question

profilejimpop1998
Chapter8ManagerialControls_PracticalSecurityConsiderations_InformationSecurityGovernanceSimplified.pdf

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 1/61

8

Managerial Controls

Practical Security Considerations

It is tempting, if the only tool you have is a hammer, to treat everything as if it

were a nail.

Abraham Harold Maslow, 1908–1970

The previous chapter provided an overview of the security standards and

framework landscape, and illustrated the importance of adhering to a set

of security controls to enhance security and demonstrating compliance to

the organization and to the auditors. Each of the different standards has

controls at different levels of detail. The standards chosen by an organiza-

tion may be aligned to a particular vertical industry or generally applica-

ble across industries as shown in Table 8.1.

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 2/61

Security Control Convergence

The next three chapters cover the minimum controls that should be con-

sidered for a functioning information security program. These chapters

cover the detailed controls for the managerial, operational, and technical

classes of controls across 18 families of controls. The basis of the controls

is from the National Institute of Standards and Technology (NIST) 800-53

Recommended Controls for Federal Information Systems and

Organizations. Although these controls were developed with the U.S. gov-

ernment in mind, this control set forms one of the most comprehensive,

detailed control specifications that currently exist. An organization may

decide that this level of control is not necessary for its organization.

However, it is very useful to start with these controls and by performing a

risk assessment of the control, determine whether the control is neces-

sary. If the controls are approached in this manner, which could also be

referred to as a bottom-up approach, it is unlikely that key controls will

be missed.

As noted in the previous chapter on controls, a preferred approach

would be to use the NIST 800-53 security controls in conjunction with

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 3/61

ISO/IEC 27001 controls (from Annex A; published by the International

Organization for Standardization and the International Electrotechnical

Commission), the COBIT controls, and the security requirements that are

specified for the specific industry. If the controls are used in this manner,

the best of all worlds can be achieved. COBIT (Control Objectives for

Information and related Technology) can be used to supply the overall in-

formation technology (IT) framework and provide the accepted structure

for future auditing of the framework to establish compliance (i.e.,

Sarbanes–Oxley). ISO 27001 can provide the notion of a formalized infor-

mation security management system (ISMS) and a description of the pro-

cesses that could be chosen to make up the ISMS. The NIST 800-53 con-

trols can take the controls to a lower, more granular level to support the

security processes as well as provide some criteria for assessing the lower

level controls via the 800-53A special publication providing auditors guid-

ance on assessing the controls. Finally, the vertical industry set of con-

trols, such as the Health Insurance Portability and Accountability Act

(HIPAA) Final Security Rule can provide the higher-level requirements

necessary to be in compliance with the promulgated regulation. Each of

these standards, control frameworks, or regulations are not in conflict

with one another but can be very complimentary. Granted they exist at

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 4/61

different levels of detail, come from a different focus, and may have more

or less stringent requirements from one another, by implementing the

sum of these requirements, the security program can be made very effec-

tive and reduce the risk of loss. An illustration of an example relationship

between NIST 800-53, COBIT, ISO 27001, and HIPAA are shown in Figure

8.1.

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 5/61

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 6/61

Figure 8.1 NIST 800-53, COBIT, and ISO 27001 relationship example.

Controls may be tailored to fit the needs of the organization and con-

trols may or may not be applicable. For example, an organization that

outsources the data center processing to another organization may not

have to set up contracts and testing of disaster recovery with another off-

site data center. However the organization would need to ensure that the

function is being provided by the data center that they are contracting

their workload to. The organization should be asking how often the data

is being backed up, how often is it restored, and how often disaster recov-

ery tests are performed. It may be asked to participate in the tests for the

contracted data center. In other words, it is important to review the in-

tent of the control, and then determine who, what, where, why, and when

the control is being performed.

Security Control Methodology

The controls in the next three chapters are presented by (1) a discussion

of the control family area (e.g., access control) and the practical security

considerations for addressing this family are;, (2) a table showing the

mapping between the NIST 800-53 control and ISO/IEC 27001, COBIT 4.1,

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 7/61

and HIPAA as an example of a vertical industry mapping. In some cases,

there was no related ISO/IEC 27001 mapping, and this is noted in the ta-

ble. When there was a COBIT mapping, this is noted. Likewise, when

there was no specific HIPAA reference, one was not noted.

The practical security considerations provide a discussion for each of

the 18 control families as a guide for approaching the creation of controls

within each area. The 18 control families are shown in Table 8.2. The size

and resources of the organization will dictate how much can be invested

within each control. Larger companies are expected to devote more re-

sources to the security controls and implement more automated solutions

to address the issues. Smaller organizations need to decide what is feasi-

ble to adequately protect the resources and may need to engage external

resources to provide the adequate protection. For example, a small com-

munity bank may not be able to afford an in-house staff to perform vul-

nerability assessment testing on the infrastructure, but may be able to se-

cure the Internet entry point into the organization and ensure that the 15

employees receive adequate information security awareness training.

This approach would not be sufficient for an organization of 40,000 em-

ployees spread across 100 locations. The risk assessment for these two or-

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 8/61

ganizations would lead to different conclusions. Clearly the security offi-

cer would like to spend as much money on the security controls as possi-

ble, however, the reality of balancing the other company demands with

overspending on information security will limit the investment.

Therefore, the practical security discussion provides an interpretation of

what the NIST 800-53 controls, COBIT controls, ISO 27001 controls, and in

this case the HIPAA controls are really trying to achieve and some consid-

erations for implementation.

Security Assessment and Authorization Controls

The security assessment and authorization control family (CA) controls

shown in Table 8.3 ensures that the policies and procedures are devel-

oped and followed, security controls are reviewed by the organization on

a periodic basis, and that a person in position of high enough authority

has approved the security controls for operation of the system. In effect

this approval is contingent upon the acceptance of the risk assessment

and the security control environment being adequate to present a reason-

able level of risk to the approver. Government entities will have a formal-

ized assessment and authorization process (formerly known as security

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 9/61

certification and accreditation). However, each organization should de-

velop a process whereby the security controls and the residual risk are

approved and accepted by senior management. This creates awareness of

the controls and the risk that the organization is accepting.

The security assessments may be done internally or externally, depend-

ing upon the expertise available to perform the assessments. In either

case, the individuals performing the assessment should be independent

so that bias does not impact the assessment. When gaps are found with

the security controls, these need to be documented formally through a

document such as a plan of action and milestones (POA&M). By reviewing

the plans on a monthly basis, the organization can direct the appropriate

attention to the controls. A process should be developed for closing the

plans upon receipt of the documentation demonstrating that the issue

was fixed, along with a reporting mechanism to management for items

on the monthly POA&M, especially those items showing delayed status or

ones that have missed the estimated implementation date.

The intent of these controls is to ensure that there is some oversight on

the assessment process and that the items that are determined to be gaps

are promptly closed. A goal of this process should be to close items within

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 10/61

90 days from issue identification. Although not all issues will be able to be

mitigated within that timeframe, this can be set as a standard to address

most security issues that an organization will face. For those items that

could take longer, the process could be built to require business justifica-

tion and subsequent executive management approval (i.e., from the chief

technology officer, chief information officer, or chief executive officer)

for any initiatives that will take longer than 90 days to implement.

Planning Controls

The old adage “If you don’t know where you are going, all roads will lead

you there” certainly applies to the security planning control family (PL)

shown in Table 8.4. Security can happen by chaos, but as indicated by the

Capability Maturity Model Integration (CMMI), an organization can be-

come more effective by adopting a more proactive, planned approach.

The key document in this section is the systems security plan (SSP) con-

taining descriptions of the business, computing infrastructure, major ap-

plications, and key controls that support the documentation of the envi-

ronment. The document needs to be updated annually or whenever there

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 11/61

are significant changes in the environment. These may be caused by

changes in applications, outsourcing of information technology, mergers

and acquisitions, adding a managed security service provider (MSSP), and

so forth. The plan should not be viewed as merely a documentation exer-

cise that is performed by one individual in the security department, but

rather as an opportunity to engage individuals from different business

and IT departments to construct the plan. It is not uncommon for differ-

ent people to have different understandings of what systems are in place,

technology infrastructure, and security controls to support the business

application or support system defined in the plan. In other words, the

process of constructing the plan can be an eye-opening experience.

The security team should also have a weekly meeting to discuss the cur-

rent initiatives and their status, including a review of the dates and deliv-

erables. For security to be viewed as an ongoing program versus a point-

in-time initiative to resolve the issues created by a recent incident, then

the security program should be expected to be managed as a business.

This can be as simple as creating a red-green-yellow colored spreadsheet

(for behind, completed, and in process) and shared at a weekly meeting

or as elaborate as using project management software for each project

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 12/61

and having a biweekly comprehensive review. What is important is that

there is a constant focus on what the activities are that are in process as

well as what activities need to be added within the next 0–6, 6–12, and 12–

18 month time frames to keep them on the radar.

Risk Assessment Controls

Risk assessments are the topic of much discussion these days and right-

fully so. The risk assessment should represent a documented meeting of

the minds between information security and senior management. This is

the process that, in very simple terms, documents the risks to the organi-

zation, documents the mitigating controls, identifies the residual risk, and

provides an understanding of what needs to be done to bring the security

profile of the organization in line with its risk appetite. The risk manage-

ment process was discussed extensively in Chapter 5 and the risk assess-

ment control family controls are depicted in Table 8.5.

Vulnerability scanning is performed as part of the risk assessment to

provide the status of the technical controls and where improvements

need to be made. The risk assessment may be performed on an annual

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 13/61

basis; however, the vulnerability scanning should be done more fre-

quently due to the vulnerabilities introduced daily that could impact the

computing environment. A minimum quarterly scanning frequency with

a subsequent 90 fix-cycle to address the vulnerabilities found during the

scan would be preferred. If the organization is able to perform the scan-

ning on a weekly or daily basis through the use of automated tools, this

would be a good goal to strive toward. Once the process is in place and

the initial list of vulnerabilities is mitigated, the amount of time required

to remove the subsequent vulnerabilities should decrease and become

more manageable. An organization may choose to use multiple tools to

provide increased security, whereby one tool might not pick up the same

vulnerability as another.

As with the systems security plans, the risk assessment constitutes a

key security document and should be approved by senior management

including the CEO, CIO, and business owner of the system. The systems se-

curity department should view itself as the facilitator of the risk assess-

ment, but the final acceptance of risk is whoever is designated within se-

nior management to assume that role. Senior management has a fidu-

ciary responsibility to protect the organization’s resources from loss, and

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 14/61

the Risk Assessment document is a key document in its ability to con-

sciously understand and accept the appropriate level of risk.

System and Services Acquisition Controls

The system and services acquisition control family (SA) controls shown in

Table 8.6 ensure that the computer code supporting the business envi-

ronment, whether running internally or externally, has been created by

following a system development life cycle whereby the appropriate secu-

rity controls are analyzed, designed, implemented, and tested according

to a defined process.

Table 8.1 Vertical Industry Control Standard Alignment

STANDARD/CONTROL

FRAMEWORK/REGULATION

VERTICAL INDUSTRY

Health Insurance Portability and

Accountability Act (HIPAA) addressable and

required standards

Health insurance

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 15/61

Payment Card Industry Data Security

Standards

Financial

National Institute of Standards and

Technology (NIST) Recommended Security

Controls for Federal Information Systems

(800-53)

Government, federal

contractors (detailed

controls may be applied to

all industries) to support

Federal Information

Security Management Act

(FISMA)

ISO/IEC 27001:2005 information security

management systems—Requirements and

ISO 27002:2005 Information technology—

Security techniques—Code of practice for

information security management

International standard may

be applied to all industries

Control Objective for Information and

related Technology (COBIT)

International standard may

be applied to all industries;

used heavily to evaluate

and demonstrate

compliance with internal

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 16/61

controls for Sarbanes–

Oxley regulation

Information Technology Infrastructure

Library (ITIL)

Adopted largely by IT

operational areas to

improve service,

applicable across

industries

Federal Financial Institutions Examination

Council (FFIEC) IT Examination Handbook

(supports Gramm—Leach—BlileyAct)

Financial

North American Electric Reliability

Corporation (NERC) Critical Infrastructure

Program (CIP)

U.S. bulk power systems

Software usage and licensing is also addressed to make sure that only

the authorized software in the appropriate quantities is running within

the environment. This can be controlled by tracking spreadsheets, discov-

ery tools, and removing administrative access from most users machines

and creating policies of the approved software that may be requested

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 17/61

from the desktop support team, help desk, or the group managing the

software licenses. Allowing end users to install software, even versions of

approved software, on their own might introduce vulnerabilities as they

may be installing a version with vulnerabilities not internally reviewed

or an older version. Software installs should be centrally controlled for

vulnerability management and license tracking. Having too many unused

licenses installed costs the company money as well as the potential for

fines by the software vendors for not having enough licenses.

Table 8.2 NIST 800-53 18 Control Families

IDENTIFIERFAMILY CLASS

AC Access control Technical

AT Awareness and training Operational

AU Audit and accountability Technical

CA Security assessment and authorization Management

CM Configuration management Operational

CP Contingency planning Operational

IA Identification and authorization Technical

IR Incident response Operational

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 18/61

MA Maintenance Operational

MP Media protection Operational

PE Physical and environmental protection Operational

PL Planning Management

PS Personnel security Operational

RA Risk assessment Management

SA System and services acquisition Management

SC System and communications protectionTechnical

SI System and information integrity Operational

PM Program management Management

Source: NIST Special Publication 800-53 Revision 3, Table 1–1. August 2009. Includes May,

1,2010, updates.

Program Management Controls

The program management (PM) control family was added in NIST 800-53

Rev3 to provide the controls in support of managing an information secu-

rity program (see Table 8.7). The other controls could be viewed as tacti-

cal implementation of security controls, whereby this control ensures

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 19/61

that there is someone designated with the role of information security

and carries out the mission of managing the information security pro-

gram. The ISMS within ISO 27000 has long had the requirements for the

establishment of an information security program. Chapter 2 of this book

discussed creating the information security strategy, and Chapters 3 and

4 addressed the management roles and responsibilities to achieve the ap-

propriate structure and relationships to carry out the program.

Table 8.3 Security Assessment and Authorization Controls

CONTROL

FAMILY

COMPLIANT

(YES/NO)

CONTROL MAPPINGS

Security

assessment

and

authorization

CA-1 Security Assessment and

Authorization Policies and

Procedures

The organization develops,

disseminates, and

reviews/updates [Assignment:

organization defined

frequency]:

ISO/IEC 27001

A.5.1.1,

A.5.1.2,

A.6.1.1,

A.6.1.3

A.6.1.4,

A.8.1.1,

A.10.1.1,

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 20/61

a. Formal, documented

security assessment and

authorization policies that

address purpose, scope, roles,

responsibilities, management

commitment, coordination

among organizational

entities, and compliance; and

b. Formal, documented

procedures to facilitate the

implementation of the

security assessment and

authorization policies and

associated security

assessment and authorization

controls.

A.15.1.1,

A.15.2.1

COBIT

P010.12

HIPAA 1

64.308(a) (8)

Security

assessment

and

authorization

Practical security

considerations: CA-2 Security

Assessments The

organization:

ISO/IEC 27001

A.6.1.8,

A.10.3.2,

A.15.2.1,

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 21/61

a. Develops a security

assessment plan that

describes the scope of the

assessment including:

• Security controls and

control enhancements under

assessment

• Assessment procedures to

be used to determine security

control effectiveness

• Assessment environment,

assessment team, and

assessment roles and

responsibilities

b. Assesses the security

controls in the information

system [Assignment:

organization-defined

frequency] to determine the

extent to which the controls

A.15.2.2

COBIT DS5.5

HIPAA

164.308(a) (8)

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 22/61

are implemented correctly,

operating as intended, and

producing the desired

outcome with respect to

meeting the security

requirements for the system;

c. Produces a security

assessment report that

documents the results of the

assessment; and

d. Provides the results of the

security control assessment,

in writing, to the authorizing

official or authorizing official

designated representative.

Security

assessment

and

authorization

Practical security

considerations: CA-3

Information System

Connections The

organization:

ISO/IEC 27001

A.6.2.1,

A.6.2.3,

A.10.6.1,

A.10.8.1,

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 23/61

a. Authorizes connections

from the information system

to other information systems

outside of the authorization

boundary through the use of

interconnection security

agreements;

b. Documents, for each

connection, the interface

characteristics, security

requirements, and the nature

of the information

communicated; and

c.Monitors the information

system connections on an

ongoing basis verifying

enforcement of security

requirements.

A.10.8.2,

A.10.8.5,

A.11.4.2

HIPAA

164.308(b)

(1),

164.308(b)

(4),

164.314(a) (2)

(ii)

Security

assessment

Practical security

considerations: CA-5 Plan of

ISO/IEC 27001

(None)

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 24/61

and

authorization

Action and Milestones The

organization:

a. Develops a plan of action

and milestones for the

information system to

document the organization’s

planned remedial actions to

correct weaknesses or

deficiencies noted during the

assessment of the security

controls and to reduce or

eliminate known

vulnerabilities in the system;

and

b. Updates existing plan of

action and milestones

[Assignment: organization-

defined frequency] based on

the findings from security

controls assessments, security

COBIT ME2.7

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 25/61

impact analyses, and

continuous monitoring

activities.

Practical security

considerations:

Security

assessment

and

authorization

CA-6 Security Authorization

The organization:

a. Assigns a senior-level

executive or manager to the

role of authorizing official for

the information system;

b. Ensures that the

authorizing official

authorizes the information

system for processing before

commencing operations; and

c. Updates the security

authorization [Assignment:

organization-defined

frequency].

ISO/IEC 27001

A.6.1.4,

A.10.3.2

COBIT AI7.7,

DS5.5

HIPAA

164.308(a)

(8),

164.308(a) (2)

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 26/61

Security

assessment

and

authorization

Practical Security

Considerations: CA-7

Continuous Monitoring The

organization establishes a

continuous monitoring

strategy and implements a

continuous monitoring

program that includes:

a. A configuration

management process for the

information system and its

constituent components;

b. A determination of the

security impact of changes to

the information system and

environment of operation;

c. Ongoing security control

assessments in accordance

with the organizational

continuous monitoring

ISO/IEC 27001

A.6.1.8,

A.15.2.1,

A.15.2.2

COBIT P01.3,

DS5.5

HIPAA

164.308(a)

(8),

164.308(a)

(D(ii)(D)

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 27/61

strategy; and

d. Reporting the security state

of the information system to

appropriate organizational

officials

[Assignment: organization-

defined frequency].

Practical Security

Considerations:

Table 8.4 Planning Controls

CONTROL

FAMILY

COMPLIANT

(YES/NO)

CONTROL MAPPINGS

Planning PL-1 Security Planning Policy

and

Procedures

The organization develops,

disseminates, and

ISO/IEC 27001

A.5.1.1, A.5.1.2,

A.6.1.1, A.6.1.2,

A.6.1.3, A.8.1.1,

A.10.1.1, A.15.1.1,

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 28/61

reviews/updates

[Assignment: organization-

defined frequency]:

a. A formal, documented

security planning policy that

addresses purpose, scope,

roles, responsibilities,

management commitment,

coordination among

organizational entities, and

compliance; and

b. Formal, documented

procedures to facilitate the

implementation of the

security planning policy and

associated security planning

controls.

