What is involved in Security Controls
Find out what the related areas are that Security Controls connects with, associates with, correlates with or affects, and which require thought, deliberation, analysis, review and discussion. This unique checklist stands out in the sense that it is not per se designed to give answers, but to engage the reader and lay out a Security Controls thinking-frame.
How far is your company on its Security Controls journey?
Take this short survey to gauge your organization’s progress toward Security Controls leadership. Learn your strongest and weakest areas, and what you can do now to create a strategy that delivers results.
To address the criteria in this checklist for your organization, extensive selected resources are provided for sources of further research and information.
Start the Checklist
Below you will find a quick checklist designed to help you think about which Security Controls related domains to cover and 147 essential critical questions to check off in that domain.
The following domains are covered:
Security Controls, Access control, CIA Triad, Countermeasure, DoDI 8500.2, Environmental design, Health Insurance Portability and Accountability Act, ISAE 3402, ISO/IEC 27001, Information Assurance, Information security, OSI model, Payment Card Industry Data Security Standard, Physical Security, SSAE 16, Security, Security engineering, Security management, Security risk, Security service:
Security Controls Critical Criteria:
Define Security Controls tactics and research ways we can become the Security Controls company that would put us out of business.
– Are there multiple physical security controls (such as badges, escorts, or mantraps) in place that would prevent unauthorized individuals from gaining access to the facility?
– Does the cloud service agreement make its responsibilities clear and require specific security controls to be applied to the application?
– Are regular reviews of the effectiveness of the ISMS (including meeting of ISMS policy and objectives and review of security controls) undertaken?
– Do the security controls encompass not only the cloud services themselves, but also the management interfaces offered to customers?
– Can the cloud service provider demonstrate appropriate security controls applied to their physical infrastructure and facilities?
– How can we incorporate support to ensure safe and effective use of Security Controls into the services that we provide?
– Do we have policies and methodologies in place to ensure the appropriate security controls for each application?
– Is the measuring of the effectiveness of the selected security controls or group of controls defined?
– Does the cloud service provider have necessary security controls on their human resources?
– Do we have sufficient processes in place to enforce security controls and standards?
– What are your most important goals for the strategic Security Controls objectives?
– Have vendors documented and independently verified their Cybersecurity controls?
– Do we have sufficient processes in place to enforce security controls and standards?
– How would one define Security Controls leadership?
– What are the known security controls?
Access control Critical Criteria:
Align Access control visions and arbitrate Access control techniques that enhance teamwork and productivity.
– Question to cloud provider: Does your platform offer fine-grained access control so that my users can have different roles that do not create conflicts or violate compliance guidelines?
– Are information security policies, including policies for access control, application and system development, operational, network and physical security, formally documented?
– Can the access control product protect individual devices (e.g., floppy disks, compact disks–read-only memory CD-ROM, serial and parallel interfaces, and system clipboard)?
– If our security management product supports access control based on defined rules, what is the granularity of the rules supported: access control per user, group, or role?
– Does the provider utilize Network Access Control based enforcement for continuous monitoring of its virtual machine population and virtual machine sprawl prevention?
– Access control: Are there appropriate controls over access to PII when stored in the cloud so that only individuals with a need to know will be able to access it?
– If data need to be secured through access controls (e.g. password-protected network space), how will they be applied?
– Do access control logs contain successful and unsuccessful login attempts and access to audit logs?
– Is the process actually generating measurable improvement in the state of logical access control?
– How will you know that the Security Controls project has been successful?
– What is the purpose of Security Controls in relation to the mission?
– What is the direction of flow for which access control is required?
– Should we call it role based rule based access control, or rbrbac?
– Do the provider services offer fine grained access control?
– What type of advanced access control is supported?
– What access control exists to protect the data?
– What is our role based access control?
– Who determines access controls?
CIA Triad Critical Criteria:
Have a meeting on CIA Triad tactics and assess what counts with CIA Triad that we are not counting.
– What potential environmental factors impact the Security Controls effort?
– Are we Assessing Security Controls and Risk?
– Why are Security Controls skills important?
Countermeasure Critical Criteria:
Facilitate Countermeasure goals and use obstacles to break out of ruts.
– How can you measure Security Controls in a systematic way?
