Question

profilejimpop1998
Chapter10OperationalControls_PracticalSecurityConsiderations_InformationSecurityGovernanceSimplified.pdf

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 1/90

10

Operational Controls

Practical Security Considerations

There is no such thing as a free lunch.

Attributed to Milton Friedman, 1912–2006

The controls specified in this chapter are the operational controls or

those controls that govern the ongoing operational processes impacting

security spanning multiple departments. This chapter, along with the pre-

ceding security control chapters (Chapter 8 on managerial controls and

Chapter 9 on technical controls) complete the controls necessary for

building the foundation for an information security program. Each listing

of the operational control family is preceded with some practical security

considerations for reviewing the family of controls. These controls are

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 2/90

also mapped to COBIT 4.1, ISO 27001:2005, and Health Insurance

Portability and Accountability Act (HIPAA) where a relationship between

them exists.

Awareness and Training Controls

The awareness and training control family (AT) shown in Table 10.1

serves to ensure that individuals within the organization have the appro-

priate level of training. All users of the organization need some level of

training, and this includes all management levels and all end users.

Records need to be maintained demonstrating that everyone has taken

the training. End users need awareness training primarily so that they

know what is expected of them, when a security breach has occurred,

and how to report the breach. Executive management will also need the

same training, potentially supplemented with training around risk man-

agement as it relates to security. Role-based training can provide techni-

cal staff with security-specific education, such as the network administra-

tor on securing a firewall, or the security analyst with Security

Information and Event Management (SIEM) training, or the server engi-

neer on securing Windows/Unix servers. Additionally, management may

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 3/90

need training for a new identity management system or handling termi-

nations. The entire organization may need additional refresher training

on a monthly basis.

End user awareness training should be provided prior to accessing the

computer system and on an annual basis at a minimum. In Chapter 12

more ideas for security training are provided.

Configuration Management Controls

The configuration management control family controls (CM), as shown in

Table 10.2, provide control of the configuration setting baselines and

their ongoing integrity. Once the baseline is decided upon, there should

be a periodic review to ensure that the baselines are being kept up with

the latest changes by the issuing agency (e.g., Defense Information

Systems Agency). The appropriate team members for the particular base-

line (server, desktop, firewall, database, mainframe, etc.) should meet

and determine the changes required to the baseline. The new baseline

can then be constructed and applied according to the baseline procedures

to all the devices of that type. Exceptions to the baseline standard need to

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 4/90

be documented. The deviations from the baseline can be captured with

automated tools, provided the upfront work has been done to populate

the tool with the existing baseline.

Change control is a difficult area to ensure that changes are properly

authorized for change and subsequently approved for production imple-

mentation prior to implementation. Programmers and those responsible

for the infrastructure components may be pressed for time to implement

a change and not receive proper approval beforehand. A change control

board (CCB) can be very beneficial in this case, with individuals tracking

the production implementations and following up on individuals that

have not received the appropriate approvals. Managing the change con-

trol process provides the traceability of subsequent changes to the

system.

Contingency Planning Controls

The contingency planning control family (CP) ensures that the systems

can be brought up in a reasonable amount of time in the event of a disas-

ter. These controls, shown in Table 10.3, typically require that some form

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 5/90

of testing be done to ensure that the system can be brought up in a rea-

sonable time. The testing identifies gaps in the documentation and high-

lights information that may have been left out, such as a file or the knowl-

edge of an administrator password that halted the testing. If an out-

sourced data center company handles these functions, testing should still

be performed to determine whether the network at the site will be avail-

able in the event of a disaster.

Business continuity plans should be written for each department to en-

sure they are ready in the event of a disaster, not only in terms of the

computing platform, but where will they work and how the equipment

will be configured or delivered to a remote location, or for a work-at-

home scenario.

Incident Response Controls

The incident response control family (IR), as shown in Table 10.4, ensures

that the organization has a predefined mechanism in place to respond to

an incident. Security incidents can range from not sending sensitive in-

formation encrypted through e-mail to having the infrastructure pene-

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 6/90

trated through the use of structured query language (SQL) injection on

the public facing website, for example. Not all incidents will be of the

magnitude to invoke the formation of a computer security incident re-

sponse team (CSIRT), however, the CSIRT procedure created by the orga-

nization should spell out the conditions by which the CSIRT team will be

invoked. A senior management crisis management team for significant

events, such as threats of violence, bomb threats, and emergency weather

conditions, should be established. These teams need to be in place prior

to the incidents occurring.

Incidents should be simulated by creating a scenario and walking

though what would be done in the event of a crisis or a technical outage

caused by an event, such as malware, antivirus, or an advanced persis-

tent threat (APT) targeted toward the organization.

Maintenance Controls

The maintenance control family (MA) shown in Table 10.5 ensures that

the equipment is properly maintained by having contracts in place, ser-

vice level agreements, spare parts available, and routine maintenance

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 7/90

performed. Exposing the device to the employees of an external vendor

carries the risk that the software, firmware, or data may be modified to

create a subsequent entry point into the system, or information could be

disclosed. The device also needs to be properly maintained and serviced

on a regular basis to ensure appropriate availability. Contracts should be

in place for spare parts availability, with 4 hours not being an unreason-

able time frame in most cases. In the case of workstations or desktops, for

most organizations, having alternate equipment on-site can alleviate the

need for immediate spare parts from a vendor. In this case, there should

be agreements with hardware manufacturers to replace the items under

warranty and documented procedures for handling the return of

equipment.

There should be contracts in place for each computing platform in the

environment. Mainframe contracts typically come in the form of a master

services agreement with an annual renewal signoff. Procedures should

also be in place for when vendors are required to service the equipment

on-site to ensure they are escorted, as well as procedures for vendor re-

mote access. Vendors that require infrequent connections to the equip-

ment could be granted one-time ID/passwords along with secure tokens to

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 8/90

access the equipment. The access should be also be logged, specifying the

individual using the ID and the business reason for the access.

Media Protection Controls

The media protection control family (MP) controls shown in Table 10.6

address information wherever it may be stored. As the perimeter of the

organization is disappearing with information moving closer to the end

user (i.e., the information resides on laptops, USB drives, compact disks,

DVDs, smartphones, and other types of flash memory chips), care must be

taken to ensure that only those authorized individuals have the ability to

copy information to these external sources. Due to the massive amount of

information that can be stored on a portable drive (multiterabytes), or a

USB stick (upward of 64 GB), these devices must be carefully managed.

Workstations can be locked down with technology to permit only cer-

tain users to write to an external device or CD/DVD writer. Due to the mo-

bile nature and size of these devices, an encryption method should be

chosen by the organization to encrypt either the media using the software

that comes with the USB drive or the files themselves prior to placing on

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 9/90

the media. At least 128-bit encryption, and AES-256 encryption is desir-

able. Some encryption products are FIPS 140-2 certified, which provides

the highest level of encryption and suitable for most organizations.

Policies regarding media disposal need to ensure that appropriate

tracking and sanitization of the devices is performed prior to disposal,

along with retention of the disposal records. The organization should be

able to know where the devices are located from birth to death of the de-

vice. This is no easy task in larger organizations where devices are reim-

aged frequently and redeployed to other users.

Media protection also extends to paper forms of information and poli-

cies and procedures to support clean desk policies (i.e., no visible confi-

dential information during the day, locked up during business off-hours),

shredding of documents, and which items are approved for dumpster dis-

posal. On-site shredding of paper, tapes, and CDs avoids the tracking of

information sent off-site and the risks of information being intercepted or

not being properly shredded.

