information security program assessment tool (166215873)


Upload: educause

Post on 14-Apr-2018


Page 1: Information Security Program Assessment Tool (166215873)

7/29/2019 Information Security Program Assessment Tool (166215873)

http://slidepdf.com/reader/full/information-security-program-assessment-tool-166215873 1/39

Introduction and Guidance

How to Use This Tool

This assessment tool was created to evaluate the maturity of higher education information sec
Standardization (ISO) 27002 "Information technology Security techniques. Code of practice for
as a whole, although a unit within an institution may also use it to help determine the maturity
completed by chief information officer, chief information security officer or equivalent, or a des
an information security officer or equivalent, familiar with their environment, to complete this

The self-assessment has been designed to be completed annually or at the frequency your ins
framework for scoring maturity, which scales from 0 to 5, with 5 being the highest level of ma
NIST, CMMI, or another maturity framework, that may be more familiar, with the same numeric
maturity, 0–5. Each ISO section will be added up then averaged to provide a maturity assessm
"Score Definitions" tab of the spreadsheet.

Not Performed = 0
Performed Informally = 1
Planned = 2
Well Defined = 3
Quantitatively Controlled = 4
Continuously Improving = 5

Below is a summary of the focus of each section and scoring to be used for that section. The sa
Please send any feedback to [email protected].

ISO 4: Risk Management
Assess the risk management process as it relates to creating an information security strategy a
management process, which includes not only assessing information security risks to the instit
managing and implementing controls to protect against those risks.

ISO 5: Security Policy
Assess how an institution expresses its intent with regard to information security.

ISO 6: Organization of Information Security
Assess how an institution manages its information security across the entire enterprise, includ
direction.

ISO 7: Asset Management
Assess an institution's asset management program. Does it include ways to identify, track, clas
adequately protected?

ISO 8: Human Resources Security
Assess an institution's safeguards and processes for ensuring that all employees (including con
and responsibilities of their job duties and that access is removed once employment is termina

ISO 9: Physical and Environmental Security
Assess an institution's steps taken to protect systems, buildings, and related supporting infrast

Page 2: Information Security Program Assessment Tool (166215873)


Introduction and Guidance

ISO 10: Communications and Operations Management
Assess an institution’s formalized policies, procedures, and controls, which assist in data and sy

ISO 11: Access Control
Assess an institution’s use of administrative, physical, or technical security features to manage
resources.

ISO 12: Information Systems Acquisition, Development, and Maintenance
Assess whether an institution has security requirements established as an integral part of the d

ISO 13: Information Security Incident Management
Assess an institution’s information security incident management program. An effective progra
adverse events.

ISO 14: Business Continuity Management
Assess an institution’s business continuity management. A mature institution has a managed,
operations under extraordinary circumstances including the maintenance of measures to ensu

ISO 15: Compliance
Assess an institution’s processes for staying current with legal and contractual requirements to

Page 3: Information Security Program Assessment Tool (166215873)


ISO 21827 Definitions

0 Not Performed
There are no security controls or plans in place. The controls are nonexiste

1 Performed Informally
Base practices of the control area are generally performed on an ad hoc basis.
within the organization that identified actions should be performed, and they are
The practices are not formally adopted, tracked, and reported on.

2 Planned
The base requirements for the control area are planned, implemented, and repe

3 Well Defined
The primary distinction from Level 2, Planned and Tracked, is that in addition to
processes used are more mature: documented, approved, and implemente

4 Quantitatively Controlled
The primary distinction from Level 3, Well Defined, is that the defined, standard
reviewed and updated. Improvements reflect an understanding of, and respo
impact.

5 Continuously Improving
The primary distinction from Level 4, Quantitatively Controlled, is that the defined, stan
reviewed and updated. Improvements reflect an understanding of, and response to,

ISO 21827: https://www.sabs.co.za/content/uploads/files/SANS21827%28colour%29.pdf

Page 4: Information Security Program Assessment Tool (166215873)


Level  ISG (ECAR)             CMMI                   NIST                   COBIT
0      Not Implemented        Non-existent           Non-existent           Non-existent
1      Planning Stages        Ad hoc                 Documented Policy      Initial/Ad-hoc
2      Partially Implemented  Repeatable             Documented Procedures  Repeatable but Intuitive
3      Close to Completion    Defined & Implemented  Procedures & Controls  Defined Process
4      Fully Implemented      Managed                Measured Program       Managed & Measurable
5                             Optimized              Pervasive Program      Optimized

Page 5: Information Security Program Assessment Tool (166215873)


HEIS

Name of person completing assessment:
Name of department or institution (if applicable):
Date completed

This tool can be used to assess an enterprise information security p
department, or other. Please select from the drop down box ->

Questions

Risk Management (ISO 4)

1 Does your institution have a risk management program?
2 Does your institution have a process for identifying and assessing reasonably foreseeable internal and
  security, confidentiality, and/or integrity of any electronic, paper, or other records containing sensitive
3 Does your organization conduct routine risk assessments to identify the key objectives that need to be
  information security program?

Security Policy (ISO 5)

4 Does your institution have an information security policy that has been approved by management?
5 Has it been published and communicated to all relevant parties?
6 Does your institution review the policy at defined intervals to encompass significant change and mon

Organization of Information Security (ISO 6)

8 Does your information security function have the authority it needs to manage and ensure compliance
  security program?
9 Does your institution have an individual with enterprise-wide (campus) information security responsib
  written in their job description, or equivalent? Note: This may be the CIO, CISO, CSO, or other.
10 Is responsibility clearly assigned for all areas of the information security architecture, compliance, pro
11 Is there a formal process for having the individual with information security responsibility assess and s
   hardware, software, and services, ensuring they follow security policies and requirements?
12 Does your institution require the use of confidentiality or nondisclosure agreements for employees an
13 Does your institution maintain relationships with local authorities?
14 Does your institution participate with local or national security groups (e.g., REN-ISAC, EDUCAUSE, Inf
   Systems Security Association, etc.)?
15 Does your institution have independent security reviews completed at planned intervals or when signi
   environment occur?
16 Does your institution specify security requirements in contracts with external entities (third party) bef
   sensitive institutional information assets?
17 Are requirements addressed and remediated prior to granting access to data, assets, and information


Page 6: Information Security Program Assessment Tool (166215873)


Questions

Asset Management (ISO 7)

18 Has your organization identified critical information assets and the functions that rely on them?
19 Does your institution classify information to indicate the appropriate levels of information security

Human Resource Security (ISO 8)

20 Does your institution conduct specialized role-based training?
21 Do all individuals interacting with university systems receive information security awareness trai
22 Does your institution have a process for revoking system access when there is a position change
   change?
23 Do the information security programs clearly state responsibilities, liabilities, and consequences?
24 Does your institution have a process for revoking system and building access and returning assig

Physical and Environmental Security (ISO 9)

25 Do your institution's data centers include controls to ensure that only authorized parties are allow
26 Does your institution have preventative measures in place to protect critical hardware and wiring
   threats?
27 Does your institution have a process for issuing keys, codes, and/or cards that require appropriat
   background checks for access to these sensitive facilities?
29 Does your institution follow vendor-recommended guidance for maintaining equipment?
30 Does your institution have a media-sanitization process that is applied to equipment prior to dispo
31 Are there processes in place to detect the unauthorized removal of equipment, information, or so


Page 7: Information Security Program Assessment Tool (166215873)


Questions

Communications and Operations Management (ISO 10)

