
3/28/23, 3:45 PM Chapter 9 Technical Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/020-9781466551282-009.xhtml 1/43

9 Technical Controls: Practical Security Considerations

For a successful technology, reality must take precedence over public relations, for nature cannot be fooled.

Richard Phillips Feynman, Report on space shuttle Challenger disaster (1986)

The controls specified in this chapter are the technical controls, those that govern the ongoing technical mechanisms affecting security. This chapter, together with the preceding Chapter 8 on managerial controls and the subsequent Chapter 10 on operational controls, completes the set of controls needed to build the foundation of an information security program. Each listing of a technical control family is preceded by practical security considerations for reviewing that family of controls. The controls are also mapped to COBIT 4.1, ISO/IEC 27001, and the Health Insurance Portability and Accountability Act (HIPAA) where a relationship between them exists.

Access Control Controls

The access control (AC) family could in some ways be viewed as the primary focus of information security for its first several decades. It is the most tested area of information security and reveals how well the security policies have been implemented. The AC family requires that accounts are set up for preestablished business reasons and for individuals who have a need to know the information they request. Identity management systems of recent years have been implemented to ensure that access is properly controlled and that terminated and transferred users no longer have access once their company or department tenure ends. Role-based systems model user access on a consistent profile. The profile can be as simple as defining a small number of roles, defining the access each role requires, and then running a macro to provision that access for each account that needs it.

The AC family also calls for technical controls that lock an account when someone repeatedly fails to authenticate to it. System use notification messages should be displayed when the user logs into the system and at other entry points, such as logging onto a server (via banner pages). The wireless, mobile device, and remote access controls ensure that every entry point into the computing environment is addressed by policy and procedures for gaining access, so that there is a consistent path for requesting and approving that access. The controls for the AC family are shown in Table 9.1.
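The lockout mechanism described above, and specified in AC-7 of Table 9.1, is easy to get subtly wrong: the counter must be per account rather than per connection (so local and network logins share it), a success must break the run of consecutive failures, and old failures outside the window must not count. The following is an added example written for this chapter, not code from the book or from any product; the policy values (3 attempts in 15 minutes, a 30-minute lock, a 2-second base delay) and the class names are illustrative choices. It implements all three responses the control lets the organization select: a timed lock, a lock held until an administrator releases it, and a growing delay before the next login prompt.

```python
"""Account lockout in the AC-7 pattern: a limit on consecutive invalid
attempts within a window, then one of three selectable responses.
Added example for this chapter; policy values are illustrative."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Optional


class LockMode(Enum):
    TIMED = "lock the account for a fixed period"
    ADMIN_RELEASE = "lock the account until an administrator releases it"
    DELAY = "delay the next login prompt by a growing interval"


@dataclass
class AccountState:
    failures: int = 0                   # consecutive failures inside the window
    window_start: float = 0.0           # time of the first failure in the window
    last_failure: float = 0.0
    locked_until: Optional[float] = None
    admin_locked: bool = False


class LockoutPolicy:
    """Tracks failures per account, so the rule applies to local and network
    logins alike. Times are plain seconds so the logic is easy to test."""

    def __init__(self, max_attempts: int = 3, window_s: float = 900,
                 lock_s: float = 1800, mode: LockMode = LockMode.TIMED,
                 base_delay_s: float = 2.0, max_delay_s: float = 300.0):
        self.max_attempts = max_attempts    # [organization-defined number]
        self.window_s = window_s            # [organization-defined time period]
        self.lock_s = lock_s                # lock duration for LockMode.TIMED
        self.mode = mode
        self.base_delay_s = base_delay_s    # delay algorithm parameters
        self.max_delay_s = max_delay_s
        self._state: dict[str, AccountState] = {}

    def _delay_for(self, failures: int) -> float:
        # Exponential back-off once the limit is reached: 2 s, 4 s, 8 s, ... capped.
        return min(self.base_delay_s * 2 ** (failures - self.max_attempts),
                   self.max_delay_s)

    def can_attempt(self, user: str, now: float) -> tuple[bool, float]:
        """Return (allowed, seconds_to_wait) for a login attempt at time `now`."""
        st = self._state.setdefault(user, AccountState())
        if st.admin_locked:
            return False, 0.0
        if st.locked_until is not None:
            if now < st.locked_until:
                return False, st.locked_until - now
            st.locked_until = None          # timed lock expired: start afresh
            st.failures = 0
        if self.mode is LockMode.DELAY and st.failures >= self.max_attempts:
            wait = st.last_failure + self._delay_for(st.failures) - now
            if wait > 0:
                return False, wait
        return True, 0.0

    def record_attempt(self, user: str, success: bool, now: float) -> None:
        """Feed the outcome of an attempt; call after the credential check."""
        st = self._state.setdefault(user, AccountState())
        if success:
            st.failures = 0                 # a success breaks the consecutive run
            return
        if st.failures == 0 or now - st.window_start > self.window_s:
            st.failures = 0                 # window elapsed: old failures no longer count
            st.window_start = now
        st.failures += 1
        st.last_failure = now
        if st.failures >= self.max_attempts:
            if self.mode is LockMode.TIMED:
                st.locked_until = now + self.lock_s
            elif self.mode is LockMode.ADMIN_RELEASE:
                st.admin_locked = True
            # LockMode.DELAY keeps no extra state: can_attempt computes the wait

    def admin_release(self, user: str) -> None:
        """Administrator clears the lock (and the failure history) for a user."""
        self._state[user] = AccountState()
```

Note that `can_attempt` is checked before the password is verified and `record_attempt` after it; if the order is reversed, an attacker can keep probing a locked account and still learn whether the password was right from timing or error text.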

Audit and Accountability Controls

The audit and accountability (AU) control family, shown in Table 9.2, specifies controls to ensure that events are monitored and that failures are followed up. Because of the volume of audit records that may be generated, choices must be made about which items are most important to audit. Logon failures, for example, may be monitored with a threshold of 25 in a week as the level requiring investigation. Alternatively, a trending report may reveal that the daily count is low, say 2, just under the lockout threshold of 3 invalid login attempts, yet adds up to over 60 in a month. This could be the work of someone internally trying to guess another person's password at roughly 730 attempts a year without ever triggering a lockout.

Reviewing audit records is a time-consuming task, so automation of some sort is needed, whether a Security Information and Event Management (SIEM) product or an off-the-shelf reporting tool that reduces the input records to just the exceptions over the thresholds; the activity must go beyond merely logging the records. Keeping the records only for forensic review, in case other sources point to an incident, may cause the organization to miss valuable information, such as the pattern just described, that the audit records are pointing to.

Audit record storage and retention periods need to be defined. These may follow a multilevel strategy, whereby online audit records are held for 90 days, followed by 1 year of retention on a storage area network (SAN) device, and then rolled off to tape for longer-term archival in the event of an incident. Once a year has passed there is a small likelihood that these records will be needed, unless they are requested through litigation to support e-discovery efforts. The legal department's record retention policies need to be known before devising a strategy.
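The two detections described above, a weekly burst over the investigation threshold and the "low and slow" guesser who stays under the lockout limit every day but accumulates a large monthly total, are exactly the kind of audit reduction the text says must happen beyond mere logging. The following is an added example for this chapter, not code from the book or from any SIEM product. It parses sshd-style failed-password lines, which are constructed here to illustrate the two patterns and are not real log data; the thresholds (25 per week, lockout at 3, 40 per month) and function names are assumptions for the example.

```python
"""Audit reduction over failed-logon records: flag weekly bursts and the
low-and-slow guesser who stays under the lockout threshold each day.
Added example for this chapter; the log lines are constructed, not real."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Matches the sshd "Failed password" line shape; everything after the source
# address (port, protocol) is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def sample_log():
    """Constructed sample covering three accounts over March 2023."""
    lines = []
    start = datetime(2023, 3, 1, 8, 0, 0)
    for day in range(30):          # bob: 2 failures every day, always under the lockout of 3
        for k in range(2):
            ts = start + timedelta(days=day, hours=4 * k)
            lines.append(f"{ts.isoformat()} host1 sshd[4242]: Failed password for bob "
                         f"from 10.0.0.5 port 5123 ssh2")
    for k in range(30):            # carol: a burst of 30 in one day (over 25 in the week)
        ts = start + timedelta(days=3, minutes=k)
        lines.append(f"{ts.isoformat()} host1 sshd[4243]: Failed password for carol "
                     f"from 10.0.0.9 port 5124 ssh2")
    ts = start + timedelta(days=5)  # dave: a single typo, no finding expected
    lines.append(f"{ts.isoformat()} host1 sshd[4244]: Failed password for dave "
                 f"from 10.0.0.7 port 5125 ssh2")
    lines.append(f"{start.isoformat()} host1 sshd[4245]: Accepted password for bob "
                 f"from 10.0.0.5 port 5126 ssh2")   # a success; not a failure record
    return lines


def parse_failures(lines):
    """Return (timestamp, user, source) for every failed-password line."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"]))
    return events


def analyze(events, lockout_threshold=3, weekly_threshold=25, monthly_threshold=40):
    """Reduce the failure events to the exceptions worth investigating."""
    per_day, per_week, per_month = Counter(), Counter(), Counter()
    for ts, user, _src in events:
        per_day[(user, ts.date())] += 1
        iso_year, iso_week, _ = ts.isocalendar()
        per_week[(user, (iso_year, iso_week))] += 1
        per_month[(user, (ts.year, ts.month))] += 1

    findings = defaultdict(list)
    # Rule 1: the weekly investigation threshold from the text.
    for (user, (_y, week)), n in per_week.items():
        if n >= weekly_threshold:
            findings[user].append(("weekly_burst", f"{n} failures in ISO week {week}"))
    # Rule 2: never enough in a day to trip the lockout, but a large monthly total.
    daily_max = defaultdict(int)
    for (user, _day), n in per_day.items():
        daily_max[user] = max(daily_max[user], n)
    for (user, (year, month)), n in per_month.items():
        if n >= monthly_threshold and daily_max[user] < lockout_threshold:
            findings[user].append(("low_and_slow",
                                   f"{n} failures in {year}-{month:02d}, never more "
                                   f"than {daily_max[user]} per day"))
    return dict(findings)


if __name__ == "__main__":
    for user, items in analyze(parse_failures(sample_log())).items():
        for rule, detail in items:
            print(f"{user}: {rule}: {detail}")
```

Run against the constructed log, bob is reported only by the low-and-slow rule (60 failures, never more than 2 a day) and carol only by the weekly rule; dave generates nothing. The per-source address is parsed but unused here; grouping by source as well as by user is the natural next refinement when one host is trying many accounts.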

Identification and Authentication

The identification and authentication (IA) control family is shown in Table 9.3. These controls provide assurance that individuals are each uniquely identified and authenticated in a manner that makes it likely that the person accessing the computer system is who they claim to be. This works with the access control family to provide the appropriate access.

The strength of the authenticator may vary: it may be as weak as media access control (MAC) addressing (a device identifier that is trivially spoofed and should not be relied on by itself), may use public key infrastructure (PKI) methods, or may use multifactor authentication through a software or hardware token. The transmission of the authenticator also needs encryption controls to ensure that it is not intercepted and replayed.
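The replay concern in the last sentence is about more than encrypting the wire: an authenticator that is the same on every login is replayable by anyone who ever captured it. The following is an added example for this chapter, not code from the book, showing the difference between a static token, where a captured copy works forever, and a one-shot challenge-response in which the server issues a fresh random nonce and the client returns an HMAC over it, so a captured (nonce, response) pair is useless on the next login. The class and function names and the demo key are assumptions for the example; a real deployment would still run this over TLS, because a nonce stops replay but not an active relay.

```python
"""Static authenticator (replayable) versus one-shot challenge-response
(replay-resistant). Added example for this chapter; the key is constructed."""
import hashlib
import hmac
import secrets


def static_token_verify(stored_tokens, user, token):
    """The weak baseline: a fixed authenticator presented as-is is accepted
    every time, so a captured copy is as good as the original."""
    return hmac.compare_digest(stored_tokens.get(user, b""), token)


class ChallengeResponseServer:
    """Holds a shared secret per user and one outstanding nonce per user."""

    def __init__(self, keys_by_user):
        self._keys = dict(keys_by_user)
        self._pending = {}          # user -> nonce that has been issued but not used

    def challenge(self, user):
        """Issue a fresh, unpredictable nonce; it replaces any earlier one."""
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce
        return nonce

    def verify(self, user, nonce, response):
        """Accept only the response to the nonce currently outstanding, once."""
        expected_nonce = self._pending.pop(user, None)   # consumed on first use
        if expected_nonce is None or not hmac.compare_digest(expected_nonce, nonce):
            return False
        key = self._keys.get(user)
        if key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)   # constant-time compare


def client_respond(key, nonce):
    """Client side: prove possession of the key without sending it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo():
    """Genuine login, then an attacker replaying what it captured."""
    key = b"constructed-demo-key-for-alice"          # constructed, not a real credential
    srv = ChallengeResponseServer({"alice": key})

    nonce = srv.challenge("alice")
    response = client_respond(key, nonce)             # these two values cross the wire
    genuine = srv.verify("alice", nonce, response)

    srv.challenge("alice")                            # next login: server issues a new nonce
    replay = srv.verify("alice", nonce, response)     # captured pair presented again

    static = static_token_verify({"alice": key}, "alice", key)  # captured static token
    return {"genuine": genuine, "replay": replay, "static_replay": static}


if __name__ == "__main__":
    print(demo())
```

The server forgets the nonce the moment it is checked, so even replaying immediately, before a new challenge is issued, fails; and because the response is an HMAC, the captured pair reveals nothing about the key itself.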

System and Communications Protections

The system and communications protection (SC) control family contains the controls shown in Table 9.4. These controls ensure that the endpoints of the communication systems are secured and that applications are managed internally (e.g., application partitioning). Content needs to be secured in transit and, for data classified at a higher risk level, at rest, using encryption. The security architecture needs to be reviewed to determine the appropriate access between servers and applications, the placement of devices, and the network zones. Local, host-based firewalls are typically placed on mobile devices in addition to the network firewall protections. These protections need to be depicted in the system security plan to demonstrate how the boundaries, as well as data in transmission, are being protected.

Table 9.1 Access Control Controls

Columns: Control family; Control; Compliant (Yes/No), left blank for the reviewer to complete; Control mappings.

Access control: AC-1 Access Control Policy and Procedures
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the access control policy and associated access controls.
Mappings: ISO/IEC 27001 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.10.1.1, A.10.8.1, A.11.1.1, A.11.2.1, A.11.2.2, A.11.4.1, A.11.7.1, A.11.7.2, A.15.1.1, A.15.2.1; COBIT PC5, DS11.6; HIPAA 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.312(a)(1), 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.308(a)(4)(i)

Access control: AC-2 Account Management
The organization manages information system accounts, including:
a. Identifying account types (i.e., individual, group, system, application, guest/anonymous, and temporary);
b. Establishing conditions for group membership;
c. Identifying authorized users of the information system and specifying access privileges;
d. Requiring appropriate approvals for requests to establish accounts;
e. Establishing, activating, modifying, disabling, and removing accounts;
f. Specifically authorizing and monitoring the use of guest/anonymous and temporary accounts;
g. Notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes;
h. Deactivating: (i) temporary accounts that are no longer required; and (ii) accounts of terminated or transferred users;
i. Granting access to the system based on: (i) a valid access authorization; (ii) intended system usage; and (iii) other attributes as required by the organization or associated missions/business functions; and
j. Reviewing accounts [Assignment: organization-defined frequency].
Mappings: ISO/IEC 27001 A.8.3.3, A.11.2.1, A.11.2.2, A.11.2.4, A.15.2.1; COBIT DS5.4; HIPAA 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.308(a)(3)(ii)(B), 164.308(a)(4)(i)

Access control: AC-3 Access Enforcement
The information system enforces approved authorizations for logical access to the system in accordance with applicable policy.
Mappings: ISO/IEC 27001 A.10.8.1, A.11.4.4, A.11.4.6, A.11.5.4, A.11.6.1, A.12.4.2; COBIT PO2.3, AI2.4, DS11.6; HIPAA 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.310(a)(2)(iii), 164.310(b), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iv), 164.308(a)(3)(ii)(A)

Access control: AC-4 Information Flow Enforcement
The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy.
Mappings: ISO/IEC 27001 A.10.6.1, A.10.8.1, A.11.4.5, A.11.4.7, A.11.7.2, A.12.4.2, A.12.5.4; COBIT DS5.10; HIPAA 164.308(a)(4)(ii)(B), 164.310(b), 164.308(a)(3)(ii)(A)

Access control: AC-5 Separation of Duties
The organization:
a. Separates duties of individuals as necessary, to prevent malevolent activity without collusion;
b. Documents separation of duties; and
c. Implements separation of duties through assigned information system access authorizations.
Mappings: ISO/IEC 27001 A.6.1.3, A.8.1.1, A.10.1.3, A.11.1.1, A.11.4.1; COBIT PO4.11; HIPAA 164.308(a)(4)(ii)(A), 164.312(a)(1), 164.308(a)(3)(i), 164.308(a)(4)(i)

Access control: AC-6 Least Privilege
The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
Mappings: ISO/IEC 27001 A.6.1.3, A.8.1.1, A.11.1.1, A.11.2.2, A.11.4.1, A.11.4.4, A.11.4.6, A.11.5.4, A.11.6.1, A.12.4.3; COBIT PO4.11; HIPAA 164.308(a)(4)(ii)(A), 164.312(a)(1), 164.308(a)(3)(i), 164.308(a)(4)(i)

Access control: AC-7 Unsuccessful Login Attempts
The information system:
a. Enforces a limit of [Assignment: organization-defined number] consecutive invalid login attempts by a user during a [Assignment: organization-defined time period]; and
b. Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next login prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded. The control applies regardless of whether the login occurs via a local or network connection.
Mappings: ISO/IEC 27001 A.11.5.1

Access control: AC-8 System Use Notification
The information system:
a. Displays an approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance and states that: (i) users are accessing a U.S. Government information system; (ii) system usage may be monitored, recorded, and subject to audit; (iii) unauthorized use of the system is prohibited and subject to criminal and civil penalties; and (iv) use of the system indicates consent to monitoring and recording;
b. Retains the notification message or banner on the screen until users take explicit actions to log on to or further access the information system; and
c. For publicly accessible systems: (i) displays the system use information when appropriate, before granting further access; (ii) displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and (iii) includes in the notice given to public users of the information system a description of the authorized uses of the system.
Mappings: ISO/IEC 27001 A.6.2.2, A.8.1.1, A.11.5.1, A.15.1.5

Access control: AC-9 Previous Logon (Access) Notification
The information system notifies the user, upon successful logon (access), of the date and time of the last logon (access).
Mappings: ISO/IEC 27001 A.11.5.1

Access control: AC-10 Concurrent Session Control
The information system limits the number of concurrent sessions for each system account to [Assignment: organization-defined number].
Mappings: ISO/IEC 27001 A.11.5.1

Access control: AC-11 Session Lock
The information system:
a. Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and
b. Retains the session lock until the user reestablishes access using established identification and authentication procedures.
Mappings: ISO/IEC 27001 A.11.3.2, A.11.3.3, A.11.5.5; HIPAA 164.310(b), 164.312(a)(2)(iii)

Access control: AC-14 Permitted Actions without Identification or Authentication
The organization:
a. Identifies specific user actions that can be performed on the information system without identification or authentication; and
b. Documents and provides supporting rationale in the security plan for the information system for user actions not requiring identification and authentication.
Mappings: ISO/IEC 27001 A.11.6.1

Access control: AC-16 Security Attributes
The information system supports and maintains the binding of [Assignment: organization-defined security attributes] to information in storage, in process, and in transmission.
Mappings: ISO/IEC 27001 A.7.2.2; COBIT PO2.3, DS11.6; HIPAA 164.310(b)

Access control: AC-17 Remote Access
The organization:
a. Documents allowed methods of remote access to the information system;
b. Establishes usage restrictions and implementation guidance for each allowed remote access method;
c. Monitors for unauthorized remote access to the information system;
d. Authorizes remote access to the information system prior to connection; and
e. Enforces requirements for remote connections to the information system.
Mappings: ISO/IEC 27001 A.10.6.1, A.10.8.1, A.11.1.1, A.11.4.1, A.11.4.2, A.11.4.4, A.11.4.6, A.11.4.7, A.11.7.1, A.11.7.2; HIPAA 164.310(b)

Access control: AC-18 Wireless Access
The organization:
a. Establishes usage restrictions and implementation guidance for wireless access;
b. Monitors for unauthorized wireless access to the information system;
c. Authorizes wireless access to the information system prior to connection; and
d. Enforces requirements for wireless connections to the information system.
Mappings: ISO/IEC 27001 A.10.6.1, A.10.8.1, A.11.1.1, A.11.4.1, A.11.4.2, A.11.4.4, A.11.4.6, A.11.4.7, A.11.7.1, A.11.7.2

Access control: AC-19 Access Control for Mobile Devices
The organization:
a. Establishes usage restrictions and implementation guidance for organization-controlled mobile devices;
b. Authorizes connection of mobile devices meeting organizational usage restrictions and implementation guidance to organizational information systems;
c. Monitors for unauthorized connections of mobile devices to organizational information systems;
d. Enforces requirements for the connection of mobile devices to organizational information systems;
e. Disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction;
f. Issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures; and
g. Applies [Assignment: organization-defined inspection and preventative measures] to mobile devices returning from locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.
Mappings: ISO/IEC 27001 A.10.4.1, A.11.1.1, A.11.4.3, A.11.7.1; HIPAA 164.310(b)

Access control: AC-20 Use of External Information Systems
The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:
a. Access the information system from the external information systems; and
b. Process, store, and/or transmit organization-controlled information using the external information systems.
Mappings: ISO/IEC 27001 A.7.1.3, A.8.1.1, A.8.1.3, A.10.6.1, A.10.8.1, A.11.4.1, A.11.4.2

Access control: AC-21 User-Based Collaboration and Information Sharing
The organization:
a. Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and
b. Employs [Assignment: list of organization-defined information sharing circumstances and automated mechanisms or manual processes required] to assist users in making information sharing/collaboration decisions.
Mappings: ISO/IEC 27001 A.11.2.1, A.11.2.2

Access control: AC-22 Publicly Accessible Content
The organization:
a. Designates individuals authorized to post information onto an organizational information system that is publicly accessible;
b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
c. Reviews the proposed content of publicly accessible information for nonpublic information prior to posting onto the organizational information system;
d. Reviews the content on the publicly accessible organizational information system for nonpublic information [Assignment: organization-defined frequency]; and
e. Removes nonpublic information from the publicly accessible organizational information system, if discovered.
Mappings: ISO/IEC 27001

Table 9.2 Audit and Accountability Controls

Columns: Control family; Control; Compliant (Yes/No), left blank for the reviewer to complete; Control mappings.

Audit and accountability: AU-1 Audit and Accountability Policy and Procedures
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.
Mappings: ISO/IEC 27001 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.10.1.1, A.10.10.2, A.15.1.1, A.15.2.1, A.15.3.1; COBIT PC2, PC5; HIPAA 164.312(b)

Audit and accountability: AU-2 Auditable Events
The organization:
a. Determines, based on a risk assessment and mission/business needs, that the information system must be capable of auditing the following events: [Assignment: organization-defined list of auditable events];
b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
c. Provides a rationale for why the list of auditable events is deemed to be adequate to support after-the-fact investigations of security incidents; and
d. Determines, based on current threat information and ongoing assessment of risk, that the following events are to be audited within the information system: [Assignment: organization-defined subset of the auditable events defined in AU-2(a) to be audited along with the frequency of (or situation requiring) auditing for each identified event].
Mappings: ISO/IEC 27001 A.10.10.1, A.10.10.4, A.10.10.5, A.15.3.1; COBIT AI2.3; HIPAA 164.312(b), 164.308(a)(5)(ii)(C)

Audit and accountability: AU-3 Content of Audit Records
The information system produces audit records that contain sufficient information to, at a minimum, establish what type of event occurred, when (date and time) the event occurred, where the event occurred, the source of the event, the outcome (success or failure) of the event, and the identity of any user/subject associated with the event.
Mappings: ISO/IEC 27001 A.10.10.1, A.10.10.4, A.10.10.5, A.15.3.1; HIPAA 164.312(b)

Audit and accountability: AU-4 Audit Storage Capacity
The organization allocates audit record storage capacity and configures auditing to reduce the likelihood of such capacity being exceeded.
Mappings: ISO/IEC 27001 A.10.10.1, A.10.3.1; HIPAA 164.312(b)

Audit and accountability: AU-5 Response to Audit Processing Failures
The information system:
a. Alerts designated organizational officials in the event of an audit processing failure; and
b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].
Mappings: ISO/IEC 27001 A.10.3.1, A.10.10.1

Audit and accountability: AU-6 Audit Review, Analysis, and Reporting
The organization:
a. Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of inappropriate or unusual activity, and reports findings to designated organizational officials; and
b. Adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk to organizational operations, organizational assets, individuals, other organizations, or the nation based on law enforcement information, intelligence information, or other credible sources of information.
Mappings: ISO/IEC 27001 A.10.10.2, A.10.10.5, A.13.1.1, A.15.1.5; COBIT DS5.5; HIPAA 164.308(a)(5)(ii)(C), 164.312(b), 164.308(a)(1)(ii)(D)

Audit and accountability: AU-7 Audit Reduction and Report Generation
The information system provides an audit reduction and report generation capability.
Mappings: ISO/IEC 27001 A.10.10.2; HIPAA 164.312(b), 164.308(a)(1)(ii)(D)

Audit and accountability: AU-8 Time Stamps
The information system uses internal system clocks to generate time stamps for audit records.
Mappings: ISO/IEC 27001 A.10.10.1, A.10.10.6

Audit and accountability: AU-9 Protection of Audit Information
The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
Mappings: ISO/IEC 27001 A.10.10.3, A.13.2.3, A.15.1.3, A.15.3.2

Audit and accountability: AU-10 Non-Repudiation
The information system protects against an individual falsely denying having performed a particular action.
Mappings: ISO/IEC 27001 A.10.9.1, A.12.2.3; COBIT DS5.11, AC6

Audit and accountability: AU-11 Audit Record Retention
The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
Mappings: ISO/IEC 27001 A.10.10.1, A.10.10.2, A.15.1.3

Audit and accountability: AU-12 Audit Generation
The information system:
a. Provides audit record generation capability for the list of auditable events defined in AU-2 at [Assignment: organization-defined information system components];
b. Allows designated organizational personnel to select which auditable events are to be audited by specific components of the system; and
c. Generates audit records for the list of audited events defined in AU-2 with the content as defined in AU-3.
Mappings: ISO/IEC 27001 A.10.10.1, A.10.10.4, A.10.10.5

Audit and accountability: AU-13 Monitoring for Information Disclosure
The organization monitors open source information for evidence of unauthorized exfiltration or disclosure of organizational information [Assignment: organization-defined frequency].
Mappings: ISO/IEC 27001 (None)

Audit and accountability: AU-14 Session Audit
The information system provides the capability to:
a. Capture/record and log all content related to a user session; and
b. Remotely view/hear all content related to an established user session in real time.
Mappings: ISO/IEC 27001 (None)

Table 9.3 Identification and Authentication Controls

Columns: Control family; Control; Compliant (Yes/No), left blank for the reviewer to complete; Control mappings.

Identification and authentication: IA-1 Identification and Authentication Policy and Procedures
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.
Mappings: ISO/IEC 27001 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.10.1.1, A.11.2.1, A.15.1.1, A.15.2.1; COBIT DS5.3, PC5

Identification and authentication: IA-2 Identification and Authentication (Organizational Users)
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
Mappings: ISO/IEC 27001 A.11.3.2, A.11.5.1, A.11.5.2, A.11.5.3; COBIT AI2.4, DS5.3; HIPAA 164.308(a)(5)(ii)(D), 164.312(a)(2)(i), 164.312(d)

Identification and authentication: IA-3 Device Identification and Authentication
The information system uniquely identifies and authenticates [Assignment: organization-defined list of specific and/or types of devices] before establishing a connection.
Mappings: ISO/IEC 27001 A.11.4.3; HIPAA 164.312(a)(2)(i), 164.312(d)

Identification and authentication: IA-4 Identifier Management
The organization manages information system identifiers for users and devices by:
a. Receiving authorization from a designated organizational official to assign a user or device identifier;
b. Selecting an identifier that uniquely identifies an individual or device;
Mappings: ISO/IEC 27001 A.11.5.2, A.11.2.1; COBIT DS5.3, DS5.4; HIPAA 164.308(a)(5)(ii)(D), 164.312(a)(2)(i), 164.312(d)
c. Assigning the user identifier to

the intended party or the device

identifier to the intended device;

d. Preventing reuse of user or

device identifiers for

[Assignment: organization-

defined time period]; and

e. Disabling the user identifier

after [Assignment: organization-

defined time period of

inactivity].

IA-5 Authenticator Management

The organization manages

information system

authenticators for users and

devices by:

a. Verifying, as part of the initial

authenticator distribution, the

identity of the individual and/or

device receiving the

authenticator;

b. Establishing initial

authenticator content for

authenticators defined by the

organization;

A.11.2.3,

A.11.3.1,

A.11.5.2, A.11.5.3

HIPAA

164.308(a) (5)(ii)

(D)

3/28/23, 3:45 PM Chapter 9 Technical Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/020-9781466551282-009.xhtml 28/43

c. Ensuring that authenticators

have sufficient strength of

mechanism for their intended

use;

d. Establishing and

implementing administrative

procedures for initial

authenticator distribution, for

lost/compromised or damaged

authenticators, and for revoking

authenticators;

e. Changing default content of

authenticators upon information

system installation;

f. Establishing minimum and

maximum lifetime restrictions

and reuse conditions for

authenticators (if appropriate);

g. Changing/refreshing

authenticators [Assignment:

organization-defined time period

by authenticator type];

h. Protecting authenticator

content from unauthorized

disclosure and modification; and

i. Requiring users to take, and

3/28/23, 3:45 PM Chapter 9 Technical Controls: Practical Security Considerations | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/020-9781466551282-009.xhtml 29/43

having devices implement,

specific measures to safeguard

authenticators.
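IA-4(d), IA-4(e), IA-5(f) and IA-5(g) all hinge on organization-defined time periods, and the practical question for an administrator is whether the account inventory actually honours them. The script below is an added illustration, not code from the book or from NIST SP 800-53: it audits a constructed account inventory against hypothetical values for those periods, flags identifiers to disable for inactivity, flags authenticators past their maximum lifetime, refuses an authenticator change before the minimum lifetime has elapsed, and refuses to reissue an identifier retired within the reuse ban. The period values, account records, retired-identifier register and the case-insensitive identifier comparison are all assumptions made for the example.

```python
"""Added example: audit identifiers and authenticators against the
organization-defined periods in IA-4(d)/(e) and IA-5(f)/(g).
Every parameter and record here is constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical organization-defined assignments (not values from the book or NIST).
INACTIVITY_DISABLE_DAYS = 90      # IA-4(e): disable the identifier after this much inactivity
IDENTIFIER_REUSE_BAN_DAYS = 365   # IA-4(d): retired identifiers may not be reissued for this long
AUTH_MAX_LIFETIME_DAYS = 60       # IA-5(g): authenticator must be refreshed after this long
AUTH_MIN_LIFETIME_DAYS = 1        # IA-5(f): earliest permitted change, defeats cycling back to an old secret


@dataclass(frozen=True)
class Account:
    identifier: str
    last_activity: date        # last successful authentication or use
    authenticator_set: date    # when the current authenticator was established
    disabled: bool = False


@dataclass(frozen=True)
class RetiredIdentifier:
    identifier: str
    retired_on: date


# Constructed sample inventory; "today" is fixed so the results are reproducible.
TODAY = date(2023, 3, 28)
ACCOUNTS = [
    Account("alice", date(2023, 3, 27), date(2023, 3, 1)),
    Account("bob", date(2022, 11, 1), date(2023, 2, 15)),       # idle since November
    Account("carol", date(2023, 3, 20), date(2022, 12, 1)),     # secret older than 60 days
    Account("dave", date(2022, 1, 1), date(2022, 1, 1), disabled=True),  # already disabled, skipped
    Account("heidi", date(2023, 3, 28), date(2023, 3, 28)),     # provisioned today
]
RETIRED = [
    RetiredIdentifier("erin", date(2022, 9, 30)),    # retired inside the reuse ban
    RetiredIdentifier("frank", date(2021, 6, 1)),    # retired long enough ago to reissue
]


def find_inactive(accounts=ACCOUNTS, today=TODAY):
    """IA-4(e): enabled identifiers whose last activity is older than the inactivity period."""
    cutoff = today - timedelta(days=INACTIVITY_DISABLE_DAYS)
    return sorted(a.identifier for a in accounts if not a.disabled and a.last_activity < cutoff)


def find_expired_authenticators(accounts=ACCOUNTS, today=TODAY):
    """IA-5(g): enabled accounts whose authenticator is older than its maximum lifetime."""
    cutoff = today - timedelta(days=AUTH_MAX_LIFETIME_DAYS)
    return sorted(a.identifier for a in accounts if not a.disabled and a.authenticator_set < cutoff)


def identifier_available(candidate, accounts=ACCOUNTS, retired=RETIRED, today=TODAY):
    """IA-4(b)/(d): a new identifier must be unique across all accounts (disabled ones too,
    since they may be re-enabled) and must not revive one retired within the ban period."""
    name = candidate.lower()  # assumption: identifiers are compared case-insensitively
    if any(a.identifier.lower() == name for a in accounts):
        return False
    ban_start = today - timedelta(days=IDENTIFIER_REUSE_BAN_DAYS)
    return not any(r.identifier.lower() == name and r.retired_on >= ban_start for r in retired)


def change_allowed(account, today=TODAY):
    """IA-5(f): refuse an authenticator change before the minimum lifetime has elapsed."""
    return (today - account.authenticator_set).days >= AUTH_MIN_LIFETIME_DAYS


def run_audit(accounts=ACCOUNTS, today=TODAY):
    """Collect the findings an administrator would act on."""
    return {
        "disable_for_inactivity": find_inactive(accounts, today),
        "force_authenticator_refresh": find_expired_authenticators(accounts, today),
    }


if __name__ == "__main__":
    for finding, ids in run_audit().items():
        print(f"{finding}: {', '.join(ids) or 'none'}")
    for name in ("erin", "frank", "Alice", "grace"):
        print(f"identifier {name!r} available: {identifier_available(name)}")
```

With the constructed data, bob is flagged for inactivity, carol for an overdue authenticator refresh, erin's old identifier is still quarantined while frank's may be reissued, and heidi's authenticator, set today, cannot yet be changed. Disabled accounts are excluded from the time-based findings but still block identifier reuse, because a disabled account can be re-enabled.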

Identification and authentication
IA-6 Authenticator Feedback
The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
Compliant (yes/no): ___
Control mappings: ISO/IEC 27001 A.11.5.1; HIPAA 164.308(a)(5)(ii)(D)

Identification and authentication
IA-7 Cryptographic Module Authentication
The information system uses mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for such authentication.
Compliant (yes/no): ___
Control mappings: ISO/IEC 27001 A.12.3.1, A.15.1.1, A.15.1.6, A.15.2.1; HIPAA 164.308(a)(5)(ii)(D)

Identification and authentication
IA-8 Identification and Authentication (Non-Organizational Users)
The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).
Compliant (yes/no): ___
Control mappings: ISO/IEC 27001 A.10.9.1, A.11.4.2, A.11.5.1, A.11.5.2

Table 9.4 System and Communications Protection Controls

Columns: Control family | Control | Compliant (yes/no) | Control mappings

System and communications protection
SC-1 System and Communications Protection Policy and Procedures
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls.
Compliant (yes/no): ___
Control mappings: ISO/IEC 27001 A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.3, A.8.1.1, A.10.1.1, A.15.1.1, A.15.2.1; COBIT DS5.2, PC5

System and communications protection
SC-2 Application Partitioning
The information system separates user functionality (including user interface services) from information system management functionality.
Compliant (yes/no): ___
Control mappings: ISO/IEC 27001 A.10.4.1, A.10.4.2; COBIT AI2.4

System and communications protection
SC-3 Security Function Isolation
The information system isolates security functions from nonsecurity functions.
Compliant (yes/no): ___
Control mappings: ISO/IEC 27001 A.10.4.1, A.10.4.2, A.10.9.1, A.10.9.2; COBIT DS5.7

System and communications protection
SC-4 Information in Shared Resources
The information system prevents unauthorized and unintended information transfer via shared system resources.
Compliant (yes/no): ___
Control mappings: ISO/IEC 27001 (None)

System and communications protection
SC-5 Denial of Service Protection
The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined list of types of denial of service attacks or reference to source for current list].
Compliant (yes/no): ___
Control mappings: ISO/IEC 27001 A.10.3.1

System and communications protection
SC-6 Resource Priority
The information system limits the use of resources by priority.
Compliant (yes/no): ___
Control mappings: ISO/IEC 27001 (None)

System and communications protection
SC-7 Boundary Protection
The information system:
a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; and
b. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
Compliant (yes/no): ___
Control mappings: ISO/IEC 27001 A.6.2.1, A.10.4.1, A.10.4.2, A.10.6.1, A.10.8.1, A.10.9.1, A.10.9.2, A.10.10.2, A.11.4.5, A.11.4.6; COBIT DS5.10

System and communications protection
SC-8 Transmission Integrity
The information system protects the integrity of transmitted information.
Compliant (yes/no): ___
Control mappings: ISO/IEC 27001 A.10.4.2, A.10.6.1, A.10.6.2, A.10.9.1, A.10.9.2, A.12.2.3, A.12.3.1; COBIT AC6; HIPAA 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i)

System and communications protection
SC-9 Transmission Confidentiality
The information system protects the confidentiality of transmitted information.
Compliant (yes/no): ___
Control mappings: ISO/IEC 27001 A.10.6.1, A.10.6.2, A.10.9.1, A.10.9.2, A.12.3.1; COBIT DS5.11, AC6; HIPAA 164.312(e)(1), 164.312(e)(2)(ii)

System and communications protection
SC-10 Network Disconnect
The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity.
Compliant (yes/no): ___
Control mappings: ISO/IEC 27001 A.10.6.1, A.11.3.2, A.11.5.1, A.11.5.5

System and communications protection
SC-11 Trusted Path
The information system establishes a trusted communications path between the user and the following security functions of the system: [Assignment: organization-defined security functions to include at a minimum information system authentication and reauthentication].
Compliant (yes/no): ___
Control mappings: ISO/IEC 27001 (None); COBIT AC6, DS5.11

System and communications protection
SC-12 Cryptographic Key Establishment and Management
The organization establishes and manages cryptographic keys for required cryptography employed within the information system.
Compliant (yes/no): ___
Control mappings: ISO/IEC 27001 A.12.3.2; COBIT DS5.8; HIPAA 164.312(e)(2)(ii)

System and communications protection
SC-13 Use of Cryptography
The information system implements required cryptographic protections using cryptographic modules that comply with applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance.
Compliant (yes/no): ___
Control mappings: ISO/IEC 27001 A.12.3.1, A.15.1.6; COBIT DS5.8; HIPAA 164.312(a)(2)(iv), 164.312(e)(2)(ii)

System and communications protection
SC-14 Public Access Protections
The information system protects the integrity and availability of publicly available information and applications.
Compliant (yes/no): ___
Control mappings: ISO/IEC 27001 A.10.4.1, A.10.4.2, A.10.9.1, A.10.9.2, A.10.9.3

System and communications protection
SC-15 Collaborative Computing Devices
The information system:
a. Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and
b. Provides an explicit indication of use to users physically present at the devices.
Compliant (yes/no): ___
Control mappings: ISO/IEC 27001 (None)

System and communications protection
SC-16 Transmission of Security Attributes
The information system associates security attributes with information exchanged between information systems.
Compliant (yes/no): ___
Control mappings: ISO/IEC 27001 A.7.2.2, A.10.8.1; COBIT DS5.11

System and communications protection
SC-17 Public Key Infrastructure Certificates
The organization issues public key certificates under an [Assignment: organization-defined certificate policy] or obtains public key certificates under an appropriate certificate policy from an approved service provider.
Compliant (yes/no): ___
Control mappings: ISO/IEC 27001 A.12.3.2

System and communications protection
SC-18 Mobile Code
The organization:
a. Defines acceptable and unacceptable mobile code and mobile code technologies;
b. Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and
c. Authorizes, monitors, and controls the use of mobile code within the information system.
Compliant (yes/no): ___
Control mappings: ISO/IEC 27001 A.10.4.2; COBIT DS5.9

System and communications protection
SC-19 Voice Over Internet Protocol
The organization:
a. Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and
b. Authorizes, monitors, and controls the use of VoIP within the information system.
Compliant (yes/no): ___
Control mappings: ISO/IEC 27001 A.10.6.1

System and communications protection
SC-20 Secure Name/Address Resolution Service (Authoritative Source)
The information system provides additional data origin and integrity artifacts along with the authoritative data the system returns in response to name/address resolution queries.
Compliant (yes/no): ___
Control mappings: ISO/IEC 27001 A.10.6.1

System and communications protection
SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver)
The information system performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems.
Compliant (yes/no): ___
Control mappings: ISO/IEC 27001 A.10.6.1

System and communications protection
SC-22 Architecture and Provisioning for Name/Address Resolution Service
The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.
Compliant (yes/no): ___
Control mappings: ISO/IEC 27001 A.10.6.1

System and communications protection
SC-23 Session Authenticity
The information system provides mechanisms to protect the authenticity of communications sessions.
Compliant (yes/no): ___
Control mappings: ISO/IEC 27001 A.10.6.1; COBIT AC6
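SC-8 and SC-23 state what a session mechanism must guarantee (the data was not altered in transit; the session is the one the system established) without saying how. One common mechanism is a keyed-hash session token: the server signs the session payload with a secret key and, on every request, checks the signature in constant time before trusting anything in the payload. The script below is an added illustration of that pattern, not code from the book or from NIST; the key, lifetime, subject names and token layout are constructed for the example, and a production deployment would load the key from a secret store rather than embed it.

```python
"""Added example: a keyed-hash session token so a server can confirm that a
session is the one it established (SC-23) and that the token was not altered
in transit (SC-8). Key, lifetime and names are constructed for illustration."""
import base64
import hashlib
import hmac
import json
import secrets

# Assumption: a demo key embedded for reproducibility; real keys come from a secret store.
KEY = b"constructed-demo-key-not-for-production"
NOW = 1_700_000_000   # fixed clock so the demo is reproducible


def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, subject: str, now: int, ttl_seconds: int) -> str:
    """Mint '<payload>.<tag>' where tag = HMAC-SHA256(key, payload).
    The nonce makes every session distinct, so two logins by the same user
    never share a token and a stale capture cannot masquerade as a new session."""
    payload = {"sub": subject, "iat": now, "exp": now + ttl_seconds,
               "nonce": secrets.token_hex(8)}
    body = b64e(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{b64e(tag)}"


def verify_token(key: bytes, token: str, now: int):
    """Return the payload of an authentic, unexpired token, otherwise None.
    The tag is checked with a constant-time compare before the payload is
    parsed, so a forged token is rejected without leaking timing or reaching
    the JSON parser."""
    try:
        body, tag = token.split(".", 1)
        presented = b64d(tag)
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    except ValueError:            # malformed token, bad base64 or non-ASCII body
        return None
    if not hmac.compare_digest(expected, presented):
        return None               # forged or altered: fails SC-23 / SC-8
    try:
        payload = json.loads(b64d(body))
    except ValueError:
        return None
    if not isinstance(payload, dict) or now >= payload.get("exp", 0):
        return None               # session over; the caller must re-authenticate
    return payload


def demo(key: bytes = KEY, now: int = NOW) -> dict:
    """Exercise the cases a reviewer wants to see fail closed."""
    token = issue_token(key, "alice", now, ttl_seconds=900)
    body, tag = token.split(".", 1)
    # An attacker who rewrites the payload but keeps the original tag.
    forged = {"exp": now + 900, "iat": now, "nonce": "00", "sub": "admin"}
    forged_body = b64e(json.dumps(forged, separators=(",", ":"), sort_keys=True).encode())
    return {
        "valid": verify_token(key, token, now + 60)["sub"],
        "expired": verify_token(key, token, now + 900),
        "wrong_key": verify_token(b"another-key", token, now + 60),
        "altered_payload": verify_token(key, f"{forged_body}.{tag}", now + 60),
        "malformed": verify_token(key, "not-a-token", now + 60),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The expiry check also gives SC-10 its end-of-session hook: a token presented at or after `exp` is refused regardless of its signature, so the server's session state can be dropped on the same schedule. Note that an HMAC tag proves integrity and origin to a party holding the key; it does not hide the payload, which is why SC-9 (confidentiality) still needs transport encryption underneath.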

System and communications protection
SC-24 Fail in Known State
The information system fails to a [Assignment: organization-defined known state] for [Assignment: organization-defined types of failures] preserving [Assignment: organization-defined system state information] in failure.
Compliant (yes/no): ___
Control mappings: ISO/IEC 27001 (None)

System and communications protection
SC-25 Thin Nodes
The information system employs processing components that have minimal functionality and information storage.
Compliant (yes/no): ___
Control mappings: ISO/IEC 27001 (None)

System and communications protection
SC-26 Honeypots
The information system includes components specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting, and analyzing such attacks.
Compliant (yes/no): ___
Control mappings: ISO/IEC 27001 (None)

System and communications protection
SC-27 Operating System-Independent Applications
The information system includes: [Assignment: organization-defined operating system independent applications].
Compliant (yes/no): ___
Control mappings: ISO/IEC 27001 (None)

System and communications protection
SC-28 Protection of Information at Rest
The information system protects the confidentiality and integrity of information at rest.
Compliant (yes/no): ___
Control mappings: ISO/IEC 27001 (None)

System and communications protection
SC-29 Heterogeneity
The organization employs diverse information technologies in the implementation of the information system.
Compliant (yes/no): ___
Control mappings: ISO/IEC 27001 (None)

System and communications protection
SC-30 Virtualization Techniques
The organization employs virtualization techniques to present information system components as other types of components, or components with differing configurations.
Compliant (yes/no): ___
Control mappings: ISO/IEC 27001 (None)

System and communications protection
SC-31 Covert Channel Analysis
The organization requires that information system developers/integrators perform a covert channel analysis to identify those aspects of system communication that are potential avenues for covert storage and timing channels.
Compliant (yes/no): ___
Control mappings: ISO/IEC 27001 (None)

System and communications protection
SC-32 Information System Partitioning
The organization partitions the information system into components residing in separate physical domains (or environments) as deemed necessary.
Compliant (yes/no): ___
Control mappings: ISO/IEC 27001 (None)

System and communications protection
SC-33 Transmission Preparation Integrity
The information system protects the integrity of information during the processes of data aggregation, packaging, and transformation in preparation for transmission.
Compliant (yes/no): ___
Control mappings: ISO/IEC 27001 (None)

System and communications protection
SC-34 Non-Modifiable Executable Programs
The information system at [Assignment: organization-defined information system components]:
a. Loads and executes the operating environment from hardware-enforced, read-only media; and
b. Loads and executes [Assignment: organization-defined applications] from hardware-enforced, read-only media.
Compliant (yes/no): ___
Control mappings: ISO/IEC 27001 (None)

Suggested Reading

1. National Institute of Standards and Technology (NIST). August 2009. Special Publication 800-53 Rev3: Recommended security controls for federal information systems and organizations. http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf

2. IT Governance Institute. 2007. Mapping of NIST SP 800-53 Rev 1 with COBIT 4.1. http://www.itgi.org

3. National Institute of Standards and Technology (NIST). October 2008. An introductory resource guide for implementing the Health Insurance Portability and Accountability Act (HIPAA) security rule. http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf

4. International Organization for Standardization (ISO). ISO/IEC 27001:2005 Information security management systems—Requirements. http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=42103

5. International Organization for Standardization (ISO). ISO/IEC 27002:2005 Information technology security techniques—Code of practice for information security management. http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=50297

6. Department of Health and Human Services, Office of the Secretary. February 20, 2003. 45 CFR Parts 160, 162, and 164 Health insurance reform: Security standards; Final rule. Federal Register 68(24). http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityrulepdf.pdf