Information Security Program Assessment Tool (166215873)
7/29/2019 Information Security Program Assessment Tool (166215873)
http://slidepdf.com/reader/full/information-security-program-assessment-tool-166215873 1/39
Introduction and Guidance

How to Use This Tool

This assessment tool was created to evaluate the maturity of higher education information sec[...] Standardization (ISO) 27002 "Information technology. Security techniques. Code of practice for [...] as a whole, although a unit within an institution may also use it to help determine the maturity [...] completed by chief information officer, chief information security officer or equivalent, or a des[...] an information security officer or equivalent, familiar with their environment, to complete this [...]

The self-assessment has been designed to be completed annually or at the frequency your ins[...] framework for scoring maturity, which scales from 0 to 5, with 5 being the highest level of ma[...] NIST, CMMI, or another maturity framework, that may be more familiar, with the same numeric [...] maturity, 0–5. Each ISO section will be added up then averaged to provide a maturity assessm[...] "Score Definitions" tab of the spreadsheet.

Score definitions:
  0 = Not Performed
  1 = Performed Informally
  2 = Planned
  3 = Well Defined
  4 = Quantitatively Controlled
  5 = Continuously Improving

Below is a summary of the focus of each section and scoring to be used for that section. The sa[...] Please send any feedback to [email protected].

ISO 4: Risk Management
Assess the risk management process as it relates to creating an information security strategy a[...] management process, which includes not only assessing information security risks to the instit[...] managing and implementing controls to protect against those risks.

ISO 5: Security Policy
Assess how an institution expresses its intent with regard to information security.

ISO 6: Organization of Information Security
Assess how an institution manages its information security across the entire enterprise, includ[...] direction.

ISO 7: Asset Management
Assess an institution's asset management program. Does it include ways to identify, track, clas[...] adequately protected?

ISO 8: Human Resources Security
Assess an institution's safeguards and processes for ensuring that all employees (including con[...] and responsibilities of their job duties and that access is removed once employment is termina[...]

ISO 9: Physical and Environmental Security
Assess an institution's steps taken to protect systems, buildings, and related supporting infrast[...]
ISO 10: Communications and Operations Management
Assess an institution's formalized policies, procedures, and controls, which assist in data and sy[...]

ISO 11: Access Control
Assess an institution's use of administrative, physical, or technical security features to manage [...] resources.

ISO 12: Information Systems Acquisition, Development, and Maintenance
Assess whether an institution has security requirements established as an integral part of the d[...]

ISO 13: Information Security Incident Management
Assess an institution's information security incident management program. An effective progra[...] adverse events.

ISO 14: Business Continuity Management
Assess an institution's business continuity management. A mature institution has a managed, [...] operations under extraordinary circumstances including the maintenance of measures to ensu[...]

ISO 15: Compliance
Assess an institution's processes for staying current with legal and contractual requirements to [...]
ISO 21827 Definitions
(ISO 21827: https://www.sabs.co.za/content/uploads/files/SANS21827%28colour%29.pdf)

0 Not Performed
There are no security controls or plans in place. The controls are nonexiste[...]

1 Performed Informally
Base practices of the control area are generally performed on an ad hoc basis. [...] within the organization that identified actions should be performed, and they are [...] The practices are not formally adopted, tracked, and reported on.

2 Planned
The base requirements for the control area are planned, implemented, and repe[...]

3 Well Defined
The primary distinction from Level 2, Planned and Tracked, is that in addition to [...] processes used are more mature: documented, approved, and implemente[...]

4 Quantitatively Controlled
The primary distinction from Level 3, Well Defined, is that the defined, standard [...] reviewed and updated. Improvements reflect an understanding of, and respo[...] impact.

5 Continuously Improving
The primary distinction from Level 4, Quantitatively Controlled, is that the defined, stan[...] reviewed and updated. Improvements reflect an understanding of, and response to, [...]
Maturity level crosswalk (same numeric scale, 0 to 5, across frameworks)

Level | ISG (ECAR)            | CMMI                  | NIST                  | COBIT
0     | Not Implemented       | Non-existent          | Non-existent          | Non-existent
1     | Planning Stages       | Ad hoc                | Documented Policy     | Initial/Ad-hoc
2     | Partially Implemented | Repeatable            | Documented Procedures | Repeatable but Intuitive
3     | Close to Completion   | Defined & Implemented | Procedures & Controls | Defined Process
4     | Fully Implemented     | Managed               | Measured Program      | Managed & Measurable
5     |                       | Optimized             | Pervasive Program     | Optimized
HEIS

