Mon Nov 24 05:38:53 PST 2014

Management: Standards: Which widely used control standards are best suited to the enterprise?


Options:

Option 1: Apply GAISP
Option 2: Apply COSO
Option 3: Apply ISO-27001 (ISMS)
Option 4: Apply ISO-27002
Option 5: Apply CoBit
Option 6: Apply ITIL
Option 7: Apply all relevant government standards
Option 8: Apply other, industry-specific standards.

Decision:

IF the enterprise is government THEN apply GAISP and all relevant government standards,
OTHERWISE IF the enterprise is large and commercial OR the maturity is Defined or higher THEN combine GAISP, COSO, ISO-27001, ISO-27002, and industry-specific standards,
OTHERWISE IF the enterprise is small and not subject to substantial mandatory controls THEN apply GAISP and COSO,
OTHERWISE IF the enterprise is an audit organization THEN apply GAISP and CoBit,
OTHERWISE IF the enterprise is a service organization with only low consequence information technology, THEN apply GAISP and ITIL,
OTHERWISE combine GAISP, COSO, ISO-27001, and industry-specific standards.

OR select the standards used based on enterprise needs and the table below:

Std/Why        GAISP  COSO  CoBit  ISO-27001  ISO-27002  ITIL  NIST
Diligence Yes Yes Yes Yes Yes Yes Yes
Comprehensive Yes Yes
Efficient Yes Yes Yes Yes Yes
Accepted Yes Yes Yes Yes Yes Yes Yes
Coverage (Executive, Management, Technical) EM E EMT EM EMT MT T
Control standards used

Basis:

Policy and control standards are often considered fundamental to enterprise information protection because they (1) mitigate the risk of failing to meet due diligence, (2) provide relatively comprehensive coverage, so that obvious missteps and important areas are not missed, (3) reduce the time and effort needed to define a protection program, and (4) are widely accepted, so that they are more likely to be accepted by management and between enterprises. They also occupy different parts of the space, covering executive responsibilities (E), management controls (M), and technical operations (T). Mapping this onto the standards listed above gives the following table:

Std/Why        GAISP  COSO  CoBit  ISO-27001  ISO-27002  ITIL  NIST  Other
Diligence Yes Yes Yes Yes Yes Yes Yes Yes
Comprehensive Yes Yes
Efficient Yes Yes Yes Yes Yes Yes
Accepted Yes Yes Yes Yes Yes Yes Yes Yes
Coverage EM E EMT EM EMT MT T N/A
Control standards used

Standards that are industry specific should be embraced when they are also efficient and accepted. National Institute of Standards and Technology (NIST) special publications are generally sound, and the 800 series is widely used in US Federal systems. International Organization for Standardization (ISO) standards 27002 and 27001 are widely embraced and almost mandatory for doing significant business with major enterprises on a global basis. The Information Technology Infrastructure Library (ITIL) is too limited in its coverage to be really useful, and its security content consists largely of references to British Standards Institution (BS) standard BS7799, and not even the newest version of that. As a result, while it has substantial acceptance among information technologists because of their use of the other elements of the ITIL approach, it is unwisely embraced as adequate when in fact it is not adequate at all.

ISO-27002 grew out of BS7799 (by way of ISO17799, which was renumbered ISO-27002 in 2007), and BS7799 has continued to be updated ahead of ISO-27002, which ends up being the globally embraced version of BS7799. For that reason, ISO-27002 is preferred except for entities limited to the United Kingdom. ISO-27001 specifies the requirements for an information security management system (ISMS); its normative Annex A is the list of control objectives and controls drawn from ISO-27002, without the implementation guidance that ISO-27002 provides.

CoBit: The Control Objectives for Information and Related Technology (CoBit) has enormous backing in the information technology audit community, but it is highly technical in its orientation and too dogmatic, ignoring the accumulated wisdom built into ISO17799 and BS7799. It is useful for dealing with auditors, but it would be better to get an auditor who knows how to work with the better standards.

COSO: The Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework is explicitly named in the regulatory interpretation of the Sarbanes-Oxley Act and is by far the best known and most widely accepted approach to enterprise risk management, as far as it goes.

GAISP: The Generally Accepted Information Security Principles (GAISP) are the universally accepted top-level requirements for information protection and should be embraced by all.

Based on these standards, policies should normally be cross-checked for {Inconsistency / Circularity / Redundancy} and reconciled to eliminate all of these conditions. They should also be mapped between and across relevant {Policies / Procedures / Requirements / Control standards} and consistency established across all of these.
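The cross-checks described above can be automated once the policy set and its mapping to the selected control standards are written down as data. The following is an added example, not code from this page or from any of the standards bodies it discusses: it takes a crosswalk (policy to control identifiers) and a "derived from" graph (policy to the policies it cites as its basis) and reports the three conditions named above plus uncovered controls. The policy identifiers (POL-ACCESS and so on) are hypothetical, the sample data is constructed for the example, and the control identifiers are borrowed from the element names in the checklist below.

```python
"""Cross-check a policy/control crosswalk for inconsistency, circularity,
redundancy and coverage gaps. Added example; policy IDs and sample data are
constructed, control IDs follow the element names used on this page."""
from collections import defaultdict

# Constructed: the subset of control standard elements the enterprise selected.
KNOWN_CONTROLS = {
    "ISO-11.1.1", "ISO-11.2.2", "ISO-10.10.1", "ISO-10.10.3",
    "SP-AC-1", "SP-AC-6", "SP-AU-2", "SP-AU-9",
}

# Constructed: hypothetical policies and the controls each one maps to.
SAMPLE_MAPPINGS = {
    "POL-ACCESS":   {"ISO-11.1.1", "SP-AC-1"},
    "POL-PRIV":     {"ISO-11.2.2", "SP-AC-6"},
    "POL-PRIV-OLD": {"ISO-11.2.2", "SP-AC-6"},            # redundant with POL-PRIV
    "POL-LOGGING":  {"ISO-10.10.1", "SP-AU-2", "SP-AU-99"},  # SP-AU-99 is not a selected control
    "POL-DRAFT":    set(),                                  # mapped to nothing
}

# Constructed: which policies each policy cites as its basis (a three-way cycle).
SAMPLE_DERIVES_FROM = {
    "POL-ACCESS":   {"POL-PRIV"},
    "POL-PRIV":     {"POL-LOGGING"},
    "POL-LOGGING":  {"POL-ACCESS"},
    "POL-PRIV-OLD": {"POL-PRIV"},
}


def find_inconsistencies(mappings, known_controls):
    """Policies that cite controls outside the selected standards, and
    policies that map to no control at all."""
    unknown = {}
    for policy, controls in mappings.items():
        bad = sorted(c for c in controls if c not in known_controls)
        if bad:
            unknown[policy] = bad
    unmapped = sorted(p for p, c in mappings.items() if not c)
    return {"unknown_controls": unknown, "unmapped_policies": unmapped}


def find_cycles(derives_from):
    """Depth-first search over the 'derived from' graph; every back edge
    yields one cycle, reported as the closed path of policy IDs."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = defaultdict(int)
    stack, cycles = [], []

    def visit(node):
        colour[node] = GREY
        stack.append(node)
        for nxt in sorted(derives_from.get(node, ())):
            if colour[nxt] == GREY:              # back edge: nxt is on the current path
                cycles.append(tuple(stack[stack.index(nxt):]) + (nxt,))
            elif colour[nxt] == WHITE:
                visit(nxt)
        stack.pop()
        colour[node] = BLACK

    nodes = set(derives_from) | {n for vs in derives_from.values() for n in vs}
    for node in sorted(nodes):
        if colour[node] == WHITE:
            visit(node)
    return cycles


def find_redundancies(mappings):
    """Groups of policies whose control mappings are identical."""
    by_controls = defaultdict(list)
    for policy, controls in mappings.items():
        by_controls[frozenset(controls)].append(policy)
    return [sorted(g) for g in by_controls.values() if len(g) > 1]


def find_coverage_gaps(mappings, known_controls):
    """Selected controls that no policy maps to (the 'Exists? N' rows)."""
    covered = set().union(*mappings.values()) if mappings else set()
    return sorted(known_controls - covered)


def cross_check(mappings, derives_from, known_controls):
    """Run all four checks and return one report dictionary."""
    return {
        "inconsistency": find_inconsistencies(mappings, known_controls),
        "circularity": find_cycles(derives_from),
        "redundancy": find_redundancies(mappings),
        "gaps": find_coverage_gaps(mappings, known_controls),
    }


if __name__ == "__main__":
    for name, finding in cross_check(SAMPLE_MAPPINGS, SAMPLE_DERIVES_FROM,
                                     KNOWN_CONTROLS).items():
        print(f"{name}: {finding}")
```

Each finding corresponds to a column in the checklist that follows: unknown or missing mappings feed "Mapped?", cycles and redundant groups feed "Checked?", and coverage gaps are the rows that would be marked "Exists? N". Real crosswalks are much larger than this sample, so keeping the checks as separate functions lets each one be run and reported independently during reconciliation.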

Elements from these various standards are identified here (along with question areas for existence, cross-checks, mapping, and type):

Policy element  Exists?  Checked?  Mapped?  Type
(Legend: Exists? Y/N; Checked? I/C/R/N, i.e. Inconsistency / Circularity / Redundancy found in the cross-checks above, or N for none; Mapped? S/R/C/P/N; Type S)
ISO 27001 elements
ISMS-0.2 Process approach Y/N I/C/R/N S/R/C/P/N S
ISMS-0.3 The ISMS follows the ISO standards Y/N I/C/R/N S/R/C/P/N S
ISMS-1 Establishment of the ISMS Y/N I/C/R/N S/R/C/P/N S
ISMS-4.2.1 Risk Management and Risk-appropriate Controls Y/N I/C/R/N S/R/C/P/N S
ISMS-4.2.2 Implementation and Operation Y/N I/C/R/N S/R/C/P/N S
ISMS-4.2.3 ISMS Monitoring and Review Y/N I/C/R/N S/R/C/P/N S
ISMS-4.2.4 ISMS Maintenance and Improvement Y/N I/C/R/N S/R/C/P/N S
ISMS-4.3.1 General Documentation Y/N I/C/R/N S/R/C/P/N S
ISMS-4.3.2 Control of Documents Y/N I/C/R/N S/R/C/P/N S
ISMS-4.3.3 Control of Records Y/N I/C/R/N S/R/C/P/N S
ISMS-5.1 Management Commitment Y/N I/C/R/N S/R/C/P/N S
ISMS-5.2.1 Resource Management - Provision of Resources Y/N I/C/R/N S/R/C/P/N S
ISMS-5.2.2 Resource Management - Training, awareness, and competence Y/N I/C/R/N S/R/C/P/N S
ISMS-6 Internal ISMS audit Y/N I/C/R/N S/R/C/P/N S
ISMS-7 Management Review of the ISMS Y/N I/C/R/N S/R/C/P/N S
ISMS-8 Continual Improvement Y/N I/C/R/N S/R/C/P/N S
ISMS-A (normative) Control Objectives and Controls Y/N I/C/R/N S/R/C/P/N S
ISMS-A.5 Security Policy Y/N I/C/R/N S/R/C/P/N S
ISMS-A.6.1 Internal Organization Y/N I/C/R/N S/R/C/P/N S
ISMS-A.6.2 External Parties Y/N I/C/R/N S/R/C/P/N S
ISMS-A.7 Asset Responsibility and Classification Y/N I/C/R/N S/R/C/P/N S
ISMS-A.8.1 Personnel - Prior to employment Y/N I/C/R/N S/R/C/P/N S
ISMS-A.8.2-3 Personnel - During and After Employment Y/N I/C/R/N S/R/C/P/N S
ISMS-A.9.1 Physical - Premises Controls Y/N I/C/R/N S/R/C/P/N S
ISMS-A.9.2 Physical - Equipment security Y/N I/C/R/N S/R/C/P/N S
ISMS-A.10.1 Operational Procedures and Responsibilities Y/N I/C/R/N S/R/C/P/N S
ISMS-A.10.2 Third Party Service Delivery Management Y/N I/C/R/N S/R/C/P/N S
ISMS-A.10.3 System Planning and Acceptance Y/N I/C/R/N S/R/C/P/N S
ISMS-A.10.4-5 Malicious code and Backup Protections Y/N I/C/R/N S/R/C/P/N S
ISMS-A.10.6-7 Network Security Management and Media Handling Y/N I/C/R/N S/R/C/P/N S
ISMS-A.10.8-9 Information Exchanges and Electronic Commerce Y/N I/C/R/N S/R/C/P/N S
ISMS-A.10.10 Monitoring Y/N I/C/R/N S/R/C/P/N S
ISMS-A.11.1-2 Access Controls Y/N I/C/R/N S/R/C/P/N S
ISMS-A.11.3 User Responsibilities Y/N I/C/R/N S/R/C/P/N S
ISMS-A.11.4 Network Access Control Y/N I/C/R/N S/R/C/P/N S
ISMS-A.11.5 Operating System Access Controls Y/N I/C/R/N S/R/C/P/N S
ISMS-A.11.6-7 Application, Information, and Mobile Computing Controls Y/N I/C/R/N S/R/C/P/N S
ISMS-A.12.1-2 System acquisition, development, and maintenance Y/N I/C/R/N S/R/C/P/N S
ISMS-A.12.3-4 Cryptographic and file system controls Y/N I/C/R/N S/R/C/P/N S
ISMS-A.12.5 Security in the development process Y/N I/C/R/N S/R/C/P/N S
ISMS-A.12.6 Technical vulnerability management Y/N I/C/R/N S/R/C/P/N S
ISMS-A.13 Incident Management Y/N I/C/R/N S/R/C/P/N S
ISMS-A.14 Business Continuity Management Y/N I/C/R/N S/R/C/P/N S
ISMS-A.15 Compliance Y/N I/C/R/N S/R/C/P/N S
ISMS-B (informative) OECD Principles Y/N I/C/R/N S/R/C/P/N S
ISO 27002 elements
ISO-4 - Risk assessment and treatment Y/N I/C/R/N S/R/C/P/N S
ISO-4.1 - Assessing security risks Y/N I/C/R/N S/R/C/P/N S
ISO-4.2 - Treating security risks Y/N I/C/R/N S/R/C/P/N S
ISO-5 - Security Policy Y/N I/C/R/N S/R/C/P/N S
ISO-5.1 - Information security policy Y/N I/C/R/N S/R/C/P/N S
ISO-5.1.1 - Information security policy document Y/N I/C/R/N S/R/C/P/N S
ISO-5.1.2 - Review and evaluation Y/N I/C/R/N S/R/C/P/N S
ISO-6 - Organization of information security Y/N I/C/R/N S/R/C/P/N S
ISO-6.1 - Internal organization Y/N I/C/R/N S/R/C/P/N S
ISO-6.1.1 - Management commitment to information security Y/N I/C/R/N S/R/C/P/N S
ISO-6.1.2 - Information security coordination Y/N I/C/R/N S/R/C/P/N S
ISO-6.1.3 - Allocation of information security responsibilities Y/N I/C/R/N S/R/C/P/N S
ISO-6.1.4 - Authorization process for information processing facilities Y/N I/C/R/N S/R/C/P/N S
ISO-6.1.5 - Confidentiality agreements Y/N I/C/R/N S/R/C/P/N S
ISO-6.1.6 - Contact with authorities Y/N I/C/R/N S/R/C/P/N S
ISO-6.1.7 - Contact with special interest groups Y/N I/C/R/N S/R/C/P/N S
ISO-6.1.8 - Independent review of information security Y/N I/C/R/N S/R/C/P/N S
ISO-6.2 - External parties Y/N I/C/R/N S/R/C/P/N S
ISO-6.2.1 - Identification of risks related to external parties Y/N I/C/R/N S/R/C/P/N S
ISO-6.2.2 - Addressing security when dealing with customers Y/N I/C/R/N S/R/C/P/N S
ISO-6.2.3 - Addressing security in third party agreements Y/N I/C/R/N S/R/C/P/N S
ISO-7 - Asset management Y/N I/C/R/N S/R/C/P/N S
ISO-7.1 - Responsibility for assets Y/N I/C/R/N S/R/C/P/N S
ISO-7.1.1 - Inventory of Assets Y/N I/C/R/N S/R/C/P/N S
ISO-7.1.2 - Ownership of assets Y/N I/C/R/N S/R/C/P/N S
ISO-7.1.3 - Acceptable use of assets Y/N I/C/R/N S/R/C/P/N S
ISO-7.2 - Information classification Y/N I/C/R/N S/R/C/P/N S
ISO-7.2.1 - Classification guidelines Y/N I/C/R/N S/R/C/P/N S
ISO-7.2.2 - Information labeling and handling Y/N I/C/R/N S/R/C/P/N S
ISO-8 - Human resources security Y/N I/C/R/N S/R/C/P/N S
ISO-8.1 - Prior to employment Y/N I/C/R/N S/R/C/P/N S
ISO-8.1.1 - Roles and responsibilities Y/N I/C/R/N S/R/C/P/N S
ISO-8.1.2 - Screening Y/N I/C/R/N S/R/C/P/N S
ISO-8.1.3 - Terms and conditions of employment Y/N I/C/R/N S/R/C/P/N S
ISO-8.2 - During employment Y/N I/C/R/N S/R/C/P/N S
ISO-8.2.1 - Management responsibilities Y/N I/C/R/N S/R/C/P/N S
ISO-8.2.2 - Information security education, awareness, and training Y/N I/C/R/N S/R/C/P/N S
ISO-8.2.3 - Disciplinary process Y/N I/C/R/N S/R/C/P/N S
ISO-8.3 - Termination or change of employment Y/N I/C/R/N S/R/C/P/N S
ISO-8.3.1 - Termination responsibilities Y/N I/C/R/N S/R/C/P/N S
ISO-8.3.2 - Return of assets Y/N I/C/R/N S/R/C/P/N S
ISO-8.3.3 - Removal of access rights Y/N I/C/R/N S/R/C/P/N S
ISO-9 - Physical and environmental security Y/N I/C/R/N S/R/C/P/N S
ISO-9.1 - Secure areas Y/N I/C/R/N S/R/C/P/N S
ISO-9.1.1 - Physical security perimeter Y/N I/C/R/N S/R/C/P/N S
ISO-9.1.2 - Physical entry controls Y/N I/C/R/N S/R/C/P/N S
ISO-9.1.3 - Securing offices, rooms, and facilities Y/N I/C/R/N S/R/C/P/N S
ISO-9.1.4 - Protecting against external and environmental threats Y/N I/C/R/N S/R/C/P/N S
ISO-9.1.5 - Working in secure areas Y/N I/C/R/N S/R/C/P/N S
ISO-9.1.6 - Public access, delivery, and loading areas Y/N I/C/R/N S/R/C/P/N S
ISO-9.2 - Equipment security Y/N I/C/R/N S/R/C/P/N S
ISO-9.2.1 - Equipment siting and protection Y/N I/C/R/N S/R/C/P/N S
ISO-9.2.2 - Supporting utilities Y/N I/C/R/N S/R/C/P/N S
ISO-9.2.3 - Cabling security Y/N I/C/R/N S/R/C/P/N S
ISO-9.2.4 - Equipment maintenance Y/N I/C/R/N S/R/C/P/N S
ISO-9.2.5 - Security of equipment off-premises Y/N I/C/R/N S/R/C/P/N S
ISO-9.2.6 - Secure disposal or reuse of equipment Y/N I/C/R/N S/R/C/P/N S
ISO-9.2.7 - Removal of property Y/N I/C/R/N S/R/C/P/N S
ISO-10 - Communications and operations management Y/N I/C/R/N S/R/C/P/N S
ISO-10.1 - Operational procedures and responsibilities Y/N I/C/R/N S/R/C/P/N S
ISO-10.1.1 - Documented operating procedures Y/N I/C/R/N S/R/C/P/N S
ISO-10.1.2 - Change management Y/N I/C/R/N S/R/C/P/N S
ISO-10.1.3 - Segregation of duties Y/N I/C/R/N S/R/C/P/N S
ISO-10.1.4 - Separation of development, test, and operating facilities Y/N I/C/R/N S/R/C/P/N S
ISO-10.2 - Third party service delivery management Y/N I/C/R/N S/R/C/P/N S
ISO-10.2.1 - Service delivery Y/N I/C/R/N S/R/C/P/N S
ISO-10.2.2 - Monitoring and review of third party services Y/N I/C/R/N S/R/C/P/N S
ISO-10.2.3 - Managing changes to third party services Y/N I/C/R/N S/R/C/P/N S
ISO-10.3 - System planning and acceptance Y/N I/C/R/N S/R/C/P/N S
ISO-10.3.1 - Capacity management Y/N I/C/R/N S/R/C/P/N S
ISO-10.3.2 - System acceptance Y/N I/C/R/N S/R/C/P/N S
ISO-10.4 - Protection against malicious and mobile code Y/N I/C/R/N S/R/C/P/N S
ISO-10.4.1 - Controls against malicious code Y/N I/C/R/N S/R/C/P/N S
ISO-10.4.2 - Controls against mobile code Y/N I/C/R/N S/R/C/P/N S
ISO-10.5 - Backup Y/N I/C/R/N S/R/C/P/N S
ISO-10.5.1 - Information backup Y/N I/C/R/N S/R/C/P/N S
ISO-10.6 - Network security management Y/N I/C/R/N S/R/C/P/N S
ISO-10.6.1 - Network controls Y/N I/C/R/N S/R/C/P/N S
ISO-10.6.2 - Security of network services Y/N I/C/R/N S/R/C/P/N S
ISO-10.7 - Media handling Y/N I/C/R/N S/R/C/P/N S
ISO-10.7.1 - Management of removable media Y/N I/C/R/N S/R/C/P/N S
ISO-10.7.2 - Disposal of media Y/N I/C/R/N S/R/C/P/N S
ISO-10.7.3 - Information handling procedures Y/N I/C/R/N S/R/C/P/N S
ISO-10.7.4 - Security of system documentation Y/N I/C/R/N S/R/C/P/N S
ISO-10.8 - Exchange of information Y/N I/C/R/N S/R/C/P/N S
ISO-10.8.1 - Information exchange policies and procedures Y/N I/C/R/N S/R/C/P/N S
ISO-10.8.2 - Exchange agreements Y/N I/C/R/N S/R/C/P/N S
ISO-10.8.3 - Physical media in transit Y/N I/C/R/N S/R/C/P/N S
ISO-10.8.4 - Electronic messaging Y/N I/C/R/N S/R/C/P/N S
ISO-10.8.5 - Business information systems Y/N I/C/R/N S/R/C/P/N S
ISO-10.9 - Electronic commerce services Y/N I/C/R/N S/R/C/P/N S
ISO-10.9.1 - Electronic commerce Y/N I/C/R/N S/R/C/P/N S
ISO-10.9.2 - On-line transactions Y/N I/C/R/N S/R/C/P/N S
ISO-10.9.3 - Publicly available information Y/N I/C/R/N S/R/C/P/N S
ISO-10.10 - Monitoring Y/N I/C/R/N S/R/C/P/N S
ISO-10.10.1 - Audit logging Y/N I/C/R/N S/R/C/P/N S
ISO-10.10.2 - Monitoring system use Y/N I/C/R/N S/R/C/P/N S
ISO-10.10.3 - Protection of log information Y/N I/C/R/N S/R/C/P/N S
ISO-10.10.4 - Administrator and operator logs Y/N I/C/R/N S/R/C/P/N S
ISO-10.10.5 - Fault logging Y/N I/C/R/N S/R/C/P/N S
ISO-10.10.6 - Clock synchronization Y/N I/C/R/N S/R/C/P/N S
ISO-11 - Access control Y/N I/C/R/N S/R/C/P/N S
ISO-11.1 - Business requirement for access control Y/N I/C/R/N S/R/C/P/N S
ISO-11.1.1 - Access control policy Y/N I/C/R/N S/R/C/P/N S
ISO-11.2 - User access management Y/N I/C/R/N S/R/C/P/N S
ISO-11.2.1 - User registration Y/N I/C/R/N S/R/C/P/N S
ISO-11.2.2 - Privilege management Y/N I/C/R/N S/R/C/P/N S
ISO-11.2.3 - User password management Y/N I/C/R/N S/R/C/P/N S
ISO-11.2.4 - Review of user access rights Y/N I/C/R/N S/R/C/P/N S
ISO-11.3 - User responsibilities Y/N I/C/R/N S/R/C/P/N S
ISO-11.3.1 - Password use Y/N I/C/R/N S/R/C/P/N S
ISO-11.3.2 - Unattended user equipment Y/N I/C/R/N S/R/C/P/N S
ISO-11.3.3 - Clear desk and clear screen policy Y/N I/C/R/N S/R/C/P/N S
ISO-11.4 - Network access control Y/N I/C/R/N S/R/C/P/N S
ISO-11.4.1 - Policy on use of network services Y/N I/C/R/N S/R/C/P/N S
ISO-11.4.2 - User authentication for external connections Y/N I/C/R/N S/R/C/P/N S
ISO-11.4.3 - Equipment identification in networks Y/N I/C/R/N S/R/C/P/N S
ISO-11.4.4 - Remote diagnostic and configuration port protection Y/N I/C/R/N S/R/C/P/N S
ISO-11.4.5 - Segregation in networks Y/N I/C/R/N S/R/C/P/N S
ISO-11.4.6 - Network connection control Y/N I/C/R/N S/R/C/P/N S
ISO-11.4.7 - Network routing control Y/N I/C/R/N S/R/C/P/N S
ISO-11.5 - Operating system access control Y/N I/C/R/N S/R/C/P/N S
ISO-11.5.1 - Secure log-on procedures Y/N I/C/R/N S/R/C/P/N S
ISO-11.5.2 - User identification and authentication Y/N I/C/R/N S/R/C/P/N S
ISO-11.5.3 - Password management system Y/N I/C/R/N S/R/C/P/N S
ISO-11.5.4 - Use of system utilities Y/N I/C/R/N S/R/C/P/N S
ISO-11.5.5 - Session time-out Y/N I/C/R/N S/R/C/P/N S
ISO-11.5.6 - Limitation of connection time Y/N I/C/R/N S/R/C/P/N S
ISO-11.6 - Application and information access control Y/N I/C/R/N S/R/C/P/N S
ISO-11.6.1 - Information access restriction Y/N I/C/R/N S/R/C/P/N S
ISO-11.6.2 - Sensitive system isolation Y/N I/C/R/N S/R/C/P/N S
ISO-11.7 - Mobile computing and teleworking Y/N I/C/R/N S/R/C/P/N S
ISO-11.7.1 - Mobile computing and communications Y/N I/C/R/N S/R/C/P/N S
ISO-11.7.2 - Teleworking Y/N I/C/R/N S/R/C/P/N S
ISO-12 - Information systems acquisition, development and maintenance Y/N I/C/R/N S/R/C/P/N S
ISO-12.1 - Security requirements of information systems Y/N I/C/R/N S/R/C/P/N S
ISO-12.1.1 - Security requirements analysis and specification Y/N I/C/R/N S/R/C/P/N S
ISO-12.2 - Correct processing in applications Y/N I/C/R/N S/R/C/P/N S
ISO-12.2.1 - Input data validation Y/N I/C/R/N S/R/C/P/N S
ISO-12.2.2 - Control of internal processing Y/N I/C/R/N S/R/C/P/N S
ISO-12.2.3 - Message integrity Y/N I/C/R/N S/R/C/P/N S
ISO-12.2.4 - Output data validation Y/N I/C/R/N S/R/C/P/N S
ISO-12.3 - Cryptographic controls Y/N I/C/R/N S/R/C/P/N S
ISO-12.3.1 - Policy on the use of cryptographic controls Y/N I/C/R/N S/R/C/P/N S
ISO-12.3.2 - Key management Y/N I/C/R/N S/R/C/P/N S
ISO-12.4 - Security of system files Y/N I/C/R/N S/R/C/P/N S
ISO-12.4.1 - Control of operational software Y/N I/C/R/N S/R/C/P/N S
ISO-12.4.2 - Protection of system test data Y/N I/C/R/N S/R/C/P/N S
ISO-12.4.3 - Access control to program source code Y/N I/C/R/N S/R/C/P/N S
ISO-12.5 - Security in development and support processes Y/N I/C/R/N S/R/C/P/N S
ISO-12.5.1 - Change control procedures Y/N I/C/R/N S/R/C/P/N S
ISO-12.5.2 - Technical review of applications after operating system changes Y/N I/C/R/N S/R/C/P/N S
ISO-12.5.3 - Restrictions on changes to software packages Y/N I/C/R/N S/R/C/P/N S
ISO-12.5.4 - Information leakage Y/N I/C/R/N S/R/C/P/N S
ISO-12.5.5 - Outsourced software development Y/N I/C/R/N S/R/C/P/N S
ISO-12.6 - Technical vulnerability management Y/N I/C/R/N S/R/C/P/N S
ISO-12.6.1 - Control of technical vulnerabilities Y/N I/C/R/N S/R/C/P/N S
ISO-13 - Information security incident management Y/N I/C/R/N S/R/C/P/N S
ISO-13.1 - Reporting information security events and weaknesses Y/N I/C/R/N S/R/C/P/N S
ISO-13.1.1 - Reporting information security events Y/N I/C/R/N S/R/C/P/N S
ISO-13.1.2 - Reporting information security weaknesses Y/N I/C/R/N S/R/C/P/N S
ISO-13.2 - Management of security incidents and improvements Y/N I/C/R/N S/R/C/P/N S
ISO-13.2.1 - Responsibilities and procedures Y/N I/C/R/N S/R/C/P/N S
ISO-13.2.2 - Learning from information security incidents Y/N I/C/R/N S/R/C/P/N S
ISO-13.2.3 - Collection of evidence Y/N I/C/R/N S/R/C/P/N S
ISO-14 - Business continuity management (BCM) Y/N I/C/R/N S/R/C/P/N S
ISO-14.1 - Information security aspects of BCM Y/N I/C/R/N S/R/C/P/N S
ISO-14.1.1 - Including information security in the BCM process Y/N I/C/R/N S/R/C/P/N S
ISO-14.1.2 - Business continuity and risk management Y/N I/C/R/N S/R/C/P/N S
ISO-14.1.3 - Developing and implementing BCPs with information security Y/N I/C/R/N S/R/C/P/N S
ISO-14.1.4 - Business continuity planning framework Y/N I/C/R/N S/R/C/P/N S
ISO-14.1.5 - Testing, maintaining & re-assessing business continuity plans Y/N I/C/R/N S/R/C/P/N S
ISO-15 - Compliance Y/N I/C/R/N S/R/C/P/N S
ISO-15.1 - Compliance with legal requirements Y/N I/C/R/N S/R/C/P/N S
ISO-15.1.1 - Identification of applicable legislation Y/N I/C/R/N S/R/C/P/N S
ISO-15.1.2 - Intellectual property rights (IPR) Y/N I/C/R/N S/R/C/P/N S
ISO-15.1.3 - Protection of organizational records Y/N I/C/R/N S/R/C/P/N S
ISO-15.1.4 - Data protection and privacy of personal information Y/N I/C/R/N S/R/C/P/N S
ISO-15.1.5 - Prevention of misuse of information processing facilities Y/N I/C/R/N S/R/C/P/N S
ISO-15.1.6 - Regulation of cryptographic controls Y/N I/C/R/N S/R/C/P/N S
ISO-15.2 - Compliance with policies, standards, and technical compliance Y/N I/C/R/N S/R/C/P/N S
ISO-15.2.1 - Compliance with security policy Y/N I/C/R/N S/R/C/P/N S
ISO-15.2.2 - Technical compliance checking Y/N I/C/R/N S/R/C/P/N S
ISO-15.3 - Information systems audit considerations Y/N I/C/R/N S/R/C/P/N S
ISO-15.3.1 - Information system audit controls Y/N I/C/R/N S/R/C/P/N S
ISO-15.3.2 - Protection of system audit tools Y/N I/C/R/N S/R/C/P/N S
ISO 15489-1 elements
15489-1-1 - Scope Y/N I/C/R/N S/R/C/P/N S
15489-1-4 - Coverage (Benefits) Y/N I/C/R/N S/R/C/P/N S
15489-1-5 - Regulatory environment Y/N I/C/R/N S/R/C/P/N S
15489-1-6 - Policy and responsibilities Y/N I/C/R/N S/R/C/P/N S
15489-1-7.1 - Records management requirements - Principles of programs Y/N I/C/R/N S/R/C/P/N S
15489-1-7.2 - Records management requirements - Characteristics of a record Y/N I/C/R/N S/R/C/P/N S
15489-1-8.1 - Record system design and implementation: General Y/N I/C/R/N S/R/C/P/N S
15489-1-8.2 - Record system characteristics Y/N I/C/R/N S/R/C/P/N S
15489-1-8.3 - Designing and implementing records systems Y/N I/C/R/N S/R/C/P/N S
15489-1-8.4 - Design and implementation methodology Y/N I/C/R/N S/R/C/P/N S
15489-1-8.5 - Discontinuing records management Y/N I/C/R/N S/R/C/P/N S
15489-1-9.1 - Determining what is to be captured Y/N I/C/R/N S/R/C/P/N S
15489-1-9.2 - Determining how long to retain records Y/N I/C/R/N S/R/C/P/N S
15489-1-9.3 - Records capture Y/N I/C/R/N S/R/C/P/N S
15489-1-9.4 - Registration Y/N I/C/R/N S/R/C/P/N S
15489-1-9.5 - Classification Y/N I/C/R/N S/R/C/P/N S
15489-1-9.6 - Storage and handling Y/N I/C/R/N S/R/C/P/N S
15489-1-9.7 - Access Y/N I/C/R/N S/R/C/P/N S
15489-1-9.8 - Tracking Y/N I/C/R/N S/R/C/P/N S
15489-1-9.9 - Information disposition Y/N I/C/R/N S/R/C/P/N S
15489-1-9.10 - Documenting records management Y/N I/C/R/N S/R/C/P/N S
15489-1-10 - Monitoring and auditing Y/N I/C/R/N S/R/C/P/N S
15489-1-11 - Training Y/N I/C/R/N S/R/C/P/N S
GAISP elements
2.0 PERVASIVE PRINCIPLES Y/N I/C/R/N S/R/C/P/N S
2.1 Accountability Principle Y/N I/C/R/N S/R/C/P/N S
2.2 Awareness Principle Y/N I/C/R/N S/R/C/P/N S
2.3 Ethics Principle Y/N I/C/R/N S/R/C/P/N S
2.4 Multidisciplinary Principle Y/N I/C/R/N S/R/C/P/N S
2.5 Proportionality Principle Y/N I/C/R/N S/R/C/P/N S
2.6 Integration Principle Y/N I/C/R/N S/R/C/P/N S
2.7 Timeliness Principle Y/N I/C/R/N S/R/C/P/N S
2.8 Assessment Principle Y/N I/C/R/N S/R/C/P/N S
2.9 Equity Principle Y/N I/C/R/N S/R/C/P/N S
3.0 BROAD FUNCTIONAL PRINCIPLES Y/N I/C/R/N S/R/C/P/N S
3.1 Information Security Policy Y/N I/C/R/N S/R/C/P/N S
3.2 Education and Awareness Y/N I/C/R/N S/R/C/P/N S
3.3 Accountability Y/N I/C/R/N S/R/C/P/N S
3.4 Information Management Y/N I/C/R/N S/R/C/P/N S
3.5 Environmental Management Y/N I/C/R/N S/R/C/P/N S
3.6 Personnel Qualifications Y/N I/C/R/N S/R/C/P/N S
3.7 System Integrity Y/N I/C/R/N S/R/C/P/N S
3.8 Information Systems Life Cycle Y/N I/C/R/N S/R/C/P/N S
3.9 Access Control Y/N I/C/R/N S/R/C/P/N S
3.10 Operational Continuity and Contingency Planning Y/N I/C/R/N S/R/C/P/N S
3.11 Information Risk Management Y/N I/C/R/N S/R/C/P/N S
3.12 Network and Infrastructure Security Y/N I/C/R/N S/R/C/P/N S
3.13 Legal, Regulatory, and Contractual Requirements of Information Security Y/N I/C/R/N S/R/C/P/N S
3.14 Ethical Practices Y/N I/C/R/N S/R/C/P/N S
COSO elements
COSO-Materiality What is material Y/N I/C/R/N S/R/C/P/N S
COSO-SO Setting Objectives Y/N I/C/R/N S/R/C/P/N S
COSO-EI Event Identification Y/N I/C/R/N S/R/C/P/N S
COSO-RI Risk Identification Y/N I/C/R/N S/R/C/P/N S
COSO-RR Risk Response Y/N I/C/R/N S/R/C/P/N S
COSO-CA Control Activities Y/N I/C/R/N S/R/C/P/N S
COSO-IC Information and Communications Y/N I/C/R/N S/R/C/P/N S
COSO-M Monitoring Y/N I/C/R/N S/R/C/P/N S
COSO-BM Business Modeling Y/N I/C/R/N S/R/C/P/N S
COSO-Attestation Attestation requirements Y/N I/C/R/N S/R/C/P/N S
CoBit elements
PO1 Define a Strategic IT Plan Y/N I/C/R/N S/R/C/P/N S
PO2 Define the Information Architecture Y/N I/C/R/N S/R/C/P/N S
PO3 Determine the Technological Direction Y/N I/C/R/N S/R/C/P/N S
PO4 Define IT Organization and Relationships Y/N I/C/R/N S/R/C/P/N S
PO5 Manage the IT Investment Y/N I/C/R/N S/R/C/P/N S
PO6 Communicate Management Aims and Direction Y/N I/C/R/N S/R/C/P/N S
PO7 Manage Human Resources Y/N I/C/R/N S/R/C/P/N S
PO8 Ensure Compliance with External Requirements Y/N I/C/R/N S/R/C/P/N S
PO9 Assess Risks Y/N I/C/R/N S/R/C/P/N S
PO10 Manage Projects Y/N I/C/R/N S/R/C/P/N S
PO11 Manage Quality Y/N I/C/R/N S/R/C/P/N S
AI1 Identify Solutions Y/N I/C/R/N S/R/C/P/N S
AI2 Acquire and Maintain Application Software Y/N I/C/R/N S/R/C/P/N S
AI3 Acquire and Maintain Technology Architecture Y/N I/C/R/N S/R/C/P/N S
AI4 Develop and Maintain IT Procedures Y/N I/C/R/N S/R/C/P/N S
AI5 Install and Accredit Systems Y/N I/C/R/N S/R/C/P/N S
AI6 Manage Changes Y/N I/C/R/N S/R/C/P/N S
DS1 Define Service Levels Y/N I/C/R/N S/R/C/P/N S
DS2 Manage Third-Party Services Y/N I/C/R/N S/R/C/P/N S
DS3 Manage Performance and Capacity Y/N I/C/R/N S/R/C/P/N S
DS4 Ensure Continuous Service Y/N I/C/R/N S/R/C/P/N S
DS5 Ensure Systems Security Y/N I/C/R/N S/R/C/P/N S
DS6 Identify and Attribute Costs Y/N I/C/R/N S/R/C/P/N S
DS7 Educate and Train Users Y/N I/C/R/N S/R/C/P/N S
DS8 Assist and Advise IT Customers Y/N I/C/R/N S/R/C/P/N S
DS9 Manage the Configuration Y/N I/C/R/N S/R/C/P/N S
DS10 Manage Problems and Incidents Y/N I/C/R/N S/R/C/P/N S
DS11 Manage Data Y/N I/C/R/N S/R/C/P/N S
DS12 Manage Facilities Y/N I/C/R/N S/R/C/P/N S
DS13 Manage Operations Y/N I/C/R/N S/R/C/P/N S
M1 Monitor the Processes Y/N I/C/R/N S/R/C/P/N S
M2 Assess Internal Control Adequacy Y/N I/C/R/N S/R/C/P/N S
M3 Obtain Independent Assurance Y/N I/C/R/N S/R/C/P/N S
M4 Provide for Independent Audit Y/N I/C/R/N S/R/C/P/N S
ITIL elements
Incident management Y/N I/C/R/N S/R/C/P/N S
Problem management Y/N I/C/R/N S/R/C/P/N S
Configuration management Y/N I/C/R/N S/R/C/P/N S
Change management Y/N I/C/R/N S/R/C/P/N S
Release management Y/N I/C/R/N S/R/C/P/N S
Service level management Y/N I/C/R/N S/R/C/P/N S
Financial management for IT services Y/N I/C/R/N S/R/C/P/N S
Capacity management Y/N I/C/R/N S/R/C/P/N S
IT Service continuity management Y/N I/C/R/N S/R/C/P/N S
Availability management Y/N I/C/R/N S/R/C/P/N S
Control Y/N I/C/R/N S/R/C/P/N S
- Policies Y/N I/C/R/N S/R/C/P/N S
- Organization Y/N I/C/R/N S/R/C/P/N S
- Reporting Y/N I/C/R/N S/R/C/P/N S
Plan Y/N I/C/R/N S/R/C/P/N S
- SLA section Y/N I/C/R/N S/R/C/P/N S
- Underlying contracts Y/N I/C/R/N S/R/C/P/N S
- OLA section Y/N I/C/R/N S/R/C/P/N S
- Reporting Y/N I/C/R/N S/R/C/P/N S
Implement Y/N I/C/R/N S/R/C/P/N S
- Classifications Y/N I/C/R/N S/R/C/P/N S
- Personnel security Y/N I/C/R/N S/R/C/P/N S
- Security policies Y/N I/C/R/N S/R/C/P/N S
- Access controls Y/N I/C/R/N S/R/C/P/N S
- Reporting Y/N I/C/R/N S/R/C/P/N S
Evaluate Y/N I/C/R/N S/R/C/P/N S
- Self-assessment Y/N I/C/R/N S/R/C/P/N S
- External Audit Y/N I/C/R/N S/R/C/P/N S
- Internal Audit Y/N I/C/R/N S/R/C/P/N S
- Assessment as result of security incident Y/N I/C/R/N S/R/C/P/N S
- Reporting Y/N I/C/R/N S/R/C/P/N S
Maintain Y/N I/C/R/N S/R/C/P/N S
- SLA sections Y/N I/C/R/N S/R/C/P/N S
- OLA sections Y/N I/C/R/N S/R/C/P/N S
- Requests for changes, additions, deletions Y/N I/C/R/N S/R/C/P/N S
- Reporting Y/N I/C/R/N S/R/C/P/N S
NIST SP800-53 elements (the three parenthesized groups after each control name list the control and its enhancements selected for the Low, Moderate, and High baselines respectively; an empty pair means the control is not in that baseline)
SP-AC-1 - Access Control Policy and Procedures (1) (1) (1) Y/N I/C/R/N S/R/C/P/N S
SP-AC-2 - Account Management (2) (2 2.1 2.2 2.3) (2 2.1 2.2 2.3 2.4) Y/N I/C/R/N S/R/C/P/N S
SP-AC-3 - Access Enforcement (3) (3 3.1) (3 3.1) Y/N I/C/R/N S/R/C/P/N S
SP-AC-4 - Information Flow Enforcement () (4) (4) Y/N I/C/R/N S/R/C/P/N S
SP-AC-5 - Separation of Duties () (5) (5) Y/N I/C/R/N S/R/C/P/N S
SP-AC-6 - Least Privilege () (6) (6) Y/N I/C/R/N S/R/C/P/N S
SP-AC-7 - Unsuccessful Login Attempts (7) (7) (7) Y/N I/C/R/N S/R/C/P/N S
SP-AC-8 - System Use Notification (8) (8) (8) Y/N I/C/R/N S/R/C/P/N S
SP-AC-9 - Previous Logon Notification () () () Y/N I/C/R/N S/R/C/P/N S
SP-AC-10 - Concurrent Session Control () () (10) Y/N I/C/R/N S/R/C/P/N S
SP-AC-11 - Session Lock () (11) (11) Y/N I/C/R/N S/R/C/P/N S
SP-AC-12 - Session Termination () (12) (12) Y/N I/C/R/N S/R/C/P/N S
SP-AC-13 - Supervision and Review Access Control (13) (13) (13 13.1) Y/N I/C/R/N S/R/C/P/N S
SP-AC-14 - Permitted Actions w/o Identification or Authentication (14) (14 14.1) (14 14.1) Y/N I/C/R/N S/R/C/P/N S
SP-AC-15 - Automated Marking () () (15) Y/N I/C/R/N S/R/C/P/N S
SP-AC-16 - Automated Labeling () () () Y/N I/C/R/N S/R/C/P/N S
SP-AC-17 - Remote Access (17) (17 17.1 17.2 17.3) (17 17.1 17.2 17.3) Y/N I/C/R/N S/R/C/P/N S
SP-AC-18 - Wireless Access Restrictions () (18 18.1) (18 18.1) Y/N I/C/R/N S/R/C/P/N S
SP-AC-19 - Access Control for Portable and Mobile Systems () (19) (19 19.1) Y/N I/C/R/N S/R/C/P/N S
SP-AC-20 - Personally Owned Information Systems (20) (20) (20) Y/N I/C/R/N S/R/C/P/N S
SP-AT-1 Security Awareness and Training Policy and Procedures (1) (1) (1) Y/N I/C/R/N S/R/C/P/N S
SP-AT-2 Security Awareness (2) (2) (2) Y/N I/C/R/N S/R/C/P/N S
SP-AT-3 Security Training (3) (3) (3) Y/N I/C/R/N S/R/C/P/N S
SP-AT-4 Security Training Records (4) (4) (4) Y/N I/C/R/N S/R/C/P/N S
SP-AU-1 Audit and Accountability Policy and Procedures (1) (1) (1) Y/N I/C/R/N S/R/C/P/N S
SP-AU-2 Auditable Events (2) (2) (2) Y/N I/C/R/N S/R/C/P/N S
SP-AU-3 Content of Audit Records (3) (3 3.1) (3 3.1 3.2) Y/N I/C/R/N S/R/C/P/N S
SP-AU-4 Audit Storage Capacity (4) (4) (4) Y/N I/C/R/N S/R/C/P/N S
SP-AU-5 Audit Processing (5) (5) (5 5.1) Y/N I/C/R/N S/R/C/P/N S
SP-AU-6 Audit Monitoring, Analysis, and Reporting () (6) (6 6.1) Y/N I/C/R/N S/R/C/P/N S
SP-AU-7 Audit Reduction and Report Generation () (7) (7 7.1) Y/N I/C/R/N S/R/C/P/N S
SP-AU-8 Time Stamps () (8) (8) Y/N I/C/R/N S/R/C/P/N S
SP-AU-9 Protection of Audit Information (9) (9) (9) Y/N I/C/R/N S/R/C/P/N S
SP-AU-10 Non-repudiation () () () Y/N I/C/R/N S/R/C/P/N S
SP-AU-11 Audit Retention (11) (11) (11) Y/N I/C/R/N S/R/C/P/N S
SP-CA-1 Certification, Accreditation, Security Assessment Policies & Procedures (1) (1) (1) Y/N I/C/R/N S/R/C/P/N S
SP-CA-2 Security Assessments () (2) (2) Y/N I/C/R/N S/R/C/P/N S
SP-CA-3 Information System Connections (3) (3) (3) Y/N I/C/R/N S/R/C/P/N S
SP-CA-4 Security Certification (4) (4) (4) Y/N I/C/R/N S/R/C/P/N S
SP-CA-5 Plan of Action and Milestones (5) (5) (5) Y/N I/C/R/N S/R/C/P/N S
SP-CA-6 Security Accreditation (6) (6) (6) Y/N I/C/R/N S/R/C/P/N S
SP-CA-7 Continuous Monitoring (7) (7) (7) Y/N I/C/R/N S/R/C/P/N S
SP-CM-1 Configuration Management Policy and Procedures (1) (1) (1) Y/N I/C/R/N S/R/C/P/N S
SP-CM-2 Baseline Configuration (2) (2 2.1) (2 2.1 2.2) Y/N I/C/R/N S/R/C/P/N S
SP-CM-3 Configuration Change Control () (3) (3 3.1) Y/N I/C/R/N S/R/C/P/N S
SP-CM-4 Monitoring Configuration Changes () (4) (4) Y/N I/C/R/N S/R/C/P/N S
SP-CM-5 Access Restrictions for Change () (5) (5 5.1) Y/N I/C/R/N S/R/C/P/N S
SP-CM-6 Configuration Settings (6) (6) (6 6.1) Y/N I/C/R/N S/R/C/P/N S
SP-CM-7 Least Functionality () (7) (7 7.1) Y/N I/C/R/N S/R/C/P/N S
SP-CP-1 Contingency Planning Policy and Procedures (1) (1) (1) Y/N I/C/R/N S/R/C/P/N S
SP-CP-2 Contingency Plan (2) (2 2.1) (2 2.1) Y/N I/C/R/N S/R/C/P/N S
SP-CP-3 Contingency Training () (3) (3 3.1) Y/N I/C/R/N S/R/C/P/N S
SP-CP-4 Contingency Plan Testing () (4 4.1) (4 4.1 4.2) Y/N I/C/R/N S/R/C/P/N S
SP-CP-5 Contingency Plan Update (5) (5) (5) Y/N I/C/R/N S/R/C/P/N S
SP-CP-6 Alternate Storage Sites () (6 6.1) (6 6.1 6.2 6.3) Y/N I/C/R/N S/R/C/P/N S
SP-CP-7 Alternate Processing Sites () (7 7.1 7.2 7.3) (7 7.1 7.2 7.3 7.4) Y/N I/C/R/N S/R/C/P/N S
SP-CP-8 Telecommunications Services () (8 8.1 8.2) (8 8.1 8.2 8.3 8.4) Y/N I/C/R/N S/R/C/P/N S
SP-CP-9 Information System Backup (9) (9 9.1) (9 9.1 9.2 9.3) Y/N I/C/R/N S/R/C/P/N S
SP-CP-10 Information System Recovery and Reconstitution (10) (10) (10 10.1) Y/N I/C/R/N S/R/C/P/N S
SP-IA-1 Identification and Authentication Policy and Procedures (1) (1) (1) Y/N I/C/R/N S/R/C/P/N S
SP-IA-2 User Identification and Authentication (2) (2) (2 2.1) Y/N I/C/R/N S/R/C/P/N S
SP-IA-3 Device Identification and Authentication () (3) (3) Y/N I/C/R/N S/R/C/P/N S
SP-IA-4 Identifier Management (4) (4) (4) Y/N I/C/R/N S/R/C/P/N S
SP-IA-5 Authenticator Management (5) (5) (5) Y/N I/C/R/N S/R/C/P/N S
SP-IA-6 Authenticator Feedback (6) (6) (6) Y/N I/C/R/N S/R/C/P/N S
SP-IA-7 Cryptographic Module Authentication (7) (7) (7) Y/N I/C/R/N S/R/C/P/N S
SP-IR-1 Incident Response Policy and Procedures (1) (1) (1) Y/N I/C/R/N S/R/C/P/N S
SP-IR-2 Incident Response Training () (2) (2 2.1 2.2) Y/N I/C/R/N S/R/C/P/N S
SP-IR-3 Incident Response Testing () (3) (3 3.1) Y/N I/C/R/N S/R/C/P/N S
SP-IR-4 Incident Handling (4) (4 4.1) (4 4.1) Y/N I/C/R/N S/R/C/P/N S
SP-IR-5 Incident Monitoring () (5) (5 5.1) Y/N I/C/R/N S/R/C/P/N S
SP-IR-6 Incident Reporting (6) (6 6.1) (6 6.1) Y/N I/C/R/N S/R/C/P/N S
SP-IR-7 Incident Response Assistance (7) (7 7.1) (7 7.1) Y/N I/C/R/N S/R/C/P/N S
SP-MA-1 System Maintenance Policy and Procedures (1) (1) (1) Y/N I/C/R/N S/R/C/P/N S
SP-MA-2 Periodic Maintenance (2) (2 2.1) (2 2.1 2.2) Y/N I/C/R/N S/R/C/P/N S
SP-MA-3 Maintenance Tools () (3) (3 3.1 3.2 3.3) Y/N I/C/R/N S/R/C/P/N S
SP-MA-4 Remote Maintenance (4) (4) (4 4.1 4.2 4.3) Y/N I/C/R/N S/R/C/P/N S
SP-MA-5 Maintenance Personnel (5) (5) (5) Y/N I/C/R/N S/R/C/P/N S
SP-MA-6 Timely Maintenance () (6) (6) Y/N I/C/R/N S/R/C/P/N S
SP-MP-1 Media Protection Policy and Procedures (1) (1) (1) Y/N I/C/R/N S/R/C/P/N S
SP-MP-2 Media Access (2) (2) (2 2.1) Y/N I/C/R/N S/R/C/P/N S
SP-MP-3 Media Labeling () (3) (3) Y/N I/C/R/N S/R/C/P/N S
SP-MP-4 Media Storage () (4) (4) Y/N I/C/R/N S/R/C/P/N S
SP-MP-5 Media Transport () (5) (5) Y/N I/C/R/N S/R/C/P/N S
SP-MP-6 Media Sanitization () (6) (6) Y/N I/C/R/N S/R/C/P/N S
SP-MP-7 Media Destruction and Disposal (7) (7) (7) Y/N I/C/R/N S/R/C/P/N S
SP-PE-1 Physical and Environmental Protection Policy and Procedures (1) (1) (1) Y/N I/C/R/N S/R/C/P/N S
SP-PE-2 Physical Access Authorizations (2) (2) (2) Y/N I/C/R/N S/R/C/P/N S
SP-PE-3 Physical Access Control (3) (3) (3) Y/N I/C/R/N S/R/C/P/N S
SP-PE-4 Access Control for Transmission Medium () () () Y/N I/C/R/N S/R/C/P/N S
SP-PE-5 Access Control for Display Medium () (5) (5) Y/N I/C/R/N S/R/C/P/N S
SP-PE-6 Monitoring Physical Access (6) (6 6.1) (6 6.1 6.2) Y/N I/C/R/N S/R/C/P/N S
SP-PE-7 Visitor Control (7) (7 7.1) (7 7.1) Y/N I/C/R/N S/R/C/P/N S
SP-PE-8 Access Logs (8) (8 8.1) (8 8.1) Y/N I/C/R/N S/R/C/P/N S
SP-PE-9 Power Equipment and Power Cabling () (9) (9) Y/N I/C/R/N S/R/C/P/N S
SP-PE-10 Emergency Shutoff () (10) (10) Y/N I/C/R/N S/R/C/P/N S
SP-PE-11 Emergency Power () (11) (11 11.1) Y/N I/C/R/N S/R/C/P/N S
SP-PE-12 Emergency Lighting (12) (12) (12) Y/N I/C/R/N S/R/C/P/N S
SP-PE-13 Fire Protection (13) (13 13.1) (13 13.1 13.2) Y/N I/C/R/N S/R/C/P/N S
SP-PE-14 Temperature and Humidity Controls (14) (14) (14) Y/N I/C/R/N S/R/C/P/N S
SP-PE-15 Water Damage Protection (15) (15) (15 15.1) Y/N I/C/R/N S/R/C/P/N S
SP-PE-16 Delivery and Removal (16) (16) (16) Y/N I/C/R/N S/R/C/P/N S
SP-PE-17 Alternate Work Site () (17) (17) Y/N I/C/R/N S/R/C/P/N S
SP-PL-1 Security Planning Policy and Procedures (1) (1) (1) Y/N I/C/R/N S/R/C/P/N S
SP-PL-2 System Security Plan (2) (2) (2) Y/N I/C/R/N S/R/C/P/N S
SP-PL-3 System Security Plan Update (3) (3) (3) Y/N I/C/R/N S/R/C/P/N S
SP-PL-4 Rules of Behavior (4) (4) (4) Y/N I/C/R/N S/R/C/P/N S
SP-PL-5 Privacy Impact Assessment (5) (5) (5) Y/N I/C/R/N S/R/C/P/N S
SP-PS-1 Personnel Security Policy and Procedures (1) (1) (1) Y/N I/C/R/N S/R/C/P/N S
SP-PS-2 Position Categorization (2) (2) (2) Y/N I/C/R/N S/R/C/P/N S
SP-PS-3 Personnel Screening (3) (3) (3) Y/N I/C/R/N S/R/C/P/N S
SP-PS-4 Personnel Termination (4) (4) (4) Y/N I/C/R/N S/R/C/P/N S
SP-PS-5 Personnel Transfer (5) (5) (5) Y/N I/C/R/N S/R/C/P/N S
SP-PS-6 Access Agreements (6) (6) (6) Y/N I/C/R/N S/R/C/P/N S
SP-PS-7 Third-Party Personnel Security (7) (7) (7) Y/N I/C/R/N S/R/C/P/N S
SP-PS-8 Personnel Sanctions (8) (8) (8) Y/N I/C/R/N S/R/C/P/N S
SP-RA-1 Risk Assessment Policy and Procedures (1) (1) (1) Y/N I/C/R/N S/R/C/P/N S
SP-RA-2 Security Categorization (2) (2) (2) Y/N I/C/R/N S/R/C/P/N S
SP-RA-3 Risk Assessment (3) (3) (3) Y/N I/C/R/N S/R/C/P/N S
SP-RA-4 Risk Assessment Update (4) (4) (4) Y/N I/C/R/N S/R/C/P/N S
SP-RA-5 Vulnerability Scanning () (5) (5 5.1 5.2) Y/N I/C/R/N S/R/C/P/N S
SP-SA-1 System and Services Acquisition Policy and Procedures (1) (1) (1) Y/N I/C/R/N S/R/C/P/N S
SP-SA-2 Allocation of Resources (2) (2) (2) Y/N I/C/R/N S/R/C/P/N S
SP-SA-3 Life Cycle Support (3) (3) (3) Y/N I/C/R/N S/R/C/P/N S
SP-SA-4 Acquisitions (4) (4) (4) Y/N I/C/R/N S/R/C/P/N S
SP-SA-5 Information System Documentation (5) (5 5.1) (5 5.1 5.2) Y/N I/C/R/N S/R/C/P/N S
SP-SA-6 Software Usage Restrictions (6) (6) (6) Y/N I/C/R/N S/R/C/P/N S
SP-SA-7 User Installed Software (7) (7) (7) Y/N I/C/R/N S/R/C/P/N S
SP-SA-8 Security Design Principles () (8) (8) Y/N I/C/R/N S/R/C/P/N S
SP-SA-9 Outsourced Information System Services (9) (9) (9) Y/N I/C/R/N S/R/C/P/N S
SP-SA-10 Developer Configuration Management () () (10) Y/N I/C/R/N S/R/C/P/N S
SP-SA-11 Developer Security Testing () (11) (11) Y/N I/C/R/N S/R/C/P/N S
SP-SC-1 System and Communications Protection Policy and Procedures (1) (1) (1) Y/N I/C/R/N S/R/C/P/N S
SP-SC-2 Application Partitioning () (2) (2) Y/N I/C/R/N S/R/C/P/N S
SP-SC-3 Security Function Isolation () () (3) Y/N I/C/R/N S/R/C/P/N S
SP-SC-4 Information Remnants () (4) (4) Y/N I/C/R/N S/R/C/P/N S
SP-SC-5 Denial of Service Protection (5) (5) (5) Y/N I/C/R/N S/R/C/P/N S
SP-SC-6 Resource Priority () (6) (6) Y/N I/C/R/N S/R/C/P/N S
SP-SC-7 Boundary Protection (7) (7 7.1) (7 7.1) Y/N I/C/R/N S/R/C/P/N S
SP-SC-8 Transmission Integrity () (8) (8 8.1) Y/N I/C/R/N S/R/C/P/N S
SP-SC-9 Transmission Confidentiality () (9) (9 9.1) Y/N I/C/R/N S/R/C/P/N S
SP-SC-10 Network Disconnect () (10) (10) Y/N I/C/R/N S/R/C/P/N S
SP-SC-11 Trusted Path () () () Y/N I/C/R/N S/R/C/P/N S
SP-SC-12 Cryptographic Key Establishment and Management () (12) (12) Y/N I/C/R/N S/R/C/P/N S
SP-SC-13 Use of Validated Cryptography (13) (13) (13) Y/N I/C/R/N S/R/C/P/N S
SP-SC-14 Public Access Protections (14) (14) (14) Y/N I/C/R/N S/R/C/P/N S
SP-SC-15 Collaborative Computing () (15) (15) Y/N I/C/R/N S/R/C/P/N S
SP-SC-16 Transmission of Security Parameters () () () Y/N I/C/R/N S/R/C/P/N S
SP-SC-17 Public Key Infrastructure Certificates () (17) (17) Y/N I/C/R/N S/R/C/P/N S
SP-SC-18 Mobile Code () (18) (18) Y/N I/C/R/N S/R/C/P/N S
SP-SC-19 Voice Over Internet Protocol () (19) (19) Y/N I/C/R/N S/R/C/P/N S
SP-SI-1 System and Information Integrity Policy and Procedures (1) (1) (1) Y/N I/C/R/N S/R/C/P/N S
SP-SI-2 Flaw Remediation (2) (2) (2) Y/N I/C/R/N S/R/C/P/N S
SP-SI-3 Malicious Code Protection (3) (3 3.1) (3 3.1 3.2) Y/N I/C/R/N S/R/C/P/N S
SP-SI-4 Intrusion Detection Tools and Techniques () (4) (4) Y/N I/C/R/N S/R/C/P/N S
SP-SI-5 Security Alerts and Advisories (5) (5) (5) Y/N I/C/R/N S/R/C/P/N S
SP-SI-6 Security Functionality Verification () (6) (6 6.1) Y/N I/C/R/N S/R/C/P/N S
SP-SI-7 Software and Information Integrity () () (7) Y/N I/C/R/N S/R/C/P/N S
SP-SI-8 Spam and Spyware Protection () (8) (8 8.1) Y/N I/C/R/N S/R/C/P/N S
SP-SI-9 Information Input Restrictions () (9) (9) Y/N I/C/R/N S/R/C/P/N S
SP-SI-10 Information Input Accuracy, Completeness, and Validity () (10) (10) Y/N I/C/R/N S/R/C/P/N S
SP-SI-11 Error Handling () (11) (11) Y/N I/C/R/N S/R/C/P/N S
SP-SI-12 Information Output Handling and Retention () (12) (12) Y/N I/C/R/N S/R/C/P/N S
Policy elements
Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved