question
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 1/61
8
Managerial Controls
Practical Security Considerations
It is tempting, if the only tool you have is a hammer, to treat everything as if it
were a nail.
Abraham Harold Maslow, 1908–1970
The previous chapter provided an overview of the security standards and
framework landscape, and illustrated the importance of adhering to a set
of security controls to enhance security and demonstrating compliance to
the organization and to the auditors. Each of the different standards has
controls at different levels of detail. The standards chosen by an organiza-
tion may be aligned to a particular vertical industry or generally applica-
ble across industries as shown in Table 8.1.
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 2/61
Security Control Convergence
The next three chapters cover the minimum controls that should be con-
sidered for a functioning information security program. These chapters
cover the detailed controls for the managerial, operational, and technical
classes of controls across 18 families of controls. The basis of the controls
is from the National Institute of Standards and Technology (NIST) 800-53
Recommended Controls for Federal Information Systems and
Organizations. Although these controls were developed with the U.S. gov-
ernment in mind, this control set forms one of the most comprehensive,
detailed control specifications that currently exist. An organization may
decide that this level of control is not necessary for its organization.
However, it is very useful to start with these controls and by performing a
risk assessment of the control, determine whether the control is neces-
sary. If the controls are approached in this manner, which could also be
referred to as a bottom-up approach, it is unlikely that key controls will
be missed.
As noted in the previous chapter on controls, a preferred approach
would be to use the NIST 800-53 security controls in conjunction with
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 3/61
ISO/IEC 27001 controls (from Annex A; published by the International
Organization for Standardization and the International Electrotechnical
Commission), the COBIT controls, and the security requirements that are
specified for the specific industry. If the controls are used in this manner,
the best of all worlds can be achieved. COBIT (Control Objectives for
Information and related Technology) can be used to supply the overall in-
formation technology (IT) framework and provide the accepted structure
for future auditing of the framework to establish compliance (i.e.,
Sarbanes–Oxley). ISO 27001 can provide the notion of a formalized infor-
mation security management system (ISMS) and a description of the pro-
cesses that could be chosen to make up the ISMS. The NIST 800-53 con-
trols can take the controls to a lower, more granular level to support the
security processes as well as provide some criteria for assessing the lower
level controls via the 800-53A special publication providing auditors guid-
ance on assessing the controls. Finally, the vertical industry set of con-
trols, such as the Health Insurance Portability and Accountability Act
(HIPAA) Final Security Rule can provide the higher-level requirements
necessary to be in compliance with the promulgated regulation. Each of
these standards, control frameworks, or regulations are not in conflict
with one another but can be very complimentary. Granted they exist at
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 4/61
different levels of detail, come from a different focus, and may have more
or less stringent requirements from one another, by implementing the
sum of these requirements, the security program can be made very effec-
tive and reduce the risk of loss. An illustration of an example relationship
between NIST 800-53, COBIT, ISO 27001, and HIPAA are shown in Figure
8.1.
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 5/61
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 6/61
Figure 8.1 NIST 800-53, COBIT, and ISO 27001 relationship example.
Controls may be tailored to fit the needs of the organization and con-
trols may or may not be applicable. For example, an organization that
outsources the data center processing to another organization may not
have to set up contracts and testing of disaster recovery with another off-
site data center. However the organization would need to ensure that the
function is being provided by the data center that they are contracting
their workload to. The organization should be asking how often the data
is being backed up, how often is it restored, and how often disaster recov-
ery tests are performed. It may be asked to participate in the tests for the
contracted data center. In other words, it is important to review the in-
tent of the control, and then determine who, what, where, why, and when
the control is being performed.
Security Control Methodology
The controls in the next three chapters are presented by (1) a discussion
of the control family area (e.g., access control) and the practical security
considerations for addressing this family are;, (2) a table showing the
mapping between the NIST 800-53 control and ISO/IEC 27001, COBIT 4.1,
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 7/61
and HIPAA as an example of a vertical industry mapping. In some cases,
there was no related ISO/IEC 27001 mapping, and this is noted in the ta-
ble. When there was a COBIT mapping, this is noted. Likewise, when
there was no specific HIPAA reference, one was not noted.
The practical security considerations provide a discussion for each of
the 18 control families as a guide for approaching the creation of controls
within each area. The 18 control families are shown in Table 8.2. The size
and resources of the organization will dictate how much can be invested
within each control. Larger companies are expected to devote more re-
sources to the security controls and implement more automated solutions
to address the issues. Smaller organizations need to decide what is feasi-
ble to adequately protect the resources and may need to engage external
resources to provide the adequate protection. For example, a small com-
munity bank may not be able to afford an in-house staff to perform vul-
nerability assessment testing on the infrastructure, but may be able to se-
cure the Internet entry point into the organization and ensure that the 15
employees receive adequate information security awareness training.
