Question
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 1/90
10
Operational Controls
Practical Security Considerations
There is no such thing as a free lunch.
Attributed to Milton Friedman, 1912–2006
The controls specified in this chapter are the operational controls or
those controls that govern the ongoing operational processes impacting
security spanning multiple departments. This chapter, along with the pre-
ceding security control chapters (Chapter 8 on managerial controls and
Chapter 9 on technical controls) complete the controls necessary for
building the foundation for an information security program. Each listing
of the operational control family is preceded with some practical security
considerations for reviewing the family of controls. These controls are
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 2/90
also mapped to COBIT 4.1, ISO 27001:2005, and Health Insurance
Portability and Accountability Act (HIPAA) where a relationship between
them exists.
Awareness and Training Controls
The awareness and training control family (AT) shown in Table 10.1
serves to ensure that individuals within the organization have the appro-
priate level of training. All users of the organization need some level of
training, and this includes all management levels and all end users.
Records need to be maintained demonstrating that everyone has taken
the training. End users need awareness training primarily so that they
know what is expected of them, when a security breach has occurred,
and how to report the breach. Executive management will also need the
same training, potentially supplemented with training around risk man-
agement as it relates to security. Role-based training can provide techni-
cal staff with security-specific education, such as the network administra-
tor on securing a firewall, or the security analyst with Security
Information and Event Management (SIEM) training, or the server engi-
neer on securing Windows/Unix servers. Additionally, management may
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 3/90
need training for a new identity management system or handling termi-
nations. The entire organization may need additional refresher training
on a monthly basis.
End user awareness training should be provided prior to accessing the
computer system and on an annual basis at a minimum. In Chapter 12
more ideas for security training are provided.
Configuration Management Controls
The configuration management control family controls (CM), as shown in
Table 10.2, provide control of the configuration setting baselines and
their ongoing integrity. Once the baseline is decided upon, there should
be a periodic review to ensure that the baselines are being kept up with
the latest changes by the issuing agency (e.g., Defense Information
Systems Agency). The appropriate team members for the particular base-
line (server, desktop, firewall, database, mainframe, etc.) should meet
and determine the changes required to the baseline. The new baseline
can then be constructed and applied according to the baseline procedures
to all the devices of that type. Exceptions to the baseline standard need to
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 4/90
be documented. The deviations from the baseline can be captured with
automated tools, provided the upfront work has been done to populate
the tool with the existing baseline.
Change control is a difficult area to ensure that changes are properly
authorized for change and subsequently approved for production imple-
mentation prior to implementation. Programmers and those responsible
for the infrastructure components may be pressed for time to implement
a change and not receive proper approval beforehand. A change control
board (CCB) can be very beneficial in this case, with individuals tracking
the production implementations and following up on individuals that
have not received the appropriate approvals. Managing the change con-
trol process provides the traceability of subsequent changes to the
system.
Contingency Planning Controls
The contingency planning control family (CP) ensures that the systems
can be brought up in a reasonable amount of time in the event of a disas-
ter. These controls, shown in Table 10.3, typically require that some form
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 5/90
of testing be done to ensure that the system can be brought up in a rea-
sonable time. The testing identifies gaps in the documentation and high-
lights information that may have been left out, such as a file or the knowl-
edge of an administrator password that halted the testing. If an out-
sourced data center company handles these functions, testing should still
be performed to determine whether the network at the site will be avail-
able in the event of a disaster.
Business continuity plans should be written for each department to en-
sure they are ready in the event of a disaster, not only in terms of the
computing platform, but where will they work and how the equipment
will be configured or delivered to a remote location, or for a work-at-
home scenario.
Incident Response Controls
The incident response control family (IR), as shown in Table 10.4, ensures
that the organization has a predefined mechanism in place to respond to
an incident. Security incidents can range from not sending sensitive in-
formation encrypted through e-mail to having the infrastructure pene-
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 6/90
trated through the use of structured query language (SQL) injection on
the public facing website, for example. Not all incidents will be of the
magnitude to invoke the formation of a computer security incident re-
sponse team (CSIRT), however, the CSIRT procedure created by the orga-
nization should spell out the conditions by which the CSIRT team will be
invoked. A senior management crisis management team for significant
events, such as threats of violence, bomb threats, and emergency weather
conditions, should be established. These teams need to be in place prior
to the incidents occurring.
Incidents should be simulated by creating a scenario and walking
though what would be done in the event of a crisis or a technical outage
caused by an event, such as malware, antivirus, or an advanced persis-
tent threat (APT) targeted toward the organization.
Maintenance Controls
The maintenance control family (MA) shown in Table 10.5 ensures that
the equipment is properly maintained by having contracts in place, ser-
vice level agreements, spare parts available, and routine maintenance
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 7/90
performed. Exposing the device to the employees of an external vendor
carries the risk that the software, firmware, or data may be modified to
create a subsequent entry point into the system, or information could be
disclosed. The device also needs to be properly maintained and serviced
on a regular basis to ensure appropriate availability. Contracts should be
in place for spare parts availability, with 4 hours not being an unreason-
able time frame in most cases. In the case of workstations or desktops, for
most organizations, having alternate equipment on-site can alleviate the
need for immediate spare parts from a vendor. In this case, there should
be agreements with hardware manufacturers to replace the items under
warranty and documented procedures for handling the return of
equipment.
There should be contracts in place for each computing platform in the
environment. Mainframe contracts typically come in the form of a master
services agreement with an annual renewal signoff. Procedures should
also be in place for when vendors are required to service the equipment
on-site to ensure they are escorted, as well as procedures for vendor re-
mote access. Vendors that require infrequent connections to the equip-
ment could be granted one-time ID/passwords along with secure tokens to
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 8/90
access the equipment. The access should be also be logged, specifying the
individual using the ID and the business reason for the access.
Media Protection Controls
The media protection control family (MP) controls shown in Table 10.6
address information wherever it may be stored. As the perimeter of the
organization is disappearing with information moving closer to the end
user (i.e., the information resides on laptops, USB drives, compact disks,
DVDs, smartphones, and other types of flash memory chips), care must be
taken to ensure that only those authorized individuals have the ability to
copy information to these external sources. Due to the massive amount of
information that can be stored on a portable drive (multiterabytes), or a
USB stick (upward of 64 GB), these devices must be carefully managed.
Workstations can be locked down with technology to permit only cer-
tain users to write to an external device or CD/DVD writer. Due to the mo-
bile nature and size of these devices, an encryption method should be
chosen by the organization to encrypt either the media using the software
that comes with the USB drive or the files themselves prior to placing on
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 9/90
the media. At least 128-bit encryption, and AES-256 encryption is desir-
able. Some encryption products are FIPS 140-2 certified, which provides
the highest level of encryption and suitable for most organizations.
Policies regarding media disposal need to ensure that appropriate
tracking and sanitization of the devices is performed prior to disposal,
along with retention of the disposal records. The organization should be
able to know where the devices are located from birth to death of the de-
vice. This is no easy task in larger organizations where devices are reim-
aged frequently and redeployed to other users.
Media protection also extends to paper forms of information and poli-
cies and procedures to support clean desk policies (i.e., no visible confi-
dential information during the day, locked up during business off-hours),
shredding of documents, and which items are approved for dumpster dis-
posal. On-site shredding of paper, tapes, and CDs avoids the tracking of
information sent off-site and the risks of information being intercepted or
not being properly shredded.
Physical and Environmental Protection Controls
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 10/90
The physical and environmental protection control family (PE) controls
listed in Table 10.7 address the need for physical controls around the fa-
cility for employees, contractors, and visitors, as well as the environmen-
tal controls for the computing equipment in the local area networks
(LAN) rooms and data centers. Just as the logical access controls need to
be addressed with authorizations for access, periodic recertifi-cations,
terminating access, and restricting access to sensitive areas, the physical
access controls need these same controls. An organization may employ
multiple methods of achieving the physical controls, from security
guards, proximity readers, piggybacking policies, visitor sign-in, tempo-
rary badge issuance, guard stations, and so forth. One of the more diffi-
cult areas of managing the physical security for an organization is the
lack of integration between the physical security systems capturing the
ingress/egress to the buildings and the identity management systems au-
thorizing the approval. Manual reconciliation between the systems is nec-
essary to demonstrate that the access was removed from the physical sys-
tem. As companies merge, investments are required to merge the security
systems of multiple offices. Small offices may also not have the same ca-
pabilities as systems purchased for the larger offices and may need to be
managed separately.
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 11/90
The fire suppression, temperature, and water controls generally are fo-
cusing upon the data center and LAN room needs. Organizations need to
decide on how power outages will be addressed (uninterruptable power
supply [UPS]), and diesel generators, equipment that must also have con-
tracts and periodic servicing and testing. LAN closets need to be secured
to only staff requiring access to perform their jobs along with unused
ports disabled.
Personnel Security Controls
The personnel security control family (PS) controls listed in Table 10.8
seek to place human resource policies and procedures around the em-
ployees to ensure that the individuals have backgrounds without damag-
ing criminal histories, that their access is appropriately removed when
they are no longer working for the company or have transferred to a dif-
ferent division, and finally to ensure that they understand their responsi-
bilities with respect to the security controls while they are working for
the company and after they have left the company.
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 12/90
Background checks must be completed before the employee is permit-
ted to work for the company. To ensure that this happens, the informa-
tion security department could withhold the login ID and password until
the human resources department has provided evidence that the back-
ground check has been completed. This would serve as a secondary con-
trol to ensure the action took place. Individuals also need to be re-
screened on a periodic basis. The simplest way to achieve this is to per-
form rescreens on those determined to be in sensitive positions (e.g., the
information technology [IT] department, finance department, administra-
tors) at the same time. Otherwise, the overhead of tracking individuals
based upon anniversary dates, without an automated system to adminis-
ter this process, could be manually intensive. For any contractors that are
performing work on behalf of the company, the company may either re-
quest a background check, or require that the contracting firm provide
evidence that a background check has been completed and is satisfactory.
Sanction policies must be in place to provide enforcement of the con-
trols. The information security department should view itself as the
provider of the supporting evidence for the infraction; however, the inci-
dent is best handled between human resources or ethics/ compliance
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 13/90
with the individual and his or her manager. The security department can
provide support for the events that occurred.
Due to the strong linkage between the employees on-boarding, compli-
ance with security controls while an associate, and the termination proce-
dures and the access provisioning of the information security depart-
ment, an equally strong relationship between human resources and in-
formation security should be maintained. Documenting the information
flows between the human resource information systems (HRIS) and the
identity management system can identify gaps in the processes.
System and Information Integrity Controls
System and information integrity controls (SI) listed in Table 10.9 focus
on providing controls to protect the systems environment and handling
such issues as malicious code; spam; systems monitoring; flaw remedia-
tion; and ensuring that applications are coded correctly with appropriate
input validation, error handling, and consistent failure prevention.
Antivirus, malware, and spyware products should be installed at the en-
try points, such as servers, desktops, and firewalls, to restrict the entry of
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 14/90
malicious traffic, in addition to the security awareness programs on these
topics. Processes need to be built to manage the exceptions (e.g., when the
antivirus is not applied to the desktops within a specified frequency, such
as 1 to 3 days after distribution to the servers) to ensure that all desktops
are appropriately being addressed within the system. There may be is-
sues with the software pushing the updates or the asset inventory that
needs to be rectified. End users should be made aware of the effects of
malicious code as well as having the technical infrastructure to support
them in the event a wrong decision is made.
Application code must be written such that information that would be
useful to an intruder is not displayed. Input data needs to be validated to
avoid buffer overruns and other programming errors, which could pro-
vide elevated command line access. This all works in concert with the sys-
tems development life cycle process, whereby secure coding guidelines
would be established and certified to, either by attestation or the comple-
tion of a checklist indicating which guidelines were incorporated into the
development.
Table 10.1 Awareness and Training Controls
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 15/90
CONTROL
FAMILY
COMPLIANT
(YES/NO)
CONTROL MAPPINGS
Awareness
and
training
AT-1 Security Awareness and
Training Policy and Procedures
The organization develops,
disseminates, and
reviews/updates [Assignment:
organization defined
frequency]:
a. A formal, documented
security awareness and training
policy that addresses purpose,
scope, roles, responsibilities,
management commitment,
coordination among
organizational entities, and
compliance; and
b. Formal, documented
procedures to facilitate the
implementation of the security
ISO/IEC 27001
A.5.1.1,
A.5.1.2,
A.6.1.1,
A.6.1.3,
A.8.1.1,
A.10.1.1,
A.15.1.1,
A.15.2.1
COBIT DS7.1,
PCS
HIPAA
164.308(a) (5)
(i)
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 16/90
awareness and training policy,
and associated security
awareness and training
controls.
Awareness
and
training
AT-2 Security Awareness
The organization provides basic
security awareness training to
all information system users
(including managers, senior
executives, and contractors) as
part of initial training for new
users, when required by system
changes, and [Assignment:
organization-defined frequency]
thereafter.
ISO/IEC 27001
A.6.2.2,
A.8.1.1,
A.8.2.2,
A.9.1.5,
A.10.4.1
COBIT P07.4
HIPAA
164.308(a) (5)
(i), 164.308(a)
(5)(ii)(B)
Awareness
and
training
AT-3 Security Training
The organization provides role-
based security-related training:
(i) before authorizing access to
the system or performing
ISO/IEC 27001
A.8.1.1,
A.8.2.2, A.9.1.5
COBIT P07.4,
DS7.2
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 17/90
assigned duties; (ii) when
required by system changes;
and (iii) [Assignment:
organization-defined frequency]
thereafter.
HIPAA
164.308(a) (5)
(i)
Awareness
and
training
AT-4 Security Training Records
The organization:
a. Documents and monitors
individual information system
security training activities
including basic security
awareness training and specific
information system security
training; and
b. Retains individual training
records for [Assignment:
organization-defined time
period].
ISO/IEC 27001
(None)
COBIT DS7.2
HIPAA
164.308(a) (5)
(i)
Awareness
and
AT-5 Contacts with Security
Groups and Associations The
ISO/IEC 27001
A.6.1.7
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 18/90
training organization establishes and
institutionalizes contact with
selected groups and associations
within the security community:
• To facilitate ongoing security
education and training for
organizational personnel;
• To share current security-
related information including
threats, vulnerabilities, and
incidents.
HIPAA
164.308(a) (5)
(i)
Table 10.2 Configuration Management Controls
CONTROL
FAMILY
COMPLIANT
(YES/NO)
CONTROL MAPPINGS
Configuration
management
CM-1 Configuration
Management Policy and
Procedures
ISO/IEC 27001
A.5.1.1,
A.5.1.2,
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 19/90
The organization develops,
disseminates, and
reviews/updates
[Assignment: organization
defined frequency]:
a. A formal, documented
configuration management
policy that addresses
purpose, scope, roles,
responsibilities, management
commitment, coordination
among organizational
entities, and compliance; and
b. Formal, documented
procedures to facilitate the
implementation of the
configuration management
policy and associated
configuration management
controls.