A.15.2.1

COBIT DS5.2, PC5

HIPAA 164.316(a)

Planning PL-2 System Security Plan The

organization:

a. Develops a security plan

ISO/IEC 27001

(None)

COBIT P01.4, DS5.2

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 29/61

for the information system

that

• Is consistent with the

organization’s enterprise

architecture;

• Explicitly defines the

authorization boundary for

the system;

• Describes the operational

context of the information

system in terms of missions

and business processes;

• Provides the security

categorization of the

information system

including supporting

rationale;

• Describes the operational

environment for the

information system;

HIPAA 164.310(a)

(2), 164.316(a) (ii)

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 30/61

• Describes relationships

with or connections to other

information systems;

• Provides an overview of the

security requirements for

the system;

• Describes the security

controls in place or planned

for meeting those

requirements including a

rationale for the tailoring

and supplementation

decisions;

• Is reviewed and approved

by the authorizing official or

designated representative

prior to plan

implementation;

b. Reviews the security plan

for the information system

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 31/61

[Assignment: organization-

defined frequency]; and

c. Updates the plan to

address changes to the

information system/

environment of operation or

problems identified during

plan implementation or

security control assessments.

Planning PL-4 Rules of Behavior The

organization:

a. Establishes and makes

readily available to all

information system users,

the rules that describe their

responsibilities and expected

behavior with regard to

information and information

system usage; and

b. Receives signed

ISO/IEC 27001

A.6.1.5, A.6.2.2,

A.7.1.3. A.8.1.1,

A.8.1.3, A.8.2.1,

A.9.1.5, A.10.8.1,

A.11.7.1, A.11.7.2,

A.12.4.1,

A.13.1.2,A.15.1.5

COBIT P06.5,

DS5.2, PC4

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 32/61

acknowledgment from users

indicating that they have

read, understand, and agree

to abide by the rules of

behavior, before authorizing

access to information and

the information system.

HIPAA 164.306(a)

(4)

Planning PL-5 Privacy Impact

Assessment The organization

conducts a privacy impact

assessment on the

information system in

accordance with OMB policy.

ISO/IEC 27001

A.15.1.4

Planning PL-6 Security-Related Activity

Planning The organization

plans and coordinates

security-related activities

affecting the information

system before conducting

such activities in order to

ISO/IEC 27001

A.6.1.2, A.15.3.1

HIPAa 164.308(a)

(D(ii)(B), 164.310(a)

(2)(ii)

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 33/61

reduce the impact on

organizational operations

(i.e., mission, functions,

image, and reputation),

organizational assets, and

individuals.

Table 8.5 Risk Assessment Controls

CONTROL

FAMILY

COMPLIANT

(YES/NO)

CONTROL MAPPINGS

Risk

assessment

RA-1 Risk Assessment Policy and

Procedures

The organization develops,

disseminates, and

reviews/updates [Assignment:

organization-defined

frequency]:

a. A formal, documented risk

ISO/IEC 27001

A.5.1.1, A.5.1.2,

A.6.1.1, A.6.1.3,

A.8.1.1,

A.10.1.1,

A.14.1.2,

A.15.1.1,

A.15.2.1

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 34/61

assessment policy that

addresses purpose, scope, roles,

responsibilities, management

commitment, coordination

among organizational entities,

and compliance; and

b. Formal, documented

procedures to facilitate the

implementation of the risk

assessment policy and

associated risk assessment

controls.

COBIT PC5,

P09.1

HIPAA

164.316(a),

164.308(a)(1)

(i)

Risk

assessment

RA-2 Security Categorization

The organization:

a. Categorizes information and

the information system in

accordance with applicable

federal laws, executive orders,

directives, policies, regulations,

standards, and guidance;

ISO/IEC 27001

A.7.2.1,

A.14.1.2

COBIT P09.2

HIPAA

164.308(a)

(D(ii)(A),

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 35/61

b. Documents the security

categorization results

(including supporting rationale)

in the security plan for the

information system; and

c. Ensures the security

categorization decision is

reviewed and approved by the

authorizing Official or

authorizing official designated

representative.

164.308(a)(7)

(ii) (E)

Risk

assessment

RA-3 Risk Assessment

The organization:

a. Conducts an assessment of

risk, including the likelihood

and magnitude of harm, from

the unauthorized access, use,

disclosure, disruption,

modification, or destruction of

the information system and the

ISO/IEC 27001

A.6.2.1,

A.10.2.3,

A.12.6.1,

A.14.1.2

COBIT P09.3,

P09.4, Al1.1

HIPAA

164.316(a),

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 36/61

information it processes, stores,

or transmits;

b. Documents risk assessment

results in [Selection: security

plan; risk assessment report;

Assignment: organization-

defined document];

c. Reviews risk assessment

results [Assignment:

organization-defined

frequency]; and

d. Updates the risk assessment

[Assignment: organization-

defined frequency] or

whenever there are significant

changes to the information

system or environment of

operation (including the

identification of new threats

and vulnerabilities), or other

164.308(a)(1)

(ii) (A)

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 37/61

conditions that may impact the

security state of the system.