Name of person completing assessment:
Name of department or institution (if applicable):
Date completed:

This tool can be used to assess an enterprise information security p[...] department, or other. Please select from the drop down box ->

Questions

Risk Management (ISO 4)
1 Does your institution have a risk management program?
2 Does your institution have a process for identifying and assessing reasonably foreseeable internal and [...] security, confidentiality, and/or integrity of any electronic, paper, or other records containing sensitive [...]
3 Does your organization conduct routine risk assessments to identify the key objectives that need to be [...] information security program?

Security Policy (ISO 5)
4 Does your institution have an information security policy that has been approved by management?
5 Has it been published and communicated to all relevant parties?
6 Does your institution review the policy at defined intervals to encompass significant change and mon[...]

Organization of Information Security (ISO 6)
- Does your information security function have the authority it needs to manage and ensure compliance [...] security program?
- Does your institution have an individual with enterprise-wide (campus) information security responsib[...] written in their job description, or equivalent? Note: This may be the CIO, CISO, CSO, or other.
10 Is responsibility clearly assigned for all areas of the information security architecture, compliance, pro[...]
11 Is there a formal process for having the individual with information security responsibility assess and s[...] hardware, software, and services, ensuring they follow security policies and requirements?
12 Does your institution require the use of confidentiality or nondisclosure agreements for employees an[...]
13 Does your institution maintain relationships with local authorities?
14 Does your institution participate with local or national security groups (e.g., REN-ISAC, EDUCAUSE, Inf[...] Systems Security Association, etc.)?
15 Does your institution have independent security reviews completed at planned intervals or when signi[...] environment occur?
16 Does your institution specify security requirements in contracts with external entities (third party) bef[...] sensitive institutional information assets?
17 Are requirements addressed and remediated prior to granting access to data, assets, and information [...]
Questions

Asset Management (ISO 7)
18 Has your organization identified critical information assets and the functions that rely on them?
19 Does your institution classify information to indicate the appropriate levels of information security [...]

Human Resource Security (ISO 8)
21 Do all individuals interacting with university systems receive information security awareness trai[...]
22 Does your institution conduct specialized role-based training?
23 Do the information security programs clearly state responsibilities, liabilities, and consequences?
24 Does your institution have a process for revoking system and building access and returning assig[...]
25 Does your institution have a process for revoking system access when there is a position change [...] change?

Physical and Environmental Security (ISO 9)
26 Do your institution's data centers include controls to ensure that only authorized parties are allow[...]
27 Does your institution have preventative measures in place to protect critical hardware and wiring [...] threats?
28 Does your institution have a process for issuing keys, codes, and/or cards that require appropriat[...] background checks for access to these sensitive facilities?
29 Does your institution follow vendor-recommended guidance for maintaining equipment?
30 Does your institution have a media-sanitization process that is applied to equipment prior to dispo[...]
31 Are there processes in place to detect the unauthorized removal of equipment, information, or so[...]
Questions

Communications and Operations Management (ISO 10)
32 Does your institution maintain security configuration standards for information systems and appli[...]
33 Are changes to information systems tested, authorized, and reported?
34 Are duties sufficiently segregated to ensure unintentional or unauthorized modification of informa[...]
35 Are production systems separated from other stages of the development life cycle?
36 Do agreements for external information system services specify appropriate security requiremen[...]
37 Does your institution have a process in place for assessing that external information system provi[...] appropriate security requirements?
38 Is external information system service provider compliance with security controls monitored?
39 Are external information system service agreements executed and routinely reviewed to ensure s[...] current?
40 Does your institution have processes in place to monitor the utilization of key system resources a[...] system downtime?
41 Are methods used to detect, quarantine, and eradicate known malicious code on information syst[...] servers, and mobile computing devices?
42 Are methods used to detect and eradicate known malicious code transported by electronic mail, t[...] media?
43 Is your data backup process frequency consistent with the availability requirements of your organ[...]
44 Does your institution routinely test your restore procedures?
45 Does your institution continuously monitor your wired and wireless networks for unauthorized acc[...]
46 Does your institution have a process for posture checking, such as current antivirus software, firew[...] etc., of devices as they connect to your network?
47 Does your institution have a segmented network architecture to provide different levels of securit[...] classification?
48 Are Internet-accessible servers protected by more than one security layer (firewalls, network IDS[...]
49 Does your institution use appropriate/vetted encryption methods to protect sensitive data in tran[...]
50 Are controls in place to protect, track, and report status of media that has been removed from se[...]
51 Does your institution have policies and procedures in place to protect exchanged information (wit[...] third-party agreements) from interception, copying, modification, misrouting, and destruction?
52 Does your institution have a process in place to ensure data related to electronic commerce (e-co[...] networks is protected from fraudulent activity, unauthorized disclosure, or modification?
53 Are security related activities such as hardware configuration changes, software configuration cha[...]
Questions

