
3/28/23, 3:46 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 1/60

10

Operational Controls

Practical Security Considerations

There is no such thing as a free lunch.

Attributed to Milton Friedman, 1912–2006

The controls specified in this chapter are the operational controls, or those controls that govern the ongoing operational processes impacting security spanning multiple departments. This chapter, along with the preceding security control chapters (Chapter 8 on managerial controls and Chapter 9 on technical controls), completes the controls necessary for building the foundation for an information security program. Each listing of the operational control family is preceded with some practical security considerations for reviewing the family of controls. These controls are also mapped to COBIT 4.1, ISO 27001:2005, and the Health Insurance Portability and Accountability Act (HIPAA) where a relationship between them exists.

Awareness and Training Controls

The awareness and training control family (AT) shown in Table 10.1 serves to ensure that individuals within the organization have the appropriate level of training. All users of the organization need some level of training, and this includes all management levels and all end users. Records need to be maintained demonstrating that everyone has taken the training. End users need awareness training primarily so that they know what is expected of them, when a security breach has occurred, and how to report the breach. Executive management will also need the same training, potentially supplemented with training around risk management as it relates to security. Role-based training can provide technical staff with security-specific education, such as the network administrator on securing a firewall, the security analyst on Security Information and Event Management (SIEM), or the server engineer on securing Windows/Unix servers. Additionally, management may need training for a new identity management system or for handling terminations. The entire organization may need additional refresher training on a monthly basis.

End user awareness training should be provided prior to accessing the computer system and on an annual basis at a minimum. Chapter 12 provides more ideas for security training.

Configuration Management Controls

The configuration management control family (CM), as shown in Table 10.2, provides control of the configuration setting baselines and their ongoing integrity. Once the baseline is decided upon, there should be a periodic review to ensure that the baselines are being kept up with the latest changes by the issuing agency (e.g., Defense Information Systems Agency). The appropriate team members for the particular baseline (server, desktop, firewall, database, mainframe, etc.) should meet and determine the changes required to the baseline. The new baseline can then be constructed and applied according to the baseline procedures to all the devices of that type. Exceptions to the baseline standard need to be documented. The deviations from the baseline can be captured with automated tools, provided the upfront work has been done to populate the tool with the existing baseline.
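The baseline-versus-exception logic described above, as an added example that is not code from the book: a check that compares a device's scanned settings against the baseline for its device type, treats every difference as a deviation unless a documented and unexpired exception approves it, and reports what the change control board still has to act on. The device type, setting names, ticket references and dates are constructed sample data.

```python
"""Baseline compliance check with documented exceptions (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed sample baseline: device type -> setting -> required value.
# In practice this is populated once from the issuing agency's checklist.
BASELINES: Dict[str, Dict[str, str]] = {
    "linux-server": {
        "ssh.PermitRootLogin": "no",
        "ssh.PasswordAuthentication": "no",
        "audit.enabled": "yes",
        "telnet.enabled": "no",
    },
}


@dataclass(frozen=True)
class ApprovedException:
    """A documented deviation approved by the change control board."""
    device: str
    setting: str
    approved_value: str
    ticket: str      # reference to the approval record (constructed)
    expires: date    # exceptions are time-boxed and must be re-approved


@dataclass(frozen=True)
class Finding:
    setting: str
    expected: str
    actual: Optional[str]   # None when the setting is absent on the device
    status: str             # "deviation", "approved_exception", "expired_exception"
    ticket: Optional[str] = None


def check_device(device_type: str, device: str, settings: Dict[str, str],
                 exceptions: List[ApprovedException], today: date) -> List[Finding]:
    """Return one Finding per baseline setting the device does not meet."""
    baseline = BASELINES[device_type]
    approved = {e.setting: e for e in exceptions if e.device == device}
    findings: List[Finding] = []
    for setting in sorted(baseline):
        expected = baseline[setting]
        actual = settings.get(setting)
        if actual == expected:
            continue
        exc = approved.get(setting)
        if exc is None or exc.approved_value != actual:
            # No exception exists, or the device drifted past what was approved.
            findings.append(Finding(setting, expected, actual, "deviation"))
        elif exc.expires < today:
            findings.append(Finding(setting, expected, actual, "expired_exception", exc.ticket))
        else:
            findings.append(Finding(setting, expected, actual, "approved_exception", exc.ticket))
    return findings


def is_compliant(findings: List[Finding]) -> bool:
    """Compliant means every remaining gap is covered by a current exception."""
    return all(f.status == "approved_exception" for f in findings)


def needs_ccb_action(findings: List[Finding]) -> List[Finding]:
    """Deviations and expired exceptions are what the CCB must follow up on."""
    return [f for f in findings if f.status != "approved_exception"]


# Constructed sample inputs: one web server's scanned settings, one exception,
# and the two review dates used to show an exception before and after expiry.
WEB01_SETTINGS = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "yes",   # approved for a legacy deploy tool
    "audit.enabled": "yes",
    "telnet.enabled": "yes",               # never approved: a deviation
}
EXCEPTIONS = [
    ApprovedException("web01", "ssh.PasswordAuthentication", "yes",
                      ticket="CCB-0412", expires=date(2024, 12, 31)),
]
AS_OF = date(2024, 6, 1)
AFTER_EXPIRY = date(2025, 1, 15)

if __name__ == "__main__":
    for f in check_device("linux-server", "web01", WEB01_SETTINGS, EXCEPTIONS, AS_OF):
        print(f"{f.setting:28} expected={f.expected!r:6} actual={f.actual!r:6} "
              f"{f.status} {f.ticket or ''}")
```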

Change control is a difficult area in which to ensure that changes are properly authorized and subsequently approved for production implementation before they are implemented. Programmers and those responsible for the infrastructure components may be pressed for time to implement a change and not receive proper approval beforehand. A change control board (CCB) can be very beneficial in this case, with individuals tracking the production implementations and following up on individuals who have not received the appropriate approvals. Managing the change control process provides the traceability of subsequent changes to the system.

Contingency Planning Controls

The contingency planning control family (CP) ensures that the systems can be brought up in a reasonable amount of time in the event of a disaster. These controls, shown in Table 10.3, typically require that some form of testing be done to ensure that the system can be brought up in a reasonable time. The testing identifies gaps in the documentation and highlights information that may have been left out, such as a file or the knowledge of an administrator password that halted the testing. If an outsourced data center company handles these functions, testing should still be performed to determine whether the network at the site will be available in the event of a disaster.

Business continuity plans should be written for each department to ensure they are ready in the event of a disaster, not only in terms of the computing platform, but also where they will work and how the equipment will be configured or delivered to a remote location, or for a work-at-home scenario.

Incident Response Controls

The incident response control family (IR), as shown in Table 10.4, ensures that the organization has a predefined mechanism in place to respond to an incident. Security incidents can range from not sending sensitive information encrypted through e-mail to having the infrastructure penetrated through the use of structured query language (SQL) injection on the public-facing website, for example. Not all incidents will be of the magnitude to invoke the formation of a computer security incident response team (CSIRT); however, the CSIRT procedure created by the organization should spell out the conditions under which the CSIRT will be invoked. A senior management crisis management team for significant events, such as threats of violence, bomb threats, and emergency weather conditions, should be established. These teams need to be in place prior to the incidents occurring.

Incidents should be simulated by creating a scenario and walking through what would be done in the event of a crisis or a technical outage caused by an event, such as malware, antivirus, or an advanced persistent threat (APT) targeted toward the organization.

Maintenance Controls


The maintenance control family (MA) shown in Table 10.5 ensures that the equipment is properly maintained by having contracts in place, service level agreements, spare parts available, and routine maintenance performed. Exposing the device to the employees of an external vendor carries the risk that the software, firmware, or data may be modified to create a subsequent entry point into the system, or that information could be disclosed. The device also needs to be properly maintained and serviced on a regular basis to ensure appropriate availability. Contracts should be in place for spare parts availability, with 4 hours not being an unreasonable time frame in most cases. In the case of workstations or desktops, for most organizations, having alternate equipment on-site can alleviate the need for immediate spare parts from a vendor. In this case, there should be agreements with hardware manufacturers to replace the items under warranty and documented procedures for handling the return of equipment.

There should be contracts in place for each computing platform in the environment. Mainframe contracts typically come in the form of a master services agreement with an annual renewal signoff. Procedures should also be in place for when vendors are required to service the equipment on-site, to ensure they are escorted, as well as procedures for vendor remote access. Vendors that require infrequent connections to the equipment could be granted one-time IDs/passwords along with secure tokens to access the equipment. The access should also be logged, specifying the individual using the ID and the business reason for the access.

Media Protection Controls


The media protection control family (MP) controls shown in Table 10.6 address information wherever it may be stored. As the perimeter of the organization is disappearing, with information moving closer to the end user (i.e., the information resides on laptops, USB drives, compact disks, DVDs, smartphones, and other types of flash memory chips), care must be taken to ensure that only authorized individuals have the ability to copy information to these external sources. Due to the massive amount of information that can be stored on a portable drive (multiple terabytes) or a USB stick (upward of 64 GB), these devices must be carefully managed.

Workstations can be locked down with technology to permit only certain users to write to an external device or CD/DVD writer. Due to the mobile nature and size of these devices, an encryption method should be chosen by the organization to encrypt either the media, using the software that comes with the USB drive, or the files themselves prior to placing them on the media. At least 128-bit encryption should be used, and AES-256 encryption is desirable. Some encryption products are FIPS 140-2 certified, which provides the highest level of encryption and is suitable for most organizations.

Policies regarding media disposal need to ensure that appropriate tracking and sanitization of the devices is performed prior to disposal, along with retention of the disposal records. The organization should be able to know where the devices are located from birth to death of the device. This is no easy task in larger organizations where devices are reimaged frequently and redeployed to other users.

Media protection also extends to paper forms of information and to policies and procedures that support clean desk policies (i.e., no visible confidential information during the day, locked up during business off-hours), shredding of documents, and which items are approved for dumpster disposal. On-site shredding of paper, tapes, and CDs avoids the tracking of information sent off-site and the risks of information being intercepted or not being properly shredded.

Physical and Environmental Protection Controls

The physical and environmental protection control family (PE) controls listed in Table 10.7 address the need for physical controls around the facility for employees, contractors, and visitors, as well as the environmental controls for the computing equipment in the local area network (LAN) rooms and data centers. Just as the logical access controls need to be addressed with authorizations for access, periodic recertifications, terminating access, and restricting access to sensitive areas, the physical access controls need these same controls. An organization may employ multiple methods of achieving the physical controls, including security guards, proximity readers, piggybacking policies, visitor sign-in, temporary badge issuance, guard stations, and so forth. One of the more difficult areas of managing the physical security for an organization is the lack of integration between the physical security systems capturing the ingress/egress to the buildings and the identity management systems authorizing the approval. Manual reconciliation between the systems is necessary to demonstrate that the access was removed from the physical system. As companies merge, investments are required to merge the security systems of multiple offices. Small offices may also not have the same capabilities as systems purchased for the larger offices and may need to be managed separately.

The fire suppression, temperature, and water controls generally focus on the data center and LAN room needs. Organizations need to decide how power outages will be addressed (uninterruptible power supply [UPS] and diesel generators), equipment that must also have contracts, periodic servicing, and testing. LAN closets need to be secured so that only staff requiring access to perform their jobs can enter, and unused ports should be disabled.

Personnel Security Controls

The personnel security control family (PS) controls listed in Table 10.8 seek to place human resource policies and procedures around the employees to ensure that the individuals have backgrounds without damaging criminal histories, that their access is appropriately removed when they are no longer working for the company or have transferred to a different division, and finally that they understand their responsibilities with respect to the security controls while they are working for the company and after they have left the company.

Background checks must be completed before the employee is permitted to work for the company. To ensure that this happens, the information security department could withhold the login ID and password until the human resources department has provided evidence that the background check has been completed. This would serve as a secondary control to ensure the action took place. Individuals also need to be rescreened on a periodic basis. The simplest way to achieve this is to perform rescreens on those determined to be in sensitive positions (e.g., the information technology [IT] department, finance department, administrators) at the same time. Otherwise, the overhead of tracking individuals based upon anniversary dates, without an automated system to administer this process, could be manually intensive. For any contractors that are performing work on behalf of the company, the company may either request a background check or require that the contracting firm provide evidence that a background check has been completed and is satisfactory.

Sanction policies must be in place to provide enforcement of the controls. The information security department should view itself as the provider of the supporting evidence for the infraction; however, the incident is best handled between human resources or ethics/compliance, the individual, and his or her manager. The security department can provide support for the events that occurred.

Due to the strong linkage between employee on-boarding, compliance with security controls while an associate, the termination procedures, and the access provisioning performed by the information security department, an equally strong relationship between human resources and information security should be maintained. Documenting the information flows between the human resource information systems (HRIS) and the identity management system can identify gaps in the processes.
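One way to perform the reconciliation called for in both the physical and environmental section (identity management versus the physical access system) and the personnel security section (HRIS versus identity management), as an added example that is not code from the book: starting from the HR system's record of who has been terminated, it flags logical accounts and badges that are still active, and surfaces accounts or badges for which HR has no record at all. Every employee ID, status and date is constructed sample data, and the two boolean maps stand in for exports from the identity management and badge systems.

```python
"""Termination reconciliation across HRIS, identity management and badge system (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str                              # "active" or "terminated"
    termination_date: Optional[date] = None  # set when status is "terminated"


@dataclass(frozen=True)
class Gap:
    employee_id: str
    system: str                 # "idm" (logical account) or "badge" (physical access)
    issue: str                  # "active_after_termination" or "no_hr_record"
    days_open: Optional[int] = None   # days since termination, when known


def reconcile(hr: List[HrRecord], idm_enabled: Dict[str, bool],
              badge_active: Dict[str, bool], as_of: date) -> List[Gap]:
    """Compare HR's view of employment against what each access system still allows.

    Only enabled accounts and active badges can be gaps; a disabled one needs no action.
    """
    hr_by_id = {r.employee_id: r for r in hr}
    gaps: List[Gap] = []
    for system, state in (("idm", idm_enabled), ("badge", badge_active)):
        for emp_id, enabled in sorted(state.items()):
            if not enabled:
                continue
            rec = hr_by_id.get(emp_id)
            if rec is None:
                # Access exists for someone HR does not know about (orphan or undocumented contractor).
                gaps.append(Gap(emp_id, system, "no_hr_record"))
            elif rec.status == "terminated":
                days = (as_of - rec.termination_date).days if rec.termination_date else None
                gaps.append(Gap(emp_id, system, "active_after_termination", days))
    return gaps


def overdue(gaps: List[Gap], grace_days: int) -> List[Gap]:
    """Gaps older than the agreed de-provisioning window, for escalation."""
    return [g for g in gaps if g.days_open is not None and g.days_open > grace_days]


# Constructed sample exports from the three systems and the reconciliation date.
HR_RECORDS = [
    HrRecord("E100", "active"),
    HrRecord("E200", "terminated", date(2024, 5, 20)),
    HrRecord("E300", "terminated", date(2024, 5, 30)),
]
IDM_ENABLED = {"E100": True, "E200": False, "E300": True, "E500": True}
BADGE_ACTIVE = {"E100": True, "E200": True, "E300": False, "E400": True}
AS_OF = date(2024, 6, 3)

if __name__ == "__main__":
    for g in reconcile(HR_RECORDS, IDM_ENABLED, BADGE_ACTIVE, AS_OF):
        print(f"{g.employee_id} {g.system:5} {g.issue:25} days_open={g.days_open}")
```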

System and Information Integrity Controls

System and information integrity controls (SI) listed in Table 10.9 focus on providing controls to protect the systems environment and handling such issues as malicious code; spam; systems monitoring; flaw remediation; and ensuring that applications are coded correctly with appropriate input validation, error handling, and consistent failure prevention. Antivirus, antimalware, and antispyware products should be installed at the entry points, such as servers, desktops, and firewalls, to restrict the entry of malicious traffic, in addition to the security awareness programs on these topics. Processes need to be built to manage the exceptions (e.g., when the antivirus update is not applied to the desktops within a specified frequency, such as 1 to 3 days after distribution to the servers) to ensure that all desktops are appropriately being addressed within the system. There may be issues with the software pushing the updates or with the asset inventory that need to be rectified. End users should be made aware of the effects of malicious code, as well as having the technical infrastructure to support them in the event a wrong decision is made.
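The exception process described above, as an added example that is not code from the book: a report that reconciles the asset inventory against what the antivirus console reports, applying the rule that a desktop should have the new signature set within a set number of days of its distribution to the servers. Each desktop lands in one bucket so the right team can act on it: a push problem, an inventory problem, or nothing to do. The hostnames, signature version strings and dates are constructed sample data.

```python
"""Antivirus update exception report against the asset inventory (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


@dataclass(frozen=True)
class AvStatus:
    """What the antivirus console reports for one host."""
    signature: str
    last_update: date


@dataclass(frozen=True)
class Distribution:
    """The signature set the servers distributed and when it reached them."""
    signature: str
    released: date


def classify_desktops(inventory: List[str], console: Dict[str, AvStatus],
                      dist: Distribution, as_of: date, max_lag_days: int) -> Dict[str, List[str]]:
    """Bucket every desktop by why it does or does not need exception handling."""
    buckets: Dict[str, List[str]] = {
        "current": [],        # already on the distributed signature set
        "within_window": [],  # behind, but the allowed lag has not elapsed yet
        "overdue": [],        # behind past the window: the push mechanism needs attention
        "not_reporting": [],  # in inventory but unknown to the console: agent or inventory problem
        "unknown_asset": [],  # seen by the console but missing from inventory: inventory needs fixing
    }
    days_since_release = (as_of - dist.released).days
    for host in sorted(inventory):
        status = console.get(host)
        if status is None:
            buckets["not_reporting"].append(host)
        elif status.signature == dist.signature:
            buckets["current"].append(host)
        elif days_since_release <= max_lag_days:
            buckets["within_window"].append(host)
        else:
            buckets["overdue"].append(host)
    for host in sorted(set(console) - set(inventory)):
        buckets["unknown_asset"].append(host)
    return buckets


def exceptions_to_work(buckets: Dict[str, List[str]]) -> List[str]:
    """Hosts that someone must follow up on, regardless of which team owns the cause."""
    return sorted(buckets["overdue"] + buckets["not_reporting"] + buckets["unknown_asset"])


# Constructed sample inputs: the inventory, the console export, one distribution,
# the lag the text cites (3 days) and two check dates on either side of it.
INVENTORY = ["ws01", "ws02", "ws03"]
CONSOLE = {
    "ws01": AvStatus("2024.06.03.1", date(2024, 6, 3)),
    "ws02": AvStatus("2024.05.28.2", date(2024, 5, 28)),
    "ws99": AvStatus("2024.06.03.1", date(2024, 6, 4)),
}
DIST = Distribution("2024.06.03.1", date(2024, 6, 3))
MAX_LAG_DAYS = 3
EARLY_CHECK = date(2024, 6, 5)
AS_OF = date(2024, 6, 7)

if __name__ == "__main__":
    report = classify_desktops(INVENTORY, CONSOLE, DIST, AS_OF, MAX_LAG_DAYS)
    for bucket, hosts in report.items():
        print(f"{bucket:14} {', '.join(hosts) or '-'}")
```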

Application code must be written such that information that would be useful to an intruder is not displayed. Input data needs to be validated to avoid buffer overruns and other programming errors, which could provide elevated command line access. This all works in concert with the systems development life cycle process, whereby secure coding guidelines would be established and certified to, either by attestation or by the completion of a checklist indicating which guidelines were incorporated into the development.

Table 10.1 Awareness and Training Controls

Columns in the original: Control Family | Control | Compliant (Yes/No) | Control Mappings. The Compliant (Yes/No) column is left blank for the reviewing organization to fill in. Control family for every row: Awareness and training.

AT-1 Security Awareness and Training Policy and Procedures
  Control: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a. A formal, documented security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Formal, documented procedures to facilitate the implementation of the security awareness and training policy, and associated security awareness and training controls.
  Mappings: ISO/IEC 27001 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.10.1.1, A.15.1.1, A.15.2.1; COBIT DS7.1, PC5; HIPAA 164.308(a)(5)(i)

AT-2 Security Awareness
  Control: The organization provides basic security awareness training to all information system users (including managers, senior executives, and contractors) as part of initial training for new users, when required by system changes, and [Assignment: organization-defined frequency] thereafter.
  Mappings: ISO/IEC 27001 A.6.2.2, A.8.1.1, A.8.2.2, A.9.1.5, A.10.4.1; COBIT PO7.4; HIPAA 164.308(a)(5)(i), 164.308(a)(5)(ii)(B)

AT-3 Security Training
  Control: The organization provides role-based security-related training: (i) before authorizing access to the system or performing assigned duties; (ii) when required by system changes; and (iii) [Assignment: organization-defined frequency] thereafter.
  Mappings: ISO/IEC 27001 A.8.1.1, A.8.2.2, A.9.1.5; COBIT PO7.4, DS7.2; HIPAA 164.308(a)(5)(i)

AT-4 Security Training Records
  Control: The organization: a. Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and b. Retains individual training records for [Assignment: organization-defined time period].
  Mappings: ISO/IEC 27001 (None); COBIT DS7.2; HIPAA 164.308(a)(5)(i)

AT-5 Contacts with Security Groups and Associations
  Control: The organization establishes and institutionalizes contact with selected groups and associations within the security community: to facilitate ongoing security education and training for organizational personnel; and to share current security-related information including threats, vulnerabilities, and incidents.
  Mappings: ISO/IEC 27001 A.6.1.7; HIPAA 164.308(a)(5)(i)

Table 10.2 Configuration Management Controls

Columns in the original: Control Family | Control | Compliant (Yes/No) | Control Mappings. The Compliant (Yes/No) column is left blank for the reviewing organization to fill in. Control family for every row: Configuration management.

CM-1 Configuration Management Policy and Procedures
  Control: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a. A formal, documented configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Formal, documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.
  Mappings: ISO/IEC 27001 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.10.1.1, A.10.1.2, A.12.4.1, A.12.5.1, A.15.1.1, A.15.2.1; COBIT DS9.1, PC5, PO2.1, AI6.1

CM-2 Baseline Configuration
  Control: The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.
  Mappings: ISO/IEC 27001; COBIT DS9.1, PO1.6, PO2.1

CM-3 Configuration Change Control
  Control: The organization: a. Determines the types of changes to the information system that are configuration controlled; b. Approves configuration-controlled changes to the system with explicit consideration for security impact analyses; c. Documents approved configuration-controlled changes to the system; d. Retains and reviews records of configuration-controlled changes to the system; e. Audits activities associated with configuration-controlled changes to the system; and f. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
  Mappings: ISO/IEC 27001 A.10.1.1, A.10.1.2, A.10.3.2, A.12.4.1, A.12.5.1, A.12.5.2, A.12.5.3; COBIT DS9.2, AI6.1, AI6.3

CM-4 Security Impact Analysis
  Control: The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.
  Mappings: ISO/IEC 27001 A.10.1.2, A.10.3.2, A.12.4.1, A.12.5.2, A.12.5.3; COBIT DS5.5, DS9.3

CM-5 Access Restrictions for Change
  Control: The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.
  Mappings: ISO/IEC 27001 A.10.1.2, A.11.1.1, A.11.6.1, A.12.4.1, A.12.4.3, A.12.5.3

CM-6 Configuration Settings
  Control: The organization: a. Establishes and documents mandatory configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b. Implements the configuration settings; c. Identifies, documents, and approves exceptions from the mandatory configuration settings for individual components within the information system based on explicit operational requirements; and d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
  Mappings: ISO/IEC 27001 (None)

CM-7 Least Functionality
  Control: The organization configures the information system to provide only essential capabilities and specifically prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined list of prohibited or restricted functions, ports, protocols, and/or services].
  Mappings: ISO/IEC 27001 (None)

CM-8 Information System Component Inventory
  Control: The organization develops, documents, and maintains an inventory of information system components that: a. Accurately reflects the current information system; b. Is consistent with the authorization boundary of the information system; c. Is at the level of granularity deemed necessary for tracking and reporting; d. Includes [Assignment: organization-defined information deemed necessary to achieve effective property accountability]; and e. Is available for review and audit by designated organizational officials.
  Mappings: ISO/IEC 27001 A.7.1.1, A.7.1.2

CM-9 Configuration Management Plan
  Control: The organization develops, documents, and implements a configuration management plan for the information system that: a. Addresses roles, responsibilities, and configuration management processes and procedures; b. Defines the configuration items for the information system and when in the system development life cycle the configuration items are placed under configuration management; and c. Establishes the means for identifying configuration items throughout the system development life cycle and a process for managing the configuration of the configuration items.
  Mappings: ISO/IEC 27001 A.6.1.3, A.7.1.1, A.7.1.2, A.8.1.1, A.10.1.1, A.10.1.2, A.10.3.2, A.12.4.1, A.12.4.3, A.12.5.1, A.12.5.2, A.12.5.3

Table 10.3 Contingency Planning Controls

CONTROL

FAMILY

COMPLIANT

(YES/NO)

CONTROL MAPPINGS

Contingency

planning

CP-1 Contingency Planning Policy

And Procedures

The organization develops,

disseminates, and reviews/updates

[Assignment:

organization defined frequency]:

a A formal, documented

contingency planning policy that

addresses purpose, scope, roles,

responsibilities, management

commitment, coordination among

organizational entities, and

compliance; and

b. Formal, documented procedures

to facilitate the implementation of

the contingency planning policy

and associated contingency

planning controls.

ISO/IEC 27001

A.5.1.1, A.5.1.2,

A.6.1.1, A.6.1.3,

A.8.1.1, A.9.1.4,

A.10.1.1, A.10.1.2,

A.14.1.1, A.14.1.3,

A.15.1.1, A.15.2.1

COBIT ®

PC5,DS4.1

HIPAA 164.308(a)

(7)(i)

3/28/23, 3:46 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 20/60

Contingency planning | CP-2 Contingency Plan
The organization:
a. Develops a contingency plan for the information system that:
• Identifies essential missions and business functions and associated contingency requirements;
• Provides recovery objectives, restoration priorities, and metrics;
• Addresses contingency roles, responsibilities, assigned individuals with contact information;
• Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
• Addresses eventual, full information system restoration without deterioration of the security measures originally planned and implemented; and
• Is reviewed and approved by designated officials within the organization;
b. Distributes copies of the contingency plan to [Assignment: organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency];
e. Revises the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; and
f. Communicates contingency plan changes to [Assignment: organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements].
Mappings: ISO/IEC 27001 A.6.1.2, A.9.1.4, A.10.3.1, A.14.1.1, A.14.1.2, A.14.1.3, A.14.1.4, A.14.1.5; COBIT DS4.2; HIPAA 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(E), 164.310(a)(2)(i), 164.312(a)(2)(ii)


Contingency planning | CP-3 Contingency Training
The organization trains personnel in their contingency roles and responsibilities with respect to the information system and provides refresher training [Assignment: organization-defined frequency].
Mappings: ISO/IEC 27001 A.8.2.2, A.9.1.4, A.14.1.3; COBIT DS4.6; HIPAA 164.308(a)(7)(ii)(D)

Contingency planning | CP-4 Contingency Plan Testing and Exercises
The organization:
a. Tests and/or exercises the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests and/or exercises] to determine the plan’s effectiveness and the organization’s readiness to execute the plan; and
b. Reviews the contingency plan test/exercise results and initiates corrective actions.
Mappings: ISO/IEC 27001 A.6.1.2, A.9.1.4, A.14.1.1, A.14.1.3, A.14.1.4, A.14.1.5; COBIT DS4.2, DS4.5; HIPAA 164.308(a)(7)(ii)(D)

Contingency planning | CP-6 Alternate Storage Site
The organization establishes an alternate storage site including necessary agreements to permit the storage and recovery of information system backup information.
Mappings: ISO/IEC 27001 A.9.1.4, A.14.1.3; COBIT DS4.1, DS4.9; HIPAA 164.308(a)(7)(ii)(B), 164.310(a)(2)(i)

Contingency planning | CP-7 Alternate Processing Site
The organization:
a. Establishes an alternate processing site including necessary agreements to permit the resumption of information system operations for essential missions and business functions within [Assignment: organization-defined time period consistent with recovery time objectives] when the primary processing capabilities are unavailable; and
b. Ensures that equipment and supplies required to resume operations are available at the alternate site or contracts are in place to support delivery to the site in time to support the organization-defined time period for resumption.
Mappings: ISO/IEC 27001 A.9.1.4, A.14.1.3; COBIT DS4.1, DS4.8; HIPAA 164.308(a)(7)(ii)(B), 164.310(a)(2)(i)

Contingency planning | CP-8 Telecommunications Services
The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of information system operations for essential missions and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable.
Mappings: ISO/IEC 27001 A.9.1.4, A.10.6.1, A.14.1.3; COBIT DS4.1; HIPAA 164.308(a)(7)(ii)(B)

Contingency planning | CP-9 Information System Backup
The organization:
a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
d. Protects the confidentiality and integrity of backup information at the storage location.
Mappings: ISO/IEC 27001 A.9.1.4, A.10.5.1, A.14.1.3, A.15.1.3; COBIT DS4.2, DS11.5; HIPAA 164.308(a)(7)(ii)(A), 164.310(d)(2)(iv), 164.312(c)(1)

Contingency planning | CP-10 Information System Recovery and Reconstitution
The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.
Mappings: ISO/IEC 27001 A.9.1.4, A.14.1.3; COBIT DS4.8, DS11.5; HIPAA 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C)

Table 10.4 Incident Response Controls
CONTROL FAMILY | COMPLIANT (YES/NO) | CONTROL MAPPINGS

Incident response | IR-1 Incident Response Policy and Procedures
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the incident response policy and associated incident response controls.
Mappings: ISO/IEC 27001 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.10.1.1, A.13.1.1, A.13.2.1, A.15.1.1, A.15.2.1; COBIT® PO9.5, PO9.6, DS5.6, DS8.2, PC5; HIPAA 164.308(a)(6)(i)

Incident response | IR-2 Incident Response Training
The organization:
a. Trains personnel in their incident response roles and responsibilities with respect to the information system; and
b. Provides refresher training [Assignment: organization-defined frequency].
Mappings: ISO/IEC 27001 A.8.2.2; HIPAA 164.308(a)(6)(i)

Incident response | IR-3 Incident Response Testing and Exercises
The organization tests and/or exercises the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests and/or exercises] to determine the incident response effectiveness and documents the results.
Mappings: ISO/IEC 27001 (None); HIPAA 164.308(a)(6)(i)

Incident response | IR-4 Incident Handling
The organization:
a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
b. Coordinates incident handling activities with contingency planning activities; and
c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly.
Mappings: ISO/IEC 27001 A.6.1.2, A.13.2.2, A.13.2.3; COBIT PO9.5, PO9.6, DS8.2; HIPAA 164.308(a)(6)(ii)

Incident response | IR-5 Incident Monitoring
The organization tracks and documents information system security incidents.
Mappings: ISO/IEC 27001 (None); COBIT DS8.2, DS8.4; HIPAA 164.308(a)(6)(ii), 164.308(a)(1)(ii)(D)

Incident response | IR-6 Incident Reporting
The organization:
a. Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time period]; and
b. Reports security incident information to designated authorities.
Mappings: ISO/IEC 27001 A.6.1.6, A.13.1.1; COBIT DS5.6; HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(6)(ii), 164.314(a)(2)(i)

Incident response | IR-7 Incident Response Assistance
The organization provides an incident response support resource integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents.
Mappings: ISO/IEC 27001 (None); COBIT DS8.1; HIPAA 164.308(a)(6)(ii)

Incident response | IR-8 Incident Response Plan
The organization:
a. Develops an incident response plan that:
• Provides the organization with a roadmap for implementing its incident response capability;
• Describes the structure and organization of the incident response capability.
Mappings: ISO/IEC 27001 (None)

Table 10.5 Maintenance Controls
CONTROL FAMILY | COMPLIANT (YES/NO) | CONTROL MAPPINGS

Maintenance | MA-1 System Maintenance Policy and Procedures
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented information system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the information system maintenance policy and associated system maintenance controls.
Mappings: ISO/IEC 27001 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.9.2.4, A.10.1.1, A.15.1.1, A.15.2.1; COBIT® PC5; HIPAA 164.310(a)(2)(iv)


Maintenance | MA-2 Controlled Maintenance
The organization:
a. Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements;
b. Controls all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
c. Requires that a designated official explicitly approves the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;
d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs; and
e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions.
Mappings: ISO/IEC 27001 A.9.2.4; COBIT AI2.10; HIPAA 164.310(a)(2)(iv)


Maintenance | MA-3 Maintenance Tools
The organization approves, controls, monitors the use of, and maintains on an ongoing basis, information system maintenance tools.
Supplemental guidance: The intent of this control is to address the security-related issues arising from the hardware and software brought into the information system specifically for diagnostic and repair actions (e.g., a hardware or software packet sniffer that is introduced for the purpose of a particular maintenance activity). Hardware and/or software components that may support information system maintenance, yet are a part of the system (e.g., the software implementing “ping,” “ls,” “ipconfig,” or the hardware and software implementing the monitoring port of an Ethernet switch) are not covered by this control. Related to MP-6.
Mappings: ISO/IEC 27001 A.9.2.4, A.11.4.4

Maintenance | MA-4 Non-Local Maintenance
The organization:
a. Authorizes, monitors, and controls non-local maintenance and diagnostic activities;
b. Allows the use of non-local maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;
c. Employs strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions;
d. Maintains records for non-local maintenance and diagnostic activities; and
e. Terminates all sessions and network connections when non-local maintenance is completed.
Mappings: ISO/IEC 27001 A.9.2.4, A.11.4.4

Maintenance | MA-5 Maintenance Personnel
The organization:
a. Establishes a process for maintenance personnel authorization and maintains a current list of authorized maintenance organizations or personnel; and
b. Ensures that personnel performing maintenance on the information system have required access authorizations or designates organizational personnel with required access authorizations and technical competence deemed necessary to supervise information system maintenance when maintenance personnel do not possess the required access authorizations.
Mappings: ISO/IEC 27001 A.9.2.4, A.12.4.3; HIPAA 164.308(a)(3)(ii)(A)

Maintenance | MA-6 Timely Maintenance
The organization obtains maintenance support and/or spare parts for [Assignment: organization-defined list of security-critical information system components and/or key information technology components] within [Assignment: organization-defined time period] of failure.
Mappings: ISO/IEC 27001 A.9.2.4; HIPAA 164.310(a)(2)(iv)

Table 10.6 Media Protection Controls
CONTROL FAMILY | COMPLIANT (YES/NO) | CONTROL MAPPINGS

Media protection | MP-1 Media Protection Policy and Procedures
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the media protection policy and associated media protection controls.
Mappings: ISO/IEC 27001 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.10.1.1, A.10.7.1, A.10.7.2, A.10.7.3, A.11.1.1, A.15.1.1, A.15.1.3, A.15.2.1; COBIT® DS11.1, DS11.6, PC5; HIPAA 164.310(d)(1)

Media protection | MP-2 Media Access
The organization restricts access to [Assignment: organization-defined types of digital and non-digital media] to [Assignment: organization-defined list of authorized individuals] using [Assignment: organization-defined security measures].
Mappings: ISO/IEC 27001 A.7.2.2, A.10.7.1, A.10.7.3; COBIT DS11.6; HIPAA 164.308(a)(3)(ii)(A)

Media protection | MP-3 Media Marking
The organization:
a. Marks, in accordance with organizational policies and procedures, removable information system media and information system output indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and
b. Exempts [Assignment: organization-defined list of removable media types] from marking as long as the exempted items remain within [Assignment: organization-defined controlled areas].
Mappings: ISO/IEC 27001 A.7.2.2, A.10.7.1, A.10.7.3; COBIT DS11.6; HIPAA 164.310(c), 164.310(d)(1)

Media protection | MP-4 Media Storage
The organization:
a. Physically controls and securely stores [Assignment: organization-defined types of digital and non-digital media] within [Assignment: organization-defined controlled areas] using [Assignment: organization-defined security measures];
b. Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
Mappings: ISO/IEC 27001 A.10.7.1, A.10.7.3, A.10.7.4, A.15.1.3; COBIT DS11.2, DS11.6; HIPAA 164.310(c), 164.310(d)(1), 164.310(d)(2)(iv)

Media protection | MP-5 Media Transport
The organization:
a. Protects and controls [Assignment: organization-defined types of digital and non-digital media] during transport outside of controlled areas using [Assignment: organization-defined security measures];
b. Maintains accountability for information system media during transport outside of controlled areas; and
c. Restricts the activities associated with transport of such media to authorized personnel.
Mappings: ISO/IEC 27001 A.9.2.5, A.9.2.7, A.10.7.1, A.10.7.3, A.10.8.3; COBIT DS11.4, DS11.6; HIPAA 164.310(d)(1), 164.310(d)(2)(iii), 164.312(c)(1)

Media protection | MP-6 Media Sanitization
The organization:
a. Sanitizes information system media, both digital and nondigital, prior to disposal, release out of organizational control, or release for reuse; and
b. Employs sanitization mechanisms with strength and integrity commensurate with the classification or sensitivity of the information.
Mappings: ISO/IEC 27001 A.9.2.6, A.10.7.1, A.10.7.2, A.10.7.3; COBIT DS11.4, DS11.6; HIPAA 164.310(d)(1), 164.310(d)(2)(i)

Table 10.7 Physical and Environment Protection Controls
CONTROL FAMILY | COMPLIANT (YES/NO) | CONTROL MAPPINGS

Physical and environmental protection | PE-1 Physical and Environmental Protection Policy and Procedures
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls.
Mappings: ISO/IEC 27001 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.9.1.4, A.9.2.1, A.9.2.2, A.10.1.1, A.11.1.1, A.11.2.1, A.11.2.2, A.15.1.1, A.15.2.1; COBIT® DS12.1, DS12.5, PC5; HIPAA 164.310(a)(1), 164.310(a)(2)(ii), 164.310(a)(2)(iii)

Physical and environmental protection | PE-2 Physical Access Authorizations
The organization:
a. Develops and keeps current a list of personnel with authorized access to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible);
b. Issues authorization credentials;
c. Reviews and approves the access list and authorization credentials [Assignment: organization-defined frequency], removing from the access list personnel no longer requiring access.
Mappings: ISO/IEC 27001 A.9.1.5, A.11.2.1, A.11.2.2, A.11.2.4; COBIT DS12.3; HIPAA 164.310(a)(1), 164.310(a)(2)(iii)

Physical and environmental protection | PE-3 Physical Access Control
The organization:
a. Enforces physical access authorizations for all physical access points (including designated entry/exit points) to the facility where the information system resides (excluding those areas within the facility officially designated as publicly accessible);
b. Verifies individual access authorizations before granting access to the facility;
c. Controls entry to the facility containing the information system using physical access devices and/or guards;
d. Controls access to areas officially designated as publicly accessible in accordance with the organization’s assessment of risk;
e. Secures keys, combinations, and other physical access devices;
f. Inventories physical access devices [Assignment: organization-defined frequency]; and
g. Changes combinations and keys [Assignment: organization-defined frequency] and when keys are lost, combinations are compromised, or individuals are transferred or terminated.
Mappings: ISO/IEC 27001 A.9.1.1, A.9.1.2, A.9.1.3, A.9.1.5, A.9.1.6, A.11.3.2, A.11.4.4; COBIT DS12.2; HIPAA 164.310(a)(1), 164.310(a)(2)(iii), 164.310(b), 164.310(c)


Physical and environmental protection | PE-4 Access Control for Transmission Medium
The organization controls physical access to information system distribution and transmission lines within organizational facilities.
Mappings: ISO/IEC 27001 A.9.1.3, A.9.1.5, A.9.2.3; COBIT DS5.7, DS12.2; HIPAA 164.310(a)(1), 164.310(c)

Physical and environmental protection | PE-5 Access Control for Output Devices
The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.
Mappings: ISO/IEC 27001 A.9.1.2, A.9.1.3, A.10.6.1, A.11.3.2; COBIT DS12.2; HIPAA 164.310(b), 164.310(c), 164.310(a)(1)

Physical and environmental protection | PE-6 Monitoring Physical Access
The organization:
a. Monitors physical access to the information system to detect and respond to physical security incidents;
b. Reviews physical access logs [Assignment: organization-defined frequency]; and
c. Coordinates results of reviews and investigations with the organization’s incident response capability.
Mappings: ISO/IEC 27001 A.9.1.2, A.9.1.5, A.10.10.2; COBIT DS12.3; HIPAA 164.310(a)(2)(iii)

Physical and environmental protection | PE-7 Visitor Control
The organization controls physical access to the information system by authenticating visitors before authorizing access to the facility where the information system resides other than areas designated as publicly accessible.
Mappings: ISO/IEC 27001 A.9.1.2, A.9.1.5, A.9.1.6; COBIT DS12.3; HIPAA 164.310(a)(2)(iii)

Physical and environmental protection | PE-8 Access Records
The organization:
a. Maintains visitor access records to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible); and
b. Reviews visitor access records [Assignment: organization-defined frequency].
Mappings: ISO/IEC 27001 A.9.1.5, A.10.10.2, A.15.2.1; COBIT DS12.3; HIPAA 164.310(a)(2)(iii)


Physical and environmental protection | PE-9 Power Equipment and Power Cabling
The organization protects power equipment and power cabling for the information system from damage and destruction.
Mappings: ISO/IEC 27001 A.9.1.4, A.9.2.2, A.9.2.3; COBIT DS12.4

Physical and environmental protection | PE-10 Emergency Shutoff
The organization:
a. Provides the capability of shutting off power to the information system or individual system components in emergency situations;
b. Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel; and
c. Protects emergency power shutoff capability from unauthorized activation.
Mappings: ISO/IEC 27001 A.9.1.4; COBIT DS12.4

Physical and environmental protection | PE-11 Emergency Power
The organization provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system in the event of a primary power source loss.
Supplemental guidance: This control, to include any enhancements specified, may be satisfied by similar requirements fulfilled by another organizational entity other than the information security program. Organizations avoid duplicating actions already covered.
Mappings: ISO/IEC 27001 A.9.1.4, A.9.2.2; COBIT DS12.4

Physical and environmental protection | PE-12 Emergency Lighting
The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption, and that covers emergency exits and evacuation routes within the facility.
Mappings: ISO/IEC 27001 A.9.2.2; COBIT DS12.4

Physical and environmental protection | PE-13 Fire Protection
The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.
Mappings: ISO/IEC 27001 A.9.1.4; COBIT DS12.4

Physical and environmental protection | PE-14 Temperature and Humidity Controls
The organization:
a. Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and
b. Monitors temperature and humidity levels [Assignment: organization-defined frequency].
Mappings: ISO/IEC 27001 A.9.2.2; COBIT DS12.4

Physical and environmental protection | PE-15 Water Damage Protection
The organization protects the information system from damage resulting from water leakage by providing master shutoff valves that are accessible, working properly, and known to key personnel.
Mappings: ISO/IEC 27001 A.9.1.4; COBIT DS12.4

Physical and environmental protection | PE-16 Delivery and Removal
The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility, and maintains records of those items.
Mappings: ISO/IEC 27001 A.9.1.6, A.9.2.7, A.10.7.1; COBIT DS12.2

Physical and environmental protection | PE-17 Alternate Work Site
The organization:
a. Employs [Assignment: organization-defined management, operational, and technical information system security controls] at alternate work sites;
b. Assesses, as feasible, the effectiveness of security controls at alternate work sites; and
c. Provides a means for employees to communicate with information security personnel in case of security incidents or problems.
Mappings: ISO/IEC 27001 A.9.2.5, A.11.7.2; HIPAA 164.310(a)(2)(i)

Physical and environmental protection | PE-18 Location of Information System Components
The organization positions information system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access.
Mappings: ISO/IEC 27001 A.9.2.1, A.11.3.2; COBIT DS12.1; HIPAA 164.310(c)

Physical and environmental protection | PE-19 Information Leakage
The organization protects the information system from information leakage due to electromagnetic signals emanations.
Mappings: ISO/IEC 27001 A.12.5.4; COBIT DS12.2

Table 10.8 Personnel Security Controls
CONTROL FAMILY | COMPLIANT (YES/NO) | CONTROL MAPPINGS

Personnel security | PS-1 Personnel Security Policy and Procedures
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the personnel security policy and associated personnel security controls.
Mappings: ISO/IEC 27001 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.10.1.1, A.15.1.1, A.15.2.1; COBIT® PC5, PO4.6, PO7.3; HIPAA 164.308(a)(3)(ii)(A), 164.308(a)(3)(ii)(B), 164.308(a)(3)(ii)(C)

Personnel security | PS-2 Position Categorization
The organization:
a. Assigns a risk designation to all positions;
b. Establishes screening criteria for individuals filling those positions; and
c. Reviews and revises position risk designations [Assignment: organization-defined frequency].
Mappings: ISO/IEC 27001 A.8.1.1; COBIT PO4.13, PO7.3; HIPAA 164.308(a)(3)(ii)(B)

Personnel

security

PS-3 Personnel Screening

The organization:

a. Screens individuals prior to

authorizing access to the information

system; and

b. Rescreens individuals according to

[Assignment: organization-defined

list of conditions requiring

rescreening and, where rescreening

is so indicated, the frequency of such

rescreening].

ISO/IEC 27001

A.8.1.2

COBIT P07.6

HIPAA 164.308(a)

(3)(ii)(B)

3/28/23, 3:46 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 48/60

Personnel

security

PS-4 Personnel Termination

The organization, upon termination

of individual employment:

a. Terminates information system

access;

b. Conducts exit interviews;

c. Retrieves all security-related

organizational information system-

related property; and

d. Retains access to organizational

information and information systems

formerly controlled by terminated

individual.

ISO/IEC 27001

A.8.3.1, A.8.3.2,

A.8.3.3

COBIT P07.8

HIPAA 164.308(a)

(3)(ii)(C)

Personnel

security

PS-5 Personnel Transfer

The organization reviews logical and

physical access authorizations to

information systems/facilities when

personnel are reassigned or

transferred to other positions within

the organization and initiates

[Assignment: organization-defined

transfer or reassignment actions]

within [Assignment: organization-

defined time period following the

formal transfer action].

ISO/IEC 27001

A.8.3.1, A.8.3.2,

A.8.3.3

COBIT P07.8

HIPAA 164.308(a)

(3)(ii)(C)

3/28/23, 3:46 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 49/60

Personnel

security

PS-6 Access Agreements

The organization:

a. Ensures that individuals requiring

access to organizational information

and information systems sign

appropriate access agreements prior

to being granted access; and

b. Reviews/updates the access

agreements [Assignment:

organization-defined frequency].

ISO/IEC 27001

A.6.1.5, A.8.1.1,

A.8.1.3, A.8.2.1,

A.9.1.5, A.10.8.1,

A.11.7.1, A.11.7.2,

A.15.1.5

COBIT DS5.4

HIPAA 164.308(a)

(3)(ii)(A),

164.308(a)(3)(ii)

(B), 164.308(a) (4)

(ii)(B), 164.310(b),

164.310(d)(2) (iii),

164.314(a) (1),

164.314(a) (2)(i),

164.314(a) (2)(ii)

Personnel

security

PS-7 Third-Party Personnel Security

The organization:

a. Establishes personnel security

requirements including security

roles and responsibilities for third-

party providers;

b. Documents personnel security

requirements; and

c. Monitors provider compliance.

ISO/IEC 27001

A.6.2.3, A.8.1.1,

A.8.2.1, A.8.1.3

COBIT P04.14,

DS2.2

HIPAA 164.308(a)

(3)(ii)(A),

164.308(a)(4)(ii)

(B), 164.308(b) (1),

3/28/23, 3:46 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 50/60

164.314(a) (1),

164.314(a) (2)(i),

Personnel

security

PS-8 Personnel Sanctions

The organization employs a formal

sanctions process for personnel

failing to comply with established

information security policies and

procedures.

164.314(a)(2)(ii)

ISO/IEC 27001

A.8.2.3, A.15.1.5

HIPAA 164.308(a)

(1)(ii)(C)

Table 10.9 System and Information Integrity Controls

Columns: Control family | Control | Compliant (yes/no) | Control mappings

System and information integrity | SI-1 System and Information Integrity Policy and Procedures
  The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
  a. A formal, documented system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  b. Formal, documented procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls.
  Compliant (yes/no): ____
  Control mappings: ISO/IEC 27001 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.10.1.1, A.15.1.1, A.15.2.1; COBIT PO2.4, PC5; HIPAA 164.312(c)(1)

System and information integrity | SI-2 Flaw Remediation
  The organization:
  a. Identifies, reports, and corrects information system flaws;
  b. Tests software updates related to flaw remediation for effectiveness and potential side effects on organizational information systems before installation; and
  c. Incorporates flaw remediation into the organizational configuration management process.
  Compliant (yes/no): ____
  Control mappings: ISO/IEC 27001 A.10.10.5, A.12.5.2, A.12.6.1, A.13.1.2

System and information integrity | SI-3 Malicious Code Protection
  The organization:
  a. Employs malicious code protection mechanisms at information system entry and exit points and at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code:
     • Transported by electronic mail, electronic mail attachments, Web accesses, removable media, or other common means; or
     • Inserted through the exploitation of information system vulnerabilities;
  b. Updates malicious code protection mechanisms (including signature definitions) whenever new releases are available in accordance with organizational configuration management policy and procedures;
  c. Configures malicious code protection mechanisms to:
     • Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources as the files are downloaded, opened, or executed in accordance with organizational security policy; and
     • [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and
  d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.
  Compliant (yes/no): ____
  Control mappings: ISO/IEC 27001 A.10.4.1; COBIT DS5.9; HIPAA 164.308(a)(5)(ii)(B)

System and information integrity | SI-4 Information System Monitoring
  The organization:
  a. Monitors events on the information system in accordance with [Assignment: organization-defined monitoring objectives] and detects information system attacks;
  b. Identifies unauthorized use of the information system;
  c. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization;
  d. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the nation based on law enforcement information, intelligence information, or other credible sources of information; and
  e. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, executive orders, directives, policies, or regulations.
  Compliant (yes/no): ____
  Control mappings: ISO/IEC 27001 A.10.10.2, A.13.1.1, A.13.1.2; COBIT PO2.4, DS5.5, DS5.10; HIPAA 164.308(a)(5)(ii)(B), 164.308(a)(1)(ii)(D)

System and information integrity | SI-5 Security Alerts, Advisories, and Directives
  The organization:
  a. Receives information system security alerts, advisories, and directives from designated external organizations on an ongoing basis;
  b. Generates internal security alerts, advisories, and directives as deemed necessary;
  c. Disseminates security alerts, advisories, and directives to [Assignment: organization-defined list of personnel (identified by name and/or by role)]; and
  d. Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.
  Compliant (yes/no): ____
  Control mappings: ISO/IEC 27001 A.6.1.6, A.12.6.1, A.13.1.1, A.13.1.2; HIPAA 164.308(a)(5)(ii)(A)

System and information integrity | SI-6 Security Functionality Verification
  The information system verifies the correct operation of security functions [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; periodically every [Assignment: organization-defined time period]] and [Selection (one or more): notifies system administrator; shuts the system down; restarts the system; [Assignment: organization-defined alternative action(s)]] when anomalies are discovered.
  Compliant (yes/no): ____
  Control mappings: ISO/IEC 27001 (None)

System and information integrity | SI-7 Software and Information Integrity
  The information system detects unauthorized changes to software and information.
  Compliant (yes/no): ____
  Control mappings: ISO/IEC 27001 A.10.4.1, A.12.2.2, A.12.2.3; COBIT PO2.4, AI2.4, DS5.9; HIPAA 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i)

System and information integrity | SI-8 Spam Protection
  The organization:
  a. Employs spam protection mechanisms at information system entry and exit points and at workstations, servers, or mobile computing devices on the network to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses, or other common means; and
  b. Updates spam protection mechanisms (including signature definitions) when new releases are available in accordance with organizational configuration management policy and procedures.
  Compliant (yes/no): ____
  Control mappings: ISO/IEC 27001 (None); COBIT DS5.9; HIPAA 164.308(a)(5)(ii)(B)

System and information integrity | SI-9 Information Input Restrictions
  The organization restricts the capability to input information to the information system to authorized personnel.
  Compliant (yes/no): ____
  Control mappings: ISO/IEC 27001 A.10.8.1, A.11.1.1, A.11.2.2, A.12.2.2; COBIT AC1, AC2

System and information integrity | SI-10 Information Input Validation
  The information system checks the validity of information inputs.
  Compliant (yes/no): ____
  Control mappings: ISO/IEC 27001 A.12.2.1, A.12.2.2; COBIT AC3, AC4, AC6

System and information integrity | SI-11 Error Handling
  The information system:
  a. Identifies potentially security-relevant error conditions;
  b. Generates error messages that provide information necessary for corrective actions without revealing [Assignment: organization-defined sensitive or potentially harmful information] in error logs and administrative messages that could be exploited by adversaries; and
  c. Reveals error messages only to authorized personnel.
  Compliant (yes/no): ____
  Control mappings: ISO/IEC 27001 (None); COBIT AC5

System and information integrity | SI-12 Information Output Handling and Retention
  The organization handles and retains both information within and output from the information system in accordance with applicable federal laws, executive orders, directives, policies, regulations, standards, and operational requirements.
  Compliant (yes/no): ____
  Control mappings: ISO/IEC 27001 A.10.7.3, A.15.1.3, A.15.1.4, A.15.2.1; COBIT AC5, DS11.1, DS11.6

System and information integrity | SI-13 Predictable Failure Prevention
  The organization:
  a. Protects the information system from harm by considering mean time to failure for [Assignment: organization-defined list of information system components] in specific environments of operation; and
  b. Provides substitute information system components, when needed, and a mechanism to exchange active and standby roles of the components.
  Compliant (yes/no): ____
  Control mappings: ISO/IEC 27001 (None)
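As an added example (not from the book or from NIST SP 800-53), the three parts of SI-11 above implemented as a small Python error-handling layer: the full error condition is recorded in a protected log, the caller receives only an opaque reference, and the underlying detail is returned only to an authorized role. The security-relevant error classes, the authorized role name and the in-memory error log are all constructed assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# SI-11 a: hypothetical organization-defined list of security-relevant error classes.
SECURITY_RELEVANT_TYPES = {"PermissionError", "FileNotFoundError", "ValueError"}
# SI-11 c: hypothetical role permitted to see full error detail.
AUTHORIZED_ROLES = frozenset({"security-admin"})
# Constructed stand-in for the protected error log (a real system would use
# a write-restricted log sink that ordinary users cannot read).
ERROR_LOG: dict = {}


@dataclass
class ErrorResponse:
    reference: str          # opaque id linking the message to the logged detail
    message: str            # safe for any caller: no paths, queries or account names
    detail: Optional[str]   # full detail, populated only for authorized roles


def record_error(exc: Exception) -> str:
    """SI-11 a/b: keep the full condition in the protected log, return a reference."""
    ref = secrets.token_hex(8)
    kind = type(exc).__name__
    ERROR_LOG[ref] = {
        "type": kind,
        "detail": str(exc),   # may contain sensitive internals; never leaves the log
        "security_relevant": kind in SECURITY_RELEVANT_TYPES,
    }
    return ref


def handle_error(exc: Exception, requester_roles: set) -> ErrorResponse:
    """SI-11 b/c: the caller gets enough to report the problem (the reference),
    while the underlying detail is revealed only to authorized personnel."""
    ref = record_error(exc)
    message = f"The request could not be completed. Reference: {ref}"
    authorized = bool(requester_roles & AUTHORIZED_ROLES)
    return ErrorResponse(ref, message, ERROR_LOG[ref]["detail"] if authorized else None)


def lookup(ref: str, requester_roles: set) -> Optional[dict]:
    """Later retrieval of a logged error by reference, gated the same way."""
    if not requester_roles & AUTHORIZED_ROLES:
        return None
    return ERROR_LOG.get(ref)


if __name__ == "__main__":
    # Constructed failure carrying an internal path, exactly the kind of detail
    # that must not appear in a user-facing message.
    err = FileNotFoundError("/srv/app/config/db-credentials.json not found")
    resp = handle_error(err, {"end-user"})
    print(resp.message)                                   # reference only
    print(lookup(resp.reference, {"security-admin"}))     # full record
```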


Suggested Reading

National Institute of Standards and Technology (NIST). August 2009. Special Publication 800-53 Rev 3: Recommended security controls for federal information systems and organizations. http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf

IT Governance Institute. 2007. Mapping of NIST SP 800-53 Rev 1 with COBIT 4.1. http://www.itgi.org

National Institute of Standards and Technology (NIST). October 2008. An introductory resource guide for implementing the Health Insurance Portability and Accountability Act (HIPAA) security rule. http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf

International Organization for Standardization (ISO). ISO/IEC 27001:2005 Information Security Management Systems—Requirements. http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=42103

International Organization for Standardization (ISO). ISO/IEC 27002:2005 Information technology—Security techniques—Code of practice for information security management. http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=50297

Department of Health and Human Services, Office of the Secretary. February 20, 2003. 45 CFR Parts 160, 162, and 164 Health insurance reform: Security standards; Final rule. Federal Register 68(24). http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityrulepdf.pdf