32 Does your institution maintain security configuration standards for information systems and appli
33 Are changes to information systems tested, authorized, and reported?
34 Are duties sufficiently segregated to ensure unintentional or unauthorized modification of informa
35 Are production systems separated from other stages of the development life cycle?
36 Do agreements for external information system services specify appropriate security requiremen
37 Does your institution have a process in place for assessing that external information system provi
   appropriate security requirements?
38 Is external information system services provider compliance with security controls monitored?
39 Are external information system service agreements executed and routinely reviewed to ensure s
   current?
40 Does your institution have processes in place to monitor the utilization of key system resources a
   system downtime?
41 Are methods used to detect, quarantine, and eradicate known malicious code on information syst
   servers, and mobile computing devices?
42 Are methods used to detect and eradicate known malicious code transported by electronic mail, t
   media?
43 Is your data backup process frequency consistent with the availability requirements of your organ
44 Does your institution routinely test your restore procedures?
45 Does your institution continuously monitor your wired and wireless networks for unauthorized acc
46 Does your institution have a process for posture checking, such as current antivirus software, firew
   etc., of devices as they connect to your network?
47 Does your institution have a segmented network architecture to provide different levels of securit
   classification?
48 Are Internet-accessible servers protected by more than one security layer (firewalls, network IDS
49 Does your institution use appropriate/vetted encryption methods to protect sensitive data in tran
50 Are controls in place to protect, track, and report status of media that has been removed from se
51 Does your institution have policies and procedures in place to protect exchanged information (wit
   third-party agreements) from interception, copying, modification, misrouting, and destruction?
52 Does your institution have a process in place to ensure data related to electronic commerce (e-co
   networks is protected from fraudulent activity, unauthorized disclosure, or modification?
53 Are security-related activities such as hardware configuration changes, software configuration cha


Page 8: Information Security Program Assessment Tool (166215873)


Questions

Information Systems Acquisition, Development, and Maintenance (ISO 12)

77 Does your institution have a process for validating the security of purchased software products an
78 Are new information systems or enhancements to existing information systems validated against requirements?
79 Have standards been established that address secure coding practices (e.g., input validation, prop
   management, etc.), and take into consideration common application security vulnerabilities (e.g.,
   etc.)?
80 Are validation checks incorporated into applications to detect any corruption of information throug
   deliberate acts?
81 Are processes in place to check whether message integrity is required?
82 Incorrect output may occur, even in tested systems. Does your institution have validation checks t
   expected?
83 Do your policies indicate when encryption should be used (e.g., at rest, in transit, with sensitive o
84 Are standards for key management documented and employed?
85 Have you established procedures for maintaining source code during the development life cycle a
   reduce the risk of software corruption?
86 Does your institution apply the same security standards for sensitive test data that you apply to s
87 Does your institution restrict and monitor access to source code libraries to reduce the risk of corr
88 Does your institution have a configuration-management process in place to ensure that changes t
   for valid business reasons and have received proper authorization?
89 Are reviews and tests performed to ensure that changes made to production systems do not have
   security or operations?
90 Have you implemented tools and procedures to monitor for and prevent loss of sensitive data?
91 Do your contract agreements include security requirements for outsourced software development
92 Does your institution have a patch management strategy in place and responsibilities assigned fo
   responding to patch releases, security bulletins, and vulnerability reports?

Information Security Incident Management (ISO 13)

93 Are incident-handling procedures in place to report and respond to security events throughout the
   including the definition of roles and responsibilities?
94 Are your incident response staff aware of legal or compliance requirements surrounding evidence

Business Continuity Management (ISO 14)

95 Does your institution have a documented business continuity plan for information technology that
   impact analysis, is periodically tested, and has been reviewed and approved by senior staff or the


Page 9: Information Security Program Assessment Tool (166215873)


Assessment Questions  ISO
1
2
3   4.1
4   4.2
5   5.1.1
6   5.1.1
7   5.1.2
8   6.1.1
9   6.1.2
10  6.1.3
11  6.1.4
12  6.1.5
13  6.1.6
14  6.1.7
15  6.1.8

A.5 Security Policy
A.5.1 Information security policy
A.5.1.1 Information security policy document
A.5.1.2 Review of the information security policy
A.6 Organization of information security
A.6.1 Internal
A.6.1.1 Management commitment to information security
A.6.1.2 Information security coordination
A.6.1.3 Allocation of information security responsibilities
A.6.1.4 Authorization process for information processing facilities
A.6.1.5 Confidentiality agreements
A.6.1.6 Contact with authorities
A.6.1.7 Contact with special interest groups
A.6.1.8 Independent review of information security