– What are the long-term Security Controls goals?
– What about Security Controls Analysis of results?
DoDI 8500.2 Critical Criteria:
Gauge DoDI 8500.2 issues and define what our big hairy audacious DoDI 8500.2 goal is.
– At what point will vulnerability assessments be performed once Security Controls is put into production (e.g., ongoing Risk Management after implementation)?
– Think about the functions involved in your Security Controls project. What processes flow from these functions?
Environmental design Critical Criteria:
Survey Environmental design quality and learn.
– What are your key performance measures or indicators and in-process measures for the control and improvement of your Security Controls processes?
– What other jobs or tasks affect the performance of the steps in the Security Controls process?
– Which Security Controls goals are the most important?
Health Insurance Portability and Accountability Act Critical Criteria:
Collaborate on Health Insurance Portability and Accountability Act tactics and proactively manage Health Insurance Portability and Accountability Act risks.
– Do the Security Controls decisions we make today help people and the planet tomorrow?
– Are accountability and ownership for Security Controls clearly defined?
ISAE 3402 Critical Criteria:
Deliberate ISAE 3402 adoptions and sort ISAE 3402 activities.
– What knowledge, skills and characteristics mark a good Security Controls project manager?
– Does the Security Controls task fit the client's priorities?
ISO/IEC 27001 Critical Criteria:
Canvass ISO/IEC 27001 management and summarize a clear ISO/IEC 27001 focus.
– How do your measurements capture actionable Security Controls information for use in exceeding your customers' expectations and securing your customers' engagement?
– What tools and technologies are needed for a custom Security Controls project?
Information Assurance Critical Criteria:
Illustrate Information Assurance governance and get going.
– How important is Security Controls to the user organization's mission?
– What are specific Security Controls Rules to follow?
Information security Critical Criteria:
Familiarize yourself with Information security projects and probe the present value of growth of Information security.
– Has the organization established an enterprise-wide business continuity/disaster recovery program that is consistent with requirements, policy, and applicable guidelines?
– Do we maintain our own threat catalogue on the corporate intranet to remind employees of the wide range of issues of concern to Information Security and the business?
– Are information security policies and other relevant security information disseminated to all system users (including vendors, contractors, and business partners)?
– Are information security events and weaknesses associated with information systems communicated in a manner to allow timely corrective action to be taken?
– Do suitable policies for information security exist for all critical assets of the value added chain (indication of completeness of policies, Ico)?
– Does this review include assessing opportunities for improvement, need for changes to the ISMS, review of information security policy & objectives?
– Is the risk assessment approach defined and suited to the ISMS, identified business information security, legal and regulatory requirements?
– Are information security roles and responsibilities coordinated and aligned with internal roles and external partners?
– What information security and privacy standards or regulations apply to the cloud customer's domain?
– Risk factors: what are the characteristics of Security Controls that make it risky?
– Is information security ensured when using mobile computing and tele-working facilities?
– Is there a business continuity/disaster recovery plan in place?
– Is an organizational information security policy established?
– Does your company have an information security officer?
– Is information security managed within the organization?
OSI model Critical Criteria:
Accommodate OSI model adoptions and shift your focus.
– Does Security Controls create potential expectations in other areas that need to be recognized and considered?
– Do we all define Security Controls in the same way?
Payment Card Industry Data Security Standard Critical Criteria:
Investigate Payment Card Industry Data Security Standard engagements and gather Payment Card Industry Data Security Standard models.
– How can skill-level changes improve Security Controls?
– Who needs to know about Security Controls?
Physical Security Critical Criteria:
Wrangle Physical Security quality and diversify disclosure of information – dealing with confidential Physical Security information.
– How do you determine the key elements that affect Security Controls workforce satisfaction? How are these elements determined for different workforce groups and segments?
– Does your Cybersecurity plan contain both cyber and physical security components, or does your physical security plan identify critical cyber assets?
– Has Cybersecurity been identified in the physical security plans for the assets, reflecting planning for a blended cyber/physical attack?
– Secured Offices, Rooms and Facilities: Are physical security for offices, rooms and facilities designed and applied?
– Is the security product consistent with physical security and other policy requirements?
– Is Security Controls dependent on the successful delivery of a current project?
