to know where the devices are located from the birth to the death of the device. This is no easy task in larger organizations, where devices are reimaged frequently and redeployed to other users.
Media protection also extends to paper forms of information, and to the policies and procedures that support clean desk policies (i.e., no visible confidential information during the day, and everything locked up during off-hours), shredding of documents, and which items are approved for dumpster disposal. On-site shredding of paper, tapes, and CDs avoids the tracking of information sent off-site and the risks of information being intercepted or not being properly shredded.
Physical and Environmental Protection Controls
The physical and environmental protection control family (PE) controls listed in Table 10.7 address the need for physical controls around the facility for employees, contractors, and visitors, as well as the environmental controls for the computing equipment in the local area network (LAN) rooms and data centers. Just as the logical access controls need to be addressed with authorizations for access, periodic recertifications, termination of access, and restriction of access to sensitive areas, the physical access controls need these same controls. An organization may employ multiple methods of achieving the physical controls, such as security guards, proximity readers, piggybacking policies, visitor sign-in, temporary badge issuance, guard stations, and so forth. One of the more difficult areas of managing physical security for an organization is the lack of integration between the physical security systems capturing ingress/egress to the buildings and the identity management systems authorizing the approval. Manual reconciliation between the systems is necessary to demonstrate that the access was removed from the physical system. As companies merge, investments are required to merge the security systems of multiple offices. Small offices may also not have the same capabilities as the systems purchased for larger offices and may need to be managed separately.
The fire suppression, temperature, and water controls generally focus on the data center and LAN room needs. Organizations need to decide how power outages will be addressed (uninterruptible power supply [UPS] and diesel generators), equipment that must also have contracts and periodic servicing and testing. LAN closets need to be secured so that only staff requiring access to perform their jobs can enter, and unused ports should be disabled.
Personnel Security Controls
The personnel security control family (PS) controls listed in Table 10.8 seek to place human resource policies and procedures around the employees to ensure that individuals have backgrounds without damaging criminal histories, that their access is appropriately removed when they are no longer working for the company or have transferred to a different division, and finally that they understand their responsibilities with respect to the security controls while they are working for the company and after they have left the company.
Background checks must be completed before the employee is permitted to work for the company. To ensure that this happens, the information security department could withhold the login ID and password until the human resources department has provided evidence that the background check has been completed. This would serve as a secondary control to ensure the action took place. Individuals also need to be rescreened on a periodic basis. The simplest way to achieve this is to perform rescreens on those determined to be in sensitive positions (e.g., the information technology [IT] department, finance department, administrators) at the same time. Otherwise, the overhead of tracking individuals based upon anniversary dates, without an automated system to administer this process, could be manually intensive. For any contractors performing work on behalf of the company, the company may either request a background check or require that the contracting firm provide evidence that a background check has been completed and is satisfactory.
Sanction policies must be in place to provide enforcement of the controls. The information security department should view itself as the provider of the supporting evidence for the infraction; however, the incident is best handled between human resources or ethics/compliance, the individual, and his or her manager. The security department can provide support regarding the events that occurred.
Due to the strong linkage between employee on-boarding, compliance with security controls while an associate, and the termination procedures on one side, and the access provisioning performed by the information security department on the other, an equally strong relationship between human resources and information security should be maintained. Documenting the information flows between the human resource information systems (HRIS) and the identity management system can identify gaps in the processes.
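The reconciliation the chapter calls for in two places, between the badge system and identity management in the physical security discussion and between HRIS and identity management in this personnel security discussion, is shown below as one added example (not code from the book). The HRIS extract, the account and badge exports, the three-year rescreen interval, and the set of sensitive departments are all constructed assumptions.

```python
"""Reconcile the HR system of record against logical and physical access systems.

Added example, not from the book. The HRIS extract, the identity management
(IdM) account export, the badge-system export, and the policy values below
are all constructed; the rescreen interval and sensitive departments are
assumptions.
"""
from datetime import date, timedelta

SENSITIVE_DEPTS = {"IT", "Finance"}           # assumed: positions that get periodic rescreens
RESCREEN_INTERVAL = timedelta(days=3 * 365)   # assumed rescreen interval

# Constructed HRIS extract: the authoritative list of who works here.
HRIS = [
    {"id": "e100", "dept": "IT", "status": "active", "bg_check_completed": date(2020, 1, 15)},
    {"id": "e101", "dept": "Sales", "status": "active", "bg_check_completed": None},
    {"id": "e102", "dept": "Finance", "status": "terminated", "bg_check_completed": date(2018, 6, 1)},
    {"id": "e103", "dept": "IT", "status": "active", "bg_check_completed": date(2022, 5, 2)},
]

# Constructed identity management export: employee id -> account state.
IDM_ACCOUNTS = {"e100": "enabled", "e101": "enabled", "e102": "enabled", "e999": "enabled"}

# Constructed physical access (badge) export: employee id -> badge state.
BADGES = {"e100": "active", "e102": "active", "e103": "active", "c900": "active"}


def reconcile(hris=HRIS, idm=IDM_ACCOUNTS, badges=BADGES, today=date(2023, 3, 28)):
    """Return sorted (employee_id, system, issue) tuples describing process gaps."""
    people = {p["id"]: p for p in hris}
    findings = []

    for emp_id, person in people.items():
        logical_on = idm.get(emp_id) == "enabled"
        physical_on = badges.get(emp_id) == "active"

        # Termination: access must be gone from both the logical and the physical system.
        if person["status"] == "terminated":
            if logical_on:
                findings.append((emp_id, "idm", "TERMINATED_ACCESS"))
            if physical_on:
                findings.append((emp_id, "badge", "TERMINATED_ACCESS"))
            continue

        # Secondary control: no login until HR has evidenced a completed background check.
        if logical_on and person["bg_check_completed"] is None:
            findings.append((emp_id, "idm", "NO_BG_CHECK"))

        # Periodic rescreen for sensitive positions, batched by department
        # rather than tracked by individual anniversary dates.
        completed = person["bg_check_completed"]
        if (person["dept"] in SENSITIVE_DEPTS and completed is not None
                and today - completed > RESCREEN_INTERVAL):
            findings.append((emp_id, "hris", "RESCREEN_DUE"))

    # Accounts or badges with no HR record at all cannot be tied to an authorization.
    for emp_id in idm:
        if emp_id not in people:
            findings.append((emp_id, "idm", "ORPHAN_ACCOUNT"))
    for emp_id in badges:
        if emp_id not in people:
            findings.append((emp_id, "badge", "ORPHAN_ACCOUNT"))
    return sorted(findings)


if __name__ == "__main__":
    for emp_id, system, issue in reconcile():
        print(f"{emp_id:6} {system:6} {issue}")
```

Each finding names the system that has to act, which is what the documented HRIS-to-identity-management information flow should already say.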
System and Information Integrity Controls
System and information integrity controls (SI), listed in Table 10.9, focus on providing controls to protect the systems environment and handle such issues as malicious code; spam; systems monitoring; flaw remediation; and ensuring that applications are coded correctly with appropriate input validation, error handling, and consistent failure prevention. Antivirus, antimalware, and antispyware products should be installed at the entry points, such as servers, desktops, and firewalls, to restrict the entry of malicious traffic, in addition to the security awareness programs on these topics. Processes need to be built to manage the exceptions (e.g., when the antivirus update is not applied to the desktops within a specified frequency, such as 1 to 3 days after distribution to the servers) to ensure that all desktops are appropriately being addressed within the system. There may be issues with the software pushing the updates or with the asset inventory that need to be rectified. End users should be made aware of the effects of malicious code, as well as having the technical infrastructure to support them in the event a wrong decision is made.
Application code must be written such that information that would be useful to an intruder is not displayed. Input data needs to be validated to avoid buffer overruns and other programming errors, which could provide elevated command line access. This all works in concert with the systems development life cycle process, whereby secure coding guidelines would be established and certified to, either by attestation or by the completion of a checklist indicating which guidelines were incorporated into the development.
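The antivirus exception process above, with its 1-to-3-day window after server distribution, is shown below as an added example (not code from the book): a constructed asset inventory is reconciled against a constructed antivirus console export, separating desktops whose signatures are stale from agents that have stopped checking in and from inventory mismatches, since each needs a different fix.

```python
"""Antivirus update exception report (system and information integrity).

Added example, not from the book. The asset inventory, the antivirus console
export, the signature version, and the distribution date are constructed; the
3-day window follows the chapter's "1 to 3 days after distribution to the servers".
"""
from datetime import date

LAG_LIMIT_DAYS = 3

# Constructed: the current signature set and the date it was distributed to the servers.
CURRENT_SIGNATURE = "sig-2023.03.25"
DISTRIBUTED_ON = date(2023, 3, 25)

# Constructed asset inventory of desktops: hostname -> department.
INVENTORY = {"dsk-001": "Finance", "dsk-002": "IT", "dsk-003": "Sales",
             "dsk-004": "HR", "dsk-005": "IT"}

# Constructed antivirus console export: hostname -> (signature version, last check-in).
AV_CONSOLE = {
    "dsk-001": ("sig-2023.03.25", date(2023, 3, 26)),
    "dsk-002": ("sig-2023.03.18", date(2023, 3, 27)),   # checks in, but has not taken the update
    "dsk-003": ("sig-2023.03.25", date(2023, 3, 27)),
    "dsk-005": ("sig-2023.03.18", date(2023, 3, 20)),   # agent silent since before distribution
    "dsk-009": ("sig-2023.03.25", date(2023, 3, 27)),   # known to the console, not to inventory
}


def av_exceptions(inventory=INVENTORY, console=AV_CONSOLE, current_sig=CURRENT_SIGNATURE,
                  distributed_on=DISTRIBUTED_ON, today=date(2023, 3, 29),
                  lag_limit=LAG_LIMIT_DAYS):
    """Return {hostname: reason} for every desktop needing follow-up; compliant hosts are omitted."""
    window_closed = (today - distributed_on).days > lag_limit
    exceptions = {}
    for host in inventory:
        if host not in console:
            exceptions[host] = "NOT_IN_AV_CONSOLE"      # push software or inventory to rectify
            continue
        sig, last_seen = console[host]
        if (today - last_seen).days > lag_limit:
            exceptions[host] = "NOT_CHECKING_IN"        # agent/push problem, not a signature lag
        elif sig != current_sig and window_closed:
            exceptions[host] = "SIGNATURE_STALE"        # past the allowed window and still old
        # An old signature inside the window is pending, not yet an exception.
    for host in console:
        if host not in inventory:
            exceptions[host] = "NOT_IN_INVENTORY"       # asset inventory gap
    return exceptions


if __name__ == "__main__":
    for host, reason in sorted(av_exceptions().items()):
        print(f"{host}: {reason} ({INVENTORY.get(host, 'not in inventory')})")
```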
Table 10.1 Awareness and Training Controls
Columns in the table: Control family; Control; Compliant (Yes/No), a blank column for the reviewer's assessment; Control mappings. Each row is listed below as the control text followed by its mappings.

AT-1 Security Awareness and Training Policy and Procedures (family: Awareness and training)
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the security awareness and training policy, and associated security awareness and training controls.
Mappings: ISO/IEC 27001 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.10.1.1, A.15.1.1, A.15.2.1; COBIT DS7.1, PC5; HIPAA 164.308(a)(5)(i)

AT-2 Security Awareness (family: Awareness and training)
The organization provides basic security awareness training to all information system users (including managers, senior executives, and contractors) as part of initial training for new users, when required by system changes, and [Assignment: organization-defined frequency] thereafter.
Mappings: ISO/IEC 27001 A.6.2.2, A.8.1.1, A.8.2.2, A.9.1.5, A.10.4.1; COBIT PO7.4; HIPAA 164.308(a)(5)(i), 164.308(a)(5)(ii)(B)

AT-3 Security Training (family: Awareness and training)
The organization provides role-based security-related training: (i) before authorizing access to the system or performing assigned duties; (ii) when required by system changes; and (iii) [Assignment: organization-defined frequency] thereafter.
Mappings: ISO/IEC 27001 A.8.1.1, A.8.2.2, A.9.1.5; COBIT PO7.4, DS7.2; HIPAA 164.308(a)(5)(i)

AT-4 Security Training Records (family: Awareness and training)
The organization:
a. Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and
b. Retains individual training records for [Assignment: organization-defined time period].
Mappings: ISO/IEC 27001 (None); COBIT DS7.2; HIPAA 164.308(a)(5)(i)

AT-5 Contacts with Security Groups and Associations (family: Awareness and training)
The organization establishes and institutionalizes contact with selected groups and associations within the security community:
• To facilitate ongoing security education and training for organizational personnel;
• To share current security-related information including threats, vulnerabilities, and incidents.
Mappings: ISO/IEC 27001 A.6.1.7; HIPAA 164.308(a)(5)(i)
Table 10.2 Configuration Management Controls
Columns in the table: Control family; Control; Compliant (Yes/No), a blank column for the reviewer's assessment; Control mappings. Each row is listed below as the control text followed by its mappings.

CM-1 Configuration Management Policy and Procedures (family: Configuration management)
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.
Mappings: ISO/IEC 27001 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.10.1.1, A.10.1.2, A.12.4.1, A.12.5.1, A.15.1.1, A.15.2.1; COBIT DS9.1, PC5, PO2.1, AI6.1

CM-2 Baseline Configuration (family: Configuration management)
The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.
Mappings: ISO/IEC 27001 (none listed); COBIT DS9.1, PO1.6, PO2.1

CM-3 Configuration Change Control (family: Configuration management)
The organization:
a. Determines the types of changes to the information system that are configuration controlled;
b. Approves configuration-controlled changes to the system with explicit consideration for security impact analyses;
c. Documents approved configuration-controlled changes to the system;
d. Retains and reviews records of configuration-controlled changes to the system;
e. Audits activities associated with configuration-controlled changes to the system; and
f. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
Mappings: ISO/IEC 27001 A.10.1.1, A.10.1.2, A.10.3.2, A.12.4.1, A.12.5.1, A.12.5.2, A.12.5.3; COBIT DS9.2, AI6.1, AI6.3

CM-4 Security Impact Analysis (family: Configuration management)
The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.
Mappings: ISO/IEC 27001 A.10.1.2, A.10.3.2, A.12.4.1, A.12.5.2, A.12.5.3; COBIT DS5.5, DS9.3

CM-5 Access Restrictions for Change (family: Configuration management)
The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.
Mappings: ISO/IEC 27001 A.10.1.2, A.11.1.1, A.11.6.1, A.12.4.1, A.12.4.3, A.12.5.3

CM-6 Configuration Settings (family: Configuration management)
The organization:
a. Establishes and documents mandatory configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;
b. Implements the configuration settings;
c. Identifies, documents, and approves exceptions from the mandatory configuration settings for individual components within the information system based on explicit operational requirements; and
d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
Mappings: ISO/IEC 27001 (None)

CM-7 Least Functionality (family: Configuration management)
The organization configures the information system to provide only essential capabilities and specifically prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined list of prohibited or restricted functions, ports, protocols, and/or services].
Mappings: ISO/IEC 27001 (None)

CM-8 Information System Component Inventory (family: Configuration management)
The organization develops, documents, and maintains an inventory of information system components that:
a. Accurately reflects the current information system;
b. Is consistent with the authorization boundary of the information system;
c. Is at the level of granularity deemed necessary for tracking and reporting;
d. Includes [Assignment: organization-defined information deemed necessary to achieve effective property accountability]; and
e. Is available for review and audit by designated organizational officials.
Mappings: ISO/IEC 27001 A.7.1.1, A.7.1.2

CM-9 Configuration Management Plan (family: Configuration management)
The organization develops, documents, and implements a configuration management plan for the information system that:
a. Addresses roles, responsibilities, and configuration management processes and procedures;
b. Defines the configuration items for the information system and when in the system development life cycle the configuration items are placed under configuration management; and
c. Establishes the means for identifying configuration items throughout the system development life cycle and a process for managing the configuration of the configuration items.
Mappings: ISO/IEC 27001 A.6.1.3, A.7.1.1, A.7.1.2, A.8.1.1, A.10.1.1, A.10.1.2, A.10.3.2, A.12.4.1, A.12.4.3, A.12.5.1, A.12.5.2, A.12.5.3
Table 10.3 Contingency Planning Controls
CONTROL
FAMILY
COMPLIANT
(YES/NO)
CONTROL MAPPINGS
Contingency
planning
CP-1 Contingency Planning Policy
And Procedures
The organization develops,
disseminates, and reviews/updates
[Assignment:
organization defined frequency]:
a A formal, documented
contingency planning policy that
addresses purpose, scope, roles,
responsibilities, management
commitment, coordination among
organizational entities, and
compliance; and
b. Formal, documented procedures
to facilitate the implementation of
the contingency planning policy
and associated contingency
planning controls.
ISO/IEC 27001
A.5.1.1, A.5.1.2,
A.6.1.1, A.6.1.3,
A.8.1.1, A.9.1.4,
A.10.1.1, A.10.1.2,
A.14.1.1, A.14.1.3,
A.15.1.1, A.15.2.1
COBIT ®
PC5,DS4.1
HIPAA 164.308(a)
(7)(i)
3/28/23, 3:46 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 20/60
Contingency
planning
CP-2 Contingency Plan
The organization:
a. Develops a contingency plan for
the information system that:
• Identifies essential missions and
business functions and associated
contingency requirements;
• Provides recovery objectives,
restoration priorities, and metrics;
• Addresses contingency roles,
responsibilities, assigned
individuals with contact
information;
• Addresses maintaining essential
missions and business functions
despite an information system
disruption, compromise, or failure;
• Addresses eventual, full
information system restoration
without deterioration of the
security measures originally
planned and implemented; and
• Is reviewed and approved by
designated officials within the
organization;
ISO/IEC 27001
A.6.1.2, A.9.1.4,
A.10.3.1, A.14.1.1,
A.14.1.2, A.14.1.3,
A.14.1.4, A.14.1.5
COBIT DS4.2
HIPAA 164.308(a)
(7)(ii)(B),
164.308(a)(7)(ii)
(C), 164.308(a)(7)
(ii)(E), 164.310(a)
(2)(i), 164.312(a)
(2)(ii)
3/28/23, 3:46 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 21/60
b. Distributes copies of the
contingency plan to [Assignment:
organization-defined list of key
contingency personnel (identified
by name and/or by role) and
organizational elements];
c. Coordinates contingency
planning activities with incident
handling activities;
d. Reviews the contingency plan for
the information system
[Assignment: organization-defined
frequency];
e. Revises the contingency plan to
address changes to the
organization, information system,
or environment of operation and
problems encountered during
contingency plan implementation,
execution, or testing; and
f. Communicates contingency plan
changes to [Assignment:
organization-defined list of key
contingency personnel (identified
by name and/or by role) and
organizational elements].
3/28/23, 3:46 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 22/60
Contingency
planning
CP-3 Contingency Training
The organization trains personnel
in their contingency roles and
responsibilities with respect to the
information system and provides
refresher training [Assignment:
organization defined frequency].
ISO/IEC 27001
A.8.2.2, A.9.1.4,
A.14.1.3
COBIT DS4.6
HIPAA 164.308(a)
(7)(ii)(D)
Contingency planning
CP-4 Contingency Plan Testing and Exercises
The organization:
a. Tests and/or exercises the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests and/or exercises] to determine the plan’s effectiveness and the organization’s readiness to execute the plan; and
b. Reviews the contingency plan test/exercise results and initiates corrective actions.
Mappings: ISO/IEC 27001 A.6.1.2, A.9.1.4, A.14.1.1, A.14.1.3, A.14.1.4, A.14.1.5; COBIT DS4.2, DS4.5; HIPAA 164.308(a)(7)(ii)(D)
Contingency planning
CP-6 Alternate Storage Site
The organization establishes an alternate storage site including necessary agreements to permit the storage and recovery of information system backup information.
Mappings: ISO/IEC 27001 A.9.1.4, A.14.1.3; COBIT DS4.1, DS4.9; HIPAA 164.308(a)(7)(ii)(B), 164.310(a)(2)(i)
Contingency planning
CP-7 Alternate Processing Site
The organization:
a. Establishes an alternate processing site including necessary agreements to permit the resumption of information system operations for essential missions and business functions within [Assignment: organization-defined time period consistent with recovery time objectives] when the primary processing capabilities are unavailable; and
b. Ensures that equipment and supplies required to resume operations are available at the alternate site or contracts are in place to support delivery to the site in time to support the organization-defined time period for resumption.
Mappings: ISO/IEC 27001 A.9.1.4, A.14.1.3; COBIT DS4.1, DS4.8; HIPAA 164.308(a)(7)(ii)(B), 164.310(a)(2)(i)
Contingency planning
CP-8 Telecommunications Services
The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of information system operations for essential missions and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable.
Mappings: ISO/IEC 27001 A.9.1.4, A.10.6.1, A.14.1.3; COBIT DS4.1; HIPAA 164.308(a)(7)(ii)(B)
Contingency planning
CP-9 Information System Backup
The organization:
a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
d. Protects the confidentiality and integrity of backup information at the storage location.
Mappings: ISO/IEC 27001 A.9.1.4, A.10.5.1, A.14.1.3, A.15.1.3; COBIT DS4.2, DS11.5; HIPAA 164.308(a)(7)(ii)(A), 164.310(d)(2)(iv), 164.312(c)(1)
Contingency planning
CP-10 Information System Recovery and Reconstitution
The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.
Mappings: ISO/IEC 27001 A.9.1.4, A.14.1.3; COBIT DS4.8, DS11.5; HIPAA 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C)
Table 10.4 Incident Response Controls
Columns: CONTROL FAMILY | COMPLIANT (YES/NO) | CONTROL MAPPINGS
Incident response
IR-1 Incident Response Policy and Procedures
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the incident response policy and associated incident response controls.
Mappings: ISO/IEC 27001 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.10.1.1, A.13.1.1, A.13.2.1, A.15.1.1, A.15.2.1; COBIT PO9.5, PO9.6, DS5.6, DS8.2, PC5; HIPAA 164.308(a)(6)(i)
Incident response
IR-2 Incident Response Training
The organization:
a. Trains personnel in their incident response roles and responsibilities with respect to the information system; and
b. Provides refresher training [Assignment: organization-defined frequency].
Mappings: ISO/IEC 27001 A.8.2.2; HIPAA 164.308(a)(6)(i)
Incident response
IR-3 Incident Response Testing and Exercises
The organization tests and/or exercises the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests and/or exercises] to determine the incident response effectiveness and documents the results.
Mappings: ISO/IEC 27001 (None); HIPAA 164.308(a)(6)(i)
Incident response
IR-4 Incident Handling
The organization:
a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
b. Coordinates incident handling activities with contingency planning activities; and
c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly.
Mappings: ISO/IEC 27001 A.6.1.2, A.13.2.2, A.13.2.3; COBIT PO9.5, PO9.6, DS8.2; HIPAA 164.308(a)(6)(ii)
Incident response
IR-5 Incident Monitoring
The organization tracks and documents information system security incidents.
Mappings: ISO/IEC 27001 (None); COBIT DS8.2, DS8.4; HIPAA 164.308(a)(6)(ii), 164.308(a)(1)(ii)(D)
Incident response
IR-6 Incident Reporting
The organization:
a. Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time period]; and
b. Reports security incident information to designated authorities.
Mappings: ISO/IEC 27001 A.6.1.6, A.13.1.1; COBIT DS5.6; HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(6)(ii), 164.314(a)(2)(i)
Incident response
IR-7 Incident Response Assistance
The organization provides an incident response support resource integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents.
Mappings: ISO/IEC 27001 (None); COBIT DS8.1; HIPAA 164.308(a)(6)(ii)
Incident response
IR-8 Incident Response Plan
The organization:
a. Develops an incident response plan that:
• Provides the organization with a roadmap for implementing its incident response capability;
• Describes the structure and organization of the incident response capability.
Mappings: ISO/IEC 27001 (None)
Table 10.5 Maintenance Controls
Columns: CONTROL FAMILY | COMPLIANT (YES/NO) | CONTROL MAPPINGS
Maintenance
MA-1 System Maintenance Policy and Procedures
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented information system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the information system maintenance policy and associated system maintenance controls.
Mappings: ISO/IEC 27001 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.9.2.4, A.10.1.1, A.15.1.1, A.15.2.1; COBIT PC5; HIPAA 164.310(a)(2)(iv)
Maintenance
MA-2 Controlled Maintenance
The organization:
a. Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements;
b. Controls all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
c. Requires that a designated official explicitly approves the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;
d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs; and
e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions.
Mappings: ISO/IEC 27001 A.9.2.4; COBIT AI2.10; HIPAA 164.310(a)(2)(iv)
Maintenance
MA-3 Maintenance Tools
The organization approves, controls, monitors the use of, and maintains on an ongoing basis, information system maintenance tools.
Supplemental guidance: The intent of this control is to address the security-related issues arising from the hardware and software brought into the information system specifically for diagnostic and repair actions (e.g., a hardware or software packet sniffer that is introduced for the purpose of a particular maintenance activity). Hardware and/or software components that may support information system maintenance, yet are a part of the system (e.g., the software implementing “ping,” “ls,” “ipconfig,” or the hardware and software implementing the monitoring port of an Ethernet switch) are not covered by this control. Related to MP-6.
Mappings: ISO/IEC 27001 A.9.2.4, A.11.4.4
Maintenance
MA-4 Non-Local Maintenance
The organization:
a. Authorizes, monitors, and controls non-local maintenance and diagnostic activities;
b. Allows the use of non-local maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;
c. Employs strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions;
d. Maintains records for non-local maintenance and diagnostic activities; and
e. Terminates all sessions and network connections when non-local maintenance is completed.
Mappings: ISO/IEC 27001 A.9.2.4, A.11.4.4
Maintenance
MA-5 Maintenance Personnel
The organization:
a. Establishes a process for maintenance personnel authorization and maintains a current list of authorized maintenance organizations or personnel; and
b. Ensures that personnel performing maintenance on the information system have required access authorizations or designates organizational personnel with required access authorizations and technical competence deemed necessary to supervise information system maintenance when maintenance personnel do not possess the required access authorizations.
Mappings: ISO/IEC 27001 A.9.2.4, A.12.4.3; HIPAA 164.308(a)(3)(ii)(A)
Maintenance
MA-6 Timely Maintenance
The organization obtains maintenance support and/or spare parts for [Assignment: organization-defined list of security-critical information system components and/or key information technology components] within [Assignment: organization-defined time period] of failure.
Mappings: ISO/IEC 27001 A.9.2.4; HIPAA 164.310(a)(2)(iv)
Table 10.6 Media Protection Controls
Columns: CONTROL FAMILY | COMPLIANT (YES/NO) | CONTROL MAPPINGS
Media protection
MP-1 Media Protection Policy and Procedures
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the media protection policy and associated media protection controls.
Mappings: ISO/IEC 27001 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.10.1.1, A.10.7.1, A.10.7.2, A.10.7.3, A.11.1.1, A.15.1.1, A.15.1.3, A.15.2.1; COBIT DS11.1, DS11.6, PC5; HIPAA 164.310(d)(1)
Media protection
MP-2 Media Access
The organization restricts access to [Assignment: organization-defined types of digital and non-digital media] to [Assignment: organization-defined list of authorized individuals] using [Assignment: organization-defined security measures].
Mappings: ISO/IEC 27001 A.7.2.2, A.10.7.1, A.10.7.3; COBIT DS11.6; HIPAA 164.308(a)(3)(ii)(A)
Media protection
MP-3 Media Marking
The organization:
a. Marks, in accordance with organizational policies and procedures, removable information system media and information system output indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and
b. Exempts [Assignment: organization-defined list of removable media types] from marking as long as the exempted items remain within [Assignment: organization-defined controlled areas].
Mappings: ISO/IEC 27001 A.7.2.2, A.10.7.1, A.10.7.3; COBIT DS11.6; HIPAA 164.310(c), 164.310(d)(1)
Media protection
MP-4 Media Storage
The organization:
a. Physically controls and securely stores [Assignment: organization-defined types of digital and non-digital media] within [Assignment: organization-defined controlled areas] using [Assignment: organization-defined security measures];
b. Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
Mappings: ISO/IEC 27001 A.10.7.1, A.10.7.3, A.10.7.4, A.15.1.3; COBIT DS11.2, DS11.6; HIPAA 164.310(c), 164.310(d)(1), 164.310(d)(2)(iv)
Media protection
MP-5 Media Transport
The organization:
a. Protects and controls [Assignment: organization-defined types of digital and non-digital media] during transport outside of controlled areas using [Assignment: organization-defined security measures];
b. Maintains accountability for information system media during transport outside of controlled areas; and
c. Restricts the activities associated with transport of such media to authorized personnel.
Mappings: ISO/IEC 27001 A.9.2.5, A.9.2.7, A.10.7.1, A.10.7.3, A.10.8.3; COBIT DS11.4, DS11.6; HIPAA 164.310(d)(1), 164.310(d)(2)(iii), 164.312(c)(1)
Media protection
MP-6 Media Sanitization
The organization:
a. Sanitizes information system media, both digital and nondigital, prior to disposal, release out of organizational control, or release for reuse; and
b. Employs sanitization mechanisms with strength and integrity commensurate with the classification or sensitivity of the information.
Mappings: ISO/IEC 27001 A.9.2.6, A.10.7.1, A.10.7.2, A.10.7.3; COBIT DS11.4, DS11.6; HIPAA 164.310(d)(1), 164.310(d)(2)(i)
Table 10.7 Physical and Environmental Protection Controls
Columns: CONTROL FAMILY | COMPLIANT (YES/NO) | CONTROL MAPPINGS
Physical and environmental protection
PE-1 Physical and Environmental Protection Policy and Procedures
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls.
Mappings: ISO/IEC 27001 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.9.1.4, A.9.2.1, A.9.2.2, A.10.1.1, A.11.1.1, A.11.2.1, A.11.2.2, A.15.1.1, A.15.2.1; COBIT DS12.1, DS12.5, PC5; HIPAA 164.310(a)(1), 164.310(a)(2)(ii), 164.310(a)(2)(iii)
Physical and environmental protection
PE-2 Physical Access Authorizations
The organization:
a. Develops and keeps current a list of personnel with authorized access to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible);
b. Issues authorization credentials;
c. Reviews and approves the access list and authorization credentials [Assignment: organization-defined frequency], removing from the access list personnel no longer requiring access.
Mappings: ISO/IEC 27001 A.9.1.5, A.11.2.1, A.11.2.2, A.11.2.4; COBIT DS12.3; HIPAA 164.310(a)(1), 164.310(a)(2)(iii)
Physical and environmental protection
PE-3 Physical Access Control
The organization:
a. Enforces physical access authorizations for all physical access points (including designated entry/exit points) to the facility where the information system resides (excluding those areas within the facility officially designated as publicly accessible);
b. Verifies individual access authorizations before granting access to the facility;
c. Controls entry to the facility containing the information system using physical access devices and/or guards;
d. Controls access to areas officially designated as publicly accessible in accordance with the organization’s assessment of risk;
e. Secures keys, combinations, and other physical access devices;
f. Inventories physical access devices [Assignment: organization-defined frequency]; and
g. Changes combinations and keys [Assignment: organization-defined frequency] and when keys are lost, combinations are compromised, or individuals are transferred or terminated.
Mappings: ISO/IEC 27001 A.9.1.1, A.9.1.2, A.9.1.3, A.9.1.5, A.9.1.6, A.11.3.2, A.11.4.4; COBIT DS12.2; HIPAA 164.310(a)(1), 164.310(a)(2)(iii), 164.310(b), 164.310(c)
Physical and environmental protection
PE-4 Access Control for Transmission Medium
The organization controls physical access to information system distribution and transmission lines within organizational facilities.
Mappings: ISO/IEC 27001 A.9.1.3, A.9.1.5, A.9.2.3; COBIT DS5.7, DS12.2; HIPAA 164.310(a)(1), 164.310(c)
Physical and environmental protection
PE-5 Access Control for Output Devices
The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.
Mappings: ISO/IEC 27001 A.9.1.2, A.9.1.3, A.10.6.1, A.11.3.2; COBIT DS12.2; HIPAA 164.310(b), 164.310(c), 164.310(a)(1)
Physical and environmental protection
PE-6 Monitoring Physical Access
The organization:
a. Monitors physical access to the information system to detect and respond to physical security incidents;
b. Reviews physical access logs [Assignment: organization-defined frequency]; and
c. Coordinates results of reviews and investigations with the organization’s incident response capability.
Mappings: ISO/IEC 27001 A.9.1.2, A.9.1.5, A.10.10.2; COBIT DS12.3; HIPAA 164.310(a)(2)(iii)
Physical and environmental protection
PE-7 Visitor Control
The organization controls physical access to the information system by authenticating visitors before authorizing access to the facility where the information system resides other than areas designated as publicly accessible.
Mappings: ISO/IEC 27001 A.9.1.2, A.9.1.5, A.9.1.6; COBIT DS12.3; HIPAA 164.310(a)(2)(iii)
Physical and environmental protection
PE-8 Access Records
The organization:
a. Maintains visitor access records to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible); and
b. Reviews visitor access records [Assignment: organization-defined frequency].
Mappings: ISO/IEC 27001 A.9.1.5, A.10.10.2, A.15.2.1; COBIT DS12.3; HIPAA 164.310(a)(2)(iii)
Physical and environmental protection
PE-9 Power Equipment and Power Cabling
The organization protects power equipment and power cabling for the information system from damage and destruction.
Mappings: ISO/IEC 27001 A.9.1.4, A.9.2.2, A.9.2.3; COBIT DS12.4
Physical and environmental protection
PE-10 Emergency Shutoff
The organization:
a. Provides the capability of shutting off power to the information system or individual system components in emergency situations;
b. Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel; and
c. Protects emergency power shutoff capability from unauthorized activation.
Mappings: ISO/IEC 27001 A.9.1.4; COBIT DS12.4
Physical and environmental protection
PE-11 Emergency Power
The organization provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system in the event of a primary power source loss.
Supplemental guidance: This control, to include any enhancements specified, may be satisfied by similar requirements fulfilled by another organizational entity other than the information security program. Organizations avoid duplicating actions already covered.
Mappings: ISO/IEC 27001 A.9.1.4, A.9.2.2; COBIT DS12.4
Physical and environmental protection
PE-12 Emergency Lighting
The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption, and that covers emergency exits and evacuation routes within the facility.
Mappings: ISO/IEC 27001 A.9.2.2; COBIT DS12.4
Physical and environmental protection
PE-13 Fire Protection
The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.
Mappings: ISO/IEC 27001 A.9.1.4; COBIT DS12.4
Physical and environmental protection
PE-14 Temperature and Humidity Controls
The organization:
a. Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and
b. Monitors temperature and humidity levels [Assignment: organization-defined frequency].
Mappings: ISO/IEC 27001 A.9.2.2; COBIT DS12.4
Physical and environmental protection
PE-15 Water Damage Protection
The organization protects the information system from damage resulting from water leakage by providing master shutoff valves that are accessible, working properly, and known to key personnel.
Mappings: ISO/IEC 27001 A.9.1.4; COBIT DS12.4
Physical and environmental protection
PE-16 Delivery and Removal
The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility, and maintains records of those items.
Mappings: ISO/IEC 27001 A.9.1.6, A.9.2.7, A.10.7.1; COBIT DS12.2
Physical and environmental protection
PE-17 Alternate Work Site
The organization:
a. Employs [Assignment: organization-defined management, operational, and technical information system security controls] at alternate work sites;
b. Assesses as feasible, the effectiveness of security controls at alternate work sites; and
c. Provides a means for employees to communicate with information security personnel in case of security incidents or problems.
Mappings: ISO/IEC 27001 A.9.2.5, A.11.7.2; HIPAA 164.310(a)(2)(i)
Physical and environmental protection
PE-18 Location of Information System Components
The organization positions information system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access.
Mappings: ISO/IEC 27001 A.9.2.1, A.11.3.2; COBIT DS12.1; HIPAA 164.310(c)
Physical and environmental protection
PE-19 Information Leakage
The organization protects the information system from information leakage due to electromagnetic signals emanations.
Mappings: ISO/IEC 27001 A.12.5.4; COBIT DS12.2
Table 10.8 Personnel Security Controls
Columns: CONTROL FAMILY | COMPLIANT (YES/NO) | CONTROL MAPPINGS
Personnel security
PS-1 Personnel Security Policy and Procedures
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the personnel security policy and associated personnel security controls.
Mappings: ISO/IEC 27001 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.10.1.1, A.15.1.1, A.15.2.1; COBIT PC5, PO4.6, PO7.3; HIPAA 164.308(a)(3)(ii)(A), 164.308(a)(3)(ii)(B), 164.308(a)(3)(ii)(C)
Personnel security
PS-2 Position Categorization
The organization:
a. Assigns a risk designation to all positions;
b. Establishes screening criteria for individuals filling those positions; and
c. Reviews and revises position risk designations [Assignment: organization-defined frequency].
Mappings: ISO/IEC 27001 A.8.1.1; COBIT PO4.13, PO7.3; HIPAA 164.308(a)(3)(ii)(B)
Personnel security
PS-3 Personnel Screening
The organization:
a. Screens individuals prior to authorizing access to the information system; and
b. Rescreens individuals according to [Assignment: organization-defined list of conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening].
Mappings: ISO/IEC 27001 A.8.1.2; COBIT PO7.6; HIPAA 164.308(a)(3)(ii)(B)
Personnel security
PS-4 Personnel Termination
The organization, upon termination of individual employment:
a. Terminates information system access;
b. Conducts exit interviews;
c. Retrieves all security-related organizational information system-related property; and
d. Retains access to organizational information and information systems formerly controlled by terminated individual.
Mappings: ISO/IEC 27001 A.8.3.1, A.8.3.2, A.8.3.3; COBIT PO7.8; HIPAA 164.308(a)(3)(ii)(C)
Personnel security
PS-5 Personnel Transfer
The organization reviews logical and physical access authorizations to information systems/facilities when personnel are reassigned or transferred to other positions within the organization and initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action].
Mappings: ISO/IEC 27001 A.8.3.1, A.8.3.2, A.8.3.3; COBIT PO7.8; HIPAA 164.308(a)(3)(ii)(C)
Personnel security
PS-6 Access Agreements
The organization:
a. Ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access; and
b. Reviews/updates the access agreements [Assignment: organization-defined frequency].
Mappings: ISO/IEC 27001 A.6.1.5, A.8.1.1, A.8.1.3, A.8.2.1, A.9.1.5, A.10.8.1, A.11.7.1, A.11.7.2, A.15.1.5; COBIT DS5.4; HIPAA 164.308(a)(3)(ii)(A), 164.308(a)(3)(ii)(B), 164.308(a)(4)(ii)(B), 164.310(b), 164.310(d)(2)(iii), 164.314(a)(1), 164.314(a)(2)(i), 164.314(a)(2)(ii)
Personnel security: PS-7 Third-Party Personnel Security
The organization:
a. Establishes personnel security requirements including security roles and responsibilities for third-party providers;
b. Documents personnel security requirements; and
c. Monitors provider compliance.
Control mappings: ISO/IEC 27001 A.6.2.3, A.8.1.1, A.8.2.1, A.8.1.3; COBIT PO4.14, DS2.2; HIPAA 164.308(a)(3)(ii)(A), 164.308(a)(4)(ii)(B), 164.308(b)(1), 164.314(a)(1), 164.314(a)(2)(i), 164.314(a)(2)(ii)

Personnel security: PS-8 Personnel Sanctions
The organization employs a formal sanctions process for personnel failing to comply with established information security policies and procedures.
Control mappings: ISO/IEC 27001 A.8.2.3, A.15.1.5; HIPAA 164.308(a)(1)(ii)(C)

Table 10.9 System and information integrity controls
Columns: CONTROL FAMILY | COMPLIANT (YES/NO) | CONTROL MAPPINGS

System and information integrity: SI-1 System and Information Integrity Policy and Procedures
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls.
Control mappings: ISO/IEC 27001 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.10.1.1, A.15.1.1, A.15.2.1; COBIT® PO2.4, PC5; HIPAA 164.312(c)(1)

System and information integrity: SI-2 Flaw Remediation
The organization:
a. Identifies, reports, and corrects information system flaws;
b. Tests software updates related to flaw remediation for effectiveness and potential side effects on organizational information systems before installation; and
c. Incorporates flaw remediation into the organizational configuration management process.
Control mappings: ISO/IEC 27001 A.10.10.5, A.12.5.2, A.12.6.1, A.13.1.2

System and information integrity: SI-3 Malicious Code Protection
The organization:
a. Employs malicious code protection mechanisms at information system entry and exit points and at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code:
• Transported by electronic mail, electronic mail attachments, Web accesses, removable media, or other common means; or
• Inserted through the exploitation of information system vulnerabilities;
b. Updates malicious code protection mechanisms (including signature definitions) whenever new releases are available in accordance with organizational configuration management policy and procedures;
c. Configures malicious code protection mechanisms to:
• Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources as the files are downloaded, opened, or executed in accordance with organizational security policy; and
• [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and
d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.
Control mappings: ISO/IEC 27001 A.10.4.1; COBIT DS5.9; HIPAA 164.308(a)(5)(ii)(B)

System and information integrity: SI-4 Information System Monitoring
The organization:
a. Monitors events on the information system in accordance with [Assignment: organization-defined monitoring objectives] and detects information system attacks;
b. Identifies unauthorized use of the information system;
c. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization;
d. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the nation based on law enforcement information, intelligence information, or other credible sources of information; and
e. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, executive orders, directives, policies, or regulations.
Control mappings: ISO/IEC 27001 A.10.10.2, A.13.1.1, A.13.1.2; COBIT PO2.4, DS5.5, DS5.10; HIPAA 164.308(a)(5)(ii)(B), 164.308(a)(1)(ii)(D)

System and information integrity: SI-5 Security Alerts, Advisories, and Directives
The organization:
a. Receives information system security alerts, advisories, and directives from designated external organizations on an ongoing basis;
b. Generates internal security alerts, advisories, and directives as deemed necessary;
c. Disseminates security alerts, advisories, and directives to [Assignment: organization-defined list of personnel (identified by name and/or by role)]; and
d. Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.
Control mappings: ISO/IEC 27001 A.6.1.6, A.12.6.1, A.13.1.1, A.13.1.2; HIPAA 164.308(a)(5)(ii)(A)

System and information integrity: SI-6 Security Functionality Verification
The information system verifies the correct operation of security functions [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; periodically every [Assignment: organization-defined time-period]] and [Selection (one or more): notifies system administrator; shuts the system down; restarts the system; [Assignment: organization-defined alternative action(s)]] when anomalies are discovered.
Control mappings: ISO/IEC 27001 (None)

System and information integrity: SI-7 Software and Information Integrity
The information system detects unauthorized changes to software and information.
Control mappings: ISO/IEC 27001 A.10.4.1, A.12.2.2, A.12.2.3; COBIT PO2.4, AI2.4, DS5.9; HIPAA 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i)

System and information integrity: SI-8 Spam Protection
The organization:
a. Employs spam protection mechanisms at information system entry and exit points and at workstations, servers, or mobile computing devices on the network to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses, or other common means; and
b. Updates spam protection mechanisms (including signature definitions) when new releases are available in accordance with organizational configuration management policy and procedures.
Control mappings: ISO/IEC 27001 (None); COBIT DS5.9; HIPAA 164.308(a)(5)(ii)(B)

System and information integrity: SI-9 Information Input Restrictions
The organization restricts the capability to input information to the information system to authorized personnel.
Control mappings: ISO/IEC 27001 A.10.8.1, A.11.1.1, A.11.2.2, A.12.2.2; COBIT AC1, AC2

System and information integrity: SI-10 Information Input Validation
The information system checks the validity of information inputs.
Control mappings: ISO/IEC 27001 A.12.2.1, A.12.2.2; COBIT AC3, AC4, AC6

System and information integrity: SI-11 Error Handling
The information system:
a. Identifies potentially security-relevant error conditions;
b. Generates error messages that provide information necessary for corrective actions without revealing [Assignment: organization-defined sensitive or potentially harmful information] in error logs and administrative messages that could be exploited by adversaries; and
c. Reveals error messages only to authorized personnel.
Control mappings: ISO/IEC 27001 (None); COBIT AC5

System and information integrity: SI-12 Information Output Handling and Retention
The organization handles and retains both information within and output from the information system in accordance with applicable federal laws, executive orders, directives, policies, regulations, standards, and operational requirements.
Control mappings: ISO/IEC 27001 A.10.7.3, A.15.1.3, A.15.1.4, A.15.2.1; COBIT AC5, DS11.1, DS11.6

System and information integrity: SI-13 Predictable Failure Prevention
The organization:
a. Protects the information system from harm by considering mean time to failure for [Assignment: organization-defined list of information system components] in specific environments of operation; and
b. Provides substitute information system components, when needed, and a mechanism to exchange active and standby roles of the components.
Control mappings: ISO/IEC 27001 (None)

Suggested Reading
National Institute of Standards and Technology (NIST). August 2009. Special Publication 800-53 Rev 3: Recommended security controls for federal information systems and organizations. http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf
IT Governance Institute. 2007. Mapping of NIST SP 800-53 Rev 1 with COBIT 4.1. http://www.itgi.org
National Institute of Standards and Technology (NIST). October 2008. An introductory resource guide for implementing the Health Insurance Portability and Accountability Act (HIPAA) security rule. http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf
International Organization for Standardization (ISO). ISO/IEC 27001:2005 Information Security Management Systems—Requirements. http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=42103
International Organization for Standardization (ISO). ISO/IEC 27002:2005 Information technology—Security techniques—Code of practice for information security management. http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=50297
Department of Health and Human Services, Office of the Secretary. February 20, 2003. 45 CFR Parts 160, 162, and 164 Health insurance reform: Security standards; Final rule. Federal Register 68(24). http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityrulepdf.pdf