
3/28/23, 3:44 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 1/41

8 Managerial Controls: Practical Security Considerations

It is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail.

Abraham Harold Maslow, 1908–1970

The previous chapter provided an overview of the security standards and framework landscape, and illustrated the importance of adhering to a set of security controls both to enhance security and to demonstrate compliance to the organization and to the auditors. Each of the standards has controls at different levels of detail. The standards chosen by an organization may be aligned to a particular vertical industry or generally applicable across industries, as shown in Table 8.1.

Security Control Convergence

The next three chapters cover the minimum controls that should be considered for a functioning information security program. These chapters cover the detailed controls for the managerial, operational, and technical classes of controls across 18 families of controls. The basis of the controls is National Institute of Standards and Technology (NIST) Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations. Although these controls were developed with the U.S. government in mind, the control set is one of the most comprehensive, detailed control specifications that currently exist. An organization may decide that this level of control is not necessary for it. However, it is very useful to start with these controls and, by performing a risk assessment of each control, determine whether the control is necessary. If the controls are approached in this manner, which could also be referred to as a bottom-up approach, it is unlikely that key controls will be missed.

As noted in the previous chapter on controls, a preferred approach is to use the NIST 800-53 security controls in conjunction with the ISO/IEC 27001 controls (from Annex A; published by the International Organization for Standardization and the International Electrotechnical Commission), the COBIT controls, and the security requirements specified for the specific industry. If the controls are used in this manner, the best of all worlds can be achieved. COBIT (Control Objectives for Information and related Technology) can supply the overall information technology (IT) framework and provide the accepted structure for future auditing of the framework to establish compliance (e.g., with Sarbanes–Oxley). ISO 27001 provides the notion of a formalized information security management system (ISMS) and a description of the processes that could be chosen to make up the ISMS. The NIST 800-53 controls take the controls to a lower, more granular level to support the security processes, and NIST Special Publication 800-53A provides auditors with guidance and criteria for assessing those lower-level controls. Finally, the vertical industry set of controls, such as the Health Insurance Portability and Accountability Act (HIPAA) Final Security Rule, provides the higher-level requirements necessary to be in compliance with the promulgated regulation. These standards, control frameworks, and regulations are not in conflict with one another but can be very complementary. Granted, they exist at different levels of detail, come from a different focus, and may have more or less stringent requirements than one another; by implementing the sum of these requirements, the security program can be made very effective and the risk of loss reduced. An example of the relationship between NIST 800-53, COBIT, ISO 27001, and HIPAA is shown in Figure 8.1.


Figure 8.1 NIST 800-53, COBIT, and ISO 27001 relationship example.

Controls may be tailored to fit the needs of the organization, and individual controls may or may not be applicable. For example, an organization that outsources its data center processing to another organization may not have to set up contracts and disaster recovery testing with another off-site data center. However, the organization would need to ensure that the function is being provided by the data center to which it contracts its workload. The organization should be asking how often the data is backed up, how often restores are performed, and how often disaster recovery tests are performed. It may also be asked to participate in the tests for the contracted data center. In other words, it is important to review the intent of the control, and then determine who, what, where, why, and when the control is being performed.

Security Control Methodology

The controls in the next three chapters are presented by (1) a discussion of the control family area (e.g., access control) and the practical security considerations for addressing this family, and (2) a table showing the mapping between the NIST 800-53 control and ISO/IEC 27001, COBIT 4.1, and HIPAA, the last as an example of a vertical industry mapping. In some cases there was no related ISO/IEC 27001 mapping, and this is noted in the table. Where there was a COBIT mapping, it is noted. Likewise, where there was no specific HIPAA reference, none is noted.

The practical security considerations provide a discussion for each of the 18 control families as a guide for approaching the creation of controls within each area. The 18 control families are shown in Table 8.2. The size and resources of the organization will dictate how much can be invested within each control. Larger companies are expected to devote more resources to the security controls and implement more automated solutions to address the issues. Smaller organizations need to decide what is feasible to adequately protect their resources and may need to engage external resources to provide adequate protection. For example, a small community bank may not be able to afford in-house staff to perform vulnerability assessment testing on the infrastructure, but may be able to secure the Internet entry point into the organization and ensure that its 15 employees receive adequate information security awareness training. This approach would not be sufficient for an organization of 40,000 employees spread across 100 locations. The risk assessments for these two organizations would lead to different conclusions. Clearly the security officer would like to spend as much on security controls as possible; however, the reality of balancing other company demands against overspending on information security will limit the investment. Therefore, the practical security discussion provides an interpretation of what the NIST 800-53 controls, COBIT controls, ISO 27001 controls, and in this case the HIPAA controls are really trying to achieve, and some considerations for implementation.

Security Assessment and Authorization Controls

The security assessment and authorization control family (CA) controls shown in Table 8.3 ensure that policies and procedures are developed and followed, that security controls are reviewed by the organization on a periodic basis, and that a person in a position of high enough authority has approved the security controls for operation of the system. In effect, this approval is contingent upon acceptance of the risk assessment and upon the security control environment being adequate to present a reasonable level of risk to the approver. Government entities will have a formalized assessment and authorization process (formerly known as security certification and accreditation). However, each organization should develop a process whereby the security controls and the residual risk are approved and accepted by senior management. This creates awareness of the controls and of the risk that the organization is accepting.

The security assessments may be done internally or externally, depending upon the expertise available to perform them. In either case, the individuals performing the assessment should be independent so that bias does not affect the assessment. When gaps are found in the security controls, these need to be documented formally in a document such as a plan of action and milestones (POA&M). By reviewing the plans on a monthly basis, the organization can direct the appropriate attention to the controls. A process should be developed for closing the plans upon receipt of documentation demonstrating that the issue was fixed, along with a reporting mechanism to management for items on the monthly POA&M, especially those items showing delayed status or ones that have missed the estimated implementation date.

The intent of these controls is to ensure that there is oversight of the assessment process and that the items determined to be gaps are promptly closed. A goal of this process should be to close items within 90 days of issue identification. Although not all issues can be mitigated within that time frame, this can be set as a standard to address most security issues that an organization will face. For those items that could take longer, the process could be built to require business justification and subsequent executive management approval (e.g., from the chief technology officer, chief information officer, or chief executive officer) for any initiatives that will take longer than 90 days to implement.

Planning Controls

The old adage “If you don’t know where you are going, all roads will lead you there” certainly applies to the security planning control family (PL) shown in Table 8.4. Security can happen by chaos, but as indicated by the Capability Maturity Model Integration (CMMI), an organization can become more effective by adopting a more proactive, planned approach.

The key document in this section is the system security plan (SSP), containing descriptions of the business, computing infrastructure, major applications, and key controls that support the documentation of the environment. The document needs to be updated annually or whenever there are significant changes in the environment. These may be caused by changes in applications, outsourcing of information technology, mergers and acquisitions, adding a managed security service provider (MSSP), and so forth. The plan should not be viewed merely as a documentation exercise performed by one individual in the security department, but rather as an opportunity to engage individuals from different business and IT departments to construct the plan. It is not uncommon for different people to have different understandings of what systems are in place, what the technology infrastructure is, and what security controls support the business application or support system defined in the plan. In other words, the process of constructing the plan can be an eye-opening experience.


The security team should also have a weekly meeting to discuss the current initiatives and their status, including a review of dates and deliverables. For security to be viewed as an ongoing program rather than a point-in-time initiative to resolve the issues created by a recent incident, the security program should be managed as a business. This can be as simple as creating a red-yellow-green colored spreadsheet (for behind, in process, and completed) shared at a weekly meeting, or as elaborate as using project management software for each project and holding a biweekly comprehensive review. What is important is that there is a constant focus on which activities are in process, as well as which activities need to be added within the next 0–6, 6–12, and 12–18 month time frames, to keep them on the radar.

Risk Assessment Controls

Risk assessments are the topic of much discussion these days, and rightfully so. The risk assessment should represent a documented meeting of the minds between information security and senior management. This is the process that, in very simple terms, documents the risks to the organization, documents the mitigating controls, identifies the residual risk, and provides an understanding of what needs to be done to bring the security profile of the organization in line with its risk appetite. The risk management process was discussed extensively in Chapter 5, and the risk assessment control family controls are depicted in Table 8.5.

Vulnerability scanning is performed as part of the risk assessment to provide the status of the technical controls and show where improvements need to be made. The risk assessment may be performed on an annual basis; however, vulnerability scanning should be done more frequently because of the vulnerabilities introduced daily that could affect the computing environment. A minimum quarterly scanning frequency, with a subsequent 90-day fix cycle to address the vulnerabilities found during the scan, would be preferred. If the organization is able to perform the scanning on a weekly or daily basis through the use of automated tools, this would be a good goal to strive toward. Once the process is in place and the initial list of vulnerabilities is mitigated, the time required to remove subsequent vulnerabilities should decrease and become more manageable. An organization may choose to use multiple tools to provide increased coverage, since one tool might not detect the same vulnerabilities as another.
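The following is an added worked example, not code from the book, showing the scanning discipline the preceding paragraphs describe and the POA&M follow-up described under the security assessment and authorization controls: results from two scanning tools over two quarterly cycles are merged by (host, vulnerability ID), each finding is aged against the 90-day fix cycle for the monthly review, and findings that only one tool reported are listed separately. The scan data, the tool names toolA and toolB, the review date, and the rule that a finding absent from a later scan by a tool that previously reported it counts as remediated are all assumptions made for this example.

```python
"""Track vulnerability findings across scan cycles and scanning tools, and
age them against a 90-day fix cycle as POA&M-style status lines.

Added example for this chapter, not code from the book. The scan results are
constructed sample data in a simplified (host, vuln_id, severity) shape; real
scanner exports would be parsed into that shape first.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample scans: (scan_date, tool, [(host, vuln_id, severity), ...]).
# Two tools are run on purpose: each reports a finding the other misses.
SAMPLE_SCANS = [
    (date(2023, 1, 10), "toolA", [("web01", "CVE-2022-0001", "high"),
                                  ("db01", "CVE-2021-0002", "critical")]),
    (date(2023, 1, 10), "toolB", [("web01", "CVE-2022-0001", "high"),
                                  ("web01", "CVE-2022-0003", "medium")]),
    (date(2023, 4, 12), "toolA", [("db01", "CVE-2021-0002", "critical"),
                                  ("app02", "CVE-2023-0004", "high")]),
    (date(2023, 4, 12), "toolB", [("web01", "CVE-2022-0003", "medium")]),
]
REVIEW_DATE = date(2023, 4, 30)  # assumed date of the monthly POA&M review


@dataclass
class Finding:
    host: str
    vuln_id: str
    severity: str
    first_seen: date
    last_seen: date
    tools: set[str] = field(default_factory=set)
    closed_on: date | None = None


class FindingTracker:
    """Deduplicates findings by (host, vuln_id) across tools and scan cycles."""

    def __init__(self, fix_cycle_days: int = 90, review_window_days: int = 30):
        self.fix_cycle = timedelta(days=fix_cycle_days)
        self.review_window = timedelta(days=review_window_days)
        self.findings: dict[tuple[str, str], Finding] = {}

    def ingest(self, scan_date: date, tool: str, rows) -> None:
        seen = set()
        for host, vuln_id, severity in rows:
            key = (host, vuln_id)
            seen.add(key)
            f = self.findings.get(key)
            if f is None:
                self.findings[key] = Finding(host, vuln_id, severity,
                                             scan_date, scan_date, {tool})
            else:
                f.last_seen = max(f.last_seen, scan_date)
                f.tools.add(tool)
                f.closed_on = None  # reported again: reopen, keep original first_seen
        # Assumed closure rule: a finding this tool reported earlier but not now
        # is treated as remediated; the clean re-scan is the POA&M closure evidence.
        for key, f in self.findings.items():
            if (tool in f.tools and key not in seen
                    and f.closed_on is None and scan_date > f.last_seen):
                f.closed_on = scan_date

    def poam_status(self, as_of: date) -> list[dict]:
        """One status line per finding, for the monthly POA&M review."""
        lines = []
        for f in self.findings.values():
            due = f.first_seen + self.fix_cycle
            if f.closed_on is not None:
                status, end = "closed", f.closed_on
            elif as_of > due:
                # Past the fix cycle: needs business justification and
                # executive approval under the chapter's process.
                status, end = "overdue", as_of
            elif due - as_of <= self.review_window:
                status, end = "due soon", as_of
            else:
                status, end = "open", as_of
            lines.append({"host": f.host, "vuln_id": f.vuln_id,
                          "severity": f.severity, "first_seen": f.first_seen,
                          "due": due, "days_open": (end - f.first_seen).days,
                          "tools": sorted(f.tools), "status": status})
        # Overdue items first, then by due date.
        return sorted(lines, key=lambda l: (l["status"] != "overdue", l["due"]))

    def single_tool_findings(self) -> dict[tuple[str, str], str]:
        """Findings only one tool reported: the reason to run more than one."""
        return {k: next(iter(f.tools)) for k, f in self.findings.items()
                if len(f.tools) == 1}


def build_tracker(scans=SAMPLE_SCANS) -> FindingTracker:
    tracker = FindingTracker()
    for scan_date, tool, rows in sorted(scans, key=lambda s: s[0]):
        tracker.ingest(scan_date, tool, rows)
    return tracker


if __name__ == "__main__":
    for line in build_tracker().poam_status(REVIEW_DATE):
        print(f"{line['status']:<9} {line['days_open']:>4}d  {line['host']}"
              f"  {line['vuln_id']}  ({', '.join(line['tools'])})")
```

Running the file prints the status lines with overdue items first. In a real program the ingest step would be fed from the scanners' export files, and an overdue line would be the trigger for the business justification and executive approval the chapter calls for, while the single-tool list is the evidence for keeping a second scanner in the rotation.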

As with the system security plans, the risk assessment constitutes a key security document and should be approved by senior management, including the CEO, CIO, and business owner of the system. The information security department should view itself as the facilitator of the risk assessment, but the final acceptance of risk rests with whoever within senior management is designated to assume that role. Senior management has a fiduciary responsibility to protect the organization’s resources from loss, and the risk assessment document is a key document in its ability to consciously understand and accept the appropriate level of risk.

System and Services Acquisition Controls

The system and services acquisition control family (SA) controls shown in Table 8.6 ensure that the computer code supporting the business environment, whether running internally or externally, has been created by following a system development life cycle whereby the appropriate security controls are analyzed, designed, implemented, and tested according to a defined process.


Table 8.1 Vertical Industry Control Standard Alignment

STANDARD/CONTROL FRAMEWORK/REGULATION | VERTICAL INDUSTRY
Health Insurance Portability and Accountability Act (HIPAA) addressable and required standards | Health insurance
Payment Card Industry Data Security Standard (PCI DSS) | Financial
National Institute of Standards and Technology (NIST) Recommended Security Controls for Federal Information Systems (800-53) | Government and federal contractors, to support the Federal Information Security Management Act (FISMA); detailed controls may be applied to all industries
ISO/IEC 27001:2005 Information security management systems—Requirements, and ISO 27002:2005 Information technology—Security techniques—Code of practice for information security management | International standard, may be applied to all industries
Control Objectives for Information and related Technology (COBIT) | International framework, may be applied to all industries; used heavily to evaluate and demonstrate compliance with internal controls for the Sarbanes–Oxley regulation
Information Technology Infrastructure Library (ITIL) | Adopted largely by IT operational areas to improve service; applicable across industries
Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook (supports the Gramm–Leach–Bliley Act) | Financial
North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) | U.S. bulk power systems

Software usage and licensing is also addressed, to make sure that only authorized software, in the appropriate quantities, is running within the environment. This can be controlled by tracking spreadsheets, discovery tools, removing administrative access from most users’ machines, and creating policies listing the approved software that may be requested from the desktop support team, help desk, or the group managing the software licenses. Allowing end users to install software on their own, even versions of approved software, might introduce vulnerabilities, as they may install a version with vulnerabilities that was not internally reviewed, or an older version. Software installs should be centrally controlled for vulnerability management and license tracking. Having more licenses installed than are used costs the company money, while running more copies than are licensed exposes it to fines from the software vendors.

Table 8.2 NIST 800-53 18 Control Families

IDENTIFIER | FAMILY | CLASS
AC | Access control | Technical
AT | Awareness and training | Operational
AU | Audit and accountability | Technical
CA | Security assessment and authorization | Management
CM | Configuration management | Operational
CP | Contingency planning | Operational
IA | Identification and authentication | Technical
IR | Incident response | Operational
MA | Maintenance | Operational
MP | Media protection | Operational
PE | Physical and environmental protection | Operational
PL | Planning | Management
PS | Personnel security | Operational
RA | Risk assessment | Management
SA | System and services acquisition | Management
SC | System and communications protection | Technical
SI | System and information integrity | Operational
PM | Program management | Management

Source: NIST Special Publication 800-53 Revision 3, Table 1-1, August 2009, including the May 1, 2010, updates.

Program Management Controls

The program management (PM) control family was added in NIST 800-53 Rev. 3 to provide the controls in support of managing an information security program (see Table 8.7). The other controls could be viewed as the tactical implementation of security controls, whereas this family ensures that someone is designated with the information security role and carries out the mission of managing the information security program. The ISMS within ISO/IEC 27001 has long had requirements for the establishment of an information security program. Chapter 2 of this book discussed creating the information security strategy, and Chapters 3 and 4 addressed the management roles and responsibilities needed to achieve the appropriate structure and relationships to carry out the program.

Table 8.3 Security Assessment and Authorization Controls

Control family: Security assessment and authorization. Each row of the source table also carries a Compliant (Yes/No) column and a Practical security considerations cell, both left blank for the reader to complete; only the control text and the control mappings are reproduced here.

CA-1 Security Assessment and Authorization Policies and Procedures
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. Formal, documented security assessment and authorization policies that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the security assessment and authorization policies and associated security assessment and authorization controls.
Control mappings: ISO/IEC 27001 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.6.1.4, A.8.1.1, A.10.1.1, A.15.1.1, A.15.2.1; COBIT PO10.12; HIPAA 164.308(a)(8)

CA-2 Security Assessments
The organization:
a. Develops a security assessment plan that describes the scope of the assessment including:
• Security controls and control enhancements under assessment
• Assessment procedures to be used to determine security control effectiveness
• Assessment environment, assessment team, and assessment roles and responsibilities
b. Assesses the security controls in the information system [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system;
c. Produces a security assessment report that documents the results of the assessment; and
d. Provides the results of the security control assessment, in writing, to the authorizing official or authorizing official designated representative.
Control mappings: ISO/IEC 27001 A.6.1.8, A.10.3.2, A.15.2.1, A.15.2.2; COBIT DS5.5; HIPAA 164.308(a)(8)

CA-3 Information System Connections
The organization:
a. Authorizes connections from the information system to other information systems outside of the authorization boundary through the use of interconnection security agreements;
b. Documents, for each connection, the interface characteristics, security requirements, and the nature of the information communicated; and
c. Monitors the information system connections on an ongoing basis verifying enforcement of security requirements.
Control mappings: ISO/IEC 27001 A.6.2.1, A.6.2.3, A.10.6.1, A.10.8.1, A.10.8.2, A.10.8.5, A.11.4.2; HIPAA 164.308(b)(1), 164.308(b)(4), 164.314(a)(2)(ii)

CA-5 Plan of Action and Milestones
The organization:
a. Develops a plan of action and milestones for the information system to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and
b. Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.
Control mappings: ISO/IEC 27001 (None); COBIT ME2.7

CA-6 Security Authorization
The organization:
a. Assigns a senior-level executive or manager to the role of authorizing official for the information system;
b. Ensures that the authorizing official authorizes the information system for processing before commencing operations; and
c. Updates the security authorization [Assignment: organization-defined frequency].
Control mappings: ISO/IEC 27001 A.6.1.4, A.10.3.2; COBIT AI7.7, DS5.5; HIPAA 164.308(a)(8), 164.308(a)(2)

CA-7 Continuous Monitoring
The organization establishes a continuous monitoring strategy and implements a continuous monitoring program that includes:
a. A configuration management process for the information system and its constituent components;
b. A determination of the security impact of changes to the information system and environment of operation;
c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; and
d. Reporting the security state of the information system to appropriate organizational officials [Assignment: organization-defined frequency].
Control mappings: ISO/IEC 27001 A.6.1.8, A.15.2.1, A.15.2.2; COBIT PO1.3, DS5.5; HIPAA 164.308(a)(8), 164.308(a)(1)(ii)(D)

Table 8.4 Planning Controls

Control family: Planning. As in Table 8.3, the Compliant (Yes/No) column is left blank for the reader to complete.

PL-1 Security Planning Policy and Procedures
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the security planning policy and associated security planning controls.
Control mappings: ISO/IEC 27001 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.2, A.6.1.3, A.8.1.1, A.10.1.1, A.15.1.1, A.15.2.1; COBIT DS5.2, PC5; HIPAA 164.316(a)

PL-2 System Security Plan
The organization:
a. Develops a security plan for the information system that
• Is consistent with the organization’s enterprise architecture;
• Explicitly defines the authorization boundary for the system;
• Describes the operational context of the information system in terms of missions and business processes;
• Provides the security categorization of the information system including supporting rationale;
• Describes the operational environment for the information system;
• Describes relationships with or connections to other information systems;
• Provides an overview of the security requirements for the system;
• Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplementation decisions;
• Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
b. Reviews the security plan for the information system [Assignment: organization-defined frequency]; and
c. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments.
Control mappings: ISO/IEC 27001 (None); COBIT PO1.4, DS5.2; HIPAA 164.310(a)(2), 164.316(a)(ii)

PL-4 Rules of Behavior
The organization:
a. Establishes and makes readily available to all information system users, the rules that describe their responsibilities and expected behavior with regard to information and information system usage; and
b. Receives signed acknowledgment from users indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system.
Control mappings: ISO/IEC 27001 A.6.1.5, A.6.2.2, A.7.1.3, A.8.1.1, A.8.1.3, A.8.2.1, A.9.1.5, A.10.8.1, A.11.7.1, A.11.7.2, A.12.4.1, A.13.1.2, A.15.1.5; COBIT PO6.5, DS5.2, PC4; HIPAA 164.306(a)(4)

PL-5 Privacy Impact Assessment
The organization conducts a privacy impact assessment on the information system in accordance with OMB policy.
Control mappings: ISO/IEC 27001 A.15.1.4

PL-6 Security-Related Activity Planning
The organization plans and coordinates security-related activities affecting the information system before conducting such activities in order to reduce the impact on organizational operations (i.e., mission, functions, image, and reputation), organizational assets, and individuals.
Control mappings: ISO/IEC 27001 A.6.1.2, A.15.3.1; HIPAA 164.308(a)(1)(ii)(B), 164.310(a)(2)(ii)

Table 8.5 Risk Assessment Controls
Columns: Control Family | Control | Compliant (Yes/No) | Control Mappings

RA-1 Risk Assessment Policy and Procedures (Control family: Risk assessment)
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls.
Compliant (Yes/No): ____
Control mappings: ISO/IEC 27001 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.10.1.1, A.14.1.2, A.15.1.1, A.15.2.1; COBIT PC5, PO9.1; HIPAA 164.316(a), 164.308(a)(1)(i)

RA-2 Security Categorization (Control family: Risk assessment)
The organization:
a. Categorizes information and the information system in accordance with applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance;
b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and
c. Ensures the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative.
Compliant (Yes/No): ____
Control mappings: ISO/IEC 27001 A.7.2.1, A.14.1.2; COBIT PO9.2; HIPAA 164.308(a)(1)(ii)(A), 164.308(a)(7)(ii)(E)

RA-3 Risk Assessment (Control family: Risk assessment)
The organization:
a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;
b. Documents risk assessment results in [Selection: security plan; risk assessment report; Assignment: organization-defined document];
c. Reviews risk assessment results [Assignment: organization-defined frequency]; and
d. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.
Compliant (Yes/No): ____
Control mappings: ISO/IEC 27001 A.6.2.1, A.10.2.3, A.12.6.1, A.14.1.2; COBIT PO9.3, PO9.4, AI1.1; HIPAA 164.316(a), 164.308(a)(1)(ii)(A)

RA-5 Vulnerability Scanning (Control family: Risk assessment)
The organization:
a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
b. Employs vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards for:
• Enumerating platforms, software flaws, and improper configurations;
• Formatting and making transparent, checklists and test procedures; and
• Measuring vulnerability impact;
c. Analyzes vulnerability scan reports and results from security control assessments;
d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and
e. Shares information obtained from the vulnerability scanning process and security control assessments with designated personnel throughout the organization to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
Compliant (Yes/No): ____
Control mappings: ISO/IEC 27001 A.12.6.1, A.15.2.2; COBIT PO9.3, DS5.5
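RA-5 parts c through e describe analyzing scan results, remediating within organization-defined response times according to risk, and sharing findings so that the same weakness gets fixed on every system that has it. The following Python script is an added example, not code from the book or from NIST; the CSV scan export, the per-severity response times, and the FLAW-nnnn identifiers are constructed for illustration and stand in for whatever an organization defines. It parses the export, lists open findings whose response time has elapsed, flags closed findings that were fixed after their deadline, and reports flaws still open on more than one system, which is the systemic-weakness signal part e asks the organization to share.

```python
"""Triage of vulnerability scan results against organization-defined response
times (RA-5 d) and detection of systemic weaknesses across systems (RA-5 e).

Added example: the scan export, the response times and the flaw identifiers
below are constructed and are not values from the book or from NIST SP 800-53.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed organization-defined response times, in days, per severity.
RESPONSE_DAYS: Dict[str, int] = {"critical": 15, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    system: str
    flaw_id: str                      # constructed identifier, not a real CVE
    severity: str
    detected: date
    remediated: Optional[date] = None  # None while the finding is still open

    def due(self) -> date:
        """Remediation deadline derived from the severity's response time."""
        return self.detected + timedelta(days=RESPONSE_DAYS[self.severity])

    def is_open(self) -> bool:
        return self.remediated is None


def parse_scan_export(text: str) -> List[Finding]:
    """Parse a CSV scan export; reject severities with no defined response time."""
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(text)):
        sev = row["severity"].strip().lower()
        if sev not in RESPONSE_DAYS:
            raise ValueError(f"no response time defined for severity {sev!r}")
        findings.append(Finding(
            system=row["system"].strip(),
            flaw_id=row["flaw_id"].strip(),
            severity=sev,
            detected=date.fromisoformat(row["detected"].strip()),
            remediated=date.fromisoformat(row["remediated"].strip()) if row["remediated"].strip() else None,
        ))
    return findings


def overdue(findings: List[Finding], today: date) -> List[Finding]:
    """Open findings whose response time has already elapsed (RA-5 d), oldest deadline first."""
    return sorted((f for f in findings if f.is_open() and today > f.due()), key=lambda f: f.due())


def missed_sla(findings: List[Finding]) -> List[Finding]:
    """Closed findings that were remediated after their deadline."""
    return [f for f in findings if f.remediated is not None and f.remediated > f.due()]


def systemic_weaknesses(findings: List[Finding], min_systems: int = 2) -> Dict[str, List[str]]:
    """Flaws still open on at least min_systems distinct systems (RA-5 e)."""
    systems_by_flaw: Dict[str, set] = defaultdict(set)
    for f in findings:
        if f.is_open():
            systems_by_flaw[f.flaw_id].add(f.system)
    return {flaw: sorted(s) for flaw, s in sorted(systems_by_flaw.items()) if len(s) >= min_systems}


def triage(export_text: str, today_iso: str) -> dict:
    """Run the whole triage on a scan export; the reference date is an ISO string."""
    findings = parse_scan_export(export_text)
    today = date.fromisoformat(today_iso)
    return {
        "overdue": [(f.system, f.flaw_id, f.severity) for f in overdue(findings, today)],
        "missed_sla": [(f.system, f.flaw_id) for f in missed_sla(findings)],
        "systemic": systemic_weaknesses(findings),
    }


# Constructed scan export: one row per (system, flaw); empty remediated = still open.
SCAN_EXPORT = """system,flaw_id,severity,detected,remediated
web-01,FLAW-0001,critical,2024-01-02,
web-02,FLAW-0001,critical,2024-01-02,
db-01,FLAW-0002,high,2024-01-10,2024-01-20
app-01,FLAW-0003,medium,2023-10-01,
app-02,FLAW-0003,medium,2024-01-15,
web-01,FLAW-0004,low,2024-01-20,
"""

if __name__ == "__main__":
    report = triage(SCAN_EXPORT, "2024-02-01")
    for system, flaw, sev in report["overdue"]:
        print(f"OVERDUE   {system} {flaw} ({sev})")
    for system, flaw in report["missed_sla"]:
        print(f"LATE FIX  {system} {flaw}")
    for flaw, systems in report["systemic"].items():
        print(f"SYSTEMIC  {flaw} open on {', '.join(systems)}")
```

With the constructed data and a reference date of 2024-02-01, the two critical findings (15-day response time) and the medium finding from October are overdue, the high finding on db-01 was closed inside its 30-day window, and FLAW-0001 and FLAW-0003 each appear on two systems, so they are the items to circulate to other system owners under part e. A severity the organization has not assigned a response time to is rejected at parse time rather than silently given no deadline.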

Table 8.6 System and Services Acquisition Controls
Columns: Control Family | Control | Compliant (Yes/No) | Control Mappings

SA-1 System and Services Acquisition Policy and Procedures (Control family: System and services acquisition)
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented system and services acquisition policy that includes information security considerations and that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls.
Compliant (Yes/No): ____
Control mappings: ISO/IEC 27001 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.6.2.1, A.8.1.1, A.10.1.1, A.12.1.1, A.12.5.5, A.15.1.1, A.15.2.1; COBIT AI2.5, AI5.1, PC5

SA-2 Allocation of Resources (Control family: System and services acquisition)
The organization:
a. Includes a determination of information security requirements for the information system in mission/business process planning;
b. Determines, documents, and allocates the resources required to protect the information system as part of its capital planning and investment control process; and
c. Establishes a discrete line item for information security in organizational programming and budgeting documentation.
Compliant (Yes/No): ____
Control mappings: ISO/IEC 27001 A.6.1.2, A.10.3.1; COBIT PO1.1, PO5.2

SA-3 Life Cycle Support (Control family: System and services acquisition)
The organization:
a. Manages the information system using a system development life cycle methodology that includes information security considerations;
b. Defines and documents information system security roles and responsibilities throughout the system development life cycle; and
c. Identifies individuals having information system security roles and responsibilities.
Compliant (Yes/No): ____
Control mappings: ISO/IEC 27001 A.12.1.1; COBIT PO8.3, AI2.7

SA-4 Acquisitions (Control family: System and services acquisition)
The organization includes the following requirements and/or specifications, explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable federal laws, executive orders, directives, policies, regulations, and standards:
a. Security functional requirements/specifications;
b. Security-related documentation requirements; and
c. Developmental and evaluation-related assurance requirements.
Compliant (Yes/No): ____
Control mappings: ISO/IEC 27001 A.12.1.1, A.12.5.5; COBIT AI2.4, AI5.4; HIPAA 164.314(a)(2)(i)

SA-5 Information System Documentation (Control family: System and services acquisition)
The organization:
a. Obtains, protects as required, and makes available to authorized personnel, administrator documentation for the information system that describes:
• Secure configuration, installation, and operation of the information system;
• Effective use and maintenance of security features/functions; and
• Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions; and
b. Obtains, protects as required, and makes available to authorized personnel, user documentation for the information system that describes:
• User-accessible security features/functions and how to effectively use those security features/functions;
• Methods for user interaction with the information system, which enables individuals to use the system in a more secure manner; and
• User responsibilities in maintaining the security of the information and information system; and
c. Documents attempts to obtain information system documentation when such documentation is either unavailable or nonexistent.
Compliant (Yes/No): ____
Control mappings: ISO/IEC 27001 A.10.7.4, A.15.1.3; COBIT DS5.7

SA-6 Software Usage Restrictions (Control family: System and services acquisition)
The organization:
a. Uses software and associated documentation in accordance with contract agreements and copyright laws;
b. Employs tracking systems for software and associated documentation protected by quantity licenses to control copying and distribution; and
c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
Compliant (Yes/No): ____
Control mappings: ISO/IEC 27001 A.12.4.1, A.12.5.5, A.15.1.2; COBIT DS9.3

SA-7 User-Installed Software (Control family: System and services acquisition)
The organization enforces explicit rules governing the installation of software by users.
Compliant (Yes/No): ____
Control mappings: ISO/IEC 27001 A.12.4.1, A.12.5.5, A.15.1.5; COBIT DS9.3

SA-8 Security Engineering Principles (Control family: System and services acquisition)
The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.
Compliant (Yes/No): ____
Control mappings: ISO/IEC 27001 A.10.4.1, A.10.4.2, A.11.4.5, A.12.5.5; COBIT AI2.4

SA-9 External Information System Services (Control family: System and services acquisition)
The organization:
a. Requires that providers of external information system services comply with organizational information security requirements and employ appropriate security controls in accordance with applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance;
b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
c. Monitors security control compliance by external service providers.
Compliant (Yes/No): ____
Control mappings: ISO/IEC 27001 A.6.1.5, A.6.2.1, A.6.2.3, A.8.1.1, A.8.2.1, A.10.2.1, A.10.2.2, A.10.2.3, A.10.6.2, A.10.8.2, A.12.5.5; COBIT DS1.6, DS2.3, ME3.1, ME3.3; HIPAA 164.308(b)(4), 164.314(a)(1), 164.314(a)(2)(i), 164.314(a)(2)(ii)

SA-10 Developer Configuration Management (Control family: System and services acquisition)
The organization requires that information system developers/integrators:
a. Perform configuration management during information system design, development, implementation, and operation;
b. Manage and control changes to the information system;
c. Implement only organization-approved changes;
d. Document approved changes to the information system; and
e. Track security flaws and flaw resolution.
Compliant (Yes/No): ____
Control mappings: ISO/IEC 27001 A.12.4.3, A.12.5.1, A.12.5.5

SA-11 Developer Security Testing (Control family: System and services acquisition)
The organization requires that information system developers/integrators, in consultation with associated security personnel (including security engineers):
a. Create and implement a security test and evaluation plan;
b. Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the security testing and evaluation process; and
c. Document the results of the security testing/evaluation and flaw remediation processes.
Compliant (Yes/No): ____
Control mappings: ISO/IEC 27001 A.10.3.2, A.12.5.5; COBIT AI2.8

SA-12 Supply Chain Protection (Control family: System and services acquisition)
The organization protects against supply chain threats by employing [Assignment: organization-defined list of measures to protect against supply chain threats] as part of a comprehensive, defense-in-breadth information security strategy.
Compliant (Yes/No): ____
Control mappings: ISO/IEC 27001 A.12.5.5

SA-13 Trustworthiness (Control family: System and services acquisition)
The organization requires that the information system meets [Assignment: organization-defined level of trustworthiness].
Compliant (Yes/No): ____
Control mappings: ISO/IEC 27001 A.12.5.5

SA-14 Critical Information System Components (Control family: System and services acquisition)
The organization:
a. Determines [Assignment: organization-defined list of critical information system components that require re-implementation]; and
b. Re-implements or custom develops such information system components.
Compliant (Yes/No): ____
Control mappings: ISO/IEC 27001 (None)

Table 8.7 Program Management Controls
Columns: Control Family | Control | Compliant (Yes/No) | Control Mappings

PM-1 Information Security Program Plan (Control family: Program management)
The organization:
a. Develops and disseminates an organization-wide information security program plan that:
• Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
• Provides sufficient information about the program management controls and common controls (including specification of parameters for any assignment and selection operations either explicitly or by reference) to enable an implementation that is unambiguously compliant with the intent of the plan and a determination of the risk to be incurred if the plan is implemented as intended;
• Includes roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
• Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the nation;
b. Reviews the organization-wide information security program plan [Assignment: organization-defined frequency]; and
c. Revises the plan to address organizational changes and problems identified during plan implementation or security control assessments.
Compliant (Yes/No): ____
Control mappings: ISO/IEC 27001 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.15.1.1, A.15.2.1

PM-2 Senior Information Security Officer (Control family: Program management)
The organization appoints a senior information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.
Compliant (Yes/No): ____
Control mappings: ISO/IEC 27001 A.6.1.1, A.6.1.2, A.6.1.3

PM-3 Information Security Resources (Control family: Program management)
The organization:
a. Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement;
b. Employs a business case/Exhibit 300/Exhibit 53 to record the resources required; and
c. Ensures that information security resources are available for expenditure as planned.
Compliant (Yes/No): ____
Control mappings: ISO/IEC 27001 (None)

PM-4 Plan of Action and Milestones Process (Control family: Program management)
The organization implements a process for ensuring that plans of action and milestones for the security program and the associated organizational information systems are maintained and document the remedial information security actions to mitigate risk to organizational operations and assets, individuals, other organizations, and the nation.
Compliant (Yes/No): ____
Control mappings: ISO/IEC 27001 (None)

PM-5 Information System Inventory (Control family: Program management)
The organization develops and maintains an inventory of its information systems.
Compliant (Yes/No): ____
Control mappings: ISO/IEC 27001 A.7.1.1, A.7.1.2

PM-6 Information Security Measures of Performance (Control family: Program management)
The organization develops, monitors, and reports on the results of information security measures of performance.
Compliant (Yes/No): ____
Control mappings: ISO/IEC 27001 (None)

PM-7 Enterprise Architecture (Control family: Program management)
The organization develops an enterprise architecture with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the nation.
Compliant (Yes/No): ____
Control mappings: ISO/IEC 27001 (None)

PM-8 Critical Infrastructure Plan (Control family: Program management)
The organization addresses information security issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.
Compliant (Yes/No): ____
Control mappings: ISO/IEC 27001 (None)

PM-9 Risk Management Strategy (Control family: Program management)
The organization:
a. Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the nation associated with the operation and use of information systems; and
b. Implements that strategy consistently across the organization.
Compliant (Yes/No): ____
Control mappings: ISO/IEC 27001 A.6.2.1, A.14.1.2

PM-10 Security Authorization Process (Control family: Program management)
The organization:
a. Manages (i.e., documents, tracks, and reports) the security state of organizational information systems through security authorization processes;
b. Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and
c. Fully integrates the security authorization processes into an organization-wide risk management program.
Compliant (Yes/No): ____
Control mappings: ISO/IEC 27001 A.6.1.4

PM-11 Mission/Business Process Definition (Control family: Program management)
The organization:
a. Defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the nation; and
b. Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until an achievable set of protection needs is obtained.
Compliant (Yes/No): ____
Control mappings: ISO/IEC 27001 (None)

Suggested Reading

1. National Institute of Standards and Technology (NIST). August 2009. Special Publication 800-53 Rev3: Recommended security controls for federal information systems and organizations. http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf

2. IT Governance Institute. 2007. Mapping of NIST SP 800-53 Rev 1 with COBIT® 4.1. http://www.itgi.org

3. National Institute of Standards and Technology (NIST). October 2008. An introductory resource guide for implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf

4. International Organization for Standardization (ISO). ISO/IEC 27001:2005 Information security management systems—Requirements. http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=42103

5. International Organization for Standardization (ISO). ISO/IEC 27002:2005 Information technology—Security techniques—Code of practice for information security management. http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=50297

6. Department of Health and Human Services, Office of the Secretary. February 20, 2003. 45 CFR Parts 160, 162, and 164 Health insurance reform: Security standards; Final rule. Federal Register 68(24). http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityrulepdf.pdf

7. Capability Maturity Model Integration (CMMI). http://www.sei.cmu.edu/cmmi/