Information Systems Acquisition, Development, and Maintenance (ISO 12)
77 Does your institution have a process for validating the security of purchased software products an[...]
78 Are new information systems or enhancements to existing information systems validated against requirements?
79 Have standards been established that address secure coding practices (e.g., input validation, prop[...] management, etc.), and take into consideration common application security vulnerabilities (e.g., [...] etc.)?
80 Are validation checks incorporated into applications to detect any corruption of information throug[...] deliberate acts?
81 Are processes in place to check whether message integrity is required?
82 Incorrect output may occur, even in tested systems. Does your institution have validation checks t[...] expected?
83 Do your policies indicate when encryption should be used (e.g., at rest, in transit, with sensitive o[...]
84 Are standards for key management documented and employed?
85 Have you established procedures for maintaining source code during the development life cycle a[...] reduce the risk of software corruption?
86 Does your institution apply the same security standards for sensitive test data that you apply to s[...]
87 Does your institution restrict and monitor access to source code libraries to reduce the risk of corr[...]
88 Does your institution have a configuration-management process in place to ensure that changes t[...] for valid business reasons and have received proper authorization?
89 Are reviews and tests performed to ensure that changes made to production systems do not have [...] security or operations?
90 Have you implemented tools and procedures to monitor for and prevent loss of sensitive data?
91 Do your contract agreements include security requirements for outsourced software development[...]
92 Does your institution have a patch management strategy in place and responsibilities assigned fo[...] responding to patch releases, security bulletins, and vulnerability reports?

Information Security Incident Management (ISO 13)
93 Are incident-handling procedures in place to report and respond to security events throughout the [...] including the definition of roles and responsibilities?
94 Are your incident response staff aware of legal or compliance requirements surrounding evidence [...]

Business Continuity Management (ISO 14)
95 Does your institution have a documented business continuity plan for information technology that [...] impact analysis, is periodically tested, and has been reviewed and approved by senior staff or the [...]
Assessment Questions mapped to ISO 27002 clauses