Physical and Environmental Protection Controls

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 10/90

The physical and environmental protection control family (PE) controls

listed in Table 10.7 address the need for physical controls around the fa-

cility for employees, contractors, and visitors, as well as the environmen-

tal controls for the computing equipment in the local area networks

(LAN) rooms and data centers. Just as the logical access controls need to

be addressed with authorizations for access, periodic recertifi-cations,

terminating access, and restricting access to sensitive areas, the physical

access controls need these same controls. An organization may employ

multiple methods of achieving the physical controls, from security

guards, proximity readers, piggybacking policies, visitor sign-in, tempo-

rary badge issuance, guard stations, and so forth. One of the more diffi-

cult areas of managing the physical security for an organization is the

lack of integration between the physical security systems capturing the

ingress/egress to the buildings and the identity management systems au-

thorizing the approval. Manual reconciliation between the systems is nec-

essary to demonstrate that the access was removed from the physical sys-

tem. As companies merge, investments are required to merge the security

systems of multiple offices. Small offices may also not have the same ca-

pabilities as systems purchased for the larger offices and may need to be

managed separately.

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 11/90

The fire suppression, temperature, and water controls generally are fo-

cusing upon the data center and LAN room needs. Organizations need to

decide on how power outages will be addressed (uninterruptable power

supply [UPS]), and diesel generators, equipment that must also have con-

tracts and periodic servicing and testing. LAN closets need to be secured

to only staff requiring access to perform their jobs along with unused

ports disabled.

Personnel Security Controls

The personnel security control family (PS) controls listed in Table 10.8

seek to place human resource policies and procedures around the em-

ployees to ensure that the individuals have backgrounds without damag-

ing criminal histories, that their access is appropriately removed when

they are no longer working for the company or have transferred to a dif-

ferent division, and finally to ensure that they understand their responsi-

bilities with respect to the security controls while they are working for

the company and after they have left the company.

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 12/90

Background checks must be completed before the employee is permit-

ted to work for the company. To ensure that this happens, the informa-

tion security department could withhold the login ID and password until

the human resources department has provided evidence that the back-

ground check has been completed. This would serve as a secondary con-

trol to ensure the action took place. Individuals also need to be re-

screened on a periodic basis. The simplest way to achieve this is to per-

form rescreens on those determined to be in sensitive positions (e.g., the

information technology [IT] department, finance department, administra-

tors) at the same time. Otherwise, the overhead of tracking individuals

based upon anniversary dates, without an automated system to adminis-

ter this process, could be manually intensive. For any contractors that are

performing work on behalf of the company, the company may either re-

quest a background check, or require that the contracting firm provide

evidence that a background check has been completed and is satisfactory.

Sanction policies must be in place to provide enforcement of the con-

trols. The information security department should view itself as the

provider of the supporting evidence for the infraction; however, the inci-

dent is best handled between human resources or ethics/ compliance

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 13/90

with the individual and his or her manager. The security department can

provide support for the events that occurred.

Due to the strong linkage between the employees on-boarding, compli-

ance with security controls while an associate, and the termination proce-

dures and the access provisioning of the information security depart-

ment, an equally strong relationship between human resources and in-

formation security should be maintained. Documenting the information

flows between the human resource information systems (HRIS) and the

identity management system can identify gaps in the processes.

System and Information Integrity Controls

System and information integrity controls (SI) listed in Table 10.9 focus

on providing controls to protect the systems environment and handling

such issues as malicious code; spam; systems monitoring; flaw remedia-

tion; and ensuring that applications are coded correctly with appropriate

input validation, error handling, and consistent failure prevention.

Antivirus, malware, and spyware products should be installed at the en-

try points, such as servers, desktops, and firewalls, to restrict the entry of

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 14/90

malicious traffic, in addition to the security awareness programs on these

topics. Processes need to be built to manage the exceptions (e.g., when the

antivirus is not applied to the desktops within a specified frequency, such

as 1 to 3 days after distribution to the servers) to ensure that all desktops

are appropriately being addressed within the system. There may be is-

sues with the software pushing the updates or the asset inventory that

needs to be rectified. End users should be made aware of the effects of

malicious code as well as having the technical infrastructure to support

them in the event a wrong decision is made.

Application code must be written such that information that would be

useful to an intruder is not displayed. Input data needs to be validated to

avoid buffer overruns and other programming errors, which could pro-

vide elevated command line access. This all works in concert with the sys-

tems development life cycle process, whereby secure coding guidelines

would be established and certified to, either by attestation or the comple-

tion of a checklist indicating which guidelines were incorporated into the

development.

Table 10.1 Awareness and Training Controls

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 15/90

CONTROL

FAMILY

COMPLIANT

(YES/NO)

CONTROL MAPPINGS

Awareness

and

training

AT-1 Security Awareness and

Training Policy and Procedures

The organization develops,

disseminates, and

reviews/updates [Assignment:

organization defined

frequency]:

a. A formal, documented

security awareness and training

policy that addresses purpose,

scope, roles, responsibilities,

management commitment,

coordination among

organizational entities, and

compliance; and

b. Formal, documented

procedures to facilitate the

implementation of the security

ISO/IEC 27001

A.5.1.1,

A.5.1.2,

A.6.1.1,

A.6.1.3,

A.8.1.1,

A.10.1.1,

A.15.1.1,

A.15.2.1

COBIT DS7.1,

PCS

HIPAA

164.308(a) (5)

(i)

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 16/90

awareness and training policy,

and associated security

awareness and training

controls.

Awareness

and

training

AT-2 Security Awareness

The organization provides basic

security awareness training to

all information system users

(including managers, senior

executives, and contractors) as

part of initial training for new

users, when required by system

changes, and [Assignment:

organization-defined frequency]

thereafter.

ISO/IEC 27001

A.6.2.2,

A.8.1.1,

A.8.2.2,

A.9.1.5,

A.10.4.1

COBIT P07.4

HIPAA

164.308(a) (5)

(i), 164.308(a)

(5)(ii)(B)

Awareness

and

training

AT-3 Security Training

The organization provides role-

based security-related training:

(i) before authorizing access to

the system or performing

ISO/IEC 27001

A.8.1.1,

A.8.2.2, A.9.1.5

COBIT P07.4,

DS7.2

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 17/90

assigned duties; (ii) when

required by system changes;

and (iii) [Assignment:

organization-defined frequency]

thereafter.

HIPAA

164.308(a) (5)

(i)

Awareness

and

training

AT-4 Security Training Records

The organization:

a. Documents and monitors

individual information system

security training activities

including basic security

awareness training and specific

information system security

training; and

b. Retains individual training

records for [Assignment:

organization-defined time

period].

ISO/IEC 27001

(None)

COBIT DS7.2

HIPAA

164.308(a) (5)

(i)

Awareness

and

AT-5 Contacts with Security

Groups and Associations The

ISO/IEC 27001

A.6.1.7

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 18/90

training organization establishes and

institutionalizes contact with

selected groups and associations

within the security community:

• To facilitate ongoing security

education and training for

organizational personnel;

• To share current security-

related information including

threats, vulnerabilities, and

incidents.

HIPAA

164.308(a) (5)

(i)

Table 10.2 Configuration Management Controls

CONTROL

FAMILY

COMPLIANT

(YES/NO)

CONTROL MAPPINGS

Configuration

management

CM-1 Configuration

Management Policy and

Procedures

ISO/IEC 27001

A.5.1.1,

A.5.1.2,

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 19/90

The organization develops,

disseminates, and

reviews/updates

[Assignment: organization

defined frequency]:

a. A formal, documented

configuration management

policy that addresses

purpose, scope, roles,

responsibilities, management

commitment, coordination

among organizational

entities, and compliance; and

b. Formal, documented

procedures to facilitate the

implementation of the

configuration management

policy and associated

configuration management

controls.