Risk

assessment

RA-5 Vulnerability Scanning

The organization:

a. Scans for vulnerabilities in

the information system and

hosted applications

[Assignment: organization-

defined frequency and/or

randomly in accordance with

organization-defined process]

and when new vulnerabilities

potentially affecting the system/

applications are identified and

reported;

b. Employs vulnerability

scanning tools and techniques

that promote interoperability

among tools and automate parts

of the vulnerability

ISO/IEC 27001

A.12.6.1,

A.15.2.2

COBIT P09.3,

DS5.5

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 38/61

management process by using

standards for:

• Enumerating platforms,

software flaws, and improper

configurations;

• Formatting and making

transparent, checklists and test

procedures; and

• Measuring vulnerability

impact

c. Analyzes vulnerability scan

reports and results from

security control assessments;

d. Remediates legitimate

vulnerabilities [Assignment:

organization-defined response

times] in accordance with an

organizational assessment of

risk; and

e. Shares information obtained

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 39/61

from the vulnerability scanning

process and security control

assessments with designated

personnel throughout the

organization to help eliminate

similar vulnerabilities in other

information systems (i.e.,

systemic weaknesses or

deficiencies).

Table 8.6 System and Services Acquisition Controls

CONTROL

FAMILY

COMPLIANT

(YES/NO)

CONTROL MAPPINGS

System and

services

acquisition

SA-1 System and Services

Acquisition

Policy and Procedures

The organization develops,

disseminates, and

ISO/IEC 27001

A.5.1.1,

A.5.1.2,

A.6.1.1,

A.6.1.3,

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 40/61

reviews/updates [Assignment:

organization defined

frequency]:

a. A formal, documented system

and services acquisition policy

that includes information

security considerations and that

addresses purpose, scope, roles,

responsibilities, management

commitment, coordination

among organizational entities,

and compliance; and

b. Formal, documented

procedures to facilitate the

implementation of the system

and services acquisition policy

and associated system and

services acquisition controls.

A.6.2.1,

A.8.1.1,

A.10.1.1,

A.12.1.1,

A.12.5.5,

A.15.1.1,

A.15.2.1

COBIT AI2.5,

AI5.1, PC5

System and

services

SA-2 Allocation of Resources

The organization:

ISO/IEC 27001

A.6.1.2,

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 41/61

acquisition a. Includes a determination of

information security

requirements for the

information system in

mission/business process

planning;

b. Determines, documents, and

allocates the resources required

to protect the information

system as part of its capital

planning and investment control

process; and

c. Establishes a discrete line item

for information security in

organizational programming

and budgeting documentation.

A.10.3.1

COBIT P01.1,

P05.2

System and

services

acquisition

SA-3 Life Cycle Support

The organization: a. Manages

the information system using a

system development life cycle

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 42/61

methodology that includes

information security

considerations;

b. Defines and documents

information system security

roles and responsibilities

throughout the system

development life cycle; and

c. Identifies individuals having

information system security

roles and responsibilities.

ISO/IEC 27001

A.12.1.1

COBIT P08.3,

AI2.7

System and

services

acquisition

SA-4 Acquisitions

The organization includes the

following requirements and/or

specifications, explicitly or by

reference, in information system

acquisition contracts based on

an assessment of risk and in

accordance with applicable

federal laws, executive orders,

ISO/IEC 27001

A.12.1.1,

A.12.5.5

COBIT AI2.4,

AI5.4

HIPAA

164.314(a) (2)

(i)

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 43/61

directives, policies, regulations,

and standards:

a. Security functional

requirements/ specifications;

b. Security-related

documentation requirements;

and

c. Developmental and

evaluation-related assurance

requirements.

System and

services

acquisition

SA-5 Information System

Documentation

The organization:

a. Obtains, protects as required,

and makes available to

authorized personnel,

administrator documentation

for the information system that

describes:

• Secure configuration,

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 44/61

installation, and operation of the

information system;

• Effective use and maintenance

of security features/functions;

and

• Known vulnerabilities

regarding configuration and use

of administrative (i.e.,

privileged) functions; and

b. Obtains, protects as required,

and makes available to

authorized personnel, user

documentation for the

information system that

describes:

• User-accessible security

features/functions and how to

effectively use those security

features/functions;

• Methods for user interaction

ISO/IEC 27001

A.10.7.4,

A.15.1.3

COBIT DS5.7

4/23/23, 2:41 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 45/61

with the information system,

which enables individuals to use

the system in a more secure

manner; and

• User responsibilities in

maintaining the security of the

information and information

system; and

c. Documents attempts to obtain

information system

documentation when such

documentation is either

unavailable or nonexistent.