A.6.1.1,
A.6.1.3,
A.8.1.1,
A.10.1.1,
A.10.1.2,
A.12.4.1,
A.12.5.1,
A.15.1.1,
A.15.2.1
COBIT ®
DS9.1,
PC5,P02.1,
AI6.1
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 20/90
Configuration
management
CM-2 Baseline Configuration
The organization develops,
documents, and maintains
under configuration control,
a current baseline
configuration of the
information system.
ISO/IEC 27001
COBIT DS9.1,
P01.6, P02.1
Configuration
management
CM-3 Configuration Change
Control The organization:
a. Determines the types of
changes to the information
system that are configuration
controlled;
b. Approves configuration-
controlled changes to the
system with explicit
consideration for security
impact analyses;
c. Documents approved
configuration-controlled
ISO/IEC 27001
A.10.1.1,
A.10.1.2,
A.10.3.2,
A.12.4.1,
A.12.5.1,
A.12.5.2,
A.12.5.3
COBIT DS9.2,
AI6.1, AI6.3
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 21/90
changes to the system;
d. Retains and reviews
records of configuration-
controlled changes to the
system;
e. Audits activities associated
with configuration-controlled
changes to the system; and
f. Coordinates and provides
oversight for configuration
change control activities
through [Assignment:
organization-defined
configuration change control
element (e.g., committee,
board] that convenes
[Selection (one or more):
[Assignment: organization-
defined frequency];
[Assignment: organization-
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 22/90
defined configuration change
conditions]].
Configuration
management
CM-4 Security Impact Analysis
The organization analyzes
changes to the information
system to determine potential
security impacts prior to
change implementation.
ISO/IEC 27001
A.10.1.2,
A.10.3.2,
A.12.4.1,
A.12.5.2,
A.12.5.3
COBIT DS5.5,
DS9.3
Configuration
management
CM-5 Access Restrictions for
Change
The organization defines,
documents, approves, and
enforces physical and logical
access restrictions associated
with changes to the
information system.
ISO/IEC 27001
A.10.1.2,
A.11.1.1,
A.11.6.1,
A.12.4.1,
A.12.4.3,
A.12.5.3
Configuration
management
CM-6 Configuration Settings
The organization:
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 23/90
a. Establishes and documents
mandatory configuration
settings for information
technology products
employed within the
information system using
[Assignment: organization-
defined security
configuration checklists] that
reflect the most restrictive
mode consistent with
operational requirements;
b. Implements the
configuration settings;
c. Identifies, documents, and
approves exceptions from the
mandatory configuration
settings for individual
components within the
information system based on
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 24/90
explicit operational
requirements; and
d. Monitors and controls
changes to the configuration
settings in accordance with
organizational policies and
procedures.
ISO/IEC 27001
(None)
Configuration
management
CM-7 Least Functionality
The organization configures
the information system to
provide only essential
capabilities and specifically
prohibits or restricts the use
of the following functions,
ports, protocols, and/or
services: [Assignment:
organization-defined list of
prohibited or restricted
functions, ports, protocols,
and/or services].
ISO/IEC 27001
(None)
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 25/90
Configuration
management
CM-8 Information System
Component Inventory
The organization develops,
documents, and maintains an
inventory of information
system components that:
a. Accurately reflects the
current information system;
b. Is consistent with the
authorization boundary of
the information system;
c. Is at the level of granularity
deemed necessary for
tracking and reporting;
d. Includes [Assignment:
organization-defined
information deemed
necessary to achieve effective
property accountability]; and
e. Is available for review and
ISO/IEC 27001
A.7.1.1, A.7.1.2
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 26/90
audit by designated
organizational officials.
Configuration
management
CM-9 Configuration
Management Plan
The organization develops,
documents, and implements
a configuration management
plan for the information
system that:
a. Addresses roles,
responsibilities, and
configuration management
processes and procedures;
ISO/IEC 27001
A.6.1.3.
A.7.1.1,
A.7.1.2,
A.8.1.1,
A.10.1.1,
A.10.1.2,
A.10.3.2,
A.12.4.1,
A.12.4.3,
A.12.5.1,
A.12.5.2,
A.12.5.3
b. Defines the configuration
items for the information
system and when in the
system development life
cycle the configuration items
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 27/90
are placed under
configuration management;
and
c. Establishes the means for
identifying configuration
items throughout the system
development life cycle and a
process for managing the
configuration of the
configuration items.
Table 10.3 Contingency Planning Controls
CONTROL
FAMILY
COMPLIANT
(YES/NO)
CONTROL MAPPINGS
Contingency
planning
CP-1 Contingency Planning
Policy And Procedures
The organization develops,
disseminates, and
ISO/IEC 27001
A.5.1.1, A.5.1.2,
A.6.1.1, A.6.1.3,
A.8.1.1, A.9.1.4,
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 28/90
reviews/updates
[Assignment:
organization defined
frequency]:
a A formal, documented
contingency planning policy
that addresses purpose,
scope, roles, responsibilities,
management commitment,
coordination among
organizational entities, and
compliance; and
b. Formal, documented
procedures to facilitate the
implementation of the
contingency planning policy
and associated contingency
planning controls.
A.10.1.1,
A.10.1.2,
A.14.1.1,
A.14.1.3,
A.15.1.1, A.15.2.1
COBIT ®
PC5,DS4.1
HIPAA
164.308(a)(7)(i)
Contingency
planning
CP-2 Contingency Plan
The organization:
ISO/IEC 27001
A.6.1.2, A.9.1.4,
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 29/90
a. Develops a contingency
plan for the information
system that:
• Identifies essential missions
and business functions and
associated contingency
requirements;
• Provides recovery
objectives, restoration
priorities, and metrics;
• Addresses contingency
roles, responsibilities,
assigned individuals with
contact information;
• Addresses maintaining
essential missions and
business functions despite an
information system
disruption, compromise, or
failure;
A.10.3.1,
A.14.1.1,
A.14.1.2,
A.14.1.3,
A.14.1.4, A.14.1.5
COBIT DS4.2
HIPAA
164.308(a) (7)(ii)
(B), 164.308(a)
(7)(ii) (C),
164.308(a)(7) (ii)
(E), 164.310(a)
(2)(i), 164.312(a)
(2)(ii)
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 30/90
• Addresses eventual, full
information system
restoration without
deterioration of the security
measures originally planned
and implemented; and
• Is reviewed and approved
by designated officials within
the organization;
b. Distributes copies of the
contingency plan to
[Assignment: organization-
defined list of key
contingency personnel
(identified by name and/or
by role) and organizational
elements];
c. Coordinates contingency
planning activities with
incident handling activities;
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 31/90
d. Reviews the contingency
plan for the information
system [Assignment:
organization-defined
frequency];
e. Revises the contingency
plan to address changes to
the organization,
information system, or
environment of operation
and problems encountered
during contingency plan
implementation, execution,
or testing; and
f. Communicates contingency
plan changes to [Assignment:
organization-defined list of
key contingency personnel
(identified by name and/or
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 32/90
by role) and organizational
elements].
Contingency
planning
CP-3 Contingency Training
The organization trains
personnel in their
contingency roles and
responsibilities with respect
to the information system
and provides refresher
training [Assignment:
organization defined
frequency].