A.6.1.1,

A.6.1.3,

A.8.1.1,

A.10.1.1,

A.10.1.2,

A.12.4.1,

A.12.5.1,

A.15.1.1,

A.15.2.1

COBIT ®

DS9.1,

PC5,P02.1,

AI6.1

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 20/90

Configuration

management

CM-2 Baseline Configuration

The organization develops,

documents, and maintains

under configuration control,

a current baseline

configuration of the

information system.

ISO/IEC 27001

COBIT DS9.1,

P01.6, P02.1

Configuration

management

CM-3 Configuration Change

Control The organization:

a. Determines the types of

changes to the information

system that are configuration

controlled;

b. Approves configuration-

controlled changes to the

system with explicit

consideration for security

impact analyses;

c. Documents approved

configuration-controlled

ISO/IEC 27001

A.10.1.1,

A.10.1.2,

A.10.3.2,

A.12.4.1,

A.12.5.1,

A.12.5.2,

A.12.5.3

COBIT DS9.2,

AI6.1, AI6.3

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 21/90

changes to the system;

d. Retains and reviews

records of configuration-

controlled changes to the

system;

e. Audits activities associated

with configuration-controlled

changes to the system; and

f. Coordinates and provides

oversight for configuration

change control activities

through [Assignment:

organization-defined

configuration change control

element (e.g., committee,

board] that convenes

[Selection (one or more):

[Assignment: organization-

defined frequency];

[Assignment: organization-

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 22/90

defined configuration change

conditions]].

Configuration

management

CM-4 Security Impact Analysis

The organization analyzes

changes to the information

system to determine potential

security impacts prior to

change implementation.

ISO/IEC 27001

A.10.1.2,

A.10.3.2,

A.12.4.1,

A.12.5.2,

A.12.5.3

COBIT DS5.5,

DS9.3

Configuration

management

CM-5 Access Restrictions for

Change

The organization defines,

documents, approves, and

enforces physical and logical

access restrictions associated

with changes to the

information system.

ISO/IEC 27001

A.10.1.2,

A.11.1.1,

A.11.6.1,

A.12.4.1,

A.12.4.3,

A.12.5.3

Configuration

management

CM-6 Configuration Settings

The organization:

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 23/90

a. Establishes and documents

mandatory configuration

settings for information

technology products

employed within the

information system using

[Assignment: organization-

defined security

configuration checklists] that

reflect the most restrictive

mode consistent with

operational requirements;

b. Implements the

configuration settings;

c. Identifies, documents, and

approves exceptions from the

mandatory configuration

settings for individual

components within the

information system based on

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 24/90

explicit operational

requirements; and

d. Monitors and controls

changes to the configuration

settings in accordance with

organizational policies and

procedures.

ISO/IEC 27001

(None)

Configuration

management

CM-7 Least Functionality

The organization configures

the information system to

provide only essential

capabilities and specifically

prohibits or restricts the use

of the following functions,

ports, protocols, and/or

services: [Assignment:

organization-defined list of

prohibited or restricted

functions, ports, protocols,

and/or services].

ISO/IEC 27001

(None)

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 25/90

Configuration

management

CM-8 Information System

Component Inventory

The organization develops,

documents, and maintains an

inventory of information

system components that:

a. Accurately reflects the

current information system;

b. Is consistent with the

authorization boundary of

the information system;

c. Is at the level of granularity

deemed necessary for

tracking and reporting;

d. Includes [Assignment:

organization-defined

information deemed

necessary to achieve effective

property accountability]; and

e. Is available for review and

ISO/IEC 27001

A.7.1.1, A.7.1.2

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 26/90

audit by designated

organizational officials.

Configuration

management

CM-9 Configuration

Management Plan

The organization develops,

documents, and implements

a configuration management

plan for the information

system that:

a. Addresses roles,

responsibilities, and

configuration management

processes and procedures;

ISO/IEC 27001

A.6.1.3.

A.7.1.1,

A.7.1.2,

A.8.1.1,

A.10.1.1,

A.10.1.2,

A.10.3.2,

A.12.4.1,

A.12.4.3,

A.12.5.1,

A.12.5.2,

A.12.5.3

b. Defines the configuration

items for the information

system and when in the

system development life

cycle the configuration items

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 27/90

are placed under

configuration management;

and

c. Establishes the means for

identifying configuration

items throughout the system

development life cycle and a

process for managing the

configuration of the

configuration items.

Table 10.3 Contingency Planning Controls

CONTROL

FAMILY

COMPLIANT

(YES/NO)

CONTROL MAPPINGS

Contingency

planning

CP-1 Contingency Planning

Policy And Procedures

The organization develops,

disseminates, and

ISO/IEC 27001

A.5.1.1, A.5.1.2,

A.6.1.1, A.6.1.3,

A.8.1.1, A.9.1.4,

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 28/90

reviews/updates

[Assignment:

organization defined

frequency]:

a A formal, documented

contingency planning policy

that addresses purpose,

scope, roles, responsibilities,

management commitment,

coordination among

organizational entities, and

compliance; and

b. Formal, documented

procedures to facilitate the

implementation of the

contingency planning policy

and associated contingency

planning controls.

A.10.1.1,

A.10.1.2,

A.14.1.1,

A.14.1.3,

A.15.1.1, A.15.2.1

COBIT ®

PC5,DS4.1

HIPAA

164.308(a)(7)(i)

Contingency

planning

CP-2 Contingency Plan

The organization:

ISO/IEC 27001

A.6.1.2, A.9.1.4,

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 29/90

a. Develops a contingency

plan for the information

system that:

• Identifies essential missions

and business functions and

associated contingency

requirements;

• Provides recovery

objectives, restoration

priorities, and metrics;

• Addresses contingency

roles, responsibilities,

assigned individuals with

contact information;

• Addresses maintaining

essential missions and

business functions despite an

information system

disruption, compromise, or

failure;

A.10.3.1,

A.14.1.1,

A.14.1.2,

A.14.1.3,

A.14.1.4, A.14.1.5

COBIT DS4.2

HIPAA

164.308(a) (7)(ii)

(B), 164.308(a)

(7)(ii) (C),

164.308(a)(7) (ii)

(E), 164.310(a)

(2)(i), 164.312(a)

(2)(ii)

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 30/90

• Addresses eventual, full

information system

restoration without

deterioration of the security

measures originally planned

and implemented; and

• Is reviewed and approved

by designated officials within

the organization;

b. Distributes copies of the

contingency plan to

[Assignment: organization-

defined list of key

contingency personnel

(identified by name and/or

by role) and organizational

elements];

c. Coordinates contingency

planning activities with

incident handling activities;

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 31/90

d. Reviews the contingency

plan for the information

system [Assignment:

organization-defined

frequency];

e. Revises the contingency

plan to address changes to

the organization,

information system, or

environment of operation

and problems encountered

during contingency plan

implementation, execution,

or testing; and

f. Communicates contingency

plan changes to [Assignment:

organization-defined list of

key contingency personnel

(identified by name and/or

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 32/90

by role) and organizational

elements].

Contingency

planning

CP-3 Contingency Training

The organization trains

personnel in their

contingency roles and

responsibilities with respect

to the information system

and provides refresher

training [Assignment:

organization defined

frequency].