This approach would not be sufficient for an organization of 40,000 em-
ployees spread across 100 locations. The risk assessment for these two or-
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 8/61
ganizations would lead to different conclusions. Clearly the security offi-
cer would like to spend as much money on the security controls as possi-
ble, however, the reality of balancing the other company demands with
overspending on information security will limit the investment.
Therefore, the practical security discussion provides an interpretation of
what the NIST 800-53 controls, COBIT controls, ISO 27001 controls, and in
this case the HIPAA controls are really trying to achieve and some consid-
erations for implementation.
Security Assessment and Authorization Controls
The security assessment and authorization control family (CA) controls
shown in Table 8.3 ensures that the policies and procedures are devel-
oped and followed, security controls are reviewed by the organization on
a periodic basis, and that a person in position of high enough authority
has approved the security controls for operation of the system. In effect
this approval is contingent upon the acceptance of the risk assessment
and the security control environment being adequate to present a reason-
able level of risk to the approver. Government entities will have a formal-
ized assessment and authorization process (formerly known as security
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 9/61
certification and accreditation). However, each organization should de-
velop a process whereby the security controls and the residual risk are
approved and accepted by senior management. This creates awareness of
the controls and the risk that the organization is accepting.
The security assessments may be done internally or externally, depend-
ing upon the expertise available to perform the assessments. In either
case, the individuals performing the assessment should be independent
so that bias does not impact the assessment. When gaps are found with
the security controls, these need to be documented formally through a
document such as a plan of action and milestones (POA&M). By reviewing
the plans on a monthly basis, the organization can direct the appropriate
attention to the controls. A process should be developed for closing the
plans upon receipt of the documentation demonstrating that the issue
was fixed, along with a reporting mechanism to management for items
on the monthly POA&M, especially those items showing delayed status or
ones that have missed the estimated implementation date.
The intent of these controls is to ensure that there is some oversight on
the assessment process and that the items that are determined to be gaps
are promptly closed. A goal of this process should be to close items within
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 10/61
90 days from issue identification. Although not all issues will be able to be
mitigated within that timeframe, this can be set as a standard to address
most security issues that an organization will face. For those items that
could take longer, the process could be built to require business justifica-
tion and subsequent executive management approval (i.e., from the chief
technology officer, chief information officer, or chief executive officer)
for any initiatives that will take longer than 90 days to implement.
Planning Controls
The old adage “If you don’t know where you are going, all roads will lead
you there” certainly applies to the security planning control family (PL)
shown in Table 8.4. Security can happen by chaos, but as indicated by the
Capability Maturity Model Integration (CMMI), an organization can be-
come more effective by adopting a more proactive, planned approach.
The key document in this section is the systems security plan (SSP) con-
taining descriptions of the business, computing infrastructure, major ap-
plications, and key controls that support the documentation of the envi-
ronment. The document needs to be updated annually or whenever there
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 11/61
are significant changes in the environment. These may be caused by
changes in applications, outsourcing of information technology, mergers
and acquisitions, adding a managed security service provider (MSSP), and
so forth. The plan should not be viewed as merely a documentation exer-
cise that is performed by one individual in the security department, but
rather as an opportunity to engage individuals from different business
and IT departments to construct the plan. It is not uncommon for differ-
ent people to have different understandings of what systems are in place,
technology infrastructure, and security controls to support the business
application or support system defined in the plan. In other words, the
process of constructing the plan can be an eye-opening experience.
The security team should also have a weekly meeting to discuss the cur-
rent initiatives and their status, including a review of the dates and deliv-
erables. For security to be viewed as an ongoing program versus a point-
in-time initiative to resolve the issues created by a recent incident, then
the security program should be expected to be managed as a business.
This can be as simple as creating a red-green-yellow colored spreadsheet
(for behind, completed, and in process) and shared at a weekly meeting
or as elaborate as using project management software for each project
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 12/61
and having a biweekly comprehensive review. What is important is that
there is a constant focus on what the activities are that are in process as
well as what activities need to be added within the next 0–6, 6–12, and 12–
18 month time frames to keep them on the radar.
Risk Assessment Controls
Risk assessments are the topic of much discussion these days and right-
fully so. The risk assessment should represent a documented meeting of
the minds between information security and senior management. This is
the process that, in very simple terms, documents the risks to the organi-
zation, documents the mitigating controls, identifies the residual risk, and
provides an understanding of what needs to be done to bring the security
profile of the organization in line with its risk appetite. The risk manage-
ment process was discussed extensively in Chapter 5 and the risk assess-
ment control family controls are depicted in Table 8.5.
Vulnerability scanning is performed as part of the risk assessment to
provide the status of the technical controls and where improvements
need to be made. The risk assessment may be performed on an annual
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 13/61
basis; however, the vulnerability scanning should be done more fre-
quently due to the vulnerabilities introduced daily that could impact the
computing environment. A minimum quarterly scanning frequency with
a subsequent 90 fix-cycle to address the vulnerabilities found during the
scan would be preferred. If the organization is able to perform the scan-
ning on a weekly or daily basis through the use of automated tools, this
would be a good goal to strive toward. Once the process is in place and
the initial list of vulnerabilities is mitigated, the amount of time required
to remove the subsequent vulnerabilities should decrease and become
more manageable. An organization may choose to use multiple tools to
provide increased security, whereby one tool might not pick up the same
vulnerability as another.