ISO/IEC 27001
A.8.2.2, A.9.1.4,
A.14.1.3
COBIT DS4.6
HIPAA
164.308(a) (7)(ii)
(D)
Contingency
planning
CP-4 Contingency Plan Testing
and Exercises
The organization: a. Tests
and/or exercises the
contingency plan for the
information system
[Assignment: organization-
defined frequency] using
ISO/IEC 27001
A.6.1.2, A.9.1.4,
A.14.1.1,
A.14.1.3,
A.14.1.4, A.14.1.5
COBIT DS4.2,
DS4.5
HIPAA
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 33/90
[Assignment: organization-
defined tests and/or
exercises] to determine the
plan’s effectiveness and the
organization’s readiness to
execute the plan; and
164.308(a) (7)(ii)
(D)
b. Reviews the contingency
plan test/exercise results and
initiates corrective actions.
Contingency
planning
CP-6 Alternate Storage Site
The organization establishes
an alternate storage site
including necessary
agreements to permit the
storage and recovery of
information system backup
information.
ISO/IEC 27001
A.9.1.4,A.14.1.3
COBIT DS4.1,
DS4.9
HIPAA
164.308(a) (7)(ii)
(B), 164.310(a)
(2)(i)
Contingency
planning
CP-7 Alternate Processing Site
The organization:
a. Establishes an alternate
ISO/IEC 27001
A.9.1.4, A.14.1.3
COBIT DS4.1,
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 34/90
processing site including
necessary agreements to
permit the resumption of
information system
operations for essential
missions and business
functions within
[Assignment: organization-
defined time period
consistent with recovery time
objectives] when the primary
processing capabilities are
unavailable; and
b. Ensures that equipment
and supplies required to
resume operations are
available at the alternate site
or contracts are in place to
support delivery to the site in
time to support the
DS4.8
HIPAA
164.308(a) (7)(ii)
(B), 164.310(a)
(2)(i)
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 35/90
organization-defined time
period for resumption.
Contingency
planning
CP-8 Telecommunications
Services The organization
establishes alternate
telecommunications services
including necessary
agreements to permit the
resumption of information
system operations for
essential missions and
business functions within
[Assignment: organization-
defined time period] when
the primary
telecommunications
capabilities are unavailable.
ISO/IEC 27001
A.9.1.4, A.10.6.1,
A.14.1.3
COBIT DS4.1,
HIPAA
164.308(a) (7)(ii)
(B)
Contingency
planning
CP-9 Information System
Backup The organization:
a. Conducts backups of user-
ISO/IEC 27001
A.9.1.4, A.10.5.1,
A.14.1.3, A.15.1.3
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 36/90
level information contained
in the information system
[Assignment; organization-
defined frequency consistent
with recovery time and
recovery point objectives];
b. Conducts backups of
system-level information
contained in the information
system [Assignment:
organization-defined
frequency consistent with
recovery time and recovery
point objectives];
c. Conducts backups of
information system
documentation including
security-related
documentation [Assignment:
organization-defined
COBIT DS4.2,
DS11.5
HIPAA
164.308(a) (7)(N)
(A), 164.310(d)
(2) (iv),
164.312(c) (1)
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 37/90
frequency consistent with
recovery time and recovery
point objectives]; and
d. Protects the confidentiality
and integrity of backup
information at the storage
location.
Contingency
planning
CP-10 Information System
Recovery and Reconstitution
The organization provides
for the recovery and
reconstitution of the
information system to a
known state after a
disruption, compromise, or
failure.
ISO/IEC 27001
A.9.1.4, A.14.1.3
COBIT DS4.8,
DS11.5
HIPAA
164.308(a) (7)(ii)
(B), 164.308(a)
(7)(ii) (C)
Table 10.4 Incident Response Controls
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 38/90
CONTROL
FAMILY
COMPLIANT
(YES/NO)
CONTROL MAPPINGS
Incident
response
IR-1 Incident Response Policy And
Procedures
The organization develops,
disseminates, and
reviews/updates [Assignment:
organization defined frequency]:
a. A formal, documented incident
response policy that addresses
purpose, scope, roles,
responsibilities, management
commitment, coordination among
organizational entities, and
compliance; and
b. Formal, documented
procedures to facilitate the
implementation of the incident
response policy and associated
incident response controls.
ISO/IEC 27001
A.5.1.1,
A.5.1.2,
A.6.1.1,
A.6.1.3,
A.8.1.1,
A.10.1.1,
A.13.1.1,
A.13.2.1,
A.15.1.1,
A.15.2.1
COBIT ®
P09.5, P09.6,
DS5.6, DS8.2,
PC5
HIPAA
164.308(a)(6)
(i)
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 39/90
Incident
response
IR-2 Incident Response Training
The organization:
a. Trains personnel in their
incident response roles and
responsibilities with respect to the
information system; and
b. Provides refresher training
[Assignment: organization-defined
frequency].
ISO/IEC 27001
A.8.2.2
HIPAA
164.308(a) (6)
(i)
Incident
response
IR-3 Incident Response Testing and
Exercises
The organization tests and/or
exercises the incident response
capability for the information
system [Assignment: organization-
defined frequency] using
[Assignment: organization-defined
tests and/or exercises] to
determine the incident response
ISO/IEC 27001
(None)
HIPAA
164.308(a) (6)
(i)
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 40/90
effectiveness and documents the
results.
Incident
response
IR-4 Incident Handling
The organization:
a. Implements an incident
handling capability for security
incidents that includes
preparation, detection and
analysis, containment,
eradication, and recovery;
ISO/IEC 27001
A.6.1.2,
A.13.2.2,
A.13.2.3
COBIT P09.5,
P09.6, DS8.2
HIPAA
164.308(a) (6)
(ii)
b. Coordinates incident handling
activities with contingency
planning activities; and
c. Incorporates lessons learned
from ongoing incident handling
activities into incident response
procedures, training, and
testing/exercises, and implements
the resulting changes accordingly.
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 41/90
Incident
response
IR-5 Incident Monitoring The
organization tracks and
documents information system
security incidents.
ISO/IEC 27001
(None)
COBIT DS8.2,
DS8.4
HIPAA
164.308(a) (6)
(ii),
164.308(a)(1)
(ii) (D)
Incident
response
IR-6 Incident Reporting The
organization:
a. Requires personnel to report
suspected security incidents to the
organizational incident response
capability within [Assignment:
organization-defined time-period];
and
b. Reports security incident
information to designated
authorities.
ISO/IEC 27001
A.6.1.6,
A.13.1.1
COBIT DS5.6
HIPAA
164.308(a)
(D(ii)(D),
164.308(a)(6)
(ii),
164.314(a)(2)
(i)
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 42/90
Incident
response
IR-7 Incident Response Assistance
The organization provides an
incident response support
resource integral to the
organizational incident response
capability that offers advice and
assistance to users of the
information system for the
handling and reporting of security
incidents.
ISO/IEC 27001
(None)
COBIT DS8.1
HIPAA
164.308(a) (6)
(ii)
Incident
response
IR-8 Incident Response Plan
The organization: a. Develops an
incident response plan that:
• Provides the organization with a
roadmap for implementing its
incident response capability;
• Describes the structure and
organization of the incident
response capability.
ISO/IEC 27001
(None)
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 43/90
Table 10.5 Maintenance Controls
CONTROL
FAMILY
COMPLIANT
(YES/NO)
CONTROL MAPPINGS
Maintenance MA-1 System Maintenance Policy
And Procedures
The organization develops,
disseminates, and
reviews/updates [Assignment:
organization defined frequency]:
a. A formal, documented
information system maintenance
policy that addresses purpose,
scope, roles, responsibilities,
management commitment,
coordination among
organizational entities, and
compliance; and
b. Formal, documented
procedures to facilitate the
ISO/IEC
27001
A.5.1.1,
A.5.1.2,
A.6.1.1,
A.6.1.3,
A.8.1.1,
A.9.2.4,
A.10.1.1,
A.15.1.1,
A.15.2.1
COBIT ®
PC5
HIPAA
164.310(a)
(2)(iv)
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 44/90
implementation of the
information system maintenance
policy and associated system
maintenance controls.
Maintenance MA-2 Controlled Maintenance
The organization:
a. Schedules, performs,
documents, and reviews records
of maintenance and repairs on
information system components
in accordance with manufacturer
or vendor specifications and/or
organizational requirements;
b. Controls all maintenance
activities, whether performed on
site or remotely and whether the
equipment is serviced on site or
removed to another location;
c. Requires that a designated
official explicitly approves the
ISO/IEC
27001
A.9.2.4
COBIT
AI2.10
HIPAA
164.310(a)
(2)(iv)
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 45/90
removal of the information
system or system components
from organizational facilities for
off-site maintenance or repairs;
d. Sanitizes equipment to remove
all information from associated
media prior to removal from
organizational facilities for off-
site maintenance or repairs; and
e. Checks all potentially impacted
security controls to verify that the
controls are still functioning
properly following maintenance
or repair actions.
Maintenance MA-3 Maintenance Tools
The organization approves,
controls, monitors the use of, and
maintains on an ongoing basis,
information system maintenance
tools.
ISO/IEC
27001
A.9.2.4,
A.11.4.4
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 46/90
Supplemental guidance: The
intent of this control is to address
the security-related issues arising
from the hardware and software
brought into the information
system specifically for diagnostic
and repair actions (e.g., a
hardware or software packet
sniffer that is introduced for the
purpose of a particular
maintenance activity). Hardware
and/or software components that
may support information system
maintenance, yet are a part of the
system (e.g., the software
implementing “ping,” “Is,”
“ipconfig,” or the hardware and
software implementing the
monitoring port of an Ethernet
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 47/90
switch) are not covered by this
control. Related to MP-6.
Maintenance MA-4 Non-Local Maintenance
The organization:
a. Authorizes, monitors, and
controls non-local maintenance
and diagnostic activities;
b. Allows the use of non-local
maintenance and diagnostic tools
only as consistent with
organizational policy and
documented in the security plan
for the information system;
c. Employs strong identification
and authentication techniques in
the establishment of non-local
maintenance and diagnostic
sessions;
ISO/IEC
27001
A.9.2.4,
A.11.4.4
d. Maintains records for non-local
maintenance and diagnostic
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 48/90
activities; and
e. Terminates all sessions and
network connections when non-
local maintenance is completed.
Maintenance MA-5 Maintenance Personnel
The organization:
a. Establishes a process for
maintenance personnel
authorization and maintains a
current list of authorized
maintenance organizations or
personnel; and
b. Ensures that personnel
performing maintenance on the
information system have
required access authorizations or
designates organizational
personnel with required access
authorizations and technical
competence deemed necessary to
ISO/IEC
27001
A.9.2.4,
A.12.4.3
HIPAA
164.308(a)
(3)(ii)(A)
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 49/90
supervise information system
maintenance when maintenance
personnel do not possess the
required access authorizations.
Maintenance MA-6 Timely Maintenance
The organization obtains
maintenance support and/or
spare parts for [Assignment:
organization-defined list of
security-critical information
system components and/or key
information technology
components] within [Assignment:
organization-defined time period]
of failure.
ISO/IEC
27001
A.9.2.4
HIPAA
164.310(a)
(2)(iv)
Table 10.6 Media Protection Controls
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 50/90
CONTROL
FAMILY
COMPLIANT
(YES/NO)
CONTROL MAPPINGS
Media
protection
MP-1 Media Protection Policy
And Procedures
The organization develops,
disseminates, and
reviews/updates [Assignment:
organization defined
frequency]:
a. A formal, documented media
protection policy that addresses
purpose, scope, roles,
responsibilities, management
commitment, coordination
among organizational entities,
and compliance; and
b. Formal, documented
procedures to facilitate the
implementation of the media
ISO/IEC 27001
A.5.1.1,
A.5.1.2,
A.6.1.1,
A.6.1.3,
A.8.1.1,
A.10.1.1,
A.10.7.1,
A.10.7.2,
A.10.7.3,
A.11.1.1,
A.15.1.1,
A.15.1.3,
A.15.2.1
COBIT ®
DS11.1,
DS11.6, PC5
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 51/90
protection policy and associated
media protection controls.
HIPAA
164.310(d)(1)
Media
protection
MP-2 Media Access
The organization restricts
access to [Assignment:
organization-defined types of
digital and non-digital media] to
[Assignment: organization-
defined list of authorized
individuals] using [Assignment:
organization-defined security
measures].
ISO/IEC 27001
A.7.2.2,
A.10.7.1,
A.10.7.3
COBIT DS11.6
HIPAA
164.308(a) (3)
(ii)(A)
Media
protection
MP-3 Media Marking
The organization:
a. Marks, in accordance with
organizational policies and
procedures, removable
information system media and
information system output
indicating the distribution
ISO/IEC 27001
A.7.2.2,
A.10.7.1,
A.10.7.3
COBIT DS11.6
HIPAA
164.310(c),
164.310(d)(1)
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 52/90
limitations, handling caveats,
and applicable security
markings (if any) of the
information; and
b. Exempts [Assignment:
organization-defined list of
removable media types] from
marking as long as the
exempted items remain within
[Assignment: organization-
defined controlled areas].
Media
protection
MP-4 Media Storage
The organization:
a. Physically controls and
securely stores [Assignment:
organization-defined types of
digital and non-digital media]
within [Assignment:
organization-defined controlled
areas] using [Assignment:
ISO/IEC 27001
A.10.7.1,
A.10.7.3,
A.10.7.4,
A.15.1.3
COBIT DS11.2,
DS11.6
HIPAA
164.310(c),
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 53/90
organization-defined security
measures];
b. Protects information system
media until the media are
destroyed or sanitized using
approved equipment,
techniques, and procedures.
164.310(d)(1),
164.310(d)(2)
(iv)
Media
protection
MP-5 Media Transport
The organization:
a. Protects and controls
[Assignment: organization-
defined types of digital and non-
digital media] during transport
outside of controlled areas
using [Assignment:
organization-defined security
measures];
b. Maintains accountability for
information system media
during transport outside of
ISO/IEC 27001
A.9.2.5,
A.9.2.7,
A.10.7.1,
A.10.7.3,
A.10.8.3
COBIT DS11.4,
DS11.6
HIPAA
164.310(d) (1),
164.310(d) (2)
(iii),
164.312(c)(1)
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 54/90
controlled areas; and
c. Restricts the activities
associated with transport of
such media to authorized
personnel.
Media
protection
MP-6 Media Sanitization The
organization:
a. Sanitizes information system
media, both digital and
nondigital, prior to disposal,
release out of organizational
control, or release for reuse;
and
b. Employs sanitization
mechanisms with strength and
integrity commensurate with
the classification or sensitivity
of the information.