Q    ISO control
1    (no direct mapping)
2    (no direct mapping)
3    4.1
4    4.2
     A.5 Security Policy
     A.5.1 Information security policy
5    A.5.1.1 Information security policy document
6    A.5.1.1 Information security policy document
7    A.5.1.2 Review of the information security policy
     A.6 Organization of information security
     A.6.1 Internal organization
8    A.6.1.1 Management commitment to information security
9    A.6.1.2 Information security coordination
10   A.6.1.3 Allocation of information security responsibilities
11   A.6.1.4 Authorization process for information processing facilities
12   A.6.1.5 Confidentiality agreements
13   A.6.1.6 Contact with authorities
14   A.6.1.7 Contact with special interest groups
15   A.6.1.8 Independent review of information security
     A.6.2 External parties
16   A.6.2.1 Identification of risks related to external parties
17   A.6.2.2 Addressing security when dealing with customers
     A.6.2.3 Addressing security in third party agreements
     A.7 Asset management
     A.7.1 Responsibility for assets
18   A.7.1.1 Inventory of assets
     A.7.1.2 Ownership of assets
     A.7.1.3 Acceptable use of assets
     A.7.2 Information classification
19   A.7.2.1 Classification guidelines
     A.7.2.2 Information labeling and handling
     A.8 Human resources security
     A.8.1 Prior to employment
     A.8.1.1 Roles and responsibilities
     A.8.1.2 Screening
     A.8.1.3 Terms and conditions of employment
     A.8.2 During employment
20   A.8.2.1 Management responsibilities
21   A.8.2.2 Awareness, education, and training
22   A.8.2.3 Disciplinary process
     A.8.3 Termination or change of employment
23   A.8.3.1 Termination responsibilities
24   A.8.3.2 Return of assets; A.8.3.3 Removal of access rights
     A.9 Physical and environmental security
     A.9.1 Secure areas
     A.9.1.1 Physical security perimeter
25   A.9.1.2 Physical entry controls
     A.9.1.3 Securing offices, rooms, and facilities
26   A.9.1.4 Protecting against external and environmental threats
27   A.9.1.5 Working in secure areas
     A.9.1.6 Public access, delivery, and loading areas
     A.9.2 Equipment security
     A.9.2.1 Equipment siting and protection
     A.9.2.2 Supporting utilities
     A.9.2.3 Cabling security
28   A.9.2.4 Equipment maintenance
     A.9.2.5 Security of equipment off-premises
29   A.9.2.6 Secure disposal or reuse of equipment
30   A.9.2.7 Removal of property (NIST: MP-5, PE-16)
     A.10 Communications and operations management
     A.10.1 Operational procedures and responsibilities
31   A.10.1.1 Documented operating procedures
32   A.10.1.2 Change management
33   A.10.1.3 Segregation of duties
34   A.10.1.4 Separation of development, test, and operational facilities
     A.10.2 Third-party service delivery management
35   A.10.2.1 Service delivery
36   A.10.2.2 Monitoring and review of third-party services
     A.10.2.3 Managing changes to third-party services
     A.10.3 System planning and acceptance
40   A.10.3.1 Capacity management
     A.10.3.2 System acceptance
     A.10.4 Protection against malicious and mobile code
41   A.10.4.1 Controls against malicious code
     A.10.4.2 Controls against mobile code
     A.10.5 Backup
43   A.10.5.1 Information backup
     A.10.6 Network security management
45   A.10.6.1 Network controls
     A.10.6.2 Security of network services
     A.10.7 Media handling
50   A.10.7.1 Management of removable media; A.10.7.3 Information handling procedures
     A.10.7.2 Disposal of media
     A.10.7.4 Security of system documentation
     A.10.8 Exchange of information
51   A.10.8.1 Information exchange policies and procedures
     A.10.8.2 Exchange agreements
     A.10.8.3 Physical media in transit
     A.10.8.4 Electronic messaging