As with the systems security plans, the risk assessment constitutes a
key security document and should be approved by senior management
including the CEO, CIO, and business owner of the system. The systems se-
curity department should view itself as the facilitator of the risk assess-
ment, but the final acceptance of risk is whoever is designated within se-
nior management to assume that role. Senior management has a fidu-
ciary responsibility to protect the organization’s resources from loss, and
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 14/61
the Risk Assessment document is a key document in its ability to con-
sciously understand and accept the appropriate level of risk.
System and Services Acquisition Controls
The system and services acquisition control family (SA) controls shown in
Table 8.6 ensure that the computer code supporting the business envi-
ronment, whether running internally or externally, has been created by
following a system development life cycle whereby the appropriate secu-
rity controls are analyzed, designed, implemented, and tested according
to a defined process.
Table 8.1 Vertical Industry Control Standard Alignment
STANDARD/CONTROL
FRAMEWORK/REGULATION
VERTICAL INDUSTRY
Health Insurance Portability and
Accountability Act (HIPAA) addressable and
required standards
Health insurance
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 15/61
Payment Card Industry Data Security
Standards
Financial
National Institute of Standards and
Technology (NIST) Recommended Security
Controls for Federal Information Systems
(800-53)
Government, federal
contractors (detailed
controls may be applied to
all industries) to support
Federal Information
Security Management Act
(FISMA)
ISO/IEC 27001:2005 information security
management systems—Requirements and
ISO 27002:2005 Information technology—
Security techniques—Code of practice for
information security management
International standard may
be applied to all industries
Control Objective for Information and
related Technology (COBIT)
International standard may
be applied to all industries;
used heavily to evaluate
and demonstrate
compliance with internal
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 16/61
controls for Sarbanes–
Oxley regulation
Information Technology Infrastructure
Library (ITIL)
Adopted largely by IT
operational areas to
improve service,
applicable across
industries
Federal Financial Institutions Examination
Council (FFIEC) IT Examination Handbook
(supports Gramm—Leach—BlileyAct)
Financial
North American Electric Reliability
Corporation (NERC) Critical Infrastructure
Program (CIP)
U.S. bulk power systems
Software usage and licensing is also addressed to make sure that only
the authorized software in the appropriate quantities is running within
the environment. This can be controlled by tracking spreadsheets, discov-
ery tools, and removing administrative access from most users machines
and creating policies of the approved software that may be requested
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 17/61
from the desktop support team, help desk, or the group managing the
software licenses. Allowing end users to install software, even versions of
approved software, on their own might introduce vulnerabilities as they
may be installing a version with vulnerabilities not internally reviewed
or an older version. Software installs should be centrally controlled for
vulnerability management and license tracking. Having too many unused
licenses installed costs the company money as well as the potential for
fines by the software vendors for not having enough licenses.
Table 8.2 NIST 800-53 18 Control Families
IDENTIFIERFAMILY CLASS
AC Access control Technical
AT Awareness and training Operational
AU Audit and accountability Technical
CA Security assessment and authorization Management
CM Configuration management Operational
CP Contingency planning Operational
IA Identification and authorization Technical
IR Incident response Operational
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 18/61
MA Maintenance Operational
MP Media protection Operational
PE Physical and environmental protection Operational
PL Planning Management
PS Personnel security Operational
RA Risk assessment Management
SA System and services acquisition Management
SC System and communications protectionTechnical
SI System and information integrity Operational
PM Program management Management
Source: NIST Special Publication 800-53 Revision 3, Table 1–1. August 2009. Includes May,
1,2010, updates.
Program Management Controls
The program management (PM) control family was added in NIST 800-53
Rev3 to provide the controls in support of managing an information secu-
rity program (see Table 8.7). The other controls could be viewed as tacti-
cal implementation of security controls, whereby this control ensures
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 19/61
that there is someone designated with the role of information security
and carries out the mission of managing the information security pro-
gram. The ISMS within ISO 27000 has long had the requirements for the
establishment of an information security program. Chapter 2 of this book
discussed creating the information security strategy, and Chapters 3 and
4 addressed the management roles and responsibilities to achieve the ap-
propriate structure and relationships to carry out the program.
Table 8.3 Security Assessment and Authorization Controls
CONTROL
FAMILY
COMPLIANT
(YES/NO)
CONTROL MAPPINGS
Security
assessment
and
authorization
CA-1 Security Assessment and
Authorization Policies and
Procedures
The organization develops,
disseminates, and
reviews/updates [Assignment:
organization defined
frequency]:
ISO/IEC 27001
A.5.1.1,
A.5.1.2,
A.6.1.1,
A.6.1.3
A.6.1.4,
A.8.1.1,
A.10.1.1,
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 20/61
a. Formal, documented
security assessment and
authorization policies that
address purpose, scope, roles,
responsibilities, management
commitment, coordination
among organizational
entities, and compliance; and
b. Formal, documented
procedures to facilitate the
implementation of the
security assessment and
authorization policies and
associated security
assessment and authorization
controls.