ISO/IEC 27001
A.9.2.6,
A.10.7.1,
A.10.7.2,
A.10.7.3
COBIT DS11.4,
DS11.6,
HIPAA
164.310(d) (1),
164.310(d) (2)
(i)
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 55/90
Table 10.7 Physical and Environment Protection Controls
CONTROL
FAMILY
COMPLIANT
(YES/NO)
CONTROL MAPPINGS
Physical and
environmental
protection
PE-1 Physical And
Environmental Protection
Policy And Procedures
The organization develops,
disseminates, and
reviews/updates
[Assignment: organization
defined frequency]:
a. A formal, documented
physical and environmental
protection policy that
addresses purpose, scope,
roles, responsibilities,
management commitment,
coordination among
organizational entities, and
ISO/IEC
27001
A.5.1.1,
A.5.1.2,
A.6.1.1,
A.6.1.3,
A.8.1.1,
A.9.1.4,
A.9.2.1,
A.9.2.2,
A.10.1.1,
A.11.1.1,
A.11.2.1,
A.11.2.2,
A.15.1.1,
A.15.2.1
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 56/90
compliance; and
b. Formal, documented
procedures to facilitate the
implementation of the
physical and environmental
protection policy and
associated physical and
environmental protection
controls.
COBIT ®
DS12.1,
DS12.5, PC5
HIPAA
164.310(a)
(1)
164.310(a)
(2)(ii)
164.310(a)
(2)(iii)
Physical and
environmental
protection
PE-2 Physical Access
Authorizations The
organization:
a. Develops and keeps
current a list of personnel
with authorized access to the
facility where the
information system resides
(except for those areas within
the facility officially
ISO/IEC
27001
A.9.1.5,
A.11.2.1,
A.11.2.2,
A.11.2.4
COBIT
DS12.3
HIPAA
164.310(a)
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 57/90
designated as publicly
accessible);
b. Issues authorization
credentials;
c. Reviews and approves the
access list and authorization
credentials [Assignment:
organization defined
frequency], removing from
the access list personnel no
longer requiring access.
(1),
164.310(a)
(2)(iii)
Physical and
environmental
protection
PE-3 Physical Access Control
The organization:
a. Enforces physical access
authorizations for all
physical access points
(including designated
entry/exit points) to the
facility where the
information system resides
ISO/IEC
27001
A.9.1.1,
A.9.1.2,
A.9.1.3,
A.9.1.5,
A.9.1.6,
A.11.3.2,
A.11.4.4
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 58/90
(excluding those areas within
the facility officially
designated as publicly
accessible);
COBIT
DS12.2
HIPAA
164.310(a)
(1),
164.310(a)
(2)(iii),
164.310(b),
164.310(c)
b. Verifies individual access
authorizations before
granting access to the facility;
c. Controls entry to the
facility containing the
information system using
physical access devices
and/or guards;
d. Controls access to areas
officially designated as
publicly accessible in
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 59/90
accordance with the
organization’s assessment of
risk;
e. Secures keys,
combinations, and other
physical access devices;
f. Inventories physical access
devices [Assignment:
organization-defined
frequency]; and
g. Changes combinations and
keys [Assignment:
organization-defined
frequency] and when keys
are lost, combinations are
compromised, or individuals
are transferred or
terminated.
Physical and
environmental
PE-4 Access Control for
Transmission Medium
ISO/IEC
27001
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 60/90
protection The organization controls
physical access to
information system
distribution and transmission
lines within organizational
facilities.
A.9.1.3,
A.9.1.5,
A.9.2.3
COBIT
DS5.7,
DS12.2
HIPAA
164.310(a)
(1),
164.310(c)
Physical and
environmental
protection
PE-5 Access Control for Output
Devices
The organization controls
physical access to
information system output
devices to prevent
unauthorized individuals
from obtaining the output.
ISO/IEC
27001
A.9.1.2,
A.9.1.3,
A.10.6.1,
A.11.3.2
COBIT
DS12.2
HIPAA
164.310(b),
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 61/90
164.310(c),
164.310(a)
(1)
Physical and
environmental
protection
PE-6 Monitoring Physical
Access The organization:
a. Monitors physical access to
the information system to
detect and respond to
physical security incidents;
b. Reviews physical access
logs [Assignment:
organization-defined
frequency]; and
ISO/IEC
27001
A.9.1.2,
A.9.1.5,
A.10.10.2
COBIT
DS12.3
HIPAA
164.310(a)
(2)(iii)
c. Coordinates results of
reviews and investigations
with the organization’s
incident response capability.
Physical and
environmental
protection
PE-7 Visitor Control
The organization controls
physical access to the
ISO/IEC
27001
A.9.1.2,
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 62/90
information system by
authenticating visitors before
authorizing access to the
facility where the
information system resides
other than areas designated
as publicly accessible.
A.9.1.5,
A.9.1.6
COBIT
DS12.3
HIPAA
164.310(a)
(2)(iii)
Physical and
environmental
protection
PE-8 Access Records
The organization:
a. Maintains visitor access
records to the facility where
the information system
resides (except for those
areas within the facility
officially designated as
publicly accessible); and
b. Reviews visitor access
records [Assignment:
organization-defined
frequency].
ISO/IEC
27001
A.9.1.5,
A.10.10.2,
A.15.2.1
COBIT
DS12.3
HIPAA
164.310(a)
(2)(iii)
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 63/90
Physical and
environmental
protection
PE-9 Power Equipment and
Power Cabling
The organization protects
power equipment and power
cabling for the information
system from damage and
destruction.
ISO/IEC
27001
A.9.1.4,
A.9.2.2,
A.9.2.3
COBIT
DS12.4
Physical and
environmental
protection
PE-10 Emergency Shutoff The
organization:
a. Provides the capability of
shutting off power to the
information system or
individual system
components in emergency
situations;
b. Places emergency shutoff
switches or devices in
[Assignment: organization-
defined location by
information system or
ISO/IEC
27001
A.9.1.4
COBIT
DS12.4
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 64/90
system component] to
facilitate safe and easy access
for personnel; and
c. Protects emergency power
shutoff capability from
unauthorized activation.
Physical and
environmental
protection
PE-11 Emergency Power
The organization provides a
short-term uninterruptible
power supply to facilitate an
orderly shutdown of the
information system in the
event of a primary power
source loss.
Supplemental guidance: This
control, to include any
enhancements specified, may
be satisfied by similar
requirements fulfilled by
another organizational entity
ISO/IEC
27001
A.9.1.4,
A.9.2.2
COBIT
DS12.4
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 65/90
other than the information
security program.
Organizations avoid
duplicating actions already
covered.
Physical and
environmental
protection
PE-12 Emergency Lighting
The organization employs
and maintains automatic
emergency lighting for the
information system that
activates in the event of a
power outage or disruption,
and that covers emergency
exits and evacuation routes
within the facility.
ISO/IEC
27001
A.9.2.2
COBIT
DS12.4
Physical and
environmental
protection
PE-13 Fire Protection
The organization employs
and maintains fire
suppression and detection
devices/systems for the
ISO/IEC
27001
A.9.1.4
COBIT
DS12.4
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 66/90
information system that are
supported by an independent
energy source.
Physical and
environmental
protection
PE-14 Temperature and
Humidity Controls
The organization:
a. Maintains temperature
and humidity levels within
the facility where the
information system resides at
[Assignment: organization-
defined acceptable levels];
and
b. Monitors temperature and
humidity levels [Assignment:
organization-defined
frequency].
ISO/IEC
27001
A.9.2.2
COBIT
DS12.4
Physical and
environmental
protection
PE-15 Water Damage
Protection
The organization protects the
ISO/IEC
27001
A.9.1.4
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 67/90
information system from
damage resulting from water
leakage by providing master
shutoff valves that are
accessible, working properly,
and known to key personnel.