Page 10: Information Security Program Assessment Tool (166215873)


Assessment Questions  ISO
16  6.2.1
17  6.2.2
18  7.1.1
19  7.2.1
20  8.2.1

A.6.2 External Parties
A.6.2.1 Identification of risks related to external parties
A.6.2.2 Addressing security when dealing with customers
A.6.2.3 Addressing security in third party agreements
A.7 Asset Management
A.7.1 Responsibility for assets
A.7.1.1 Inventory of assets
A.7.1.2 Ownership of assets
A.7.1.3 Acceptable use of assets
A.7.2 Information Classification
A.7.2.1 Classification Guidelines
A.7.2.2 Information labeling and handling
A.8 Human Resources Security
A.8.1 Prior to Employment
A.8.1.1 Roles and Responsibilities
A.8.1.2 Screening
A.8.1.3 Terms and conditions of employment
A.8.2 During employment
A.8.2.1 Management responsibilities

Page 11: Information Security Program Assessment Tool (166215873)


Assessment Questions  ISO
21  8.2.2
22  8.2.3
23  8.3.1
24  8.3.2, 8.3.3
25  9.1.2
26  9.1.4
27  9.1.5
28  9.2.4

A.8.2.2 Awareness, education, and training
A.8.2.3 Disciplinary process
A.8.3 Termination or change of employment
A.8.3.1 Termination responsibilities
A.8.3.2 Return of assets
A.8.3.3 Removal of access rights
A.9 Physical and environmental security
A.9.1 Secure areas
A.9.1.1 Physical security perimeter
A.9.1.2 Physical entry controls
A.9.1.3 Securing offices, rooms, facilities
A.9.1.4 Protecting against external and environmental threats
A.9.1.5 Working in secure areas
A.9.1.6 Public access, delivery and loading areas
A.9.2 Equipment security
A.9.2.1 Equipment siting and protection
A.9.2.2 Supporting utilities
A.9.2.3 Cabling security
A.9.2.4 Equipment maintenance

Page 12: Information Security Program Assessment Tool (166215873)


Assessment Questions  ISO
29  9.2.6
30  9.2.7
31  10.1.1
32  10.1.2
33  10.1.3
34  10.1.4
35  10.2.1
36  10.2.2
40  10.3.1
41  10.4.1

A.9.2.5 Security of equipment off-premises
A.9.2.6 Secure disposal or reuse of equipment
A.9.2.7 Removal of property MP-5, PE-16
A.10 Communications and operations management
A.10.1 Operational procedures and responsibilities
A.10.1.1 Documented operating procedures
A.10.1.2 Change management
A.10.1.3 Segregation of duties
A.10.1.4 Separation
A.10.2 Third-party service delivery management
A.10.2.1 Service delivery
A.10.2.2 Monitoring and review of third-party services
A.10.2.3 Managing changes to third-party services
A.10.3 System
A.10.3.1 Capacity management
A.10.3.2 System acceptance
A.10.4 Protection against malicious and mobile code
A.10.4.1 Controls

Page 13: Information Security Program Assessment Tool (166215873)


Assessment Questions  ISO
43  10.5.1
45  10.6.1
50  10.7.1, 10.7.3
51  10.8.1
52  10.9.1, 10.9.2
53  10.10.1

A.10.4.2 Controls against mobile code
A.10.5 Backup
A.10.5.1 Information
A.10.6 Network security management
A.10.6.1 Network controls
A.10.6.2 Security of
A.10.7 Media handling
A.10.7.1
A.10.7.2 Disposal of media
A.10.7.3 Information handling procedures
A.10.7.4 Security of system documentation
A.10.8 Exchange of
A.10.8.1 Information exchange policies and procedures
A.10.8.2 Exchange agreements
A.10.8.3 Physical media in transit
A.10.8.4 Electronic messaging
A.10.8.5 Business information systems
A.10.9 Electronic commerce services
A.10.9.1 Electronic commerce
A.10.9.2 Online transactions
A.10.9.3 Publicly available information
A.10.10 Monitoring
A.10.10.1 Audit logging

Page 15: Information Security Program Assessment Tool (166215873)


Assessment Questions  ISO
67  11.4.6
68  11.4.7
69  11.5.1
70  11.5.2
72  11.5.3
73  11.5.4
74  11.6.2
75  11.7.1
77  11.7.2
78  12.1
79  12.1.1
80  12.2.1
81  12.2.2
82  12.2.3

A.11.4.5 Segregation in networks
A.11.4.6 Network
A.11.4.7 Network routing control
A.11.5 Operating system access control
A.11.5.1 Secure log-on procedures
A.11.5.2 User identification and authentication
A.11.5.3 Password
A.11.5.4 Use of system utilities
A.11.5.5 Session time-out
A.11.5.6 Limitation of
A.11.6 Application
A.11.6.1 Information access restriction
A.11.6.2 Sensitive
A.11.7 Mobile computing and teleworking
A.11.7.1 Mobile
A.11.7.2 Teleworking
A.12 Information systems acquisition, development and maintenance
A.12.1 Security
A.12.1.1 Security requirements analysis and specification
A.12.2 Correct
A.12.2.1 Input data validation
A.12.2.2 Control of internal processing
A.12.2.3 Message integrity

Page 16: Information Security Program Assessment Tool (166215873)


Assessment Questions  ISO
83  12.2.4
84  12.3.1
85  12.3.2
86  12.4.1
87  12.4.2
88  12.4.3
89  12.5.1
90  12.5.2
91  12.5.4
92  12.5.5
93  12.6.1

A.12.2.4 Output data validation
A.12.3 Cryptographic controls
A.12.3.1 Policy on the use of cryptographic controls
A.12.3.2 Key management
A.12.4 Security of system files
A.12.4.1 Control of
A.12.4.2 Protection of system test data
Multiple controls; protection of test data not addressed separately in SP 800-53 (e.g., AC-3, AC-4)
A.12.4.3 Access control to program source code
A.12.5 Security in development and support processes
A.12.5.1 Change control procedures
A.12.5.2 Technical
A.12.5.3 Restrictions on changes to software packages
A.12.5.4 Information leakage
A.12.5.5 Outsourced
A.12.6 Technical Vulnerability Management
A.12.6.1 Control of technical vulnerabilities
A.13 Information security incident management
A.13.1 Reporting

Page 17: Information Security Program Assessment Tool (166215873)


Assessment Questions  ISO
94  13.1.1, 13.1.2
95  13.2.3
96  14.1.1
97  15.1.3

A.13.1.1 Reporting information security events
A.13.1.2 Reporting security weaknesses
A.13.2 Management of information security incidents and improvements
A.13.2.1
A.13.2.2 Learning from information security incidents
A.13.2.3 Collection of
A.14 Business continuity management
A.14.1 Information security aspects of business continuity management
A.14.1.1 Including
A.14.1.2 Business continuity and risk assessment
A.14.1.3 Developing and implementing continuity plans including information security
A.14.1.4 Business continuity planning framework
A.14.1.5 Testing, maintaining and reassessing business continuity plans
A.15 Compliance
A.15.1 Compliance
A.15.1.1 Identification of applicable legislation
A.15.1.2 Intellectual
A.15.1.3 Protection of organizational records

Page 18: Information Security Program Assessment Tool (166215873)


Assessment Questions  ISO
98   15.1.4
99   15.1.5
100  15.1.6
101  15.2.1
102  15.2.2
103  15.3.1
104  15.3.2

* Direct mappings are listed above. In some cases questions were formed that covered more than one ISO area making one-to-one
**NIST to ISO mapping from http://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf

A.15.1.4 Data protection and privacy of personal information
A.15.1.5 Prevention of misuse of information processing facilities
A.15.1.6 Regulation of cryptographic controls
A.15.2 Compliance with security policies and standards, and technical compliance
A.15.2.1 Compliance
A.15.2.2 Technical compliance checking
A.15.3 Information systems audit considerations
A.15.3.1 Information systems audit controls
A.15.3.2 Protection of information systems audit tools