System and

services

acquisition

SA-6 Software Usage Restrictions

The organization:

a. Uses software and associated

documentation in accordance

with contract agreements and

copyright laws;

b. Employs tracking systems for

ISO/IEC 2700

A.12.4.1,

A.12.5.5,

A.15.1.2

COBIT DS9.3

4/23/23, 2:42 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 46/61

software and associated

documentation protected by

quantity licenses to control

copying and distribution; and

c. Controls and documents the

use of peer-to-peer file sharing

technology to ensure that this

capability is not used for the

unauthorized distribution,

display, performance, or

reproduction of copyrighted

work.

System and

services

acquisition

SA-7 User-Installed Software

The organization enforces

explicit rules

governing the installation of

software

by users.

ISO/IEC 27001

A.12.4.1,

A.12.5.5,

A.15.1.5

COBIT DS9.3

System and

services

SA-8 Security Engineering

Principles The organization

ISO/IEC 27001

A.10.4.1,

4/23/23, 2:42 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 47/61

acquisition applies information system

security engineering principles

in the specification, design,

development, implementation,

and modification of the

information system.

A.10.4.2,

A.11.4.5,

A.12.5.5

COBIT AI2.4

System and

services

acquisition

SA-9 External Information System

Services

The organization:

a. Requires that providers of

external information system

services comply with

organizational information

security requirements and

employ appropriate security

controls in accordance with

applicable federal laws,

executive orders, directives,

policies, regulations, standards,

and guidance;

ISO/IEC 27001

A.6.1.5,

A.6.2.1,

A.6.2.3,

A.8.1.1,

A.8.2.1,

A.10.2.1,

A.10.2.2,

A.10.2.3,

A.10.6.2,

A.10.8.2,

A.12.5.5

COBIT DS1.6,

DS2.3, ME3.1,

4/23/23, 2:42 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 48/61

b. Defines and documents

government oversight and user

roles and responsibilities with

regard to external information

system services; and

c. Monitors security control

compliance by external service

providers.

ME3.3

HIPAA

164.308(b) (4),

164.314(a) (1),

164.314(a) (2)

(i), 164.314(a)

(2)(ii)

System and

services

acquisition

SA-10 Developer Configuration

Management The organization

requires that information

system developers/integrators:

a. Perform configuration

management during

information system design,

development, implementation,

and operation;

b. Manage and control changes

to the information system;

c. Implement only organization-

ISO/IEC 27001

A.12.4.3,

A.12.5.1,

A.12.5.5

4/23/23, 2:42 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 49/61

approved changes;

d. Document approved changes

to the information system; and

e. Track security flaws and flaw

resolution.

System and

services

acquisition

SA-11 Developer Security Testing

The organization requires that

information system developers/

integrators, in consultation with

associated security personnel

(including security engineers):

a. Create and implement a

security test and evaluation

plan;

b. Implement a verifiable flaw

remediation process to correct

weaknesses and deficiencies

identified during the security

testing and evaluation process;

and

ISO/IEC 27001

A.10.3.2,

A.12.5.5

COBIT AI2.8

4/23/23, 2:42 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 50/61

c. Document the results of the

security testing/evaluation and

flaw remediation processes.

System and

services

acquisition

SA-12 Supply Chain Protection

The organization protects

against supply chain threats by

employing [Assignment;

organization-defined list of

measures to protect against

supply chain threats] as part of a

comprehensive, defense-in-

breadth information security

strategy.

ISO/IEC 27001

A.12.5.5

System and

services

acquisition

SA-13 Trustworthiness

The organization requires that

the information system meets

[Assignment: organization-

defined level of

trustworthiness].

ISO/IEC 27001

A.12.5.5

4/23/23, 2:42 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 51/61

System and

services

acquisition

SA-14 Critical Information System

Components

The organization:

a. Determines [Assignment:

organization-defined list of

critical information system

components that require re-

implementation]; and

b. Re-implements or custom

develops such information

system components.

ISO/IEC 27001

(None)

Table 8.7 Program Management Controls

CONTROL

FAMILY

COMPLIANT

(YES/NO)

CONTROL MAPPINGS

Program

management

PM-1 Information Security

Program Plan The organization:

a. Develops and disseminates an

ISO/IEC

27001

A.5.1.1,

4/23/23, 2:42 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 52/61

organization-wide information

security program plan that:

• Provides an overview of the

requirements for the security

program and a description of

the security program

management controls and

common controls in place or

planned for meeting those

requirements;

• Provides sufficient information

about the program management

controls and common controls

(including specification of

parameters for any assignment

and selection operations either

explicitly or by reference) to

enable an implementation that

is unambiguously compliant

with the intent of the plan and a

A.5.1.2,

A.6.1.1,

A.6.1.3

A.8.1.1,

A.15.1.1,

A.15.2.1

4/23/23, 2:42 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 53/61

determination of the risk to be

incurred if the plan is

implemented as intended;

• Includes roles, responsibilities,

management commitment,

coordination among

organizational entities, and

compliance;

• Is approved by a senior official

with responsibility and

accountability for the risk being

incurred to organizational

operations (including mission,

functions, image, and

reputation), organizational

assets, individuals, other

organizations, and the nation;

b. Reviews the organization-

wide information security

program plan [Assignment:

4/23/23, 2:42 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 54/61

organization-defined

frequency]; and

c. Revises the plan to address

organizational changes and

problems identified during plan

implementation or security

control assessments.