COBIT
DS12.4
Physical and
environmental
protection
PE-16 Delivery and Removal
The organization authorizes,
monitors, and controls
[Assignment: organization-
defined types of information
system components] entering
and exiting the facility, and
maintains records of those
items.
ISO/IEC
27001
A.9.1.6,
A.9.2.7,
A.10.7.1
COBIT
DS12.2
Physical and
environmental
protection
PE-17 Alternate Work Site
The organization:
a. Employs [Assignment:
organization-defined
management, operational,
ISO/IEC
27001
A.9.2.5,
A.11.7.2
HIPAA
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 68/90
and technical information
system security controls] at
alternate work sites;
b. Assesses as feasible, the
effectiveness of security
controls at alternate work
sites; and
c. Provides a means for
employees to communicate
with information security
personnel in case of security
incidents or problems.
164.310(a)
(2)(i)
Physical and
environmental
protection
PE-18 Location of Information
System Components
The organization positions
information system
components within the
facility to minimize potential
damage from physical and
environmental hazards and
ISO/IEC
27001
A.9.2.1,
A.11.3.2
COBIT
DS12.1
HIPAA
164.310(c)
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 69/90
to minimize the opportunity
for unauthorized access.
Physical and
environmental
protection
PE-19 Information Leakage
The organization protects the
information system from
information leakage due to
electromagnetic signals
emanations.
ISO/IEC
27001
A.12.5.4
COBIT
DS12.2
Table 10.8 Personnel Security Controls
CONTROL
FAMILY
COMPLIANT
(YES/NO)
CONTROL MAPPINGS
Personnel
security
PS-1 Personnel Security Policy
and Procedures
The organization develops,
disseminates, and
reviews/updates [Assignment:
organization defined
ISO/IEC 27001
A.5.1.1, A.5.1.2,
A.6.1.1, A.6.1.3,
A.8.1.1, A.10.1.1,
A.15.1.1, A.15.2.1
COBIT ® PC5,
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 70/90
frequency]:
a. A formal, documented
personnel security policy that
addresses purpose, scope, roles,
responsibilities, management
commitment, coordination
among organizational entities,
and compliance; and
b. Formal, documented
procedures to facilitate the
implementation of the
personnel security policy and
associated personnel security
controls.
P04.6, P07.3
HIPAA
164.308(a)(3)(ii)
(A)
164.308(a)(3)(ii)
(B)
164.308(a)(3)(ii)
(C)
Personnel
security
PS-2 Position Categorization
The organization:
a. Assigns a risk designation to
all positions;
b. Establishes screening criteria
for individuals filling those
ISO/IEC 27001
A.8.1.1
COBIT P04.13,
P07.3
HIPAA
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 71/90
positions; and
c. Reviews and revises position
risk designations [Assignment:
organization-defined
frequency].
164.308(a) (3)(ii)
(B)
Personnel
security
PS-3 Personnel Screening
The organization:
a. Screens individuals prior to
authorizing access to the
information system; and
b. Rescreens individuals
according to [Assignment:
organization-defined list of
conditions requiring
rescreening and, where
rescreening is so indicated, the
frequency of such rescreening].
ISO/IEC 27001
A.8.1.2
COBIT P07.6
HIPAA
164.308(a) (3)(ii)
(B)
Personnel
security
PS-4 Personnel Termination
The organization, upon
termination of individual
ISO/IEC 27001
A.8.3.1, A.8.3.2,
A.8.3.3
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 72/90
employment:
a. Terminates information
system access;
b. Conducts exit interviews;
c. Retrieves all security-related
organizational information
system-related property; and
d. Retains access to
organizational information and
information systems formerly
controlled by terminated
individual.
COBIT P07.8
HIPAA
164.308(a) (3)(ii)
(C)
Personnel
security
PS-5 Personnel Transfer
The organization reviews
logical and physical access
authorizations to information
systems/facilities when
personnel are reassigned or
transferred to other positions
within the organization and
ISO/IEC 27001
A.8.3.1, A.8.3.2,
A.8.3.3
COBIT P07.8
HIPAA
164.308(a) (3)(ii)
(C)
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 73/90
initiates [Assignment:
organization-defined transfer
or reassignment actions] within
[Assignment: organization-
defined time period following
the formal transfer action].
Personnel
security
PS-6 Access Agreements
The organization:
a. Ensures that individuals
requiring access to
organizational information and
information systems sign
appropriate access agreements
prior to being granted access;
and
b. Reviews/updates the access
agreements [Assignment:
organization-defined
frequency].
ISO/IEC 27001
A.6.1.5, A.8.1.1,
A.8.1.3, A.8.2.1,
A.9.1.5, A.10.8.1,
A.11.7.1,
A.11.7.2, A.15.1.5
COBIT DS5.4
HIPAA
164.308(a) (3)(ii)
(A), 164.308(a)
(3)(ii) (B),
164.308(a) (4)(ii)
(B), 164.310(b),
164.310(d)(2)
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 74/90
(iii), 164.314(a)
(1), 164.314(a)
(2)(i), 164.314(a)
(2)(ii)
Personnel
security
PS-7 Third-Party Personnel
Security
The organization:
a. Establishes personnel
security requirements
including security roles and
responsibilities for third-party
providers;
b. Documents personnel
security requirements; and
c. Monitors provider
compliance.
ISO/IEC 27001
A.6.2.3, A.8.1.1,
A.8.2.1, A.8.1.3
COBIT P04.14,
DS2.2
HIPAA
164.308(a) (3)(ii)
(A), 164.308(a)
(4)(ii) (B),
164.308(b) (1),
164.314(a) (1),
164.314(a) (2)(i),
Personnel
security
PS-8 Personnel Sanctions
The organization employs a
formal sanctions process for
personnel failing to comply
164.314(a)(2)(ii)
ISO/IEC 27001
A.8.2.3, A.15.1.5
HIPAA
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 75/90
with established information
security policies and
procedures.
164.308(a) (1)(ii)
(C)
Table 10.9 System and information integrity controls
CONTROL
FAMILY
COMPLIANT
(YES/NO)
CONTROL MAPPINGS
System and
informatio
n integrity
Sl-1 System And Information
Integrity Policy And
Procedures
The organization develops,
disseminates, and
reviews/updates
[Assignment: organization
defined frequency]:
a. A formal, documented
system and information
integrity policy that
ISO/IEC 27001
A.5.1.1, A.5.1.2,
A.6.1.1, A.6.1.3,
A.8.1.1, A.10.1.1,
A.15.1.1,
A.15.2.1
COBIT ® P02.4,
PC5
HIPAA
164.312(c)(1)
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 76/90
addresses purpose, scope,
roles, responsibilities,
management commitment,
coordination among
organizational entities, and
compliance; and
b. Formal, documented
procedures to facilitate the
implementation of the system
and information integrity
policy and associated system
and information integrity
controls.
System and
informatio
n integrity
SI-2 Flaw Remediation
The organization:
a. Identifies, reports, and
corrects information system
flaws;
b. Tests software updates
related to flaw remediation
ISO/IEC 27001
A.10.10.5,
A.12.5.2,
A.12.6.1,A.13.1.2
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 77/90
for effectiveness and
potential side effects on
organizational information
systems before installation;
and
c. Incorporates flaw
remediation into the
organizational configuration
management process.