Page 19: Information Security Program Assessment Tool (166215873)


Assessment Tool Questions* Mapped to ISO and NIST**

NIST Controls

XX-1 controls

XX-1 controls

XX-1 controls, PM-2, PM-3, PM-9; SP 800-39,SP 800-37

CP-2, CP-4, IR-4, PL-1, PL-2, PM-2, SA-2;SP 800-39, SP 800-37

XX-1 controls, AC-5, AC-6, CM-9, PM-2; SP 800-39, SP 800-37

CA-1, CA-6, PM-10; SP 800-37

PL-4, PS-6, SA-9

AT-5, SI-5

CA-2, CA-7; SP 800-39, SP 800-37

Multiple controls with contact reference (e.g.,IR-6, SI-5), SP 800-39; SP 800-37

Page 20: Information Security Program Assessment Tool (166215873)


CA-3, PM-9, RA-3, SA-1, SA-9, SC-7

AC-8, AT-2, PL-4

AU-16, CA-2, CA-3, PS-7, SA-9

CM-8, CM-9, PM-5

CM-8, CM-9, PM-5

AC-20, PL-4

RA-2

AC-16, MP-2, MP-3, SC-16

PS-3

AC-20, PL-4, PS-6, PS-7

PL-4, PM-13, PM-15, PS-6, PS-7, SA-9

XX-1 controls, AC-5, AC-6, AC-8, AC-20, AT-2, AT-3, CM-9, PL-4, PS-2, PS-6,PS-7, SA-9

Page 21: Information Security Program Assessment Tool (166215873)


AT-2, AT-3, IR-2

PS-8

PS-4, PS-5

PS-4, PS-5

AC-2, PS-4, PS-5

PE-3

PE-3, PE-5, PE-6

PE-3, PE-4, PE-5

CP Family; PE-1, PE-9, PE-10, PE-11, PE-13,PE-15

AT-2, AT-3, PL-4, PS-6, PE-2, PE-3, PE-4, PE-6, PE-8

PE-3, PE-16

PE-1, PE-18

PE-1, PE-9, PE-11, PE-12, PE-14

PE-4, PE-9

MA Family

Page 22: Information Security Program Assessment Tool (166215873)


MP-5, PE-17

MP-6

MP-5, PE-16

XX-1 controls, CM-9

CM-1, CM-3, CM-4, CM-5, CM-9

AC-5

CM-2

SA-9

SA-9

RA-3, SA-9, SA-10

AU-4, AU-5, CP-2, SA-2, SC-5

CA-2, CA-6, CM-3, CM-4, CM-9, SA-11, SA-15, SA-17

AC-19, AT-2, PE-20, SA-8, SC-2, SC-3, SC-7,SC-14, SC-38, SI-3, SI-7

Page 23: Information Security Program Assessment Tool (166215873)


SA-8, SC-2, SC-3, SC-7, SC-14, SC-8, SC-18

CP-9

CA-3, SA-9, SC-8, SC-9

PE-16, MP Family

MP-6

SI-12, MP Family

MP-4, SA-5

AC-1, AC-3, AC-4, AC-17, AC-18, AC-20, CA-3, PL-4, PS-6, SC-7, SC-16, SI-9

CA-3, SA-9

MP-5

CA-1, CA-3

AU-10, IA-8, SC-7, SC-8, SC-9, SC-3, SC-14

SC-3, SC-7, SC-8, SC-9, SC-14

SC-14

AU-1, AU-2, AU-3, AU-4, AU-5, AU-8, AU-11, AU-12

AC-4, AC-17, AC-18, AC-20, CA-3, CP-8, PE-5,SC-7, SC-8, SC-9, SC-10, SC-19, SC-20, SC-21, SC-22, SC-23

Multiple controls; electronic messaging not addressed separately in SP 800-53

Page 24: Information Security Program Assessment Tool (166215873)