A.15.1.1,
A.15.2.1
COBIT
P010.12
HIPAA 1
64.308(a) (8)
Security
assessment
and
authorization
Practical security
considerations: CA-2 Security
Assessments The
organization:
ISO/IEC 27001
A.6.1.8,
A.10.3.2,
A.15.2.1,
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 21/61
a. Develops a security
assessment plan that
describes the scope of the
assessment including:
• Security controls and
control enhancements under
assessment
• Assessment procedures to
be used to determine security
control effectiveness
• Assessment environment,
assessment team, and
assessment roles and
responsibilities
b. Assesses the security
controls in the information
system [Assignment:
organization-defined
frequency] to determine the
extent to which the controls
A.15.2.2
COBIT DS5.5
HIPAA
164.308(a) (8)
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 22/61
are implemented correctly,
operating as intended, and
producing the desired
outcome with respect to
meeting the security
requirements for the system;
c. Produces a security
assessment report that
documents the results of the
assessment; and
d. Provides the results of the
security control assessment,
in writing, to the authorizing
official or authorizing official
designated representative.
Security
assessment
and
authorization
Practical security
considerations: CA-3
Information System
Connections The
organization:
ISO/IEC 27001
A.6.2.1,
A.6.2.3,
A.10.6.1,
A.10.8.1,
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 23/61
a. Authorizes connections
from the information system
to other information systems
outside of the authorization
boundary through the use of
interconnection security
agreements;
b. Documents, for each
connection, the interface
characteristics, security
requirements, and the nature
of the information
communicated; and
c.Monitors the information
system connections on an
ongoing basis verifying
enforcement of security
requirements.
A.10.8.2,
A.10.8.5,
A.11.4.2
HIPAA
164.308(b)
(1),
164.308(b)
(4),
164.314(a) (2)
(ii)
Security
assessment
Practical security
considerations: CA-5 Plan of
ISO/IEC 27001
(None)
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 24/61
and
authorization
Action and Milestones The
organization:
a. Develops a plan of action
and milestones for the
information system to
document the organization’s
planned remedial actions to
correct weaknesses or
deficiencies noted during the
assessment of the security
controls and to reduce or
eliminate known
vulnerabilities in the system;
and
b. Updates existing plan of
action and milestones
[Assignment: organization-
defined frequency] based on
the findings from security
controls assessments, security
COBIT ME2.7
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 25/61
impact analyses, and
continuous monitoring
activities.
Practical security
considerations:
Security
assessment
and
authorization
CA-6 Security Authorization
The organization:
a. Assigns a senior-level
executive or manager to the
role of authorizing official for
the information system;
b. Ensures that the
authorizing official
authorizes the information
system for processing before
commencing operations; and
c. Updates the security
authorization [Assignment:
organization-defined
frequency].
ISO/IEC 27001
A.6.1.4,
A.10.3.2
COBIT AI7.7,
DS5.5
HIPAA
164.308(a)
(8),
164.308(a) (2)
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 26/61
Security
assessment
and
authorization
Practical Security
Considerations: CA-7
Continuous Monitoring The
organization establishes a
continuous monitoring
strategy and implements a
continuous monitoring
program that includes:
a. A configuration
management process for the
information system and its
constituent components;
b. A determination of the
security impact of changes to
the information system and
environment of operation;
c. Ongoing security control
assessments in accordance
with the organizational
continuous monitoring
ISO/IEC 27001
A.6.1.8,
A.15.2.1,
A.15.2.2
COBIT P01.3,
DS5.5
HIPAA
164.308(a)
(8),
164.308(a)
(D(ii)(D)
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 27/61
strategy; and
d. Reporting the security state
of the information system to
appropriate organizational
officials
[Assignment: organization-
defined frequency].
Practical Security
Considerations:
Table 8.4 Planning Controls
CONTROL
FAMILY
COMPLIANT
(YES/NO)
CONTROL MAPPINGS
Planning PL-1 Security Planning Policy
and
Procedures
The organization develops,
disseminates, and
ISO/IEC 27001
A.5.1.1, A.5.1.2,
A.6.1.1, A.6.1.2,
A.6.1.3, A.8.1.1,
A.10.1.1, A.15.1.1,
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 28/61
reviews/updates
[Assignment: organization-
defined frequency]:
a. A formal, documented
security planning policy that
addresses purpose, scope,
roles, responsibilities,
management commitment,
coordination among
organizational entities, and
compliance; and
b. Formal, documented
procedures to facilitate the
implementation of the
security planning policy and
associated security planning
controls.