– Do you monitor the effectiveness of your Security Controls activities?
SSAE 16 Critical Criteria:
Gauge SSAE 16 decisions and achieve a single SSAE 16 view and bringing data together.
– In the case of a Security Controls project, the criteria for the audit derive from implementation objectives. An audit of a Security Controls project involves assessing whether the recommendations outlined for implementation have been met. In other words, can we track that any Security Controls project is implemented as planned, and is it working?
– What are your current levels and trends in key measures or indicators of Security Controls product and process performance that are important to and directly serve your customers? How do these results compare with the performance of your competitors and other organizations with similar offerings?
Security Critical Criteria:
Demonstrate Security issues and assess and formulate effective operational and Security strategies.
– Does the tool in use allow the ability to use Smart number identifiers (e.g., the ability to recognize that 999 99 9999 is not a valid Social Security number)?
– Should a company outsource its critical IT function to a third party or many third parties?
– To what extent is Cybersecurity Risk Management integrated into enterprise risk management?
– What regulations and policies are applicable in determining what is to be protected?
– Do you have an enterprise-wide risk management program that includes Cybersecurity?
– How do we end up with a world where we do not have Cybersecurity haves and have-nots?
– How does your organization find qualified candidates for IT security positions?
– Do the provider's services have appropriate controls in place for handling PII?
– How can cloud stakeholders ensure and promote the security of Cloud computing?
– What are the security mechanisms put in place by the provider?
– Do you require customer sign-off on mid-project changes?
– Do you use contingency-driven consequence analysis?
– What is the main driver for information security expenditure?
– Do they meet your organization's compliance needs?
– What capability are we seeking to access?
– How does IT exploit a Web Application?
– Can keys be easily copied?
– How do auditors observe?
Security engineering Critical Criteria:
Shape Security engineering quality and adopt an insight outlook.
– Does Security Controls systematically track and analyze outcomes for accountability and quality improvement?
– Meeting the challenge: are missed Security Controls opportunities costing us money?
Security management Critical Criteria:
Rank Security management leadership and document what potential Security management megatrends could make our business model obsolete.
– Has the organization established an Identity and Access Management program that is consistent with requirements, policy, and applicable guidelines and which identifies users and network devices?
– Does the service agreement have metrics for measuring performance and effectiveness of security management?
– What new services or functionality will be implemented next with Security Controls?
– Do Security Controls rules make a reasonable demand on a user's capabilities?
– So, how does security management manifest in cloud services?
– Are damage assessment and disaster recovery plans in place?
Security risk Critical Criteria:
Deduce Security risk management and find the ideas you already have.
– Are we using Security Controls to communicate information about our Cybersecurity Risk Management programs including the effectiveness of those programs to stakeholders, including boards, investors, auditors, and insurers?
– Can we describe our organization's policies and procedures governing risk generally and Cybersecurity risk specifically? How does senior management communicate and oversee these policies and procedures?
– Does your Cybersecurity plan include alternative methods for meeting critical functional responsibilities in the absence of IT or communication technology?
– Do you participate in sharing communication, analysis, and mitigation measures with other companies as part of a mutual network of defense?
– How do you monitor your Cybersecurity posture on business IT systems and ICS systems and communicate status and needs to leadership?
– Do we have a formal escalation process to address Cybersecurity risks that suddenly increase in severity?
– How do we decide which activities to take action on regarding a detected Cybersecurity threat?
– Can our company identify any mandatory Cybersecurity standards that apply to our systems?
– Does your organization have a company-wide policy regarding best practices for cyber?
– Are response processes and procedures executable and are they being maintained?
– How do we appropriately integrate Cybersecurity risk into business risk?
– Are individuals specifically assigned Cybersecurity responsibility?
– Are systems audited to detect Cybersecurity intrusions?
– How do the actors compromise our systems?
Security service Critical Criteria:
Investigate Security service visions and devise Security service key steps.
– Certainly the increasingly mobile workforce makes compliance more difficult. With more endpoints, devices and people involved, there is that much more to watch. There are devices not owned by the organization pulling data off the organization's network. Is your organization's policy consistent with that of contractors you work with?
