SEARCHITSecurity Assessment Tool

SEARCH IT Security Self- and Risk-Assessment Tool
Table of Contents
Introduction
Gathering Preliminary Information for a Security Self- and Risk-Assessment Project

System Questionnaire Cover Sheet
Management Technical
1. Risk Management 15. Identification and Authentication
2. Review of Security Controls 16. Logical Access Controls
3. Lifecycle 17. Audit Trails
4. Authorize Processing (Certification and Accreditation)
5. System Security Plan State and Local Law Enforcement-Specific IT Security Controls
18. FBI CJIS Compliance
Operational
6. Personnel Security
7. Physical and Environment Protection
8. Production, Input/Output Controls
9. Contingency Planning
10. Hardware and System Software Maintenance
11. Data Integrity
12. Documentation
13. Security Awareness, Training, and Education
14. Incident-Response Capability
Return to Table of Contents
Introduction
• This SEARCH IT Security Self- and Risk-assessment Tool© is based on two NIST Special Publications: 800-26 (Security Self-Assessment Guide
for Information Technology Systems, November 2001) and 800-53 (Recommended Security Controls for Federal Information Systems, February
2005).
• This self-assessment tool utilizes an extensive questionnaire containing specific control objectives and suggested techniques against which the
security of a system or group of interconnected systems can be measured.
• The questionnaire can be based primarily on an examination of relevant documentation and a rigorous examination and test of the controls.
• This tool does not establish new security requirements.
• The control objectives are abstracted directly from long-standing requirements found in statute, policy, and guidance on security and privacy.
• The goal of this tool is to provide a standardized approach to assessing an information system.
• To assist the user, a reference source is listed after each control objective question listed in the questionnaire. (Note: All references are
hyperlinked to the referenced documents.)
• The tool may be used to assess the status of security controls for a system, an interconnected group of systems, or agencywide.
• This tool is not intended to be a comprehensive review or list of control objectives and related techniques.
• The control objectives and techniques presented are generic enough that they can be applied to both private- and public-sector organizations.
• This tool can be used by all levels of management within the criminal justice community who are responsible for IT security at the system level or
organization level.
TERMS OF USE
The SEARCH IT Security Self- and Risk-Assessment Tool© is intended to assist you in your IT security planning. It was developed to provide
strategies and a methodology for gauging your IT security risks and needs. It should not be construed as legal advice for any specific factual
situation. It does not replace or supersede any laws, policies, procedures, rules and ordinances applicable to your jurisdiction. It is used at your own
risk, and the user assumes all liability for its use. The Tool is a companion to Law Enforcement Tech Guide for Information Technology Security:
How to Assess Risk and Establish Effective Policies©. Both the Tool and the Tech Guide were produced for the U.S. Department of Justice Office
of Community Oriented Policing Services by SEARCH. Because of the nature of this product, users may modify the Tool. We ask that if the Tool is
revised and/or reproduced and redistributed, that credit be given to SEARCH, The National Consortium for Justice Information and Statistics, as the
creator of this software product.
For questions or assistance regarding the use of this Tool, contact SEARCHITTool@search.org.
Gathering Preliminary Information for a

Security Self- and Risk-assessment Project
How do you start the self-assessment process? If you have never done a self-assessment evaluation, it can be confusing as to exactly where you need to begin. The best
place to start is to locate and gather existing information that is already available either within your organization or from higher levels in your governmental structure. The
purpose of this activity is to try to assemble all available information into one place for easy reference. Once this information is gathered, you can then begin to answer the
questions in this SEARCH IT Security Self- and Risk-assessment Tool. A side benefit of this exercise is that most of the information that you gather can be applied to more
than one area. In addition, the more information that you gather, the easier it will be when you start to answer the self-assessment questions.
For your benefit, we have created a list of possible information sources that you should investigate. It will be up to you to dig out the information for your project. Most of the
information that you find should be helpful to your security self-assessment process. However, because each agency is different, your agency may or may not have some of
the sources listed below. Because of this, you should try to locate other sources of information, unique to your environment, that will be helpful to your security activities.
The self-assessment process itself is not an easy or quick exercise! You need to understand that it will take a significant investment of time, agency personnel resources, and
research to complete and it will require you to do quite a bit of research. Your goal is to try to really understand your IT system so that all pertinent risks are discovered.
Kickoff: Gathering the Preliminary Organization Data
Initially, you should gather the following data concerning your organization and how it relates to higher agencies in your governmental structure. Additionally, you need to
identify the systems for which you what to develop security policies. The information you need to gather is:
1. Identify and list all the controlling organizations of your agency, up to and including the federal level, if applicable.
a. If you are a local police department, the first level outside your agency will probably be your city or county government.
b. If you are working at the state level, you may not have a controlling organization if the head of your agency already reports to the governor or a committee of
the state legislature.
c. The federal level becomes important if your agency either uses services from or receives funding from a federal agency.
The list you develop should contain the following information at the minimum:
a. Agency name.
b. Relationship to your organization.
c. Enumerate areas of control related to your organization. What oversight does this agency exercise with respect to your organization?
d. Enumerate the first-level contacts within those agencies that your people would normally contact. These are the “go-to” people in the other agency.
2. List the systems and/or locations that you initially want to include for your security self-assessment activities. As the self-assessment project progresses, you may
discover that you need to add more systems / locations to your list as you discover how your system is used or how it is interconnected to other systems.
a. For each location in your list, create a list of the IT systems that you want to assess.
b. For each system, create a list of people who understand the system, both technically and functionally.
The next collection of information that you need to gather relates directly to the National Institute of Standards and Technology (NIST) self-assessment
questionnaire. The list is divided into the three control categories, as enumerated by NIST.
Management Controls
This section deals with the techniques and concerns that are normally addressed by management. Your senior management team is responsible for the overall management
of your IT systems. They are also responsible for setting the level of risk your agency is willing to accept. As preparation for the self-assessment questionnaire, you should
gather and organize as much of the following information as possible.
1. Acquire the business / mission statement(s) of your agency. Ideally, this has been written down in some detail.
2. Audit reports will potentially provide you with a lot of good information related to your organization and IT systems. Specifically, you need to identify and collect
any existing audit reports that relate to:
a. Your agency–-the audit reports may have been created for any purpose (financial, security, or otherwise) or
b. The IT infrastructure–-the audit repots may have been created for the data network, physical security, emergency preparedness, etc.
3. Obtain copies of any existing agency policies, procedures, memoranda, etc., related to IT systems control and/or IT security in particular.
4. Obtain copies of building design and construction details for any location that houses IT systems or users of IT systems that are part of this self-assessment
activity.
5. Obtain, if they exist, the project plans, project specifications, proposals, requests for price requests (RFPs), etc., for all IT systems that are part of this self-
assessment.
6. Do you have any agreements that have been made between your department and any other entities that relate to the IT systems that are part of this self-
assessment? Some of the agreements may be:
a. Service agreements–-these agreements are typically between the service provider (usually the IT department, which maybe part of another agency) and your
organization.
b. Availability agreements–-these agreements would typically be made with your end users to guarantee system availability. In addition, they may also cover
their responsibilities to maintain security, confidentiality, and controlled access to the system.
7. Identify the most senior person in your organization responsible for each IT system under review.
a. Obtain a copy of their job description.
b. Obtain any memoranda or letters of understanding addressed to this person related to the IT system under review.
8. Identify the organization that is responsible for maintaining the IT system. Gather the following information:
a. If the IT system is a commercial product:
i. Obtain a copy of the license agreement.
ii. Obtain a copy of the support agreement.
iii. Determine what policies/procedures they have related to maintenance and support of the IT system.
iv. Does this organization maintain records of system changes, modifications, and/or upgrades?
b. If the system was developed in-house (this may be the city or county IT department):
i. Obtain system design documentation.
ii. Obtain copies of structured walkthroughs or other development documentation that were created when the system was built.
iii. Obtain copies of maintenance logs.
iv. Obtain copies of all requests for system changes/modifications.
9. Obtain the initial and subsequent budget justifications for the IT system. Determine what were the financial justifications for the IT system.
10. Identify any other IT systems that either supply information to, or receive information from, the IT system under review. Obtain the same information for those
systems as you are doing for this system.
11. Does your agency have any business resumption plans? If so, obtain copies of these plans.
Operational Controls
Operational controls address security methods implemented and executed by people (as opposed to systems). Since people are usually the weakest link in the chain of
security, this area is important to understand. Your employees and users of the IT systems must understand their jobs and how they affect and are responsible for
security. Accordingly, you will need to gather the following information:
1. Identify all persons who use, maintain, or otherwise interact with the IT system under review.
a. Obtain a copy of the personnel policies related to the job performance of these persons.
b. Obtain the job descriptions of these persons.
2. Obtain a copy of the personnel policy for your organization and any other organization that provides support for the IT system under review.
3. Identify the person or persons who are responsible for controlling and/or administering the IT system under review.
a. Request, if they exist, any memoranda, procedures, or guides that are used in the administration of the IT system.
b. If these persons reside in other agencies, obtain copies of their job descriptions and a copy of that agency’s personnel policies.
4. Identify the group or persons responsible for the maintenance / support of the IT system under review.
a. Request, if they exist, any memoranda, procedures, or guides that are used in the maintenance / support of the IT system under review.
b. If these persons reside in other agencies, obtain copies of their job descriptions and a copy of that agency’s personnel policies.
5. Identify the agency and/or persons responsible for the physical security of any location where the IT system is either used or resides.
a. Obtain copies of any policies, memoranda, procedures, guidelines, etc., that determine how physical security is established and maintained.
b. If the responsible agency lies outside of your organization, obtain copies of their job descriptions for persons responsible for security and a copy of that agency’s
personnel policies.
6. Identify the agency and/or persons responsible for the building maintenance and support at any location where the IT system under review is either used or resides.
a. Obtain copies of any policies, memoranda, procedures, guidelines, etc., that determine how this support established and maintained.
b. If the responsible agency lies outside of your organization, obtain copies of the job descriptions of persons involved in supporting the physical plant and a copy of
that agency’s personnel policies.
7. Determine if any outside agencies have disaster plans relating to the physical plant where your users and/or IT system resides. If they exist, obtain copies of these
plans.
a. Do these plans provide for backup power, utilities, air conditioning, etc.?
8. Have any controls, policies, or procedures been developed that address data security? If so, obtain copies of these items.
9. Has any contingency planning been done for the IT system under review? If so, obtain a copy of the plan.
10. Are there any controls and/or audits that relate to data integrity? If so, obtain copies of the material.
11. If your organization has a training section, is it tasked with security awareness training? If so, obtain a copy of their training charter and training material related to
security.
12. Does your organization have an incident response team? If so, does it have any plans for a response to an IT security breach? If so, then obtain a copy of their
charter and procedures.
Technical Controls
1. For each system identified, gather the following information so that it is readily available for the self-assessment process. A written report may be the best method of
assembling this data. Specifically, you will need to:
a. Identify the system
i. What is the system name?
ii. Describe what the system is used for. Use one-half to one full page for the description.
iii When was it first installed?
iv. What is the current release or version number of the system?
v. What are the major system components? Create a written technical overview of the system.
vi. Who is responsible for the maintenance of the system?
vii. Does this group maintain a list of system changes, updates, modifications, maintenance, etc.? If so, collect a copy of this information.
viii. Identify the location of the installed system.
ix. Identify and record all system configuration parameters made during and subsequent to the system’s installation. Identify, if possible, any justifications made for
the selection of system configuration parameters.
b. Create a data flow diagram

i. Identify input data, its source, and form.
ii. Identify output data, where it is used, and in what form.
iii. Identify stored data within the system.
1) Where is it stored?
2) Is the data backed up and, if so, where are the backups stored?
c. Create a work flow diagram
i. Identify all locations where the system is accessed from.
ii. Identify the persons and groups that access the system and how they relate to the data flow of the system.
2. If the system requires authorization for use, identify the person or group responsible for administration.
a. Obtain, if they exist, any policies or procedures this group uses to administer access to the system.
b. Does this group have any review polices relating to the administration activities? If so, obtain copies of the policies.
3. Does any person or group profess to be owners of the system? If they can be identified, obtain a list of their expectations related to the operation of the system.
Next Steps
At this point, you will have collected a large amount of information relating to the IT systems you preparing to audit. The above information should be organized so you
can locate the various pieces easily. All the work you have done will be of great benefit as you begin the self-assessment process.

System Questionnaire Cover Sheet
System Name, Title, and Unique Identifier: _______________________________________________________
Major Application ____________________ or General Support System __________________
Name of Assessors:
Date of Evaluation: _________________________
Name of System
List of Connected Systems:
Purpose and Objective of Assessment:

Management
Management controls focus on the management of the IT security system and the management of risk for a system. They are techniques and concerns that are normally addressed by management.
1. Risk Management
Risk is the possibility of something adverse happening. Risk management is the process of assessing risk, taking steps to reduce risk to an acceptable level, and maintaining that level of risk. The following
questions are organized according to two critical elements. The levels for each of these critical elements should be determined based on the answers to the subordinate questions.
Level 1. Documented
Level 2. Documented
PolicyLevel 3. Implemented
Procedures
Level 4. Tested
Procedures
Level and 5.Evaluated
Fully
and Controls
Integrated Remote:
Procedures
Procedures Low:
and Controls
and
The Controls
risk The
probablyAvoidance:
risk iswill
manageable Ranking
not occur Avoidance
throughthe risk
because is according
planning
the
oftenriskused
would
andfortobe
your
action,
risks
difficult
and
thatthe
have
to realize,
the capacity
or for negative impact, but have little
a. Does your a. agency
Does your
havea. agency
a Have
formallythe
havedocumented
procedures
a.
formal,
Is a measurement
complete,
and
and
a. Does
controls
disseminated
and
your
program
well-documented
been
agency implemented?
policy
in place
havethere
a
that
fully
routinely
operational,
are solid evaluates
impacts
means comprehensive
the
generally
in place
knownadequacy
to
are security
categorization,
recourse.
limit andrisk
minimal.
the Inprogram
security that
quantification,
appropriately. is an a
projects, integral
andpart
decision tolerance
to of yourrisks
avoid of often means a decision not to let your
Effectiveness Ranking
References
on that security procedures
control?for b. Are
the the
policies
following
effectiveness
defined statements
at agency’s
level
of security
1?true?
culture?
policies, procedures, and controls? agency put itselfeachin based on the likelihood,
the situation severity,
where it could and
incur the risk. Therefore, your decision would also be to
NIST SP 800-53 b. Does
RA-2 the policy
b. Do define
the procedures:
1)
i. Are
purpose
the owners
and
b. Are
scope
and
theusers
offollowing
the
b. Are
aware
policy,
theelements
of
2)
following
the security
in place?
statements
policies true?
and procedures? avoid the cause
Possible: The Medium:
risk has The
a chance
risk will
tolerance
of
of occurring, the
be mitigated
levels.
risk.
butthrough
Risk
This simple weighting
it may be planning
difficultand
Decisions
or there
action,
allows
are controls in
Assessment Questions OMB Circularresponsibilities
A-130, III i. List required
the control
for
ii. Have
itsareas
execution,
theand
policies
i. An
clearly
and
effective
and3)
state
compliance
procedures
i. There
program
the agency’s
is an
been
requirements
foractive
evaluating
position?
formally
agencywide
adopted
the adequacy
security
and the
and
program
technical
effectiveness
that
controls
achieves
of security
for
cost-effective
the
policies,
agency security.
to easily rank the priority of
place to helpalthough
avoid theifrisk.
it occurs, it will still have some impact on some of the
L.1
and L.2 installed?
penalty specification?
ii. Document L.3
their applicability—clearly
procedures, and ii. list L.4
ITcontrols.
security
when, where, how, L.5
is an integratedto whom,
practice within the asset (IT system).
more important Assume:
areas of The
action required to eliminate the greatest risks
decision to assume a risk means accepting the risk as-is, and not implementing any
concern.
and about what iii. Isthea security
procedure
ii. Ameasurement
mechanism
applies? iii. Security
for
program
identifying
vulnerabilities
in place?
vulnerabilities
(ongoing
are understood
security
revealedcompliance
and
by security
managed. incidents first.
or security
iii. List the assignment
measurement) of alerts.
IT responsibilities
iv. Threatsand define
are continually Likely:
Feedback/
explicit behavior? Due to
reevaluated, conditions
and
policies
controls and
or procedures
capabilities,
are adapted to a the
to lessen
risk
changing
it. to
is security
likely This is often the decision in cases where the risk is so minimal and of
occur.
environment.
Policy Proceduresiv. Hasofmanagement
iv. Identify points
Implemented
contact
iii. Aand
process
where
formally
v.
Measuring
for supplementary
Additional
reporting
authorized and/or
significant
the information
use
moreofsecurity be High:
cost-effective
the can
system?
weaknesses
Description
The
security
limited
risk
andalternatives
ensuring
of
will have Identified
impact
rapid
are
should
serious
Examples
Risk
identified
it occur
impacts
and effective
ofas and
possible
the
that
need
theLikelihood
without cost
weighting:
arises.
of implementing
extensive Severity
a mechanism Risk Tolerance
to minimize Action
or reduce it wouldPriority
Reassessment be far greater than the agency’s concern.
found? v. Have employee remedialjob descriptions
action.
vi. Costs and been benefits
updated ofto
security
includeare planning
security
measured and action,
responsibilities
as precisely its
as consequences
that practicable. would be
1= Likely+High+Assume severe.
Risk Management IT systems exist in ever-changing environments.
Consequently, the risk profile of your IT system changes the implemented controlsvii. require?
Status metrics for the security program are established and 2= met. Possible+Medium+Mitigate
over time. Does your agency have any policyvi. thatHave employees been trained on security procedures? Mitigate: This is the most common decision to make for identified risks: to implement policies,
3= Remote+Low+Transfer
In order toaunderstand the risks tosystem
your IT risk
system, the procedures, and other security controls to limit the risk to an acceptable level.
1.1. Critical Element: requires reassessment of IT on a
system
periodicmust be fully
basis? documented.
This needs to be At a minimum,
done to manage it the
Is risk periodically assessed? should Transfer: Transfer the responsibility for a system or the risk itself to another party that can better
overall contain
risks of the
the following:
IT system and1) akeep
description
the levelof of
all risks
functions,
acceptable2)toamanagement.
data dictionary of all data collected / used accept and deal with the risk and/or has the resources necessary to properly mitigate the risk.
1.1.1 Is the current system configuration by the system, and 3) a description of all reports / output
data. In addition, links to other systems must be fully
documented, including links to other systems?
documented. This documentation should contain: 1) a
description of the
Yourlink (whatshould
agency it is, how
haveit ais policy
established,
that requires periodic
1.1.2 Are risk assessments performed and and so forth), and 2) a reassessments
security description of the of ITdata sent over
systems. Your agency
documented on a regular basis or wheneverthe thelink and under
shouldwhat circumstances.
document the results of the assessments and
system, facilities, or other conditions change, and is store them for reference.
management made aware of any new risks?
1.1.3 As changes are made to the system, are risk