A.15.2.1
COBIT DS5.2, PC5
HIPAA 164.316(a)
Planning PL-2 System Security Plan The
organization:
a. Develops a security plan
ISO/IEC 27001
(None)
COBIT P01.4, DS5.2
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 29/61
for the information system
that
• Is consistent with the
organization’s enterprise
architecture;
• Explicitly defines the
authorization boundary for
the system;
• Describes the operational
context of the information
system in terms of missions
and business processes;
• Provides the security
categorization of the
information system
including supporting
rationale;
• Describes the operational
environment for the
information system;
HIPAA 164.310(a)
(2), 164.316(a) (ii)
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 30/61
• Describes relationships
with or connections to other
information systems;
• Provides an overview of the
security requirements for
the system;
• Describes the security
controls in place or planned
for meeting those
requirements including a
rationale for the tailoring
and supplementation
decisions;
• Is reviewed and approved
by the authorizing official or
designated representative
prior to plan
implementation;
b. Reviews the security plan
for the information system
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 31/61
[Assignment: organization-
defined frequency]; and
c. Updates the plan to
address changes to the
information system/
environment of operation or
problems identified during
plan implementation or
security control assessments.
Planning PL-4 Rules of Behavior The
organization:
a. Establishes and makes
readily available to all
information system users,
the rules that describe their
responsibilities and expected
behavior with regard to
information and information
system usage; and
b. Receives signed
ISO/IEC 27001
A.6.1.5, A.6.2.2,
A.7.1.3. A.8.1.1,
A.8.1.3, A.8.2.1,
A.9.1.5, A.10.8.1,
A.11.7.1, A.11.7.2,
A.12.4.1,
A.13.1.2,A.15.1.5
COBIT P06.5,
DS5.2, PC4
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 32/61
acknowledgment from users
indicating that they have
read, understand, and agree
to abide by the rules of
behavior, before authorizing
access to information and
the information system.
HIPAA 164.306(a)
(4)
Planning PL-5 Privacy Impact
Assessment The organization
conducts a privacy impact
assessment on the
information system in
accordance with OMB policy.
ISO/IEC 27001
A.15.1.4
Planning PL-6 Security-Related Activity
Planning The organization
plans and coordinates
security-related activities
affecting the information
system before conducting
such activities in order to
ISO/IEC 27001
A.6.1.2, A.15.3.1
HIPAa 164.308(a)
(D(ii)(B), 164.310(a)
(2)(ii)
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 33/61
reduce the impact on
organizational operations
(i.e., mission, functions,
image, and reputation),
organizational assets, and
individuals.
Table 8.5 Risk Assessment Controls
CONTROL
FAMILY
COMPLIANT
(YES/NO)
CONTROL MAPPINGS
Risk
assessment
RA-1 Risk Assessment Policy and
Procedures
The organization develops,
disseminates, and
reviews/updates [Assignment:
organization-defined
frequency]:
a. A formal, documented risk
ISO/IEC 27001
A.5.1.1, A.5.1.2,
A.6.1.1, A.6.1.3,
A.8.1.1,
A.10.1.1,
A.14.1.2,
A.15.1.1,
A.15.2.1
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 34/61
assessment policy that
addresses purpose, scope, roles,
responsibilities, management
commitment, coordination
among organizational entities,
and compliance; and
b. Formal, documented
procedures to facilitate the
implementation of the risk
assessment policy and
associated risk assessment
controls.
COBIT PC5,
P09.1
HIPAA
164.316(a),
164.308(a)(1)
(i)
Risk
assessment
RA-2 Security Categorization
The organization:
a. Categorizes information and
the information system in
accordance with applicable
federal laws, executive orders,
directives, policies, regulations,
standards, and guidance;
ISO/IEC 27001
A.7.2.1,
A.14.1.2
COBIT P09.2
HIPAA
164.308(a)
(D(ii)(A),
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 35/61
b. Documents the security
categorization results
(including supporting rationale)
in the security plan for the
information system; and
c. Ensures the security
categorization decision is
reviewed and approved by the
authorizing Official or
authorizing official designated
representative.
164.308(a)(7)
(ii) (E)
Risk
assessment
RA-3 Risk Assessment
The organization:
a. Conducts an assessment of
risk, including the likelihood
and magnitude of harm, from
the unauthorized access, use,
disclosure, disruption,
modification, or destruction of
the information system and the
ISO/IEC 27001
A.6.2.1,
A.10.2.3,
A.12.6.1,
A.14.1.2
COBIT P09.3,
P09.4, Al1.1
HIPAA
164.316(a),
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 36/61
information it processes, stores,
or transmits;
b. Documents risk assessment
results in [Selection: security
plan; risk assessment report;
Assignment: organization-
defined document];
c. Reviews risk assessment
results [Assignment:
organization-defined
frequency]; and
d. Updates the risk assessment
[Assignment: organization-
defined frequency] or
whenever there are significant
changes to the information
system or environment of
operation (including the
identification of new threats
and vulnerabilities), or other
164.308(a)(1)
(ii) (A)
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 37/61
conditions that may impact the
security state of the system.