System and
informatio
n integrity
SI-3 Malicious Code Protection
The organization:
a. Employs malicious code
protection mechanisms at
information system entry and
exit points and at
workstations, servers, or
mobile computing devices on
the network to detect and
eradicate malicious code:
• Transported by electronic
ISO/IEC 27001
A.10.4.1
COBIT DS5.9
HIPAA
164.308(a) (5)(ii)
(B)
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 78/90
mail, electronic mail
attachments, Web accesses,
removable media, or other
common means; or
• Inserted through the
exploitation of information
system vulnerabilities;
b. Updates malicious code
protection mechanisms
(including signature
definitions) whenever new
releases are available in
accordance with
organizational configuration
management policy and
procedures;
c. Configures malicious code
protection mechanisms to:
• Perform periodic scans of
the information system
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 79/90
[Assignment: organization-
defined frequency] and real-
time scans of files from
external sources as the files
are downloaded, opened, or
executed in accordance with
organizational security
policy; and
• [Selection (one or more):
block malicious code;
quarantine malicious code;
send alert to administrator;
[Assignment: organization-
defined action]] in response
to malicious code detection;
and
d. Addresses the receipt of
false positives during
malicious code detection and
eradication and the resulting
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 80/90
potential impact on the
availability of the
information system.
System and
informatio
n integrity
SI-4 Information System
Monitoring The organization:
a. Monitors events on the
information system in
accordance with
[Assignment: organization
defined monitoring
objectives] and detects
information system attacks;
b. Identifies unauthorized use
of the information system;
ISO/IEC 27001
A.10.10.2,
A.13.1.1,
A.13.1.2
COBIT P02.4,
DS5.5, DS5.10
HIPAA
164.308(a) (5)(ii)
(B), 164.308(a)
(1)(ii) (D)
c. Deploys monitoring devices:
(i) strategically within the
information system to collect
organization-determined
essential information; and (ii)
at ad hoc locations within the
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 81/90
system to track specific types
of transactions of interest to
the organization;
d. Heightens the level of
information system
monitoring activity whenever
there is an indication of
increased risk to
organizational operations
and assets, individuals, other
organizations, or the nation
based on law enforcement
information, intelligence
information, or other
credible sources of
information; and
e. Obtains legal opinion with
regard to information system
monitoring activities in
accordance with applicable
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 82/90
federal laws, executive
orders, directives, policies, or
regulations.
System and
informatio
n integrity
SI-5 Security Alerts,
Advisories, and Directives
The organization:
a. Receives information
system security alerts,
advisories, and directives
from designated external
organizations on an ongoing
basis;
b. Generates internal security
alerts, advisories, and
directives as deemed
necessary;
c. Disseminates security
alerts, advisories, and
directives to [Assignment:
organization-defined list of
ISO/IEC 27001
A.6.1.6, A.12.6.1,
A.13.1.1,A.13.1.2
HIPAA
164.308(a) (5)(ii)
(A)
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 83/90
personnel (identified by
name and/or by role)]; and
d. Implements security
directives in accordance with
established time frames, or
notifies the issuing
organization of the degree of
noncompliance.
System and
informatio
n integrity
SI-6 Security Functionality
Verification
The information system
verifies the correct operation
of security functions
[Selection (one or more):
[Assignment: organization-
defined system transitional
states]; upon command by
user with appropriate
privilege; periodically every
[Assignment: organization-
ISO/IEC 27001
(None)
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 84/90
defined time-period]] and
[Selection (one or more):
notifies system
administrator; shuts the
system down; restarts the
system; [Assignment:
organization-defined
alternative action(s)]] when
anomalies are discovered.
System and
informatio
n integrity
SI-7 Software and Information
Integrity
The information system
detects unauthorized changes
to software and information.
ISO/IEC 27001
A.10.4.1,
A.12.2.2,
A.12.2.3
COBIT
P02.4AI2.4,
DS5.9
HIPAA
164.312(c) (1),
164.312(c) (2),
164.312(e) (2)(i)
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 85/90
System and
informatio
n integrity
SI-8 Spam Protection
The organization:
a. Employs spam protection
mechanisms at information
system entry and exit points
and at workstations, servers,
or mobile computing devices
on the network to detect and
take action on unsolicited
messages transported by
electronic mail, electronic
mail attachments, web
accesses, or other common
means; and
b. Updates spam protection
mechanisms (including
signature definitions) when
new releases are available in
accordance with
organizational configuration
ISO/IEC 27001
(None)
COBIT DS5.9
HIPAA
164.308(a) (5)(ii)
(B)
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 86/90
management policy and
procedures.
System and
informatio
n integrity
SI-9 Information Input
Restrictions
The organization restricts the
capability to input
information to the
information system to
authorized personnel.
ISO/IEC 27001
A.10.8.1,
A.11.1.1,
A.11.2.2,
A.12.2.2
COBIT AC1, AC2
System and
informatio
n integrity
SI-10 Information Input
Validation
The information system
checks the validity of
information inputs.
ISO/IEC 27001
A.12.2.1,A.12.2.2
COBIT AC3,AC4,
AC6
System and
informatio
n integrity
Sl-ll Error Handling
The information system_
a. Identifies potentially
security-relevant error
conditions;
b. Generates error messages
ISO/IEC 27001
(None)
COBIT AC5
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 87/90
that provide information
necessary for corrective
actions without revealing
[Assignment: organization-
defined sensitive or
potentially harmful
information] in error logs
and administrative messages
that could be exploited by
adversaries; and
c. Reveals error messages
only to authorized personnel.
System and
informatio
n integrity
SI-12 Information Output
Handling and Retention
The organization handles and
retains both information
within and output from the
information system in
accordance with applicable
federal laws, executive
ISO/IEC 27001
A.10.7.3,
A.15.1.3,
A.15.1.4,
A.15.2.1
COBIT AC5,
DS11.1, DS11.6
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 88/90
orders, directives, policies,
regulations, standards, and
operational requirements.
System and
informatio
n integrity
SI-13 Predictable Failure
Prevention The organization:
a. Protects the information
system from harm by
considering mean time to
failure for [Assignment:
organization-defined list of
information system
components] in specific
environments of operation;
and
b. Provides substitute
information system
components, when needed,
and a mechanism to
exchange active and standby
roles of the components.
ISO/IEC 27001
(None)
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 89/90
1.
2.
3.
4.
5.
Suggested Reading
National Institute of Standards and Technology (NIST). August 2009. Special
Publication 800-53 Rev 3: Recommended security controls for federal information
systems and organizations. http://csrc.nist.gov/publications/nistpubs/800-53-
Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf
IT Governance Institute. 2007. Mapping of NIST SP 800-53 Rev 1 with COBIT 4.1.
http://www.itgi.org
National Institute of Standards and Technology (NIST). October 2008. An introduc-
tory resource guide for implementing the Health Insurance Portability and
Accountability Act (HIPAA) security rule.
http://csrc.nist.gov/publications/nistpubs/800-66-Revl/SP-800-66-Revisionl.pdf
International Organization for Standardization (ISO). ISO/IEC 27001:2005
Information Security Management Systems—Requirements,
http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?
csnumber=42103
International Organization for Standardization (ISO). ISO/IEC 27002:2005
Information technology—Security techniques—Code of practice for information
4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 90/90
6.
security management,
http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?
csnumber=50297
Department of Health and Human Services, Office of the Secretary. February 20,
2003. 45 CFR Parts 160, 162, and 164 Health insurance reform: Security standards;
Final rule. Federal Register 68(24).
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityru-
lepdf.pdf