     A.10.8.5 Business information systems
     A.10.9 Electronic commerce services
52   A.10.9.1 Electronic commerce; A.10.9.2 Online transactions
     A.10.9.3 Publicly available information
     A.10.10 Monitoring
53   A.10.10.1 Audit logging
     A.11.4.5 Segregation in networks
67   A.11.4.6 Network connection control
68   A.11.4.7 Network routing control
     A.11.5 Operating system access control
69   A.11.5.1 Secure log-on procedures
70   A.11.5.2 User identification and authentication
72   A.11.5.3 Password management system
73   A.11.5.4 Use of system utilities
     A.11.5.5 Session time-out
     A.11.5.6 Limitation of connection time
     A.11.6 Application and information access control
     A.11.6.1 Information access restriction
74   A.11.6.2 Sensitive system isolation
     A.11.7 Mobile computing and teleworking
75   A.11.7.1 Mobile computing and communications
77   A.11.7.2 Teleworking
     A.12 Information systems acquisition, development and maintenance
     A.12.1 Security requirements of information systems
78   12.1
79   A.12.1.1 Security requirements analysis and specification
     A.12.2 Correct processing in applications
80   A.12.2.1 Input data validation
81   A.12.2.2 Control of internal processing
82   A.12.2.3 Message integrity
83   A.12.2.4 Output data validation
     A.12.3 Cryptographic controls
84   A.12.3.1 Policy on the use of cryptographic controls
85   A.12.3.2 Key management
     A.12.4 Security of system files
86   A.12.4.1 Control of operational software
87   A.12.4.2 Protection of system test data (NIST: multiple controls; protection of test data not addressed separately in SP 800-53, e.g., AC-3, AC-4)
88   A.12.4.3 Access control to program source code
     A.12.5 Security in development and support processes
89   A.12.5.1 Change control procedures
90   A.12.5.2 Technical review of applications after operating system changes
     A.12.5.3 Restrictions on changes to software packages
91   A.12.5.4 Information leakage
92   A.12.5.5 Outsourced software development
     A.12.6 Technical vulnerability management
93   A.12.6.1 Control of technical vulnerabilities
     A.13 Information security incident management
     A.13.1 Reporting information security events and weaknesses
94   A.13.1.1 Reporting information security events; A.13.1.2 Reporting security weaknesses
     A.13.2 Management of information security incidents and improvements
     A.13.2.1 Responsibilities and procedures
     A.13.2.2 Learning from information security incidents
95   A.13.2.3 Collection of evidence
     A.14 Business continuity management
     A.14.1 Information security aspects of business continuity management
96   A.14.1.1 Including information security in the business continuity management process
     A.14.1.2 Business continuity and risk assessment
     A.14.1.3 Developing and implementing continuity plans including information security
     A.14.1.4 Business continuity planning framework
     A.14.1.5 Testing, maintaining and reassessing business continuity plans
     A.15 Compliance
     A.15.1 Compliance with legal requirements
     A.15.1.1 Identification of applicable legislation
     A.15.1.2 Intellectual property rights (IPR)
97   A.15.1.3 Protection of organizational records
98   A.15.1.4 Data protection and privacy of personal information
99   A.15.1.5 Prevention of misuse of information processing facilities
100  A.15.1.6 Regulation of cryptographic controls
     A.15.2 Compliance with security policies and standards, and technical compliance
101  A.15.2.1 Compliance with security policies and standards
102  A.15.2.2 Technical compliance checking
     A.15.3 Information systems audit considerations
103  A.15.3.1 Information systems audit controls
104  A.15.3.2 Protection of information systems audit tools