Risk
assessment
RA-5 Vulnerability Scanning
The organization:
a. Scans for vulnerabilities in
the information system and
hosted applications
[Assignment: organization-
defined frequency and/or
randomly in accordance with
organization-defined process]
and when new vulnerabilities
potentially affecting the system/
applications are identified and
reported;
b. Employs vulnerability
scanning tools and techniques
that promote interoperability
among tools and automate parts
of the vulnerability
ISO/IEC 27001
A.12.6.1,
A.15.2.2
COBIT P09.3,
DS5.5
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 38/61
management process by using
standards for:
• Enumerating platforms,
software flaws, and improper
configurations;
• Formatting and making
transparent, checklists and test
procedures; and
• Measuring vulnerability
impact
c. Analyzes vulnerability scan
reports and results from
security control assessments;
d. Remediates legitimate
vulnerabilities [Assignment:
organization-defined response
times] in accordance with an
organizational assessment of
risk; and
e. Shares information obtained
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 39/61
from the vulnerability scanning
process and security control
assessments with designated
personnel throughout the
organization to help eliminate
similar vulnerabilities in other
information systems (i.e.,
systemic weaknesses or
deficiencies).
Table 8.6 System and Services Acquisition Controls
CONTROL
FAMILY
COMPLIANT
(YES/NO)
CONTROL MAPPINGS
System and
services
acquisition
SA-1 System and Services
Acquisition
Policy and Procedures
The organization develops,
disseminates, and
ISO/IEC 27001
A.5.1.1,
A.5.1.2,
A.6.1.1,
A.6.1.3,
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 40/61
reviews/updates [Assignment:
organization defined
frequency]:
a. A formal, documented system
and services acquisition policy
that includes information
security considerations and that
addresses purpose, scope, roles,
responsibilities, management
commitment, coordination
among organizational entities,
and compliance; and
b. Formal, documented
procedures to facilitate the
implementation of the system
and services acquisition policy
and associated system and
services acquisition controls.
A.6.2.1,
A.8.1.1,
A.10.1.1,
A.12.1.1,
A.12.5.5,
A.15.1.1,
A.15.2.1
COBIT AI2.5,
AI5.1, PC5
System and
services
SA-2 Allocation of Resources
The organization:
ISO/IEC 27001
A.6.1.2,
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 41/61
acquisition a. Includes a determination of
information security
requirements for the
information system in
mission/business process
planning;
b. Determines, documents, and
allocates the resources required
to protect the information
system as part of its capital
planning and investment control
process; and
c. Establishes a discrete line item
for information security in
organizational programming
and budgeting documentation.
A.10.3.1
COBIT P01.1,
P05.2
System and
services
acquisition
SA-3 Life Cycle Support
The organization: a. Manages
the information system using a
system development life cycle
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 42/61
methodology that includes
information security
considerations;
b. Defines and documents
information system security
roles and responsibilities
throughout the system
development life cycle; and
c. Identifies individuals having
information system security
roles and responsibilities.
ISO/IEC 27001
A.12.1.1
COBIT P08.3,
AI2.7
System and
services
acquisition
SA-4 Acquisitions
The organization includes the
following requirements and/or
specifications, explicitly or by
reference, in information system
acquisition contracts based on
an assessment of risk and in
accordance with applicable
federal laws, executive orders,
ISO/IEC 27001
A.12.1.1,
A.12.5.5
COBIT AI2.4,
AI5.4
HIPAA
164.314(a) (2)
(i)
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 43/61
directives, policies, regulations,
and standards:
a. Security functional
requirements/ specifications;
b. Security-related
documentation requirements;
and
c. Developmental and
evaluation-related assurance
requirements.
System and
services
acquisition
SA-5 Information System
Documentation
The organization:
a. Obtains, protects as required,
and makes available to
authorized personnel,
administrator documentation
for the information system that
describes:
• Secure configuration,
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 44/61
installation, and operation of the
information system;
• Effective use and maintenance
of security features/functions;
and
• Known vulnerabilities
regarding configuration and use
of administrative (i.e.,
privileged) functions; and
b. Obtains, protects as required,
and makes available to
authorized personnel, user
documentation for the
information system that
describes:
• User-accessible security
features/functions and how to
effectively use those security
features/functions;
• Methods for user interaction
ISO/IEC 27001
A.10.7.4,
A.15.1.3
COBIT DS5.7
4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 45/61
with the information system,
which enables individuals to use
the system in a more secure
manner; and
• User responsibilities in
maintaining the security of the
information and information
system; and
c. Documents attempts to obtain
information system
documentation when such
documentation is either
unavailable or nonexistent.
System and
services
acquisition
SA-6 Software Usage Restrictions
The organization:
a. Uses software and associated
documentation in accordance
with contract agreements and
copyright laws;
b. Employs tracking systems for
ISO/IEC 2700
A.12.4.1,
A.12.5.5,
A.15.1.2
COBIT DS9.3
4/23/23, 2:42 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 46/61
software and associated
documentation protected by
quantity licenses to control
copying and distribution; and
c. Controls and documents the
use of peer-to-peer file sharing
technology to ensure that this
capability is not used for the
unauthorized distribution,
display, performance, or
reproduction of copyrighted
work.
System and
services
acquisition
SA-7 User-Installed Software
The organization enforces
explicit rules
governing the installation of
software
by users.
ISO/IEC 27001
A.12.4.1,
A.12.5.5,
A.15.1.5
COBIT DS9.3
System and
services
SA-8 Security Engineering
Principles The organization
ISO/IEC 27001
A.10.4.1,
4/23/23, 2:42 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 47/61
acquisition applies information system
security engineering principles
in the specification, design,
development, implementation,
and modification of the
information system.
A.10.4.2,
A.11.4.5,
A.12.5.5
COBIT AI2.4
System and
services
acquisition
SA-9 External Information System
Services
The organization:
a. Requires that providers of
external information system
services comply with
organizational information
security requirements and
employ appropriate security
controls in accordance with
applicable federal laws,
executive orders, directives,
policies, regulations, standards,
and guidance;
ISO/IEC 27001
A.6.1.5,
A.6.2.1,
A.6.2.3,
A.8.1.1,
A.8.2.1,
A.10.2.1,
A.10.2.2,
A.10.2.3,
A.10.6.2,
A.10.8.2,
A.12.5.5
COBIT DS1.6,
DS2.3, ME3.1,
4/23/23, 2:42 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 48/61
b. Defines and documents
government oversight and user
roles and responsibilities with
regard to external information
system services; and
c. Monitors security control
compliance by external service
providers.
ME3.3
HIPAA
164.308(b) (4),
164.314(a) (1),
164.314(a) (2)
(i), 164.314(a)
(2)(ii)
System and
services
acquisition
SA-10 Developer Configuration
Management The organization
requires that information
system developers/integrators:
a. Perform configuration
management during
information system design,
development, implementation,
and operation;
b. Manage and control changes
to the information system;
c. Implement only organization-
ISO/IEC 27001
A.12.4.3,
A.12.5.1,
A.12.5.5
4/23/23, 2:42 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 49/61
approved changes;
d. Document approved changes
to the information system; and
e. Track security flaws and flaw
resolution.
System and
services
acquisition
SA-11 Developer Security Testing
The organization requires that
information system developers/
integrators, in consultation with
associated security personnel
(including security engineers):
a. Create and implement a
security test and evaluation
plan;
b. Implement a verifiable flaw
remediation process to correct
weaknesses and deficiencies
identified during the security
testing and evaluation process;
and
ISO/IEC 27001
A.10.3.2,
A.12.5.5
COBIT AI2.8
4/23/23, 2:42 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 50/61
c. Document the results of the
security testing/evaluation and
flaw remediation processes.
System and
services
acquisition
SA-12 Supply Chain Protection
The organization protects
against supply chain threats by
employing [Assignment;
organization-defined list of
measures to protect against
supply chain threats] as part of a
comprehensive, defense-in-
breadth information security
strategy.
ISO/IEC 27001
A.12.5.5
System and
services
acquisition
SA-13 Trustworthiness
The organization requires that
the information system meets
[Assignment: organization-
defined level of
trustworthiness].
ISO/IEC 27001
A.12.5.5
4/23/23, 2:42 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 51/61
System and
services
acquisition
SA-14 Critical Information System
Components
The organization:
a. Determines [Assignment:
organization-defined list of
critical information system
components that require re-
implementation]; and
b. Re-implements or custom
develops such information
system components.
ISO/IEC 27001
(None)
Table 8.7 Program Management Controls
CONTROL
FAMILY
COMPLIANT
(YES/NO)
CONTROL MAPPINGS
Program
management
PM-1 Information Security
Program Plan The organization:
a. Develops and disseminates an
ISO/IEC
27001
A.5.1.1,
4/23/23, 2:42 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 52/61
organization-wide information
security program plan that:
• Provides an overview of the
requirements for the security
program and a description of
the security program
management controls and
common controls in place or
planned for meeting those
requirements;
• Provides sufficient information
about the program management
controls and common controls
(including specification of
parameters for any assignment
and selection operations either
explicitly or by reference) to
enable an implementation that
is unambiguously compliant
with the intent of the plan and a
A.5.1.2,
A.6.1.1,
A.6.1.3
A.8.1.1,
A.15.1.1,
A.15.2.1
4/23/23, 2:42 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 53/61
determination of the risk to be
incurred if the plan is
implemented as intended;
• Includes roles, responsibilities,
management commitment,
coordination among
organizational entities, and
compliance;
• Is approved by a senior official
with responsibility and
accountability for the risk being
incurred to organizational
operations (including mission,
functions, image, and
reputation), organizational
assets, individuals, other
organizations, and the nation;
b. Reviews the organization-
wide information security
program plan [Assignment:
4/23/23, 2:42 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 54/61
organization-defined
frequency]; and
c. Revises the plan to address
organizational changes and
problems identified during plan
implementation or security
control assessments.