ISO/IEC 27001

A.8.2.2, A.9.1.4,

A.14.1.3

COBIT DS4.6

HIPAA

164.308(a) (7)(ii)

(D)

Contingency

planning

CP-4 Contingency Plan Testing

and Exercises

The organization: a. Tests

and/or exercises the

contingency plan for the

information system

[Assignment: organization-

defined frequency] using

ISO/IEC 27001

A.6.1.2, A.9.1.4,

A.14.1.1,

A.14.1.3,

A.14.1.4, A.14.1.5

COBIT DS4.2,

DS4.5

HIPAA

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 33/90

[Assignment: organization-

defined tests and/or

exercises] to determine the

plan’s effectiveness and the

organization’s readiness to

execute the plan; and

164.308(a) (7)(ii)

(D)

b. Reviews the contingency

plan test/exercise results and

initiates corrective actions.

Contingency

planning

CP-6 Alternate Storage Site

The organization establishes

an alternate storage site

including necessary

agreements to permit the

storage and recovery of

information system backup

information.

ISO/IEC 27001

A.9.1.4,A.14.1.3

COBIT DS4.1,

DS4.9

HIPAA

164.308(a) (7)(ii)

(B), 164.310(a)

(2)(i)

Contingency

planning

CP-7 Alternate Processing Site

The organization:

a. Establishes an alternate

ISO/IEC 27001

A.9.1.4, A.14.1.3

COBIT DS4.1,

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 34/90

processing site including

necessary agreements to

permit the resumption of

information system

operations for essential

missions and business

functions within

[Assignment: organization-

defined time period

consistent with recovery time

objectives] when the primary

processing capabilities are

unavailable; and

b. Ensures that equipment

and supplies required to

resume operations are

available at the alternate site

or contracts are in place to

support delivery to the site in

time to support the

DS4.8

HIPAA

164.308(a) (7)(ii)

(B), 164.310(a)

(2)(i)

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 35/90

organization-defined time

period for resumption.

Contingency

planning

CP-8 Telecommunications

Services The organization

establishes alternate

telecommunications services

including necessary

agreements to permit the

resumption of information

system operations for

essential missions and

business functions within

[Assignment: organization-

defined time period] when

the primary

telecommunications

capabilities are unavailable.

ISO/IEC 27001

A.9.1.4, A.10.6.1,

A.14.1.3

COBIT DS4.1,

HIPAA

164.308(a) (7)(ii)

(B)

Contingency

planning

CP-9 Information System

Backup The organization:

a. Conducts backups of user-

ISO/IEC 27001

A.9.1.4, A.10.5.1,

A.14.1.3, A.15.1.3

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 36/90

level information contained

in the information system

[Assignment; organization-

defined frequency consistent

with recovery time and

recovery point objectives];

b. Conducts backups of

system-level information

contained in the information

system [Assignment:

organization-defined

frequency consistent with

recovery time and recovery

point objectives];

c. Conducts backups of

information system

documentation including

security-related

documentation [Assignment:

organization-defined

COBIT DS4.2,

DS11.5

HIPAA

164.308(a) (7)(N)

(A), 164.310(d)

(2) (iv),

164.312(c) (1)

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 37/90

frequency consistent with

recovery time and recovery

point objectives]; and

d. Protects the confidentiality

and integrity of backup

information at the storage

location.

Contingency

planning

CP-10 Information System

Recovery and Reconstitution

The organization provides

for the recovery and

reconstitution of the

information system to a

known state after a

disruption, compromise, or

failure.

ISO/IEC 27001

A.9.1.4, A.14.1.3

COBIT DS4.8,

DS11.5

HIPAA

164.308(a) (7)(ii)

(B), 164.308(a)

(7)(ii) (C)

Table 10.4 Incident Response Controls

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 38/90

CONTROL

FAMILY

COMPLIANT

(YES/NO)

CONTROL MAPPINGS

Incident

response

IR-1 Incident Response Policy And

Procedures

The organization develops,

disseminates, and

reviews/updates [Assignment:

organization defined frequency]:

a. A formal, documented incident

response policy that addresses

purpose, scope, roles,

responsibilities, management

commitment, coordination among

organizational entities, and

compliance; and

b. Formal, documented

procedures to facilitate the

implementation of the incident

response policy and associated

incident response controls.

ISO/IEC 27001

A.5.1.1,

A.5.1.2,

A.6.1.1,

A.6.1.3,

A.8.1.1,

A.10.1.1,

A.13.1.1,

A.13.2.1,

A.15.1.1,

A.15.2.1

COBIT ®

P09.5, P09.6,

DS5.6, DS8.2,

PC5

HIPAA

164.308(a)(6)

(i)

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 39/90

Incident

response

IR-2 Incident Response Training

The organization:

a. Trains personnel in their

incident response roles and

responsibilities with respect to the

information system; and

b. Provides refresher training

[Assignment: organization-defined

frequency].

ISO/IEC 27001

A.8.2.2

HIPAA

164.308(a) (6)

(i)

Incident

response

IR-3 Incident Response Testing and

Exercises

The organization tests and/or

exercises the incident response

capability for the information

system [Assignment: organization-

defined frequency] using

[Assignment: organization-defined

tests and/or exercises] to

determine the incident response

ISO/IEC 27001

(None)

HIPAA

164.308(a) (6)

(i)

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 40/90

effectiveness and documents the

results.

Incident

response

IR-4 Incident Handling

The organization:

a. Implements an incident

handling capability for security

incidents that includes

preparation, detection and

analysis, containment,

eradication, and recovery;

ISO/IEC 27001

A.6.1.2,

A.13.2.2,

A.13.2.3

COBIT P09.5,

P09.6, DS8.2

HIPAA

164.308(a) (6)

(ii)

b. Coordinates incident handling

activities with contingency

planning activities; and

c. Incorporates lessons learned

from ongoing incident handling

activities into incident response

procedures, training, and

testing/exercises, and implements

the resulting changes accordingly.

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 41/90

Incident

response

IR-5 Incident Monitoring The

organization tracks and

documents information system

security incidents.

ISO/IEC 27001

(None)

COBIT DS8.2,

DS8.4

HIPAA

164.308(a) (6)

(ii),

164.308(a)(1)

(ii) (D)

Incident

response

IR-6 Incident Reporting The

organization:

a. Requires personnel to report

suspected security incidents to the

organizational incident response

capability within [Assignment:

organization-defined time-period];

and

b. Reports security incident

information to designated

authorities.

ISO/IEC 27001

A.6.1.6,

A.13.1.1

COBIT DS5.6

HIPAA

164.308(a)

(D(ii)(D),

164.308(a)(6)

(ii),

164.314(a)(2)

(i)

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 42/90

Incident

response

IR-7 Incident Response Assistance

The organization provides an

incident response support

resource integral to the

organizational incident response

capability that offers advice and

assistance to users of the

information system for the

handling and reporting of security

incidents.

ISO/IEC 27001

(None)

COBIT DS8.1

HIPAA

164.308(a) (6)

(ii)

Incident

response

IR-8 Incident Response Plan

The organization: a. Develops an

incident response plan that:

• Provides the organization with a

roadmap for implementing its

incident response capability;

• Describes the structure and

organization of the incident

response capability.