* Direct mappings are listed above. In some cases questions were formed that covered more than one ISO area, making one-to-one mapping difficult.
**NIST to ISO mapping from http://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf
Assessment Tool Questions* Mapped to ISO and NIST**

NIST Controls (mapping column, entries in sheet order):
XX-1 controls
XX-1 controls
XX-1 controls, PM-2, PM-3, PM-9; SP 800-39, SP 800-37
CP-2, CP-4, IR-4, PL-1, PL-2, PM-2, SA-2; SP 800-39, SP 800-37
XX-1 controls, AC-5, AC-6, CM-9, PM-2; SP 800-39, SP 800-37
CA-1, CA-6, PM-10; SP 800-37
PL-4, PS-6, SA-9
AT-5, SI-5
CA-2, CA-7; SP 800-39, SP 800-37
Multiple controls with contact reference (e.g., IR-6, SI-5), SP 800-39; SP 800-37
CA-3, PM-9, RA-3, SA-1, SA-9, SC-7
AC-8, AT-2, PL-4
AU-16, CA-2, CA-3, PS-7, SA-9
CM-8, CM-9, PM-5
CM-8, CM-9, PM-5
AC-20, PL-4
RA-2
AC-16, MP-2, MP-3, SC-16
PS-3
AC-20, PL-4, PS-6, PS-7
PL-4, PM-13, PM-15, PS-6, PS-7, SA-9
XX-1 controls, AC-5, AC-6, AC-8, AC-20, AT-2, AT-3, CM-9, PL-4, PS-2, PS-6, PS-7, SA-9
AT-2, AT-3, IR-2
PS-8
PS-4, PS-5
PS-4, PS-5
AC-2, PS-4, PS-5
PE-3
PE-3, PE-5, PE-6
PE-3, PE-4, PE-5
CP Family; PE-1, PE-9, PE-10, PE-11, PE-13, PE-15
AT-2, AT-3, PL-4, PS-6, PE-2, PE-3, PE-4, PE-6, PE-8
PE-3, PE-16
PE-1, PE-18
PE-1, PE-9, PE-11, PE-12, PE-14
PE-4, PE-9
MA Family
MP-5, PE-17
MP-6
MP-5, PE-16
XX-1 controls, CM-9
CM-1, CM-3, CM-4, CM-5, CM-9
AC-5
CM-2
SA-9
SA-9
RA-3, SA-9, SA-10
AU-4, AU-5, CP-2, SA-2, SC-5
CA-2, CA-6, CM-3, CM-4, CM-9, SA-11, SA-15, SA-17
AC-19, AT-2, PE-20, SA-8, SC-2, SC-3, SC-7, SC-14, SC-38, SI-3, SI-7
SA-8, SC-2, SC-3, SC-7, SC-14, SC-8, SC-18
CP-9
CA-3, SA-9, SC-8, SC-9
PE-16, MP Family
MP-6
SI-12, MP Family
MP-4, SA-5
AC-1, AC-3, AC-4, AC-17, AC-18, AC-20, CA-3, PL-4, PS-6, SC-7, SC-16, SI-9
CA-3, SA-9
MP-5
CA-1, CA-3
AU-10, IA-8, SC-7, SC-8, SC-9, SC-3, SC-14
SC-3, SC-7, SC-8, SC-9, SC-14
SC-14
AU-1, AU-2, AU-3, AU-4, AU-5, AU-8, AU-11, AU-12
AC-4, AC-17, AC-18, AC-20, CA-3, CP-8, PE-5, SC-7, SC-8, SC-9, SC-10, SC-19, SC-20, SC-21, SC-22, SC-23
Multiple controls; electronic messaging not addressed separately in SP 800-53
AU-1, AU-6, AU-7, PE-6, PE-8, SC-7, SI-4
AU-9
AU-2, AU-12
AU-2, AU-12, SI-2
AU-8
AC-1, AC-5, AC-6, AC-17, AC-18, AC-19, CM-5, MP-1, SI-9
AC-1, AC-2, AC-21, IA-5, PE-1, PE-2
AC-1, AC-2, AC-6, AC-21, PE-1, PE-2, SI-9
IA-5
AC-2, PE-2
IA-2, IA-5
AC-11, IA-2, PE-3, PE-5, PE-18, SC-10
AC-11, MP-4
AC-1, AC-5, AC-6, AC-17, AC-18, AC-20
AC-17, AC-18, AC-20, CA-3, IA-2, IA-8
AC-19, IA-3
AC-3, AC-6, AC-17, AC-18, PE-3, MA-3, MA-4
AC-3, AC-6, AC-17, AC-18, SC-7
AC-4, AC-17, AC-18
AC-7, AC-8, AC-9, AC-10, IA-2, IA-6, IA-8, SC-10
IA-2, IA-4, IA-5, IA-8
IA-2, IA-5
AC-3, AC-6
AC-11, SC-10
AC-2
AC-3, AC-6, AC-14, CM-5
SC-7; SP 800-39
AC-1, AC-17, AC-18, AC-19, PL-4, PS-6
AC-1, AC-4, AC-17, AC-18, PE-17, PL-4, PS-6
PL-7, PL-8, SA-1, SA-3, SA-4
SI-10
SI-7, SI-9, SI-10
AU-10, SC-8, SC-23, SI-7
SI-7
SC-12, SC-17
CM-1, CM-2, CM-3, CM-4, CM-5, CM-9, CM-10, CM-11, PL-4
AC-3, AC-6, CM-5, CM-9, MA-5, SA-10
CM-1, CM-3, CM-9, SA-10
CM-3, CM-4, CM-9, SI-2
CM-3, CM-4, CM-5, CM-9
AC-4, IR-9, PE-19
CM-10, CM-11, SA-1, SA-4, SA-8, SA-9, SA-11, SA-12, SA-15, SA-17
RA-3, RA-5, SI-2, SI-5
Multiple controls address cryptography (e.g., IA-7, SC-8, SC-9, SC-12, SC-13)
AU-6, IR-1, IR-6, SI-4, SI-5
PL-4, SI-2, SI-4, SI-5
IR-1
IR-4
AU-7, AU-9, IR-4
CP-1, CP-2, CP-4
CP-2, PM-9, RA Family
CP Family
CP-2, CP-4
CP-2, CP-4
XX-1 controls, IA-7
CM-10
AU-9, AU-11, CP-9, MP-1, MP-4, SA-5, SI-12
Appendix J; SI-12
AC-8, AU-6, CM-11, PL-4, PS-6, PS-8
IA-7, SC-13
XX-1 controls, AC-2, CA-2, CA-7, IA-7, PE-8, SI-12
CA-2, CA-7, RA-5
AU-1, AU-2
AU-9
NIST Family
AC: Access Control
AT: Awareness and Training
AU: Audit and Accountability
CA: Security Assessment and Authorization
CM: Configuration Management
CP: Contingency Planning
IA: Identification and Authentication
IR: Incident Response
MP: Media Protection
PE: Physical and Environmental Protection
PL: Planning
PS: Personnel Security
RA: Risk Assessment
SA: System and Services Acquisition
SC: System and Communications Protection
SI: System and Information Integrity
PM: Program Management
Score Definitions

Description                | Value
Not Performed              | 0
Performed Informally       | 1
Planned                    | 2
Well Defined               | 3
Quantitatively Controlled  | 4
Continuously Improving     | 5
Not Applicable             | Blank