Program

management

PM-2 Senior Information Security

Officer

The organization appoints a

senior information security

officer with the mission and

resources to coordinate,

develop, implement, and

maintain an organization-wide

information security program.

ISO/IEC

27001

A.6.1.1,

A.6.1.2,

A.6.1.3

Program

management

PM-3 Information Security

Resources The organization:

a. Ensures that all capital

planning and investment

ISO/IEC

27001

(None)

4/23/23, 2:42 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 55/61

requests include the resources

needed to implement the

information security program

and documents all exceptions to

this requirement;

b. Employs a business

case/Exhibit 300/Exhibit 53 to

record the resources required;

and

c. Ensures that information

security resources are available

for expenditure as planned.

Program

management

PM-4 Plan of Action and

Milestones Process

The organization implements a

process for ensuring that plans

of action and milestones for the

security program and the

associated organizational

information systems are

ISO/IEC

27001

(None)

4/23/23, 2:42 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 56/61

maintained and document the

remedial information security

actions to mitigate risk to

organizational operations and

assets, individuals, other

organizations, and the nation.

Program

management

PM-5 Information System

Inventory The organization

develops and

maintains an inventory of its

information systems.

ISO/IEC

27001

A.7.1.1,

A.7.1.2

Program

management

PM-6 Information Security

Measures of Performance

The organization develops,

monitors, and reports on the

results of information security

measures of performance.

ISO/IEC

27001

(None)

Program

management

PM-7 Enterprise Architecture

The organization develops an

enterprise architecture with

ISO/IEC

27001

(None)

4/23/23, 2:42 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 57/61

consideration for information

security and the resulting risk to

organizational operations,

organizational assets,

individuals, other organizations,

and the nation.

Program

management

PM-8 Critical Infrastructure Plan

The organization addresses

information security issues in

the development,

documentation, and updating of

a critical infrastructure and key

resources protection plan.

ISO/IEC

27001

(None)

Program

management

PM-9 Risk Management Strategy

The organization:

a. Develops a comprehensive

strategy to manage risk to

organizational operations and

assets, individuals, other

organizations, and the nation

ISO/IEC

27001

A.6.2.1,

A.14.1.2

4/23/23, 2:42 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 58/61

associated with the operation

and use of information systems;

and

b. Implements that strategy

consistently across the

organization.

Program

management

PM-10 Security Authorization

Process The organization:

a. Manages (i.e., documents,

tracks, and reports) the security

state of organizational

information systems through

security authorization

processes;

b. Designates individuals to

fulfill specific roles and

responsibilities within the

organizational risk management

process; and

c. Fully integrates the security

ISO/IEC

27001

A.6.1.4

4/23/23, 2:42 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 59/61

authorization processes into an

organization-wide risk

management program.

Program

management

PM-11 Mission/Business Process

Definition

The organization:

a. Defines mission/business

processes with consideration for

information security and the

resulting risk to organizational

operations, organizational

assets, individuals, other

organizations, and the nation;

and

b. Determines information

protection needs arising from

the defined mission/business

processes and revises the

processes as necessary, until an

ISO/IEC

27001

(None)

4/23/23, 2:42 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 60/61

1.

2.

3.

4.

achievable set of protection

needs is obtained.

Suggested Reading

National Institute of Standards and Technology (NIST). August 2009. Special

Publication 800-53 Rev3: Recommended security controls for federal information

systems and organizations. http://csrc.nist.gov/publications/nistpubs/800-53-

Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf

IT Governance Institute. 2007. Mapping of NIST SP 800-53Rev 1 with COBIT® 4.1.

http://www.itgi.org

National Institute of Standards and Technology (NIST). October 2008. An introduc-

tory resource guide for implementing the Health Insurance Portability and

Accountability Act (HIPAA) Security Rule.

http://csrc.nist.gov/publications/nistpubs/800-66-Revl/SP-800-66-Revisionl.pdf

International Organization for Standardization (ISO). ISO/IEC 27001:2005

Information security management systems—Requirements.

http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?

csnumber=42103

4/23/23, 2:42 PM Chapter 8 Managerial Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/019-9781466551282-008.xhtml#sec188 61/61

5.

6.

7.

International Organization for Standardization (ISO). ISO/IEC 27002:2005

Information technology—Security techniques—Code of practice for information

security management,

http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?

csnumber=50297

Department of Health and Human Services, Office of the Secretary. February 20,

2003. 45 CFR Parts 160, 162, and 164 Health insurance reform: Security standards;

Final rule. Federal Register 68(24).

http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityrulepdf.pdf

Capability Maturity Model Integration (CMMI), http://www.sei.cmu.edu/cmmi/