ISO/IEC 27001

(None)

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 43/90

Table 10.5 Maintenance Controls

CONTROL

FAMILY

COMPLIANT

(YES/NO)

CONTROL MAPPINGS

Maintenance MA-1 System Maintenance Policy

And Procedures

The organization develops,

disseminates, and

reviews/updates [Assignment:

organization defined frequency]:

a. A formal, documented

information system maintenance

policy that addresses purpose,

scope, roles, responsibilities,

management commitment,

coordination among

organizational entities, and

compliance; and

b. Formal, documented

procedures to facilitate the

ISO/IEC

27001

A.5.1.1,

A.5.1.2,

A.6.1.1,

A.6.1.3,

A.8.1.1,

A.9.2.4,

A.10.1.1,

A.15.1.1,

A.15.2.1

COBIT ®

PC5

HIPAA

164.310(a)

(2)(iv)

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 44/90

implementation of the

information system maintenance

policy and associated system

maintenance controls.

Maintenance MA-2 Controlled Maintenance

The organization:

a. Schedules, performs,

documents, and reviews records

of maintenance and repairs on

information system components

in accordance with manufacturer

or vendor specifications and/or

organizational requirements;

b. Controls all maintenance

activities, whether performed on

site or remotely and whether the

equipment is serviced on site or

removed to another location;

c. Requires that a designated

official explicitly approves the

ISO/IEC

27001

A.9.2.4

COBIT

AI2.10

HIPAA

164.310(a)

(2)(iv)

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 45/90

removal of the information

system or system components

from organizational facilities for

off-site maintenance or repairs;

d. Sanitizes equipment to remove

all information from associated

media prior to removal from

organizational facilities for off-

site maintenance or repairs; and

e. Checks all potentially impacted

security controls to verify that the

controls are still functioning

properly following maintenance

or repair actions.

Maintenance MA-3 Maintenance Tools

The organization approves,

controls, monitors the use of, and

maintains on an ongoing basis,

information system maintenance

tools.

ISO/IEC

27001

A.9.2.4,

A.11.4.4

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 46/90

Supplemental guidance: The

intent of this control is to address

the security-related issues arising

from the hardware and software

brought into the information

system specifically for diagnostic

and repair actions (e.g., a

hardware or software packet

sniffer that is introduced for the

purpose of a particular

maintenance activity). Hardware

and/or software components that

may support information system

maintenance, yet are a part of the

system (e.g., the software

implementing “ping,” “Is,”

“ipconfig,” or the hardware and

software implementing the

monitoring port of an Ethernet

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 47/90

switch) are not covered by this

control. Related to MP-6.

Maintenance MA-4 Non-Local Maintenance

The organization:

a. Authorizes, monitors, and

controls non-local maintenance

and diagnostic activities;

b. Allows the use of non-local

maintenance and diagnostic tools

only as consistent with

organizational policy and

documented in the security plan

for the information system;

c. Employs strong identification

and authentication techniques in

the establishment of non-local

maintenance and diagnostic

sessions;

ISO/IEC

27001

A.9.2.4,

A.11.4.4

d. Maintains records for non-local

maintenance and diagnostic

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 48/90

activities; and

e. Terminates all sessions and

network connections when non-

local maintenance is completed.

Maintenance MA-5 Maintenance Personnel

The organization:

a. Establishes a process for

maintenance personnel

authorization and maintains a

current list of authorized

maintenance organizations or

personnel; and

b. Ensures that personnel

performing maintenance on the

information system have

required access authorizations or

designates organizational

personnel with required access

authorizations and technical

competence deemed necessary to

ISO/IEC

27001

A.9.2.4,

A.12.4.3

HIPAA

164.308(a)

(3)(ii)(A)

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 49/90

supervise information system

maintenance when maintenance

personnel do not possess the

required access authorizations.

Maintenance MA-6 Timely Maintenance

The organization obtains

maintenance support and/or

spare parts for [Assignment:

organization-defined list of

security-critical information

system components and/or key

information technology

components] within [Assignment:

organization-defined time period]

of failure.

ISO/IEC

27001

A.9.2.4

HIPAA

164.310(a)

(2)(iv)

Table 10.6 Media Protection Controls

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 50/90

CONTROL

FAMILY

COMPLIANT

(YES/NO)

CONTROL MAPPINGS

Media

protection

MP-1 Media Protection Policy

And Procedures

The organization develops,

disseminates, and

reviews/updates [Assignment:

organization defined

frequency]:

a. A formal, documented media

protection policy that addresses

purpose, scope, roles,

responsibilities, management

commitment, coordination

among organizational entities,

and compliance; and

b. Formal, documented

procedures to facilitate the

implementation of the media

ISO/IEC 27001

A.5.1.1,

A.5.1.2,

A.6.1.1,

A.6.1.3,

A.8.1.1,

A.10.1.1,

A.10.7.1,

A.10.7.2,

A.10.7.3,

A.11.1.1,

A.15.1.1,

A.15.1.3,

A.15.2.1

COBIT ®

DS11.1,

DS11.6, PC5

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 51/90

protection policy and associated

media protection controls.

HIPAA

164.310(d)(1)

Media

protection

MP-2 Media Access

The organization restricts

access to [Assignment:

organization-defined types of

digital and non-digital media] to

[Assignment: organization-

defined list of authorized

individuals] using [Assignment:

organization-defined security

measures].

ISO/IEC 27001

A.7.2.2,

A.10.7.1,

A.10.7.3

COBIT DS11.6

HIPAA

164.308(a) (3)

(ii)(A)

Media

protection

MP-3 Media Marking

The organization:

a. Marks, in accordance with

organizational policies and

procedures, removable

information system media and

information system output

indicating the distribution

ISO/IEC 27001

A.7.2.2,

A.10.7.1,

A.10.7.3

COBIT DS11.6

HIPAA

164.310(c),

164.310(d)(1)

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 52/90

limitations, handling caveats,

and applicable security

markings (if any) of the

information; and

b. Exempts [Assignment:

organization-defined list of

removable media types] from

marking as long as the

exempted items remain within

[Assignment: organization-

defined controlled areas].

Media

protection

MP-4 Media Storage

The organization:

a. Physically controls and

securely stores [Assignment:

organization-defined types of

digital and non-digital media]

within [Assignment:

organization-defined controlled

areas] using [Assignment:

ISO/IEC 27001

A.10.7.1,

A.10.7.3,

A.10.7.4,

A.15.1.3

COBIT DS11.2,

DS11.6

HIPAA

164.310(c),

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 53/90

organization-defined security

measures];

b. Protects information system

media until the media are

destroyed or sanitized using

approved equipment,

techniques, and procedures.

164.310(d)(1),

164.310(d)(2)

(iv)

Media

protection

MP-5 Media Transport

The organization:

a. Protects and controls

[Assignment: organization-

defined types of digital and non-

digital media] during transport

outside of controlled areas

using [Assignment:

organization-defined security

measures];

b. Maintains accountability for

information system media

during transport outside of

ISO/IEC 27001

A.9.2.5,

A.9.2.7,

A.10.7.1,

A.10.7.3,

A.10.8.3

COBIT DS11.4,

DS11.6

HIPAA

164.310(d) (1),

164.310(d) (2)

(iii),

164.312(c)(1)

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 54/90

controlled areas; and

c. Restricts the activities

associated with transport of

such media to authorized

personnel.

Media

protection

MP-6 Media Sanitization The

organization:

a. Sanitizes information system

media, both digital and

nondigital, prior to disposal,

release out of organizational

control, or release for reuse;

and

b. Employs sanitization

mechanisms with strength and

integrity commensurate with

the classification or sensitivity

of the information.

