3/28/23, 3:45 PM Chapter 9 Technical Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/020-9781466551282-009.xhtml 1/43
9 Technical Controls: Practical Security Considerations
For a successful technology, reality must take precedence over public relations, for nature cannot be fooled.
Richard Phillips Feynman, Report on space shuttle Challenger disaster (1986)
The controls specified in this chapter are the technical controls, that is, the controls that govern the ongoing technical mechanisms impacting security. This chapter, along with the preceding Chapter 8 on managerial controls and the subsequent Chapter 10 on operational controls, completes the set of controls necessary for building the foundation of an information security program. Each listing of the operational control family is preceded by some practical security considerations for reviewing that family of controls. These controls are also mapped to COBIT 4.1, ISO 27001, and the Health Insurance Portability and Accountability Act (HIPAA) where a relationship between them exists.
Access Control Controls
The access control (AC) family could in some ways be viewed as the primary focus of information security for its first several decades. It is the most tested area of information security and uncovers how well the security policies have been implemented. The AC control family requires that accounts are set up according to preestablished business reasons and for individuals who have a need to know the information they are requesting. Identity management systems of recent years have been implemented to ensure that access is properly controlled and that terminated and transferred users no longer have access after their company or department tenure. Role-based systems provide the ability to model user access on a consistent profile. The profile can be as simple as creating a small number of roles, defining the access required by each role, and then running a macro to create that access for the account requiring it. The AC family also calls for technical controls that lock an account when someone repeatedly fails while attempting to access it. System notification messages should be displayed when the user logs into the system as well as at other entry points, such as logging onto a server (via the use of banner pages). The wireless, mobile device, and remote device controls are in place to ensure that each entry point into the computing environment has been addressed by policy and by procedures for gaining access. These procedures ensure that there is a consistent path for requesting and approving the access. The controls for the AC family are shown in Table 9.1.
Audit and Accountability Controls
The audit and accountability controls family (AU), as shown in Table 9.2, specifies
controls to ensure that the events are being monitored and failures are being fol-
lowed up. Due to the volume of audit records that may be generated, choices need
to be made as to what items are most important to be audited. Logon failures, for
3/28/23, 3:45 PM Chapter 9 Technical Controls: Practical Security Considerations | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/020-9781466551282-009.xhtml 3/43
example, may be monitored, but a threshold of 25 in a week may be used for the
level requiring investigation. Alternatively a trending report may be developed
and whereas the daily occurrence may be low, say 2, just under the threshold of 3
invalid login attempts before a lockout, resulting in over 60 during a month’s
time. This could be the work of someone internally attempting to guess someone’s
password and having over 750 tries in a year.
Reviewing audit records can be a very time-consuming task, so some form of automation is needed, whether a Security Information and Event Management (SIEM) product or an off-the-shelf reporting tool used to reduce the input records to the exceptions over the thresholds; either way, the activity must go beyond merely logging the records. Logging the records only for forensic review, in the event that other sources point to an incident, may cause the organization to miss valuable information, such as that previously described, to which the audit records could be pointing.
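As an added illustration of the trending report and threshold-based reduction described above (this code is not from the book), the following Python script aggregates constructed authentication records and flags both the weekly-threshold case and the below-lockout trickle. The record format, the user names and the three thresholds are assumptions taken from the chapter's numbers.

```python
from collections import defaultdict
from datetime import date, timedelta

# Thresholds taken from the chapter's worked numbers (assumed policy values).
LOCKOUT_THRESHOLD = 3    # invalid attempts in one day that would trigger a lockout
WEEKLY_THRESHOLD = 25    # failures in one week that warrant investigation
MONTHLY_THRESHOLD = 60   # failures in one month that warrant investigation


def parse_failures(lines):
    """Yield (date, user) for each failed logon record.

    Record format (constructed for this example): "YYYY-MM-DD user RESULT",
    where RESULT is OK or FAIL. Malformed lines are skipped rather than
    allowed to abort the whole report.
    """
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or parts[2] != "FAIL":
            continue
        try:
            yield date.fromisoformat(parts[0]), parts[1]
        except ValueError:
            continue


def trending_report(lines):
    """Reduce raw failures to the exceptions a reviewer should look at.

    Returns {user: {"total": n, "peak_per_day": n, "flags": [...]}} for users
    who either crossed the weekly threshold in some week, or kept every day
    under the lockout threshold while exceeding the monthly threshold.
    """
    per_day = defaultdict(lambda: defaultdict(int))
    for day, user in parse_failures(lines):
        per_day[user][day] += 1

    findings = {}
    for user, days in per_day.items():
        by_week = defaultdict(int)
        by_month = defaultdict(int)
        for day, n in days.items():
            by_week[day.isocalendar()[:2]] += n   # key: (ISO year, ISO week)
            by_month[(day.year, day.month)] += n
        peak = max(days.values())
        flags = []
        if max(by_week.values()) >= WEEKLY_THRESHOLD:
            flags.append("weekly-threshold")
        if peak < LOCKOUT_THRESHOLD and max(by_month.values()) > MONTHLY_THRESHOLD:
            flags.append("below-lockout-trickle")
        if flags:
            findings[user] = {"total": sum(days.values()),
                              "peak_per_day": peak, "flags": flags}
    return findings


def sample_log():
    """Constructed March 2023 log: a daily trickle, a one-day burst, and normal use."""
    lines = []
    start = date(2023, 3, 1)
    for i in range(31):
        d = (start + timedelta(days=i)).isoformat()
        lines += [f"{d} jsmith FAIL", f"{d} jsmith FAIL",   # 2 per day, never locks
                  f"{d} jsmith OK", f"{d} alee OK"]
    lines += ["2023-03-15 bjones FAIL"] * 30                 # burst on a single day
    lines += ["2023-03-20 alee FAIL", "garbage line"]        # noise and a bad record
    return lines


if __name__ == "__main__":
    for user, info in sorted(trending_report(sample_log()).items()):
        print(user, info)
```

Only jsmith (62 failures, never more than 2 a day) and bjones (30 in one day) appear in the output; alee's single failure is below every threshold.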
Audit record storage and retention periods need to be defined. These may follow a multilevel strategy, whereby the online audit records are held for 90 days, followed by 1-year retention on a storage area network (SAN) device, and then rolled off to tape for longer term archival in the event of an incident. By the time 1 year has passed, there is a small likelihood that these records would be needed, unless requested through litigation to support e-discovery efforts. The record retention policies of the legal department need to be known before devising a strategy.
Identification and Authentication
The identification and authentication control family (IA) is shown in Table 9.3. These controls provide assurance that individuals are each uniquely identified and are authenticated in a manner such that it is likely that the person accessing the computer system is who they say they are. This works with the access control family of controls to provide the appropriate access.
The strength of the authenticator may vary and may include media access control (MAC) addressing, public key infrastructure (PKI) methods, or multifactor authentication through the use of a software or hardware token. The transmission of the information would also need encryption controls to ensure that the authenticator is not being intercepted and replayed.
System and Communications Protections
The systems and communications protections control family (SC) contains the controls shown in Table 9.4. These controls ensure that the endpoints of the communication systems are secured, as well as sufficient management of the applications internally (e.g., application partitioning). The content needs to be secured in transit and at rest (for data classified at a higher risk level) using encryption.
The security architecture needs to be reviewed to determine the appropriate access between servers, applications, placement of devices, and network zones. Local, host-based firewalls are typically placed on mobile devices in addition to the network firewall protections. These protections need to be depicted in the systems security plan to demonstrate how the boundaries are being protected, as well as the transmission of data.
Table 9.1 Access Control Controls
Columns in the original table: Control family | Control | Compliant (Yes/No) | Control mappings. The Compliant column is blank in the source; every row belongs to the Access control family.

AC-1 Access Control Policy and Procedures
The organization develops, disseminates, and reviews/updates [Assignment: organization defined frequency]:
a. A formal, documented access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the access control policy and associated access controls.
Mappings: ISO/IEC 27001 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.10.1.1, A.10.8.1, A.11.1.1, A.11.2.1, A.11.2.2, A.11.4.1, A.11.7.1, A.11.7.2, A.15.1.1, A.15.2.1; COBIT PC5, DS11.6; HIPAA 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.312(a)(1), 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.308(a)(4)(i)

AC-2 Account Management
The organization manages information system accounts, including:
a. Identifying account types (i.e., individual, group, system, application, guest/anonymous, and temporary);
b. Establishing conditions for group membership;
c. Identifying authorized users of the information system and specifying access privileges;
d. Requiring appropriate approvals for requests to establish accounts;
e. Establishing, activating, modifying, disabling, and removing accounts;
f. Specifically authorizing and monitoring the use of guest/anonymous and temporary accounts;
g. Notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes;
h. Deactivating: (i) temporary accounts that are no longer required; and (ii) accounts of terminated or transferred users;
i. Granting access to the system based on: (i) a valid access authorization; (ii) intended system usage; and (iii) other attributes as required by the organization or associated missions/business functions; and
j. Reviewing accounts [Assignment: organization-defined frequency].
Mappings: ISO/IEC 27001 A.8.3.3, A.11.2.1, A.11.2.2, A.11.2.4, A.15.2.1; COBIT DS5.4; HIPAA 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.308(a)(3)(ii)(B), 164.308(a)(4)(i)

AC-3 Access Enforcement
The information system enforces approved authorizations for logical access to the system in accordance with applicable policy.
Mappings: ISO/IEC 27001 A.10.8.1, A.11.4.4, A.11.4.6, A.11.5.4, A.11.6.1, A.12.4.2; COBIT PO2.3, AI2.4, DS11.6; HIPAA 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.310(a)(2)(iii), 164.310(b), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iv), 164.308(a)(3)(ii)(A)

AC-4 Information Flow Enforcement
The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy.
Mappings: ISO/IEC 27001 A.10.6.1, A.10.8.1, A.11.4.5, A.11.4.7, A.11.7.2, A.12.4.2, A.12.5.4; COBIT DS5.10; HIPAA 164.308(a)(4)(ii)(B), 164.310(b), 164.308(a)(3)(ii)(A)

AC-5 Separation of Duties
The organization:
a. Separates duties of individuals as necessary, to prevent malevolent activity without collusion;
b. Documents separation of duties; and
c. Implements separation of duties through assigned information system access authorizations.
Mappings: ISO/IEC 27001 A.6.1.3, A.8.1.1, A.10.1.3, A.11.1.1, A.11.4.1; COBIT PO4.11; HIPAA 164.308(a)(4)(ii)(A), 164.312(a)(1), 164.308(a)(3)(i), 164.308(a)(4)(i)

AC-6 Least Privilege
The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
Mappings: ISO/IEC 27001 A.6.1.3, A.8.1.1, A.11.1.1, A.11.2.2, A.11.4.1, A.11.4.4, A.11.4.6, A.11.5.4, A.11.6.1, A.12.4.3; COBIT PO4.11; HIPAA 164.308(a)(4)(ii)(A), 164.312(a)(1), 164.308(a)(3)(i), 164.308(a)(4)(i)

AC-7 Unsuccessful Login Attempts
The information system:
a. Enforces a limit of [Assignment: organization-defined number] consecutive invalid login attempts by a user during a [Assignment: organization-defined time period]; and
b. Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next login prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded. The control applies regardless of whether the login occurs via a local or network connection.
Mappings: ISO/IEC 27001 A.11.5.1

AC-8 System Use Notification
The information system:
a. Displays an approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance and states that: (i) users are accessing a U.S. government information system; (ii) system usage may be monitored, recorded, and subject to audit; (iii) unauthorized use of the system is prohibited and subject to criminal and civil penalties; and (iv) use of the system indicates consent to monitoring and recording;
b. Retains the notification message or banner on the screen until users take explicit actions to log on to or further access the information system; and
c. For publicly accessible systems: (i) displays the system use information when appropriate, before granting further access; (ii) displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and (iii) includes in the notice given to public users of the information system, a description of the authorized uses of the system.
Mappings: ISO/IEC 27001 A.6.2.2, A.8.1.1, A.11.5.1, A.15.1.5

AC-9 Previous Logon (Access) Notification
The information system notifies the user, upon successful logon (access), of the date and time of the last logon (access).
Mappings: ISO/IEC 27001 A.11.5.1

AC-10 Concurrent Session Control
The information system limits the number of concurrent sessions for each system account to [Assignment: organization-defined number].
Mappings: ISO/IEC 27001 A.11.5.1

AC-11 Session Lock
The information system:
a. Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and
b. Retains the session lock until the user reestablishes access using established identification and authentication procedures.
Mappings: ISO/IEC 27001 A.11.3.2, A.11.3.3, A.11.5.5; HIPAA 164.310(b), 164.312(a)(2)(iii)

AC-14 Permitted Actions without Identification or Authentication
The organization:
a. Identifies specific user actions that can be performed on the information system without identification or authentication; and
b. Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification and authentication.
Mappings: ISO/IEC 27001 A.11.6.1

AC-16 Security Attributes
The information system supports and maintains the binding of [Assignment: organization-defined security attributes] to information in storage, in process, and in transmission.
Mappings: ISO/IEC 27001 A.7.2.2; COBIT PO2.3, DS11.6; HIPAA 164.310(b)

AC-17 Remote Access
The organization:
a. Documents allowed methods of remote access to the information system;
b. Establishes usage restrictions and implementation guidance for each allowed remote access method;
c. Monitors for unauthorized remote access to the information system;
d. Authorizes remote access to the information system prior to connection; and
e. Enforces requirements for remote connections to the information system.
Mappings: ISO/IEC 27001 A.10.6.1, A.10.8.1, A.11.1.1, A.11.4.1, A.11.4.2, A.11.4.4, A.11.4.6, A.11.4.7, A.11.7.1, A.11.7.2; HIPAA 164.310(b)

AC-18 Wireless Access
The organization:
a. Establishes usage restrictions and implementation guidance for wireless access;
b. Monitors for unauthorized wireless access to the information system;
c. Authorizes wireless access to the information system prior to connection; and
d. Enforces requirements for wireless connections to the information system.
Mappings: ISO/IEC 27001 A.10.6.1, A.10.8.1, A.11.1.1, A.11.4.1, A.11.4.2, A.11.4.4, A.11.4.6, A.11.4.7, A.11.7.1, A.11.7.2

AC-19 Access Control for Mobile Devices
The organization:
a. Establishes usage restrictions and implementation guidance for organization-controlled mobile devices;
b. Authorizes connection of mobile devices meeting organizational usage restrictions and implementation guidance to organizational information systems;
c. Monitors for unauthorized connections of mobile devices to organizational information systems;
d. Enforces requirements for the connection of mobile devices to organizational information systems;
e. Disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction;
f. Issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures; and
g. Applies [Assignment: organization-defined inspection and preventative measures] to mobile devices returning from locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.
Mappings: ISO/IEC 27001 A.10.4.1, A.11.1.1, A.11.4.3, A.11.7.1; HIPAA 164.310(b)

AC-20 Use of External Information Systems
The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:
a. Access the information system from the external information systems; and
b. Process, store, and/or transmit organization-controlled information using the external information systems.
Mappings: ISO/IEC 27001 A.7.1.3, A.8.1.1, A.8.1.3, A.10.6.1, A.10.8.1, A.11.4.1, A.11.4.2

AC-21 User-Based Collaboration and Information Sharing
The organization:
a. Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and
b. Employs [Assignment: list of organization-defined information sharing circumstances and automated mechanisms or manual processes required] to assist users in making information sharing/collaboration decisions.
Mappings: ISO/IEC 27001 A.11.2.1, A.11.2.2

AC-22 Publicly Accessible Content
The organization:
a. Designates individuals authorized to post information onto an organizational information system that is publicly accessible;
b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
c. Reviews the proposed content of publicly accessible information for nonpublic information prior to posting onto the organizational information system;
d. Reviews the content on the publicly accessible organizational information system for nonpublic information [Assignment: organization-defined frequency]; and
e. Removes nonpublic information from the publicly accessible organizational information system, if discovered.
Mappings: ISO/IEC 27001
Table 9.2 Audit and Accountability Controls
Columns in the original table: Control family | Control | Compliant (Yes/No) | Control mappings. The Compliant column is blank in the source; every row belongs to the Audit and accountability family.

AU-1 Audit and Accountability Policy and Procedures
The organization develops, disseminates, and reviews/updates [Assignment: organization defined frequency]:
a. A formal, documented audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.
Mappings: ISO/IEC 27001 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.10.1.1, A.10.10.2, A.15.1.1, A.15.2.1, A.15.3.1; COBIT PC2, PC5; HIPAA 164.312(b)

AU-2 Auditable Events
The organization:
a. Determines, based on a risk assessment and mission/business needs, that the information system must be capable of auditing the following events: [Assignment: organization-defined list of auditable events];
b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
c. Provides a rationale for why the list of auditable events is deemed to be adequate to support after-the-fact investigations of security incidents; and
d. Determines, based on current threat information and ongoing assessment of risk, that the following events are to be audited within the information system: [Assignment: organization defined subset of the auditable events defined in AU-2(a) to be audited along with the frequency of (or situation requiring) auditing for each identified event].
Mappings: ISO/IEC 27001 A.10.10.1, A.10.10.4, A.10.10.5, A.15.3.1; COBIT AI2.3; HIPAA 164.312(b), 164.308(a)(5)(ii)(C)

AU-3 Content of Audit Records
The information system produces audit records that contain sufficient information to, at a minimum, establish what type of event occurred, when (date and time) the event occurred, where the event occurred, the source of the event, the outcome (success or failure) of the event, and the identity of any user/subject associated with the event.
Mappings: ISO/IEC 27001 A.10.10.1, A.10.10.4, A.10.10.5, A.15.3.1; HIPAA 164.312(b)

AU-4 Audit Storage Capacity
The organization allocates audit record storage capacity and configures auditing to reduce the likelihood of such capacity being exceeded.
Mappings: ISO/IEC 27001 A.10.10.1, A.10.3.1; HIPAA 164.312(b)

AU-5 Response to Audit Processing Failures
The information system:
a. Alerts designated organizational officials in the event of an audit processing failure; and
b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].
Mappings: ISO/IEC 27001 A.10.3.1, A.10.10.1

AU-6 Audit Review, Analysis, and Reporting
The organization:
a. Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of inappropriate or unusual activity, and reports findings to designated organizational officials; and
b. Adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk to organizational operations, organizational assets, individuals, other organizations, or the nation based on law enforcement information, intelligence information, or other credible sources of information.
Mappings: ISO/IEC 27001 A.10.10.2, A.10.10.5, A.13.1.1, A.15.1.5; COBIT DS5.5; HIPAA 164.308(a)(5)(ii)(C), 164.312(b), 164.308(a)(1)(ii)(D)

AU-7 Audit Reduction and Report Generation
The information system provides an audit reduction and report generation capability.
Mappings: ISO/IEC 27001 A.10.10.2; HIPAA 164.312(b), 164.308(a)(1)(ii)(D)

AU-8 Time Stamps
The information system uses internal system clocks to generate time stamps for audit records.
Mappings: ISO/IEC 27001 A.10.10.1, A.10.10.6

AU-9 Protection of Audit Information
The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
Mappings: ISO/IEC 27001 A.10.10.3, A.13.2.3, A.15.1.3, A.15.3.2

AU-10 Non-Repudiation
The information system protects against an individual falsely denying having performed a particular action.
Mappings: ISO/IEC 27001 A.10.9.1, A.12.2.3; COBIT DS5.11, AC6

AU-11 Audit Record Retention
The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
Mappings: ISO/IEC 27001 A.10.10.1, A.10.10.2, A.15.1.3

AU-12 Audit Generation
The information system:
a. Provides audit record generation capability for the list of auditable events defined in AU-2 at [Assignment: organization-defined information system components];
b. Allows designated organizational personnel to select which auditable events are to be audited by specific components of the system; and
c. Generates audit records for the list of audited events defined in AU-2 with the content as defined in AU-3.
Mappings: ISO/IEC 27001 A.10.10.1, A.10.10.4, A.10.10.5

AU-13 Monitoring for Information Disclosure
The organization monitors open source information for evidence of unauthorized exfiltration or disclosure of organizational information [Assignment: organization-defined frequency].
Mappings: ISO/IEC 27001 (None)

AU-14 Session Audit
The information system provides the capability to:
a. Capture/record and log all content related to a user session; and
b. Remotely view/hear all content related to an established user session in real time.
Mappings: ISO/IEC 27001 (None)
Table 9.3 Identification and Authentication Controls
(Columns: Control family | Control | Compliant (Yes/No) | Control mappings. Every row belongs to the Identification and authentication family; the Compliant column is blank in the table.)

IA-1 Identification and Authentication Policy and Procedures
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.
Mappings: ISO/IEC 27001 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.10.1.1, A.11.2.1, A.15.1.1, A.15.2.1; COBIT DS5.3, PC5

IA-2 Identification and Authentication (Organizational Users)
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
Mappings: ISO/IEC 27001 A.11.3.2, A.11.5.1, A.11.5.2, A.11.5.3; COBIT AI2.4, DS5.3; HIPAA 164.308(a)(5)(ii)(D), 164.312(a)(2)(i), 164.312(d)

IA-3 Device Identification and Authentication
The information system uniquely identifies and authenticates [Assignment: organization-defined list of specific and/or types of devices] before establishing a connection.
Mappings: ISO/IEC 27001 A.11.4.3; HIPAA 164.312(a)(2)(i), 164.312(d)

IA-4 Identifier Management
The organization manages information system identifiers for users and devices by:
a. Receiving authorization from a designated organizational official to assign a user or device identifier;
b. Selecting an identifier that uniquely identifies an individual or device;
c. Assigning the user identifier to the intended party or the device identifier to the intended device;
d. Preventing reuse of user or device identifiers for [Assignment: organization-defined time period]; and
e. Disabling the user identifier after [Assignment: organization-defined time period of inactivity].
Mappings: ISO/IEC 27001 A.11.5.2; COBIT DS5.3, DS5.4; HIPAA 164.308(a)(5)(ii)(D), 164.312(a)(2)(i), 164.312(d)

IA-5 Authenticator Management
The organization manages information system authenticators for users and devices by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual and/or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators upon information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators (if appropriate);
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification; and
i. Requiring users to take, and having devices implement, specific measures to safeguard authenticators.
Mappings: ISO/IEC 27001 A.11.2.1, A.11.2.3, A.11.3.1, A.11.5.2, A.11.5.3; HIPAA 164.308(a)(5)(ii)(D)

IA-6 Authenticator Feedback
The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
Mappings: ISO/IEC 27001 A.11.5.1; HIPAA 164.308(a)(5)(ii)(D)

IA-7 Cryptographic Module Authentication
The information system uses mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for such authentication.
Mappings: ISO/IEC 27001 A.12.3.1, A.15.1.1, A.15.1.6, A.15.2.1; HIPAA 164.308(a)(5)(ii)(D)

IA-8 Identification and Authentication (Non-Organizational Users)
The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).
Mappings: ISO/IEC 27001 A.10.9.1, A.11.4.2, A.11.5.1, A.11.5.2
Table 9.4 System and Communications Protection Controls
(Columns: Control family | Control | Compliant (Yes/No) | Control mappings. Every row belongs to the System and communications protection family; the Compliant column is blank in the table.)

SC-1 System and Communications Protection Policy and Procedures
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls.
Mappings: ISO/IEC 27001 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.10.1.1, A.15.1.1, A.15.2.1; COBIT DS5.2, PC5

SC-2 Application Partitioning
The information system separates user functionality (including user interface services) from information system management functionality.
Mappings: ISO/IEC 27001 A.10.4.1, A.10.4.2; COBIT AI2.4

SC-3 Security Function Isolation
The information system isolates security functions from nonsecurity functions.
Mappings: ISO/IEC 27001 A.10.4.1, A.10.4.2, A.10.9.1, A.10.9.2; COBIT DS5.7

SC-4 Information in Shared Resources
The information system prevents unauthorized and unintended information transfer via shared system resources.
Mappings: ISO/IEC 27001 (None)

SC-5 Denial of Service Protection
The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined list of types of denial of service attacks or reference to source for current list].
Mappings: ISO/IEC 27001 A.10.3.1

SC-6 Resource Priority
The information system limits the use of resources by priority.
Mappings: ISO/IEC 27001 (None)

SC-7 Boundary Protection
The information system:
a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; and
b. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
Mappings: ISO/IEC 27001 A.6.2.1, A.10.4.1, A.10.4.2, A.10.6.1, A.10.8.1, A.10.9.1, A.10.9.2, A.10.10.2, A.11.4.5, A.11.4.6; COBIT DS5.10

SC-8 Transmission Integrity
The information system protects the integrity of transmitted information.
Mappings: ISO/IEC 27001 A.10.4.2, A.10.6.1, A.10.6.2, A.10.9.1, A.10.9.2, A.12.2.3, A.12.3.1; COBIT AC6; HIPAA 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i)

SC-9 Transmission Confidentiality
The information system protects the confidentiality of transmitted information.
Mappings: ISO/IEC 27001 A.10.6.1, A.10.6.2, A.10.9.1, A.10.9.2, A.12.3.1; COBIT DS5.11, AC6; HIPAA 164.312(e)(1), 164.312(e)(2)(ii)

SC-10 Network Disconnect
The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity.
Mappings: ISO/IEC 27001 A.10.6.1, A.11.3.2, A.11.5.1, A.11.5.5

SC-11 Trusted Path
The information system establishes a trusted communications path between the user and the following security functions of the system: [Assignment: organization-defined security functions to include at a minimum information system authentication and reauthentication].
Mappings: ISO/IEC 27001 (None); COBIT AC6, DS5.11

SC-12 Cryptographic Key Establishment and Management
The organization establishes and manages cryptographic keys for required cryptography employed within the information system.
Mappings: ISO/IEC 27001 A.12.3.2; COBIT DS5.8; HIPAA 164.312(e)(2)(ii)

SC-13 Use of Cryptography
The information system implements required cryptographic protections using cryptographic modules that comply with applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance.
Mappings: ISO/IEC 27001 A.12.3.1, A.15.1.6; COBIT DS5.8; HIPAA 164.312(a)(2)(iv), 164.312(e)(2)(ii)

SC-14 Public Access Protections
The information system protects the integrity and availability of publicly available information and applications.
Mappings: ISO/IEC 27001 A.10.4.1, A.10.4.2, A.10.9.1, A.10.9.2, A.10.9.3

SC-15 Collaborative Computing Devices
The information system:
a. Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and
b. Provides an explicit indication of use to users physically present at the devices.
Mappings: ISO/IEC 27001 (None)

SC-16 Transmission of Security Attributes
The information system associates security attributes with information exchanged between information systems.
Mappings: ISO/IEC 27001 A.7.2.2, A.10.8.1; COBIT DS5.11

SC-17 Public Key Infrastructure Certificates
The organization issues public key certificates under an [Assignment: organization-defined certificate policy] or obtains public key certificates under an appropriate certificate policy from an approved service provider.
Mappings: ISO/IEC 27001 A.12.3.2

SC-18 Mobile Code
The organization:
a. Defines acceptable and unacceptable mobile code and mobile code technologies;
b. Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and
c. Authorizes, monitors, and controls the use of mobile code within the information system.
Mappings: ISO/IEC 27001 A.10.4.2; COBIT DS5.9

SC-19 Voice Over Internet Protocol
The organization:
a. Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and
b. Authorizes, monitors, and controls the use of VoIP within the information system.
Mappings: ISO/IEC 27001 A.10.6.1

SC-20 Secure Name/Address Resolution Service (Authoritative Source)
The information system provides additional data origin and integrity artifacts along with the authoritative data the system returns in response to name/address resolution queries.
Mappings: ISO/IEC 27001 A.10.6.1

SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver)
The information system performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems.
Mappings: ISO/IEC 27001 A.10.6.1

SC-22 Architecture and Provisioning for Name/Address Resolution Service
The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.
Mappings: ISO/IEC 27001 A.10.6.1

SC-23 Session Authenticity
The information system provides mechanisms to protect the authenticity of communications sessions.
Mappings: ISO/IEC 27001 A.10.6.1; COBIT AC6

SC-24 Fail in Known State
The information system fails to a [Assignment: organization-defined known state] for [Assignment: organization-defined types of failures] preserving [Assignment: organization-defined system state information] in failure.
Mappings: ISO/IEC 27001 (None)

SC-25 Thin Nodes
The information system employs processing components that have minimal functionality and information storage.
Mappings: ISO/IEC 27001 (None)

SC-26 Honeypots
The information system includes components specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting, and analyzing such attacks.
Mappings: ISO/IEC 27001 (None)

SC-27 Operating System-Independent Applications
The information system includes: [Assignment: organization-defined operating system independent applications].
Mappings: ISO/IEC 27001 (None)

SC-28 Protection of Information at Rest
The information system protects the confidentiality and integrity of information at rest.
Mappings: ISO/IEC 27001 (None)

SC-29 Heterogeneity
The organization employs diverse information technologies in the implementation of the information system.
Mappings: ISO/IEC 27001 (None)

SC-30 Virtualization Techniques
The organization employs virtualization techniques to present information system components as other types of components, or components with differing configurations.
Mappings: ISO/IEC 27001 (None)

SC-31 Covert Channel Analysis
The organization requires that information system developers/integrators perform a covert channel analysis to identify those aspects of system communication that are potential avenues for covert storage and timing channels.
Mappings: ISO/IEC 27001 (None)

SC-32 Information System Partitioning
The organization partitions the information system into components residing in separate physical domains (or environments) as deemed necessary.
Mappings: ISO/IEC 27001 (None)

SC-33 Transmission Preparation Integrity
The information system protects the integrity of information during the processes of data aggregation, packaging, and transformation in preparation for transmission.
Mappings: ISO/IEC 27001 (None)

SC-34 Non-Modifiable Executable Programs
The information system at [Assignment: organization-defined information system components]:
a. Loads and executes the operating environment from hardware-enforced, read-only media; and
b. Loads and executes [Assignment: organization-defined applications] from hardware-enforced, read-only media.
Mappings: ISO/IEC 27001 (None)
Suggested Reading
1. National Institute of Standards and Technology (NIST). August 2009. Special Publication 800-53 Rev3: Recommended security controls for federal information systems and organizations. http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf
2. IT Governance Institute. 2007. Mapping of NIST SP 800-53 Rev 1 with COBIT 4.1. http://www.itgi.org
3. National Institute of Standards and Technology (NIST). October 2008. An introductory resource guide for implementing the Health Insurance Portability and Accountability Act (HIPAA) security rule. http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf
4. International Organization for Standardization (ISO). ISO/IEC 27001:2005 Information security management systems—Requirements. http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=42103
5. International Organization for Standardization (ISO). ISO/IEC 27002:2005 Information technology security techniques—Code of practice for information security management. http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=50297
6. Department of Health and Human Services, Office of the Secretary. February 20, 2003. 45 CFR Parts 160, 162, and 164 Health insurance reform: Security standards; Final rule. Federal Register 68(24). http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityrulepdf.pdf