– Do you have contracts in place with the third parties that require the vendor to maintain controls, practices and procedures that are as protective as your own internal procedures?
– Organizations must be especially diligent about regularly measuring their compliance performance: Is the policy effective?
– Are special privileges restricted to systems administration personnel with an approved need to have these privileges?
– Is legal review performed on all intellectual property utilized in the course of your business operations?
– If not technically feasible, what safeguards are in place to ensure the security of private information?
– If you provide a technology service, do you test products for malicious code or other security flaws?
– Do you have written guidelines for your use of social media and its use by your employees?
– Do you ensure that all private information is encrypted whether at rest or in transit?
– Do you have legal review of your content performed by staff or outside attorney?
– Do you require sub-contractors to carry E&O insurance?
– Have you had a security audit performed in the past?
– Do you have a dedicated security officer/manager?
– What is the average contract value and duration?
– What is the IT security service life cycle?
– Do you allow remote access to your system?
– Prioritising waiting lists: How and why?
– Do we have an Arbitration Clause?
This quick readiness checklist is a selected resource to help you move forward. Learn more about how to achieve comprehensive insights with the Security Controls Self Assessment:
Author: Gerard Blokdijk
CEO at The Art of Service | http://theartofservice.com
Gerard is the CEO at The Art of Service. He has been providing information technology insights, talks, tools and products to organizations in a wide range of industries for over 25 years. Gerard is a widely recognized and respected information expert. Gerard founded The Art of Service consulting business in 2000. Gerard has authored numerous published books to date.
To address the criteria in this checklist, these selected resources are provided for sources of further research and information:
Access control External links:
Linear Pro Access – Professional Access Control Systems
What is Access Control? – Definition from Techopedia
Multi-Factor Authentication – Access control | Microsoft Azure
CIA Triad External links:
The CIA Triad – TechRepublic
CIA Triad of Cybersecurity – InfoSec Resources
CIA Triad of Information Security – Techopedia.com
DoDI 8500.2 External links:
DoDI 8500.2 – Intelsat General Corporation
Environmental design External links:
LEED | Leadership in Energy & Environmental Design
Jessica Ross Design – Interior and Environmental Design
Health Insurance Portability and Accountability Act External links:
Health Insurance Portability and Accountability Act (HIPAA)
ISAE 3402 External links:
22. What are SSAE 16 and ISAE 3402? What happened to …
ISAE 3402 – Overview
Differences Between ISAE 3402 SSAE 16 – A-LIGN
ISO/IEC 27001 External links:
ISO/IEC 27001:2013 is an information security standard that was published on the 25th September 2013. It supersedes ISO/IEC 27001:2005, and is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27.
Information Assurance External links:
Job: Information Assurance Analyst | Northtide
Job Title: INFORMATION ASSURANCE SPECIALIST
Information Assurance Training Center
Information security External links:
Title & Settlement Information Security
[PDF]TITLE III INFORMATION SECURITY – Certifications
ALTA – Information Security
OSI model External links:
The OSI Model Layers from Physical to Application – Lifewire
The OSI Model Demystified – YouTube
Seven Layer OSI model Flashcards | Quizlet
Payment Card Industry Data Security Standard External links:
Payment Card Industry Data Security Standard – CyberArk
Physical Security External links:
ADC LTD NM Leader In Personnel & Physical Security
UAB – Business and Auxiliary Services – Physical Security
SSAE 16 External links:
SSAE 16 Report | Paychex
SSAE 16 – Official Site
SSAE 16 Auditing and Reporting Services – A-LIGN
Security External links:
my Social Security | Social Security Administration
What You Can Do Online | Social Security Administration
Security engineering External links:
Master of Science Cyber Security Engineering – USC Online
Master of Science in Cyber Security Engineering – UW Bothell
Security management External links:
About Us – Skyline Security Management.
Security Management Resources
Bitdefender Central – Remote Security Management Hub
Security risk External links:
Security Risk (eBook, 2011) [WorldCat.org]
Security Risk (1954) – IMDb
Security service External links:
myBranch Online Banking Log In | Security Service
Security Service Federal Credit Union – Home | Facebook
[PDF]Defense Security Service – dss.mil
http://www.dss.mil/documents/odaa/ODAA Process Manual Version 3.2.pdf