ISO/IEC 27001

A.9.2.6,

A.10.7.1,

A.10.7.2,

A.10.7.3

COBIT DS11.4,

DS11.6,

HIPAA

164.310(d) (1),

164.310(d) (2)

(i)

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 55/90

Table 10.7 Physical and Environment Protection Controls

CONTROL

FAMILY

COMPLIANT

(YES/NO)

CONTROL MAPPINGS

Physical and

environmental

protection

PE-1 Physical And

Environmental Protection

Policy And Procedures

The organization develops,

disseminates, and

reviews/updates

[Assignment: organization

defined frequency]:

a. A formal, documented

physical and environmental

protection policy that

addresses purpose, scope,

roles, responsibilities,

management commitment,

coordination among

organizational entities, and

ISO/IEC

27001

A.5.1.1,

A.5.1.2,

A.6.1.1,

A.6.1.3,

A.8.1.1,

A.9.1.4,

A.9.2.1,

A.9.2.2,

A.10.1.1,

A.11.1.1,

A.11.2.1,

A.11.2.2,

A.15.1.1,

A.15.2.1

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 56/90

compliance; and

b. Formal, documented

procedures to facilitate the

implementation of the

physical and environmental

protection policy and

associated physical and

environmental protection

controls.

COBIT ®

DS12.1,

DS12.5, PC5

HIPAA

164.310(a)

(1)

164.310(a)

(2)(ii)

164.310(a)

(2)(iii)

Physical and

environmental

protection

PE-2 Physical Access

Authorizations The

organization:

a. Develops and keeps

current a list of personnel

with authorized access to the

facility where the

information system resides

(except for those areas within

the facility officially

ISO/IEC

27001

A.9.1.5,

A.11.2.1,

A.11.2.2,

A.11.2.4

COBIT

DS12.3

HIPAA

164.310(a)

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 57/90

designated as publicly

accessible);

b. Issues authorization

credentials;

c. Reviews and approves the

access list and authorization

credentials [Assignment:

organization defined

frequency], removing from

the access list personnel no

longer requiring access.

(1),

164.310(a)

(2)(iii)

Physical and

environmental

protection

PE-3 Physical Access Control

The organization:

a. Enforces physical access

authorizations for all

physical access points

(including designated

entry/exit points) to the

facility where the

information system resides

ISO/IEC

27001

A.9.1.1,

A.9.1.2,

A.9.1.3,

A.9.1.5,

A.9.1.6,

A.11.3.2,

A.11.4.4

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 58/90

(excluding those areas within

the facility officially

designated as publicly

accessible);

COBIT

DS12.2

HIPAA

164.310(a)

(1),

164.310(a)

(2)(iii),

164.310(b),

164.310(c)

b. Verifies individual access

authorizations before

granting access to the facility;

c. Controls entry to the

facility containing the

information system using

physical access devices

and/or guards;

d. Controls access to areas

officially designated as

publicly accessible in

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 59/90

accordance with the

organization’s assessment of

risk;

e. Secures keys,

combinations, and other

physical access devices;

f. Inventories physical access

devices [Assignment:

organization-defined

frequency]; and

g. Changes combinations and

keys [Assignment:

organization-defined

frequency] and when keys

are lost, combinations are

compromised, or individuals

are transferred or

terminated.

Physical and

environmental

PE-4 Access Control for

Transmission Medium

ISO/IEC

27001

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 60/90

protection The organization controls

physical access to

information system

distribution and transmission

lines within organizational

facilities.

A.9.1.3,

A.9.1.5,

A.9.2.3

COBIT

DS5.7,

DS12.2

HIPAA

164.310(a)

(1),

164.310(c)

Physical and

environmental

protection

PE-5 Access Control for Output

Devices

The organization controls

physical access to

information system output

devices to prevent

unauthorized individuals

from obtaining the output.

ISO/IEC

27001

A.9.1.2,

A.9.1.3,

A.10.6.1,

A.11.3.2

COBIT

DS12.2

HIPAA

164.310(b),

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 61/90

164.310(c),

164.310(a)

(1)

Physical and

environmental

protection

PE-6 Monitoring Physical

Access The organization:

a. Monitors physical access to

the information system to

detect and respond to

physical security incidents;

b. Reviews physical access

logs [Assignment:

organization-defined

frequency]; and

ISO/IEC

27001

A.9.1.2,

A.9.1.5,

A.10.10.2

COBIT

DS12.3

HIPAA

164.310(a)

(2)(iii)

c. Coordinates results of

reviews and investigations

with the organization’s

incident response capability.

Physical and

environmental

protection

PE-7 Visitor Control

The organization controls

physical access to the

ISO/IEC

27001

A.9.1.2,

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 62/90

information system by

authenticating visitors before

authorizing access to the

facility where the

information system resides

other than areas designated

as publicly accessible.

A.9.1.5,

A.9.1.6

COBIT

DS12.3

HIPAA

164.310(a)

(2)(iii)

Physical and

environmental

protection

PE-8 Access Records

The organization:

a. Maintains visitor access

records to the facility where

the information system

resides (except for those

areas within the facility

officially designated as

publicly accessible); and

b. Reviews visitor access

records [Assignment:

organization-defined

frequency].

ISO/IEC

27001

A.9.1.5,

A.10.10.2,

A.15.2.1

COBIT

DS12.3

HIPAA

164.310(a)

(2)(iii)

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 63/90

Physical and

environmental

protection

PE-9 Power Equipment and

Power Cabling

The organization protects

power equipment and power

cabling for the information

system from damage and

destruction.

ISO/IEC

27001

A.9.1.4,

A.9.2.2,

A.9.2.3

COBIT

DS12.4

Physical and

environmental

protection

PE-10 Emergency Shutoff The

organization:

a. Provides the capability of

shutting off power to the

information system or

individual system

components in emergency

situations;

b. Places emergency shutoff

switches or devices in

[Assignment: organization-

defined location by

information system or

ISO/IEC

27001

A.9.1.4

COBIT

DS12.4

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 64/90

system component] to

facilitate safe and easy access

for personnel; and

c. Protects emergency power

shutoff capability from

unauthorized activation.

Physical and

environmental

protection

PE-11 Emergency Power

The organization provides a

short-term uninterruptible

power supply to facilitate an

orderly shutdown of the

information system in the

event of a primary power

source loss.

Supplemental guidance: This

control, to include any

enhancements specified, may

be satisfied by similar

requirements fulfilled by

another organizational entity

ISO/IEC

27001

A.9.1.4,

A.9.2.2

COBIT

DS12.4

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 65/90

other than the information

security program.

Organizations avoid

duplicating actions already

covered.

Physical and

environmental

protection

PE-12 Emergency Lighting

The organization employs

and maintains automatic

emergency lighting for the

information system that

activates in the event of a

power outage or disruption,

and that covers emergency

exits and evacuation routes

within the facility.

ISO/IEC

27001

A.9.2.2

COBIT

DS12.4

Physical and

environmental

protection

PE-13 Fire Protection

The organization employs

and maintains fire

suppression and detection

devices/systems for the

ISO/IEC

27001

A.9.1.4

COBIT

DS12.4

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 66/90

information system that are

supported by an independent

energy source.

Physical and

environmental

protection

PE-14 Temperature and

Humidity Controls

The organization:

a. Maintains temperature

and humidity levels within

the facility where the

information system resides at

[Assignment: organization-

defined acceptable levels];

and

b. Monitors temperature and

humidity levels [Assignment:

organization-defined

frequency].

ISO/IEC

27001

A.9.2.2

COBIT

DS12.4

Physical and

environmental

protection

PE-15 Water Damage

Protection

The organization protects the

ISO/IEC

27001

A.9.1.4

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 67/90

information system from

damage resulting from water

leakage by providing master

shutoff valves that are

accessible, working properly,

and known to key personnel.

