3/28/23, 3:44 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 1/41
8
Managerial Controls
Practical Security Considerations
It is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail.
Abraham Harold Maslow, 1908–1970
The previous chapter provided an overview of the security standards and framework landscape, and illustrated the importance of adhering to a set of security controls to enhance security and demonstrate compliance to the organization and to the auditors. Each of the different standards has controls at different levels of detail. The standards chosen by an organization may be aligned to a particular vertical industry or generally applicable across industries, as shown in Table 8.1.
Security Control Convergence
The next three chapters cover the minimum controls that should be considered for a functioning information security program. These chapters cover the detailed controls for the managerial, operational, and technical classes of controls across 18 families of controls. The basis of the controls is the National Institute of Standards and Technology (NIST) 800-53 Recommended Controls for Federal Information Systems and Organizations. Although these controls were developed with the U.S. government in mind, this control set forms one of the most comprehensive, detailed control specifications that currently exist. An organization may decide that this level of control is not necessary for its needs. However, it is very useful to start with these controls and, by performing a risk assessment of each control, determine whether the control is necessary. If the controls are approached in this manner, which could also be referred to as a bottom-up approach, it is unlikely that key controls will be missed.
As noted in the previous chapter on controls, a preferred approach would be to use the NIST 800-53 security controls in conjunction with ISO/IEC 27001 controls (from Annex A; published by the International Organization for Standardization and the International Electrotechnical Commission), the COBIT controls, and the security requirements that are specified for the specific industry. If the controls are used in this manner, the best of all worlds can be achieved. COBIT (Control Objectives for Information and related Technology) can be used to supply the overall information technology (IT) framework and provide the accepted structure for future auditing of the framework to establish compliance (i.e., Sarbanes–Oxley). ISO 27001 can provide the notion of a formalized information security management system (ISMS) and a description of the processes that could be chosen to make up the ISMS. The NIST 800-53 controls can take the controls to a lower, more granular level to support the security processes, as well as provide some criteria for assessing the lower-level controls via the 800-53A special publication, which gives auditors guidance on assessing the controls. Finally, the vertical industry set of controls, such as the Health Insurance Portability and Accountability Act (HIPAA) Final Security Rule, can provide the higher-level requirements necessary to be in compliance with the promulgated regulation. These standards, control frameworks, and regulations are not in conflict with one another but can be very complementary. Granted, they exist at different levels of detail, come from different perspectives, and may have more or less stringent requirements than one another; but by implementing the sum of these requirements, the security program can be made very effective and the risk of loss reduced. An illustration of an example relationship between NIST 800-53, COBIT, ISO 27001, and HIPAA is shown in Figure 8.1.
Figure 8.1 NIST 800-53, COBIT, and ISO 27001 relationship example.
Controls may be tailored to fit the needs of the organization, and individual controls may or may not be applicable. For example, an organization that outsources its data center processing to another organization may not have to set up contracts and testing of disaster recovery with another off-site data center. However, the organization would need to ensure that the function is being provided by the data center to which it is contracting its workload. The organization should be asking how often the data is being backed up, how often it is restored, and how often disaster recovery tests are performed. It may be asked to participate in the tests for the contracted data center. In other words, it is important to review the intent of the control, and then determine who, what, where, why, and when the control is being performed.
Security Control Methodology
The controls in the next three chapters are presented by (1) a discussion of the control family area (e.g., access control) and the practical security considerations for addressing this family, and (2) a table showing the mapping between the NIST 800-53 control and ISO/IEC 27001, COBIT 4.1, and HIPAA as an example of a vertical industry mapping. In some cases, there was no related ISO/IEC 27001 mapping, and this is noted in the table. When there was a COBIT mapping, this is noted. Likewise, when there was no specific HIPAA reference, one was not noted.
The practical security considerations provide a discussion for each of the 18 control families as a guide for approaching the creation of controls within each area. The 18 control families are shown in Table 8.2. The size and resources of the organization will dictate how much can be invested within each control. Larger companies are expected to devote more resources to the security controls and implement more automated solutions to address the issues. Smaller organizations need to decide what is feasible to adequately protect the resources and may need to engage external resources to provide the adequate protection. For example, a small community bank may not be able to afford in-house staff to perform vulnerability assessment testing on the infrastructure, but may be able to secure the Internet entry point into the organization and ensure that its 15 employees receive adequate information security awareness training. This approach would not be sufficient for an organization of 40,000 employees spread across 100 locations. The risk assessment for these two organizations would lead to different conclusions. Clearly the security officer would like to spend as much money on the security controls as possible; however, the reality of balancing the other company demands against overspending on information security will limit the investment. Therefore, the practical security discussion provides an interpretation of what the NIST 800-53 controls, COBIT controls, ISO 27001 controls, and in this case the HIPAA controls are really trying to achieve, and some considerations for implementation.
Security Assessment and Authorization Controls
The security assessment and authorization control family (CA) controls shown in Table 8.3 ensure that the policies and procedures are developed and followed, that security controls are reviewed by the organization on a periodic basis, and that a person in a position of high enough authority has approved the security controls for operation of the system. In effect, this approval is contingent upon the acceptance of the risk assessment and the security control environment being adequate to present a reasonable level of risk to the approver. Government entities will have a formalized assessment and authorization process (formerly known as security certification and accreditation). However, each organization should develop a process whereby the security controls and the residual risk are approved and accepted by senior management. This creates awareness of the controls and the risk that the organization is accepting.
The security assessments may be done internally or externally, depending upon the expertise available to perform the assessments. In either case, the individuals performing the assessment should be independent so that bias does not impact the assessment. When gaps are found with the security controls, these need to be documented formally through a document such as a plan of action and milestones (POA&M). By reviewing the plans on a monthly basis, the organization can direct the appropriate attention to the controls. A process should be developed for closing the plans upon receipt of the documentation demonstrating that the issue was fixed, along with a reporting mechanism to management for items on the monthly POA&M, especially those items showing delayed status or ones that have missed the estimated implementation date.
The intent of these controls is to ensure that there is some oversight on the assessment process and that the items that are determined to be gaps are promptly closed. A goal of this process should be to close items within 90 days from issue identification. Although not all issues will be able to be mitigated within that time frame, this can be set as a standard to address most security issues that an organization will face. For those items that could take longer, the process could be built to require business justification and subsequent executive management approval (i.e., from the chief technology officer, chief information officer, or chief executive officer) for any initiatives that will take longer than 90 days to implement.
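As an added example (not from the book), the following Python models the POA&M process just described: items are closed only on receipt of evidence, the monthly report flags items with delayed status or a missed implementation date, and anything planned to run past the 90-day goal must carry executive approval. The item data, owners and field names are constructed for illustration.

```python
"""Plan of action and milestones (POA&M) tracker.

Added example, not code from the book. Models the chapter's process: gaps
from an assessment become POA&M items, are reviewed monthly, are closed only
when documentation of the fix is received, and must be closed within 90 days
unless executive management has approved a longer plan. All data below is
constructed; the field names are this example's assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

CLOSURE_GOAL = timedelta(days=90)  # the chapter's standard for closing an item


@dataclass
class PoamItem:
    item_id: str
    control: str                 # control the gap was found against, e.g. "CA-2"
    weakness: str
    identified: date             # date the gap was identified in the assessment
    estimated_completion: date   # owner's estimated implementation date
    owner: str
    exec_approval: Optional[str] = None  # approver (e.g. "CIO") when plan > 90 days
    evidence: Optional[str] = None       # reference to the document showing the fix
    closed: Optional[date] = None

    def needs_exec_approval(self) -> bool:
        # A plan that runs past the 90-day goal needs business justification
        # and executive approval before it is accepted into the POA&M.
        return self.estimated_completion - self.identified > CLOSURE_GOAL

    def status(self, today: date) -> str:
        if self.closed is not None:
            return "closed"
        if self.needs_exec_approval() and self.exec_approval is None:
            return "unapproved"   # exceeds 90 days with no executive sign-off
        if today > self.estimated_completion:
            return "missed"       # missed the estimated implementation date
        if today - self.identified > CLOSURE_GOAL:
            return "delayed"      # open beyond the 90-day goal on an approved extension
        return "on_track"


def close_item(item: PoamItem, evidence: str, today: date) -> PoamItem:
    """Close an item only on receipt of documentation that the issue was fixed."""
    if not evidence.strip():
        raise ValueError(f"{item.item_id}: closure requires evidence of the fix")
    item.evidence = evidence
    item.closed = today
    return item


def monthly_report(items: List[PoamItem], today: date) -> Dict[str, List[str]]:
    """Group items by status and list those needing management attention."""
    report: Dict[str, List[str]] = {
        "closed": [], "on_track": [], "delayed": [], "missed": [], "unapproved": []}
    for item in items:
        report[item.status(today)].append(item.item_id)
    report["needs_attention"] = sorted(
        report["delayed"] + report["missed"] + report["unapproved"])
    return report


def sample_items() -> List[PoamItem]:
    """Constructed POA&M entries used to exercise the report."""
    items = [
        PoamItem("P-1", "CA-2", "Assessment plan lacks defined scope",
                 date(2024, 1, 15), date(2024, 3, 15), "Security"),
        PoamItem("P-2", "CA-3", "Interconnection agreement missing",
                 date(2024, 3, 1), date(2024, 4, 30), "Network"),
        PoamItem("P-3", "CA-7", "No continuous monitoring strategy",
                 date(2023, 11, 1), date(2024, 6, 30), "Security", exec_approval="CIO"),
        PoamItem("P-4", "CA-6", "Authorization not refreshed",
                 date(2024, 2, 1), date(2024, 8, 1), "IT Ops"),
        PoamItem("P-5", "CA-1", "Policy not reviewed this year",
                 date(2024, 2, 10), date(2024, 3, 31), "Security"),
    ]
    close_item(items[4], "Policy v2.1 approved 2024-03-20", date(2024, 3, 20))
    return items


def example_report() -> Dict[str, List[str]]:
    """The monthly report for the constructed items as of 1 April 2024."""
    return monthly_report(sample_items(), date(2024, 4, 1))


if __name__ == "__main__":
    for key, ids in example_report().items():
        print(f"{key:16s} {ids}")
```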
Planning Controls
The old adage “If you don’t know where you are going, all roads will lead you there” certainly applies to the security planning control family (PL) shown in Table 8.4. Security can happen by chaos, but as indicated by the Capability Maturity Model Integration (CMMI), an organization can become more effective by adopting a more proactive, planned approach.
The key document in this section is the systems security plan (SSP) containing descriptions of the business, computing infrastructure, major applications, and key controls that support the documentation of the environment. The document needs to be updated annually or whenever there are significant changes in the environment. These may be caused by changes in applications, outsourcing of information technology, mergers and acquisitions, adding a managed security service provider (MSSP), and so forth. The plan should not be viewed as merely a documentation exercise that is performed by one individual in the security department, but rather as an opportunity to engage individuals from different business and IT departments to construct the plan. It is not uncommon for different people to have different understandings of what systems are in place, technology infrastructure, and security controls to support the business application or support system defined in the plan. In other words, the process of constructing the plan can be an eye-opening experience.
The security team should also have a weekly meeting to discuss the current initiatives and their status, including a review of the dates and deliverables. For security to be viewed as an ongoing program rather than a point-in-time initiative to resolve the issues created by a recent incident, the security program should be expected to be managed as a business. This can be as simple as creating a red-green-yellow colored spreadsheet (for behind, completed, and in process) shared at a weekly meeting, or as elaborate as using project management software for each project and having a biweekly comprehensive review. What is important is that there is a constant focus on what activities are in process, as well as what activities need to be added within the next 0–6, 6–12, and 12–18 month time frames to keep them on the radar.
Risk Assessment Controls
Risk assessments are the topic of much discussion these days and rightfully so. The risk assessment should represent a documented meeting of the minds between information security and senior management. This is the process that, in very simple terms, documents the risks to the organization, documents the mitigating controls, identifies the residual risk, and provides an understanding of what needs to be done to bring the security profile of the organization in line with its risk appetite. The risk management process was discussed extensively in Chapter 5 and the risk assessment control family controls are depicted in Table 8.5.
Vulnerability scanning is performed as part of the risk assessment to provide the status of the technical controls and where improvements need to be made. The risk assessment may be performed on an annual basis; however, the vulnerability scanning should be done more frequently due to the vulnerabilities introduced daily that could impact the computing environment. A minimum quarterly scanning frequency with a subsequent 90-day fix cycle to address the vulnerabilities found during the scan would be preferred. If the organization is able to perform the scanning on a weekly or daily basis through the use of automated tools, this would be a good goal to strive toward. Once the process is in place and the initial list of vulnerabilities is mitigated, the amount of time required to remove the subsequent vulnerabilities should decrease and become more manageable. An organization may choose to use multiple tools to provide increased security, since one tool might not pick up the same vulnerability as another.
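As an added example (not from the book), this Python ledger carries findings from two scanning tools across quarterly scans, applies the 90-day fix cycle to each finding, and reports remediation time and which findings only one tool ever reported. Scanner names, host names, finding identifiers and scan dates are constructed.

```python
"""Vulnerability scan ledger across tools and scan cycles.

Added example, not code from the book. It merges the results of several
scanning tools (one tool may not report what another does), tracks each
(host, finding) pair from the scan that first reported it, treats the scan
that no longer reports it as evidence of the fix, and flags findings that are
still open past the chapter's 90-day fix cycle. All data is constructed.
"""
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

FIX_CYCLE = timedelta(days=90)   # fix cycle that follows each scan
Finding = Tuple[str, str]        # (host, finding identifier) as reported by a tool


class Entry:
    """One unique (host, finding) pair followed across scans."""

    def __init__(self, first_seen: date, tools: Set[str]):
        self.first_seen = first_seen
        self.last_seen = first_seen
        self.tools = set(tools)            # every tool that has ever reported it
        self.fixed: Optional[date] = None  # scan date at which it stopped appearing

    @property
    def due(self) -> date:
        return self.first_seen + FIX_CYCLE

    def status(self, today: date) -> str:
        if self.fixed is not None:
            return "fixed"
        return "overdue" if today > self.due else "open"


class Ledger:
    def __init__(self) -> None:
        self.entries: Dict[Finding, Entry] = {}

    def record_scan(self, scan_date: date, results: Dict[str, List[Finding]]) -> None:
        """Merge one scan cycle: results maps tool name -> findings it reported."""
        seen: Dict[Finding, Set[str]] = {}
        for tool, findings in results.items():
            for f in findings:
                seen.setdefault(f, set()).add(tool)
        for f, tools in seen.items():
            entry = self.entries.get(f)
            if entry is None:
                self.entries[f] = Entry(scan_date, tools)
            else:
                entry.last_seen = scan_date
                entry.tools |= tools
                entry.fixed = None     # reappeared after a fix: open again (regression)
        # Anything open that no tool reported this cycle is taken as fixed as of
        # this scan; the scan is the evidence, so confirmation waits for a scan.
        for f, entry in self.entries.items():
            if entry.fixed is None and f not in seen:
                entry.fixed = scan_date

    def summary(self, today: date) -> dict:
        """Counts by status, remediation days per fixed finding, and how many
        findings only one tool ever reported (what a single tool would miss)."""
        out: dict = {"open": 0, "overdue": 0, "fixed": 0,
                     "fix_days": {}, "only_reported_by": {}}
        for (host, vid), entry in self.entries.items():
            out[entry.status(today)] += 1
            if entry.fixed is not None:
                out["fix_days"][f"{host}/{vid}"] = (entry.fixed - entry.first_seen).days
            if len(entry.tools) == 1:
                (tool,) = entry.tools
                out["only_reported_by"][tool] = out["only_reported_by"].get(tool, 0) + 1
        days = list(out["fix_days"].values())
        out["mean_fix_days"] = round(sum(days) / len(days), 1) if days else None
        return out


def sample_ledger() -> Ledger:
    """Three constructed quarterly scans from two constructed tools."""
    ledger = Ledger()
    ledger.record_scan(date(2024, 1, 15), {
        "scanner_a": [("web01", "V-1001"), ("web01", "V-1002"), ("db01", "V-2001")],
        "scanner_b": [("web01", "V-1001"), ("db01", "V-2001"), ("db01", "V-2002")],
    })
    ledger.record_scan(date(2024, 4, 10), {
        "scanner_a": [("web01", "V-1002"), ("web01", "V-1003")],
        "scanner_b": [("web01", "V-1003"), ("db01", "V-2002")],
    })
    ledger.record_scan(date(2024, 7, 10), {
        "scanner_a": [("web01", "V-1002")],
        "scanner_b": [],
    })
    return ledger


def example_summary() -> dict:
    """Ledger state right after the third constructed scan."""
    return sample_ledger().summary(date(2024, 7, 10))


if __name__ == "__main__":
    for key, value in example_summary().items():
        print(f"{key:18s} {value}")
```

Because a fix is only confirmed by the next scan, quarterly scanning cannot report a remediation time shorter than the scan interval; that is the practical reason the weekly or daily scanning the chapter recommends is worth striving for.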
As with the systems security plans, the risk assessment constitutes a key security document and should be approved by senior management including the CEO, CIO, and business owner of the system. The systems security department should view itself as the facilitator of the risk assessment, but the final acceptance of risk rests with whoever is designated within senior management to assume that role. Senior management has a fiduciary responsibility to protect the organization’s resources from loss, and the risk assessment document is a key document in its ability to consciously understand and accept the appropriate level of risk.
System and Services Acquisition Controls
The system and services acquisition control family (SA) controls shown in Table 8.6 ensure that the computer code supporting the business environment, whether running internally or externally, has been created by following a system development life cycle whereby the appropriate security controls are analyzed, designed, implemented, and tested according to a defined process.
Table 8.1 Vertical Industry Control Standard Alignment
Standard/control framework/regulation | Vertical industry
Health Insurance Portability and Accountability Act (HIPAA) addressable and required standards | Health insurance
Payment Card Industry Data Security Standards | Financial
National Institute of Standards and Technology (NIST) Recommended Security Controls for Federal Information Systems (800-53) | Government, federal contractors (detailed controls may be applied to all industries) to support Federal Information Security Management Act (FISMA)
ISO/IEC 27001:2005 Information security management systems—Requirements and ISO 27002:2005 Information technology—Security techniques—Code of practice for information security management | International standard may be applied to all industries
Control Objectives for Information and related Technology (COBIT) | International standard may be applied to all industries; used heavily to evaluate and demonstrate compliance with internal controls for Sarbanes–Oxley regulation
Information Technology Infrastructure Library (ITIL) | Adopted largely by IT operational areas to improve service, applicable across industries
Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook (supports Gramm–Leach–Bliley Act) | Financial
North American Electric Reliability Corporation (NERC) Critical Infrastructure Program (CIP) | U.S. bulk power systems
Software usage and licensing is also addressed to make sure that only the authorized software in the appropriate quantities is running within the environment. This can be controlled by tracking spreadsheets, discovery tools, removing administrative access from most users’ machines, and creating policies listing the approved software that may be requested from the desktop support team, help desk, or the group managing the software licenses. Allowing end users to install software on their own, even versions of approved software, might introduce vulnerabilities, as they may be installing a version with vulnerabilities not internally reviewed or an older version. Software installs should be centrally controlled for vulnerability management and license tracking. Having too many unused licenses installed costs the company money, while not having enough licenses exposes it to potential fines by the software vendors.
Table 8.2 NIST 800-53 18 Control Families
Identifier | Family | Class
AC | Access control | Technical
AT | Awareness and training | Operational
AU | Audit and accountability | Technical
CA | Security assessment and authorization | Management
CM | Configuration management | Operational
CP | Contingency planning | Operational
IA | Identification and authorization | Technical
IR | Incident response | Operational
MA | Maintenance | Operational
MP | Media protection | Operational
PE | Physical and environmental protection | Operational
PL | Planning | Management
PS | Personnel security | Operational
RA | Risk assessment | Management
SA | System and services acquisition | Management
SC | System and communications protection | Technical
SI | System and information integrity | Operational
PM | Program management | Management
Source: NIST Special Publication 800-53 Revision 3, Table 1-1, August 2009. Includes May 1, 2010, updates.
Program Management Controls
The program management (PM) control family was added in NIST 800-53 Rev3 to provide the controls in support of managing an information security program (see Table 8.7). The other controls could be viewed as the tactical implementation of security controls, whereas this family ensures that there is someone designated with the information security role who carries out the mission of managing the information security program. The ISMS within ISO 27000 has long had the requirements for the establishment of an information security program. Chapter 2 of this book discussed creating the information security strategy, and Chapters 3 and 4 addressed the management roles and responsibilities to achieve the appropriate structure and relationships to carry out the program.
Table 8.3 Security Assessment and Authorization Controls
Source columns: Control family | Control | Compliant (Yes/No) | Control mappings. Every row belongs to the Security assessment and authorization family; the Compliant (Yes/No) and Practical security considerations fields are blank in the source and are omitted below.

CA-1 Security Assessment and Authorization Policies and Procedures
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. Formal, documented security assessment and authorization policies that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the security assessment and authorization policies and associated security assessment and authorization controls.
Mappings: ISO/IEC 27001 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.6.1.4, A.8.1.1, A.10.1.1, A.15.1.1, A.15.2.1; COBIT PO10.12; HIPAA 164.308(a)(8)

CA-2 Security Assessments
The organization:
a. Develops a security assessment plan that describes the scope of the assessment including:
• Security controls and control enhancements under assessment
• Assessment procedures to be used to determine security control effectiveness
• Assessment environment, assessment team, and assessment roles and responsibilities
b. Assesses the security controls in the information system [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system;
c. Produces a security assessment report that documents the results of the assessment; and
d. Provides the results of the security control assessment, in writing, to the authorizing official or authorizing official designated representative.
Mappings: ISO/IEC 27001 A.6.1.8, A.10.3.2, A.15.2.1, A.15.2.2; COBIT DS5.5; HIPAA 164.308(a)(8)

CA-3 Information System Connections
The organization:
a. Authorizes connections from the information system to other information systems outside of the authorization boundary through the use of interconnection security agreements;
b. Documents, for each connection, the interface characteristics, security requirements, and the nature of the information communicated; and
c. Monitors the information system connections on an ongoing basis verifying enforcement of security requirements.
Mappings: ISO/IEC 27001 A.6.2.1, A.6.2.3, A.10.6.1, A.10.8.1, A.10.8.2, A.10.8.5, A.11.4.2; HIPAA 164.308(b)(1), 164.308(b)(4), 164.314(a)(2)(ii)

CA-5 Plan of Action and Milestones
The organization:
a. Develops a plan of action and milestones for the information system to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and
b. Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.
Mappings: ISO/IEC 27001 (None); COBIT ME2.7

CA-6 Security Authorization
The organization:
a. Assigns a senior-level executive or manager to the role of authorizing official for the information system;
b. Ensures that the authorizing official authorizes the information system for processing before commencing operations; and
c. Updates the security authorization [Assignment: organization-defined frequency].
Mappings: ISO/IEC 27001 A.6.1.4, A.10.3.2; COBIT AI7.7, DS5.5; HIPAA 164.308(a)(8), 164.308(a)(2)

CA-7 Continuous Monitoring
The organization establishes a continuous monitoring strategy and implements a continuous monitoring program that includes:
a. A configuration management process for the information system and its constituent components;
b. A determination of the security impact of changes to the information system and environment of operation;
c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; and
d. Reporting the security state of the information system to appropriate organizational officials [Assignment: organization-defined frequency].
Mappings: ISO/IEC 27001 A.6.1.8, A.15.2.1, A.15.2.2; COBIT PO1.3, DS5.5; HIPAA 164.308(a)(8), 164.308(a)(1)(ii)(D)
Table 8.4 Planning Controls
Source columns: Control family | Control | Compliant (Yes/No) | Control mappings. Every row belongs to the Planning family; the Compliant (Yes/No) field is blank in the source and is omitted below.

PL-1 Security Planning Policy and Procedures
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the security planning policy and associated security planning controls.
Mappings: ISO/IEC 27001 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.2, A.6.1.3, A.8.1.1, A.10.1.1, A.15.1.1, A.15.2.1; COBIT DS5.2, PC5; HIPAA 164.316(a)

PL-2 System Security Plan
The organization:
a. Develops a security plan for the information system that
• Is consistent with the organization’s enterprise architecture;
• Explicitly defines the authorization boundary for the system;
• Describes the operational context of the information system in terms of missions and business processes;
• Provides the security categorization of the information system including supporting rationale;
• Describes the operational environment for the information system;
• Describes relationships with or connections to other information systems;
• Provides an overview of the security requirements for the system;
• Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplementation decisions;
• Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
b. Reviews the security plan for the information system [Assignment: organization-defined frequency]; and
c. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments.
Mappings: ISO/IEC 27001 (None); COBIT PO1.4, DS5.2; HIPAA 164.310(a)(2), 164.316(a)(ii)

PL-4 Rules of Behavior
The organization:
a. Establishes and makes readily available to all information system users, the rules that describe their responsibilities and expected behavior with regard to information and information system usage; and
b. Receives signed acknowledgment from users indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system.
Mappings: ISO/IEC 27001 A.6.1.5, A.6.2.2, A.7.1.3, A.8.1.1, A.8.1.3, A.8.2.1, A.9.1.5, A.10.8.1, A.11.7.1, A.11.7.2, A.12.4.1, A.13.1.2, A.15.1.5; COBIT PO6.5, DS5.2, PC4; HIPAA 164.306(a)(4)

PL-5 Privacy Impact Assessment
The organization conducts a privacy impact assessment on the information system in accordance with OMB policy.
Mappings: ISO/IEC 27001 A.15.1.4

PL-6 Security-Related Activity Planning
The organization plans and coordinates security-related activities affecting the information system before conducting such activities in order to reduce the impact on organizational operations (i.e., mission, functions, image, and reputation), organizational assets, and individuals.
Mappings: ISO/IEC 27001 A.6.1.2, A.15.3.1; HIPAA 164.308(a)(1)(ii)(B), 164.310(a)(2)(ii)
Table 8.5 Risk Assessment Controls
Columns: Control Family | Control | Compliant (Yes/No) | Control Mappings

Risk assessment: RA-1 Risk Assessment Policy and Procedures
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls.
Control mappings: ISO/IEC 27001 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.10.1.1, A.14.1.2, A.15.1.1, A.15.2.1; COBIT PC5, PO9.1; HIPAA 164.316(a), 164.308(a)(1)(i)
Risk assessment: RA-2 Security Categorization
The organization:
a. Categorizes information and the information system in accordance with applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance;
b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and
c. Ensures the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative.
Control mappings: ISO/IEC 27001 A.7.2.1, A.14.1.2; COBIT PO9.2; HIPAA 164.308(a)(1)(ii)(A), 164.308(a)(7)(ii)(E)
Risk assessment: RA-3 Risk Assessment
The organization:
a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;
b. Documents risk assessment results in [Selection: security plan; risk assessment report; Assignment: organization-defined document];
c. Reviews risk assessment results [Assignment: organization-defined frequency]; and
d. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.
Control mappings: ISO/IEC 27001 A.6.2.1, A.10.2.3, A.12.6.1, A.14.1.2; COBIT PO9.3, PO9.4, AI1.1; HIPAA 164.316(a), 164.308(a)(1)(ii)(A)
Risk assessment: RA-5 Vulnerability Scanning
The organization:
a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
b. Employs vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards for:
• Enumerating platforms, software flaws, and improper configurations;
• Formatting and making transparent, checklists and test procedures; and
• Measuring vulnerability impact;
c. Analyzes vulnerability scan reports and results from security control assessments;
d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and
e. Shares information obtained from the vulnerability scanning process and security control assessments with designated personnel throughout the organization to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
Control mappings: ISO/IEC 27001 A.12.6.1, A.15.2.2; COBIT PO9.3, DS5.5
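The remediation and information-sharing steps of RA-5 (parts c. through e.) are easiest to see as a small triage routine over scan output: rate each finding by impact, apply the organization-defined response time, list what is past due, and surface flaws that recur across systems. The Python below is an added example, not code from the book, from NIST, or from any scanner product; the response-time table is a placeholder for the organization-defined values and the findings are constructed sample data.

```python
"""Triage of vulnerability scan findings in the spirit of RA-5 (added example).

Assumptions (not from the chapter): RESPONSE_TIME_DAYS stands in for the
organization-defined response times of RA-5 d., and SAMPLE_FINDINGS are
constructed records, not output of any real scanning tool.
"""
from collections import defaultdict
from datetime import date, timedelta

# Placeholder organization-defined response times per severity (RA-5 d.).
RESPONSE_TIME_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed sample findings: one record per (host, flaw) pair. The
# false_positive flag models the analyst review of RA-5 c., so that only
# "legitimate" vulnerabilities are held to a remediation deadline.
SAMPLE_FINDINGS = [
    {"host": "web-01", "flaw_id": "EXAMPLE-FLAW-1", "cvss": 9.8,
     "found": date(2023, 3, 1), "false_positive": False},
    {"host": "web-02", "flaw_id": "EXAMPLE-FLAW-1", "cvss": 9.8,
     "found": date(2023, 3, 1), "false_positive": False},
    {"host": "db-01", "flaw_id": "EXAMPLE-FLAW-2", "cvss": 5.3,
     "found": date(2023, 1, 10), "false_positive": False},
    {"host": "db-01", "flaw_id": "EXAMPLE-FLAW-3", "cvss": 7.5,
     "found": date(2023, 3, 20), "false_positive": True},
    {"host": "app-01", "flaw_id": "EXAMPLE-FLAW-4", "cvss": 2.0,
     "found": date(2022, 6, 1), "false_positive": False},
]


def severity(cvss: float) -> str:
    """Map a CVSS v3 base score to the standard qualitative rating."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def remediation_deadline(finding: dict) -> date:
    """Discovery date plus the response time for the finding's severity."""
    days = RESPONSE_TIME_DAYS[severity(finding["cvss"])]
    return finding["found"] + timedelta(days=days)


def overdue_findings(findings: list, as_of: date) -> list:
    """Legitimate findings whose remediation deadline has already passed."""
    return sorted(
        (f["host"], f["flaw_id"])
        for f in findings
        if not f["false_positive"] and remediation_deadline(f) < as_of
    )


def systemic_weaknesses(findings: list, min_hosts: int = 2) -> dict:
    """Flaws present on at least min_hosts distinct systems (RA-5 e.)."""
    hosts_by_flaw = defaultdict(set)
    for f in findings:
        if not f["false_positive"]:
            hosts_by_flaw[f["flaw_id"]].add(f["host"])
    return {flaw: sorted(hosts) for flaw, hosts in hosts_by_flaw.items()
            if len(hosts) >= min_hosts}


def triage_report(findings: list, as_of_iso: str) -> dict:
    """Combine the overdue list and the systemic-weakness list as of a date."""
    as_of = date.fromisoformat(as_of_iso)
    return {"overdue": overdue_findings(findings, as_of),
            "systemic": systemic_weaknesses(findings)}


if __name__ == "__main__":
    report = triage_report(SAMPLE_FINDINGS, "2023-03-28")
    for host, flaw in report["overdue"]:
        print(f"OVERDUE  {host:8s} {flaw}")
    for flaw, hosts in report["systemic"].items():
        print(f"SYSTEMIC {flaw} on {', '.join(hosts)}")
```

Run as of 2023-03-28 against the sample data, the critical flaw on both web hosts and the long-ignored low finding on app-01 come back as overdue, the medium finding on db-01 is still inside its window, the flagged false positive is excluded, and EXAMPLE-FLAW-1 is reported as systemic because it appears on two systems. The severity thresholds follow the published CVSS v3 qualitative ratings; the deadlines are only as meaningful as the response times the organization actually defines.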
Table 8.6 System and Services Acquisition Controls
Columns: Control Family | Control | Compliant (Yes/No) | Control Mappings

System and services acquisition: SA-1 System and Services Acquisition Policy and Procedures
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented system and services acquisition policy that includes information security considerations and that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls.
Control mappings: ISO/IEC 27001 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.6.2.1, A.8.1.1, A.10.1.1, A.12.1.1, A.12.5.5, A.15.1.1, A.15.2.1; COBIT AI2.5, AI5.1, PC5
System and services acquisition: SA-2 Allocation of Resources
The organization:
a. Includes a determination of information security requirements for the information system in mission/business process planning;
b. Determines, documents, and allocates the resources required to protect the information system as part of its capital planning and investment control process; and
c. Establishes a discrete line item for information security in organizational programming and budgeting documentation.
Control mappings: ISO/IEC 27001 A.6.1.2, A.10.3.1; COBIT PO1.1, PO5.2
System and services acquisition: SA-3 Life Cycle Support
The organization:
a. Manages the information system using a system development life cycle methodology that includes information security considerations;
b. Defines and documents information system security roles and responsibilities throughout the system development life cycle; and
c. Identifies individuals having information system security roles and responsibilities.
Control mappings: ISO/IEC 27001 A.12.1.1; COBIT PO8.3, AI2.7
System and services acquisition: SA-4 Acquisitions
The organization includes the following requirements and/or specifications, explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable federal laws, executive orders, directives, policies, regulations, and standards:
a. Security functional requirements/specifications;
b. Security-related documentation requirements; and
c. Developmental and evaluation-related assurance requirements.
Control mappings: ISO/IEC 27001 A.12.1.1, A.12.5.5; COBIT AI2.4, AI5.4; HIPAA 164.314(a)(2)(i)
System and services acquisition: SA-5 Information System Documentation
The organization:
a. Obtains, protects as required, and makes available to authorized personnel, administrator documentation for the information system that describes:
• Secure configuration, installation, and operation of the information system;
• Effective use and maintenance of security features/functions; and
• Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions; and
b. Obtains, protects as required, and makes available to authorized personnel, user documentation for the information system that describes:
• User-accessible security features/functions and how to effectively use those security features/functions;
• Methods for user interaction with the information system, which enables individuals to use the system in a more secure manner; and
• User responsibilities in maintaining the security of the information and information system; and
c. Documents attempts to obtain information system documentation when such documentation is either unavailable or nonexistent.
Control mappings: ISO/IEC 27001 A.10.7.4, A.15.1.3; COBIT DS5.7
System and services acquisition: SA-6 Software Usage Restrictions
The organization:
a. Uses software and associated documentation in accordance with contract agreements and copyright laws;
b. Employs tracking systems for software and associated documentation protected by quantity licenses to control copying and distribution; and
c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
Control mappings: ISO/IEC 27001 A.12.4.1, A.12.5.5, A.15.1.2; COBIT DS9.3
System and services acquisition: SA-7 User-Installed Software
The organization enforces explicit rules governing the installation of software by users.
Control mappings: ISO/IEC 27001 A.12.4.1, A.12.5.5, A.15.1.5; COBIT DS9.3
System and services acquisition: SA-8 Security Engineering Principles
The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.
Control mappings: ISO/IEC 27001 A.10.4.1, A.10.4.2, A.11.4.5, A.12.5.5; COBIT AI2.4
System and services acquisition: SA-9 External Information System Services
The organization:
a. Requires that providers of external information system services comply with organizational information security requirements and employ appropriate security controls in accordance with applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance;
b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
c. Monitors security control compliance by external service providers.
Control mappings: ISO/IEC 27001 A.6.1.5, A.6.2.1, A.6.2.3, A.8.1.1, A.8.2.1, A.10.2.1, A.10.2.2, A.10.2.3, A.10.6.2, A.10.8.2, A.12.5.5; COBIT DS1.6, DS2.3, ME3.1, ME3.3; HIPAA 164.308(b)(4), 164.314(a)(1), 164.314(a)(2)(i), 164.314(a)(2)(ii)
System and services acquisition: SA-10 Developer Configuration Management
The organization requires that information system developers/integrators:
a. Perform configuration management during information system design, development, implementation, and operation;
b. Manage and control changes to the information system;
c. Implement only organization-approved changes;
d. Document approved changes to the information system; and
e. Track security flaws and flaw resolution.
Control mappings: ISO/IEC 27001 A.12.4.3, A.12.5.1, A.12.5.5
System and services acquisition: SA-11 Developer Security Testing
The organization requires that information system developers/integrators, in consultation with associated security personnel (including security engineers):
a. Create and implement a security test and evaluation plan;
b. Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the security testing and evaluation process; and
c. Document the results of the security testing/evaluation and flaw remediation processes.
Control mappings: ISO/IEC 27001 A.10.3.2, A.12.5.5; COBIT AI2.8
System and services acquisition: SA-12 Supply Chain Protection
The organization protects against supply chain threats by employing [Assignment: organization-defined list of measures to protect against supply chain threats] as part of a comprehensive, defense-in-breadth information security strategy.
Control mappings: ISO/IEC 27001 A.12.5.5
System and services acquisition: SA-13 Trustworthiness
The organization requires that the information system meets [Assignment: organization-defined level of trustworthiness].
Control mappings: ISO/IEC 27001 A.12.5.5
System and services acquisition: SA-14 Critical Information System Components
The organization:
a. Determines [Assignment: organization-defined list of critical information system components that require re-implementation]; and
b. Re-implements or custom develops such information system components.
Control mappings: ISO/IEC 27001 (None)
Table 8.7 Program Management Controls
Columns: Control Family | Control | Compliant (Yes/No) | Control Mappings

Program management: PM-1 Information Security Program Plan
The organization:
a. Develops and disseminates an organization-wide information security program plan that:
• Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
• Provides sufficient information about the program management controls and common controls (including specification of parameters for any assignment and selection operations either explicitly or by reference) to enable an implementation that is unambiguously compliant with the intent of the plan and a determination of the risk to be incurred if the plan is implemented as intended;
• Includes roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
• Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the nation;
b. Reviews the organization-wide information security program plan [Assignment: organization-defined frequency]; and
c. Revises the plan to address organizational changes and problems identified during plan implementation or security control assessments.
Control mappings: ISO/IEC 27001 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.15.1.1, A.15.2.1
Program management: PM-2 Senior Information Security Officer
The organization appoints a senior information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.
Control mappings: ISO/IEC 27001 A.6.1.1, A.6.1.2, A.6.1.3
Program management: PM-3 Information Security Resources
The organization:
a. Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement;
b. Employs a business case/Exhibit 300/Exhibit 53 to record the resources required; and
c. Ensures that information security resources are available for expenditure as planned.
Control mappings: ISO/IEC 27001 (None)
Program management: PM-4 Plan of Action and Milestones Process
The organization implements a process for ensuring that plans of action and milestones for the security program and the associated organizational information systems are maintained and document the remedial information security actions to mitigate risk to organizational operations and assets, individuals, other organizations, and the nation.
Control mappings: ISO/IEC 27001 (None)
Program management: PM-5 Information System Inventory
The organization develops and maintains an inventory of its information systems.
Control mappings: ISO/IEC 27001 A.7.1.1, A.7.1.2
Program management: PM-6 Information Security Measures of Performance
The organization develops, monitors, and reports on the results of information security measures of performance.
Control mappings: ISO/IEC 27001 (None)
Program management: PM-7 Enterprise Architecture
The organization develops an enterprise architecture with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the nation.
Control mappings: ISO/IEC 27001 (None)
Program management: PM-8 Critical Infrastructure Plan
The organization addresses information security issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.
Control mappings: ISO/IEC 27001 (None)
Program management: PM-9 Risk Management Strategy
The organization:
a. Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the nation associated with the operation and use of information systems; and
b. Implements that strategy consistently across the organization.
Control mappings: ISO/IEC 27001 A.6.2.1, A.14.1.2
Program management: PM-10 Security Authorization Process
The organization:
a. Manages (i.e., documents, tracks, and reports) the security state of organizational information systems through security authorization processes;
b. Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and
c. Fully integrates the security authorization processes into an organization-wide risk management program.
Control mappings: ISO/IEC 27001 A.6.1.4
Program management: PM-11 Mission/Business Process Definition
The organization:
a. Defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the nation; and
b. Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until an achievable set of protection needs is obtained.
Control mappings: ISO/IEC 27001 (None)
Suggested Reading
1. National Institute of Standards and Technology (NIST). August 2009. Special Publication 800-53 Rev3: Recommended security controls for federal information systems and organizations. http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf
2. IT Governance Institute. 2007. Mapping of NIST SP 800-53 Rev 1 with COBIT® 4.1. http://www.itgi.org
3. National Institute of Standards and Technology (NIST). October 2008. An introductory resource guide for implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf
4. International Organization for Standardization (ISO). ISO/IEC 27001:2005 Information security management systems—Requirements. http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=42103
5. International Organization for Standardization (ISO). ISO/IEC 27002:2005 Information technology—Security techniques—Code of practice for information security management. http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=50297
6. Department of Health and Human Services, Office of the Secretary. February 20, 2003. 45 CFR Parts 160, 162, and 164 Health insurance reform: Security standards; Final rule. Federal Register 68(24). http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityrulepdf.pdf
7. Capability Maturity Model Integration (CMMI). http://www.sei.cmu.edu/cmmi/