Program
management
PM-2 Senior Information Security
Officer
The organization appoints a
senior information security
officer with the mission and
resources to coordinate,
develop, implement, and
maintain an organization-wide
information security program.
ISO/IEC
27001
A.6.1.1,
A.6.1.2,
A.6.1.3
Program
management
PM-3 Information Security
Resources The organization:
a. Ensures that all capital
planning and investment
ISO/IEC
27001
(None)
4/23/23, 2:42 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 55/61
requests include the resources
needed to implement the
information security program
and documents all exceptions to
this requirement;
b. Employs a business
case/Exhibit 300/Exhibit 53 to
record the resources required;
and
c. Ensures that information
security resources are available
for expenditure as planned.
Program
management
PM-4 Plan of Action and
Milestones Process
The organization implements a
process for ensuring that plans
of action and milestones for the
security program and the
associated organizational
information systems are
ISO/IEC
27001
(None)
4/23/23, 2:42 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 56/61
maintained and document the
remedial information security
actions to mitigate risk to
organizational operations and
assets, individuals, other
organizations, and the nation.
Program
management
PM-5 Information System
Inventory The organization
develops and
maintains an inventory of its
information systems.
ISO/IEC
27001
A.7.1.1,
A.7.1.2
Program
management
PM-6 Information Security
Measures of Performance
The organization develops,
monitors, and reports on the
results of information security
measures of performance.
ISO/IEC
27001
(None)
Program
management
PM-7 Enterprise Architecture
The organization develops an
enterprise architecture with
ISO/IEC
27001
(None)
4/23/23, 2:42 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 57/61
consideration for information
security and the resulting risk to
organizational operations,
organizational assets,
individuals, other organizations,
and the nation.
Program
management
PM-8 Critical Infrastructure Plan
The organization addresses
information security issues in
the development,
documentation, and updating of
a critical infrastructure and key
resources protection plan.
ISO/IEC
27001
(None)
Program
management
PM-9 Risk Management Strategy
The organization:
a. Develops a comprehensive
strategy to manage risk to
organizational operations and
assets, individuals, other
organizations, and the nation
ISO/IEC
27001
A.6.2.1,
A.14.1.2
4/23/23, 2:42 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 58/61
associated with the operation
and use of information systems;
and
b. Implements that strategy
consistently across the
organization.
Program
management
PM-10 Security Authorization
Process The organization:
a. Manages (i.e., documents,
tracks, and reports) the security
state of organizational
information systems through
security authorization
processes;
b. Designates individuals to
fulfill specific roles and
responsibilities within the
organizational risk management
process; and
c. Fully integrates the security
ISO/IEC
27001
A.6.1.4
4/23/23, 2:42 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 59/61
authorization processes into an
organization-wide risk
management program.
Program
management
PM-11 Mission/Business Process
Definition
The organization:
a. Defines mission/business
processes with consideration for
information security and the
resulting risk to organizational
operations, organizational
assets, individuals, other
organizations, and the nation;
and
b. Determines information
protection needs arising from
the defined mission/business
processes and revises the
processes as necessary, until an
ISO/IEC
27001
(None)
4/23/23, 2:42 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 60/61
1.
2.
3.
4.
achievable set of protection
needs is obtained.
Suggested Reading
National Institute of Standards and Technology (NIST). August 2009. Special
Publication 800-53 Rev3: Recommended security controls for federal information
systems and organizations. http://csrc.nist.gov/publications/nistpubs/800-53-
Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf
IT Governance Institute. 2007. Mapping of NIST SP 800-53Rev 1 with COBIT® 4.1.
http://www.itgi.org
National Institute of Standards and Technology (NIST). October 2008. An introduc-
tory resource guide for implementing the Health Insurance Portability and
Accountability Act (HIPAA) Security Rule.
http://csrc.nist.gov/publications/nistpubs/800-66-Revl/SP-800-66-Revisionl.pdf
International Organization for Standardization (ISO). ISO/IEC 27001:2005
Information security management systems—Requirements.
http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?
csnumber=42103
4/23/23, 2:42 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 61/61
5.
6.
7.
International Organization for Standardization (ISO). ISO/IEC 27002:2005
Information technology—Security techniques—Code of practice for information
security management,
http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?
csnumber=50297
Department of Health and Human Services, Office of the Secretary. February 20,
2003. 45 CFR Parts 160, 162, and 164 Health insurance reform: Security standards;
Final rule. Federal Register 68(24).
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityrulepdf.pdf
Capability Maturity Model Integration (CMMI), http://www.sei.cmu.edu/cmmi/