COBIT

DS12.4

Physical and

environmental

protection

PE-16 Delivery and Removal

The organization authorizes,

monitors, and controls

[Assignment: organization-

defined types of information

system components] entering

and exiting the facility, and

maintains records of those

items.

ISO/IEC

27001

A.9.1.6,

A.9.2.7,

A.10.7.1

COBIT

DS12.2

Physical and

environmental

protection

PE-17 Alternate Work Site

The organization:

a. Employs [Assignment:

organization-defined

management, operational,

ISO/IEC

27001

A.9.2.5,

A.11.7.2

HIPAA

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 68/90

and technical information

system security controls] at

alternate work sites;

b. Assesses as feasible, the

effectiveness of security

controls at alternate work

sites; and

c. Provides a means for

employees to communicate

with information security

personnel in case of security

incidents or problems.

164.310(a)

(2)(i)

Physical and

environmental

protection

PE-18 Location of Information

System Components

The organization positions

information system

components within the

facility to minimize potential

damage from physical and

environmental hazards and

ISO/IEC

27001

A.9.2.1,

A.11.3.2

COBIT

DS12.1

HIPAA

164.310(c)

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 69/90

to minimize the opportunity

for unauthorized access.

Physical and

environmental

protection

PE-19 Information Leakage

The organization protects the

information system from

information leakage due to

electromagnetic signals

emanations.

ISO/IEC

27001

A.12.5.4

COBIT

DS12.2

Table 10.8 Personnel Security Controls

CONTROL

FAMILY

COMPLIANT

(YES/NO)

CONTROL MAPPINGS

Personnel

security

PS-1 Personnel Security Policy

and Procedures

The organization develops,

disseminates, and

reviews/updates [Assignment:

organization defined

ISO/IEC 27001

A.5.1.1, A.5.1.2,

A.6.1.1, A.6.1.3,

A.8.1.1, A.10.1.1,

A.15.1.1, A.15.2.1

COBIT ® PC5,

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 70/90

frequency]:

a. A formal, documented

personnel security policy that

addresses purpose, scope, roles,

responsibilities, management

commitment, coordination

among organizational entities,

and compliance; and

b. Formal, documented

procedures to facilitate the

implementation of the

personnel security policy and

associated personnel security

controls.

P04.6, P07.3

HIPAA

164.308(a)(3)(ii)

(A)

164.308(a)(3)(ii)

(B)

164.308(a)(3)(ii)

(C)

Personnel

security

PS-2 Position Categorization

The organization:

a. Assigns a risk designation to

all positions;

b. Establishes screening criteria

for individuals filling those

ISO/IEC 27001

A.8.1.1

COBIT P04.13,

P07.3

HIPAA

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 71/90

positions; and

c. Reviews and revises position

risk designations [Assignment:

organization-defined

frequency].

164.308(a) (3)(ii)

(B)

Personnel

security

PS-3 Personnel Screening

The organization:

a. Screens individuals prior to

authorizing access to the

information system; and

b. Rescreens individuals

according to [Assignment:

organization-defined list of

conditions requiring

rescreening and, where

rescreening is so indicated, the

frequency of such rescreening].

ISO/IEC 27001

A.8.1.2

COBIT P07.6

HIPAA

164.308(a) (3)(ii)

(B)

Personnel

security

PS-4 Personnel Termination

The organization, upon

termination of individual

ISO/IEC 27001

A.8.3.1, A.8.3.2,

A.8.3.3

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 72/90

employment:

a. Terminates information

system access;

b. Conducts exit interviews;

c. Retrieves all security-related

organizational information

system-related property; and

d. Retains access to

organizational information and

information systems formerly

controlled by terminated

individual.

COBIT P07.8

HIPAA

164.308(a) (3)(ii)

(C)

Personnel

security

PS-5 Personnel Transfer

The organization reviews

logical and physical access

authorizations to information

systems/facilities when

personnel are reassigned or

transferred to other positions

within the organization and

ISO/IEC 27001

A.8.3.1, A.8.3.2,

A.8.3.3

COBIT P07.8

HIPAA

164.308(a) (3)(ii)

(C)

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 73/90

initiates [Assignment:

organization-defined transfer

or reassignment actions] within

[Assignment: organization-

defined time period following

the formal transfer action].

Personnel

security

PS-6 Access Agreements

The organization:

a. Ensures that individuals

requiring access to

organizational information and

information systems sign

appropriate access agreements

prior to being granted access;

and

b. Reviews/updates the access

agreements [Assignment:

organization-defined

frequency].

ISO/IEC 27001

A.6.1.5, A.8.1.1,

A.8.1.3, A.8.2.1,

A.9.1.5, A.10.8.1,

A.11.7.1,

A.11.7.2, A.15.1.5

COBIT DS5.4

HIPAA

164.308(a) (3)(ii)

(A), 164.308(a)

(3)(ii) (B),

164.308(a) (4)(ii)

(B), 164.310(b),

164.310(d)(2)

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 74/90

(iii), 164.314(a)

(1), 164.314(a)

(2)(i), 164.314(a)

(2)(ii)

Personnel

security

PS-7 Third-Party Personnel

Security

The organization:

a. Establishes personnel

security requirements

including security roles and

responsibilities for third-party

providers;

b. Documents personnel

security requirements; and

c. Monitors provider

compliance.

ISO/IEC 27001

A.6.2.3, A.8.1.1,

A.8.2.1, A.8.1.3

COBIT P04.14,

DS2.2

HIPAA

164.308(a) (3)(ii)

(A), 164.308(a)

(4)(ii) (B),

164.308(b) (1),

164.314(a) (1),

164.314(a) (2)(i),

Personnel

security

PS-8 Personnel Sanctions

The organization employs a

formal sanctions process for

personnel failing to comply

164.314(a)(2)(ii)

ISO/IEC 27001

A.8.2.3, A.15.1.5

HIPAA

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 75/90

with established information

security policies and

procedures.

164.308(a) (1)(ii)

(C)

Table 10.9 System and information integrity controls

CONTROL

FAMILY

COMPLIANT

(YES/NO)

CONTROL MAPPINGS

System and

informatio

n integrity

Sl-1 System And Information

Integrity Policy And

Procedures

The organization develops,

disseminates, and

reviews/updates

[Assignment: organization

defined frequency]:

a. A formal, documented

system and information

integrity policy that

ISO/IEC 27001

A.5.1.1, A.5.1.2,

A.6.1.1, A.6.1.3,

A.8.1.1, A.10.1.1,

A.15.1.1,

A.15.2.1

COBIT ® P02.4,

PC5

HIPAA

164.312(c)(1)

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 76/90

addresses purpose, scope,

roles, responsibilities,

management commitment,

coordination among

organizational entities, and

compliance; and

b. Formal, documented

procedures to facilitate the

implementation of the system

and information integrity

policy and associated system

and information integrity

controls.

System and

informatio

n integrity

SI-2 Flaw Remediation

The organization:

a. Identifies, reports, and

corrects information system

flaws;

b. Tests software updates

related to flaw remediation

ISO/IEC 27001

A.10.10.5,

A.12.5.2,

A.12.6.1,A.13.1.2

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 77/90

for effectiveness and

potential side effects on

organizational information

systems before installation;

and

c. Incorporates flaw

remediation into the

organizational configuration

management process.