AU-1, AU-6, AU-7, PE-6, PE-8, SC-7, SI-4

AU-9

AU-2, AU-12

AU-2, AU-12, SI-2

AU-8

AC-1, AC-5, AC-6, AC-17, AC-18, AC-19, CM-5, MP-1, SI-9

AC-1, AC-2, AC-21, IA-5, PE-1, PE-2

AC-1, AC-2, AC-6, AC-21, PE-1, PE-2, SI-9

IA-5

AC-2, PE-2

IA-2, IA-5

AC-11, IA-2, PE-3, PE-5, PE-18, SC-10

AC-11, MP-4

AC-1, AC-5, AC-6, AC-17, AC-18, AC-20

AC-17, AC-18, AC-20, CA-3, IA-2, IA-8

AC-19, IA-3

AC-3, AC-6, AC-17, AC-18, PE-3, MA-3, MA-4

Page 25: Information Security Program Assessment Tool (166215873)


AC-3, AC-6, AC-17, AC-18, SC-7

AC-4, AC-17, AC-18

AC-7, AC-8, AC-9, AC-10, IA-2, IA-6, IA-8, SC-10

IA-2, IA-4, IA-5, IA-8

IA-2, IA-5

AC-3, AC-6

AC-11, SC-10

AC-2

AC-3, AC-6, AC-14, CM-5

SC-7; SP 800-39

AC-1, AC-17, AC-18, AC-19, PL-4, PS-6

AC-1, AC-4, AC-17, AC-18, PE-17, PL-4, PS-6

PL-7, PL-8, SA-1, SA-3, SA-4

SI-10

SI-7, SI-9, SI-10

AU-10, SC-8, SC-23, SI-7

Page 26: Information Security Program Assessment Tool (166215873)

SI-7

SC-12, SC-17

CM-1, CM-2, CM-3, CM-4, CM-5, CM-9, CM-10, CM-11, PL-4

AC-3, AC-6, CM-5, CM-9, MA-5, SA-10

CM-1, CM-3, CM-9, SA-10

CM-3, CM-4, CM-9, SI-2

CM-3, CM-4, CM-5, CM-9

AC-4, IR-9, PE-19

CM-10, CM-11, SA-1, SA-4, SA-8, SA-9, SA-11, SA-12, SA-15, SA-17

RA-3, RA-5, SI-2, SI-5

Multiple controls address cryptography (e.g., IA-7, SC-8, SC-9, SC-12, SC-13)

Page 27: Information Security Program Assessment Tool (166215873)

AU-6, IR-1, IR-6, SI-4, SI-5

PL-4, SI-2, SI-4, SI-5

IR-1

IR-4

AU-7, AU-9, IR-4

CP-1, CP-2, CP-4

CP-2, PM-9, RA Family

CP Family

CP-2, CP-4

CP-2, CP-4

XX-1 controls, IA-7

CM-10

AU-9, AU-11, CP-9, MP-1, MP-4, SA-5, SI-12

Page 28: Information Security Program Assessment Tool (166215873)

Appendix J; SI-12

AC-8, AU-6, CM-11, PL-4, PS-6, PS-8

IA-7, SC-13

XX-1 controls, AC-2, CA-2, CA-7, IA-7, PE-8, SI-12

CA-2, CA-7, RA-5

AU-1, AU-2

AU-9

stions were formed that covered more than one ISO area making one-to-one mapping difficult.

tions/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf

Page 29: Information Security Program Assessment Tool (166215873)

NIST Family

AC: Access Control

AT: Awareness and Training

AU: Audit and Accountability

CA: Security Assessment and Authorization

CM: Configuration Management

CP: Contingency Planning

IA: Identification and Authentication

IR: Incident Response

MP: Media Protection

PE: Physical and Environmental Protection

PL: Planning

PS: Personnel Security

RA: Risk Assessment

SA: System and Services Acquisition

Page 30: Information Security Program Assessment Tool (166215873)

SC: System and Communications Protection

SI: System and Information Integrity

PM: Program Management

Page 39: Information Security Program Assessment Tool (166215873)

Description Value

Not Performed 0

Performed Informally 1

Planned 2

Well Defined 3

Quantitatively Controlled 4

Continuously Improving 5

Not Applicable Blank