System and

informatio

n integrity

SI-3 Malicious Code Protection

The organization:

a. Employs malicious code

protection mechanisms at

information system entry and

exit points and at

workstations, servers, or

mobile computing devices on

the network to detect and

eradicate malicious code:

• Transported by electronic

ISO/IEC 27001

A.10.4.1

COBIT DS5.9

HIPAA

164.308(a) (5)(ii)

(B)

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 78/90

mail, electronic mail

attachments, Web accesses,

removable media, or other

common means; or

• Inserted through the

exploitation of information

system vulnerabilities;

b. Updates malicious code

protection mechanisms

(including signature

definitions) whenever new

releases are available in

accordance with

organizational configuration

management policy and

procedures;

c. Configures malicious code

protection mechanisms to:

• Perform periodic scans of

the information system

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 79/90

[Assignment: organization-

defined frequency] and real-

time scans of files from

external sources as the files

are downloaded, opened, or

executed in accordance with

organizational security

policy; and

• [Selection (one or more):

block malicious code;

quarantine malicious code;

send alert to administrator;

[Assignment: organization-

defined action]] in response

to malicious code detection;

and

d. Addresses the receipt of

false positives during

malicious code detection and

eradication and the resulting

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 80/90

potential impact on the

availability of the

information system.

System and

informatio

n integrity

SI-4 Information System

Monitoring The organization:

a. Monitors events on the

information system in

accordance with

[Assignment: organization

defined monitoring

objectives] and detects

information system attacks;

b. Identifies unauthorized use

of the information system;

ISO/IEC 27001

A.10.10.2,

A.13.1.1,

A.13.1.2

COBIT P02.4,

DS5.5, DS5.10

HIPAA

164.308(a) (5)(ii)

(B), 164.308(a)

(1)(ii) (D)

c. Deploys monitoring devices:

(i) strategically within the

information system to collect

organization-determined

essential information; and (ii)

at ad hoc locations within the

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 81/90

system to track specific types

of transactions of interest to

the organization;

d. Heightens the level of

information system

monitoring activity whenever

there is an indication of

increased risk to

organizational operations

and assets, individuals, other

organizations, or the nation

based on law enforcement

information, intelligence

information, or other

credible sources of

information; and

e. Obtains legal opinion with

regard to information system

monitoring activities in

accordance with applicable

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 82/90

federal laws, executive

orders, directives, policies, or

regulations.

System and

informatio

n integrity

SI-5 Security Alerts,

Advisories, and Directives

The organization:

a. Receives information

system security alerts,

advisories, and directives

from designated external

organizations on an ongoing

basis;

b. Generates internal security

alerts, advisories, and

directives as deemed

necessary;

c. Disseminates security

alerts, advisories, and

directives to [Assignment:

organization-defined list of

ISO/IEC 27001

A.6.1.6, A.12.6.1,

A.13.1.1,A.13.1.2

HIPAA

164.308(a) (5)(ii)

(A)

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 83/90

personnel (identified by

name and/or by role)]; and

d. Implements security

directives in accordance with

established time frames, or

notifies the issuing

organization of the degree of

noncompliance.

System and

informatio

n integrity

SI-6 Security Functionality

Verification

The information system

verifies the correct operation

of security functions

[Selection (one or more):

[Assignment: organization-

defined system transitional

states]; upon command by

user with appropriate

privilege; periodically every

[Assignment: organization-

ISO/IEC 27001

(None)

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 84/90

defined time-period]] and

[Selection (one or more):

notifies system

administrator; shuts the

system down; restarts the

system; [Assignment:

organization-defined

alternative action(s)]] when

anomalies are discovered.

System and

informatio

n integrity

SI-7 Software and Information

Integrity

The information system

detects unauthorized changes

to software and information.

ISO/IEC 27001

A.10.4.1,

A.12.2.2,

A.12.2.3

COBIT

P02.4AI2.4,

DS5.9

HIPAA

164.312(c) (1),

164.312(c) (2),

164.312(e) (2)(i)

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 85/90

System and

informatio

n integrity

SI-8 Spam Protection

The organization:

a. Employs spam protection

mechanisms at information

system entry and exit points

and at workstations, servers,

or mobile computing devices

on the network to detect and

take action on unsolicited

messages transported by

electronic mail, electronic

mail attachments, web

accesses, or other common

means; and

b. Updates spam protection

mechanisms (including

signature definitions) when

new releases are available in

accordance with

organizational configuration

ISO/IEC 27001

(None)

COBIT DS5.9

HIPAA

164.308(a) (5)(ii)

(B)

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 86/90

management policy and

procedures.

System and

informatio

n integrity

SI-9 Information Input

Restrictions

The organization restricts the

capability to input

information to the

information system to

authorized personnel.

ISO/IEC 27001

A.10.8.1,

A.11.1.1,

A.11.2.2,

A.12.2.2

COBIT AC1, AC2

System and

informatio

n integrity

SI-10 Information Input

Validation

The information system

checks the validity of

information inputs.

ISO/IEC 27001

A.12.2.1,A.12.2.2

COBIT AC3,AC4,

AC6

System and

informatio

n integrity

Sl-ll Error Handling

The information system_

a. Identifies potentially

security-relevant error

conditions;

b. Generates error messages

ISO/IEC 27001

(None)

COBIT AC5

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 87/90

that provide information

necessary for corrective

actions without revealing

[Assignment: organization-

defined sensitive or

potentially harmful

information] in error logs

and administrative messages

that could be exploited by

adversaries; and

c. Reveals error messages

only to authorized personnel.

System and

informatio

n integrity

SI-12 Information Output

Handling and Retention

The organization handles and

retains both information

within and output from the

information system in

accordance with applicable

federal laws, executive

ISO/IEC 27001

A.10.7.3,

A.15.1.3,

A.15.1.4,

A.15.2.1

COBIT AC5,

DS11.1, DS11.6

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 88/90

orders, directives, policies,

regulations, standards, and

operational requirements.

System and

informatio

n integrity

SI-13 Predictable Failure

Prevention The organization:

a. Protects the information

system from harm by

considering mean time to

failure for [Assignment:

organization-defined list of

information system

components] in specific

environments of operation;

and

b. Provides substitute

information system

components, when needed,

and a mechanism to

exchange active and standby

roles of the components.

ISO/IEC 27001

(None)

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 89/90

1.

2.

3.

4.

5.

Suggested Reading

National Institute of Standards and Technology (NIST). August 2009. Special

Publication 800-53 Rev 3: Recommended security controls for federal information

systems and organizations. http://csrc.nist.gov/publications/nistpubs/800-53-

Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf

IT Governance Institute. 2007. Mapping of NIST SP 800-53 Rev 1 with COBIT 4.1.

http://www.itgi.org

National Institute of Standards and Technology (NIST). October 2008. An introduc-

tory resource guide for implementing the Health Insurance Portability and

Accountability Act (HIPAA) security rule.

http://csrc.nist.gov/publications/nistpubs/800-66-Revl/SP-800-66-Revisionl.pdf

International Organization for Standardization (ISO). ISO/IEC 27001:2005

Information Security Management Systems—Requirements,

http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?

csnumber=42103

International Organization for Standardization (ISO). ISO/IEC 27002:2005

Information technology—Security techniques—Code of practice for information

4/30/23, 12:19 PM Chapter 10 Operational Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/021-9781466551282-010.xhtml 90/90

6.

security management,

http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?

csnumber=50297

Department of Health and Human Services, Office of the Secretary. February 20,

2003. 45 CFR Parts 160, 162, and 164 Health insurance reform: Security standards;

Final rule. Federal Register 68(24).

http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityru-

lepdf.pdf