assessments completed and presented to
management?
1.1.4 Have data sensitivity and integrity of the data

been considered?
1.1.5 Have threat sources, both natural and man-

made, been identified?
1.1.6 Have you identified, documented, and

maintained a current list of known system
vulnerabilities, system flaws, or weaknesses that
could be exploited?
1.1.7 Has an analysis been conducted that

determines whether the security requirements in
place adequately mitigate vulnerabilities?
Sensitive data -- Any data whose release could cause adverse
consequences to your agency.
1.2. Critical Element:
Data integrity -- The high probability that data are not altered
Does the manager responsible for the system
inadvertently.
understand the risk to systems under his or her
control and determine the acceptable
All data collected level in
and processed of your IT system should be
risk? classified as to their sensitivity and by their integrity
requirements. Data such as social security numbers, child
protective services case data, and investigative data would be
considered sensitive data. Data such as drug test results would
1.2.1 Are finalrequire a high level of and
risk determinations integrity.
related
management approvals documented and maintained
on file?
1.2.2 Has a mission/business impact analysis been

conducted?
NISTtoSP
1.2.3 Have controls been identified 800-53 RA-3
sufficiently
mitigate identified risks? FISCAM SP-1

NIST SP 800-53 RA-2
FISCAM SP-1
NOTES:
Threat -- The potential that something bad may happen
to your IT system.
Some natural threat sources are earthquake, tsunamis,

or fire. Some man-made threat sources are theft of
hardware, fire, hacking, theft of data, etc.
Your agency should

NIST have
SP 800-53
a policyCA-5,
in place
RA-3
that requires a
periodic assessment
NIST SPof the
800-30
potential threats to your IT
system. Write this list down and maintain it.
Your agency will need to conduct research to determine

This question assumes the following:
Threat -- The potential that something bad may happen
to your IT system.
Some natural threat sources are earthquake, tsunamis,

or fire. Some man-made threat sources are theft of
hardware, fire, hacking, theft of data, etc.
Your agency should

NIST have
SP 800-53
a policyCA-5,
in place
RA-3
that requires a
periodic assessment
NIST SPof the
800-30
potential threats to your IT
system. Write this list down and maintain it.
Your agency will need to conduct research to determine

This question assumes the following:
what threats might apply to your IT system. If you are
1) An existing security policy program is in place.
using commercial software, your vendor may be able to
2) Your management team has reviewed the prepolicy
help you with the list.
risks and recommended security policies.
3) You have developed security controls, contained
within security policies, that are expected to reduce the
risks to acceptable levels.
From the above information, you need to determine the

probability that the security controls will reduce the risk
exposures down to levels that are acceptable to the
management team.
NIST SP 800-53 RA-3

NIST SP 800-30
Management must be involved in all levels of risk-management

activities. Senior management sets and determines the acceptable
risk levels for your agency.
Written records are one of the keys to an effective risk-management

program. Without written records, you cannot keep track of where
your agency started
NIST or
SPwhy the decisions
800-53 RA-3 were made to bring you to
where you areFISCAM
now. SP-1
The risk-management process first identifies risks associated with your

IT system. The impact analysis refers to what would happen if one or
more of these risks became reality. The impact focuses on the three
security goals of integrity, availability, and confidentiality. You need to
quantify, for each risk, the loss of integrity, the loss of availability, and
the loss of confidentiality.
NIST SP 800-53 RA-3
NIST SP 800-30
NIST SP 800-53 CA-5, RA-3

NIST SP 800-30
The risk-management process first identifies risks associated with your
IT system. The impact analysis refers to what would happen if one or
more of these risks became reality. The impact focuses on the three
security goals of integrity, availability, and confidentiality. You need to
quantify, for each risk, the loss of integrity, the loss of availability, and
the loss of confidentiality.
NIST SP 800-53 RA-3
NIST SP 800-30
NIST SP 800-53 CA-5, RA-3

NIST SP 800-30
Comments
A13: IT systems exist in ever-changing environments. Consequently, the risk profile of your IT system changes over time. Does your agency have any policy that requires a reassessment of IT system risk on a periodic basis? This needs to be done to manage the overall risks of the IT system and keep the level of risks acceptable to
management.
A14: In order to understand the risks to your IT system, the system must be fully documented. At a minimum, it should contain the following: 1) a description of all functions, 2) a data dictionary of all data collected / used by the system, and 3) a description of all reports / output data. In addition, links to other systems must be fully documented. This
documentation should contain: 1) a description of the link (what it is, how it is established, and so forth), and 2) a description of the data sent over the link and under what circumstances.
A15: Your agency should have a policy that requires periodic security reassessments of IT systems. Your agency should document the results of the assessments and store them for reference.
A17: Sensitive data -- Any data whose release could cause adverse consequences to your agency.
Data integrity -- The high probability that data are not altered inadvertently.
All data collected and processed in your IT system should be classified as to their sensitivity and by their integrity requirements. Data such as social security numbers, child protective services case data, and investigative data would be considered sensitive data. Data such as drug test results would require a high level of integrity.
A18: Threat -- The potential that something bad may happen to your IT system.
Some natural threat sources are earthquake, tsunamis, or fire. Some man-made threat sources are theft of hardware, fire, hacking, theft of data, etc.
A19: Your agency should have a policy in place that requires a periodic assessment of the potential threats to your IT system. Write this list down and maintain it.
Your agency will need to conduct research to determine what threats might apply to your IT system. If you are using commercial software, your vendor may be able to help you with the list.
A20: This question assumes the following:

1) An existing security policy program is in place.
2) Your management team has reviewed the prepolicy risks and recommended security policies.
3) You have developed security controls, contained within security policies, that are expected to reduce the risks to acceptable levels.
From the above information, you need to determine the probability that the security controls will reduce the risk exposures down to levels that are acceptable to the management team.
A22: Management must be involved in all levels of risk-management activities. Senior management sets and determines the acceptable risk levels for your agency.
A23: Written records are one of the keys to an effective risk-management program. Without written records, you cannot keep track of where your agency started or why the decisions were made to bring you to where you are now.
A24: The risk-management process first identifies risks associated with your IT system. The impact analysis refers to what would happen if one or more of these risks became reality. The impact focuses on the three security goals of integrity, availability, and confidentiality. You need to quantify, for each risk, the loss of integrity, the loss of availability,
and the loss of confidentiality.
B11: NIST SP 800-53 RA-2

OMB Circular A-130, III
B17: NIST SP 800-53 RA-2

FISCAM SP-1
B18: NIST SP 800-53 RA-3

FISCAM SP-1
B19: NIST SP 800-53 CA-5, RA-3

NIST SP 800-30
B20: NIST SP 800-53 RA-3

NIST SP 800-30
B23: NIST SP 800-53 RA-3

FISCAM SP-1
B24: NIST SP 800-53 RA-3

NIST SP 800-30
B25: NIST SP 800-53 CA-5, RA-3

NIST SP 800-30
C10: Level 1. Documented Policy

a. Does your agency have a formally documented and disseminated policy on that security control?
b. Does the policy define 1) purpose and scope of the policy, 2) responsibilities required for its execution, and 3) compliance requirements and penalty specification?
D10: Level 2. Documented Procedures

a. Does your agency have formal, complete, and well-documented procedures for the policies defined at level 1?
b. Do the procedures:
i. List the control areas and clearly state the agency’s position?
ii. Document their applicability—clearly list when, where, how, to whom, and about what the procedure applies?
iii. List the assignment of IT responsibilities and define explicit behavior?
iv. Identify points of contact and where supplementary information can be found?
E10: Level 3. Implemented Procedures and Controls

a. Have the procedures and controls been implemented?
b. Are the following statements true?
i. Are the owners and users aware of the security policies and procedures?
ii. Have the policies and procedures been formally adopted and the technical controls installed?
iii. Is a security measurement program in place? (ongoing security compliance measurement)
iv. Has management formally authorized the use of the system?
v. Have employee job descriptions been updated to include security responsibilities that the implemented controls require?
vi. Have employees been trained on security procedures?
F10: Level 4. Tested and Evaluated Procedures and Controls
a. Is a measurement program in place that routinely evaluates the adequacy and effectiveness of security policies, procedures, and controls?
b. Are the following elements in place?
i. An effective program for evaluating the adequacy and effectiveness of security policies, procedures, and controls.
ii. A mechanism for identifying vulnerabilities revealed by security incidents or security alerts.
iii. A process for reporting significant security weaknesses and ensuring rapid and effective remedial action.
G10: Level 5. Fully Integrated Procedures and Controls

a. Does your agency have a fully operational, comprehensive security program that is an integral part of your agency’s culture?
i. There is an active agencywide security program that achieves cost-effective security.
ii. IT security is an integrated practice within the asset (IT system).
iii. Security vulnerabilities are understood and managed.
iv. Threats are continually reevaluated, and controls are adapted to a changing security environment.
v. Additional and/or more cost-effective security alternatives are identified as the need arises.
vi. Costs and benefits of security are measured as precisely as practicable.
vii. Status metrics for the security program are established and met.
I10: Remote: The risk probably will not occur because the risk would be difficult to realize, or there are solid means in place to limit the risk appropriately.
Possible: The risk has a chance of occurring, but it may be difficult or there are controls in place to help avoid the risk.
Likely: Due to conditions and capabilities, the risk is likely to occur.
J10: Low: The risk is manageable through planning and action, and the impacts generally are minimal.
Medium: The risk will be mitigated through planning and action, although if it occurs, it will still have some impact on some of the more important areas of concern.
High: The risk will have serious impacts and without extensive planning and action, its consequences would be severe.
K10: Avoidance: Avoidance is often used for risks that have the capacity for negative impact, but have little known recourse. In security projects, a decision to avoid risks often means a decision not to let your agency put itself in the situation where it could incur the risk. Therefore, your decision would also be
to avoid the cause of the risk.
Assume: The decision to assume a risk means accepting the risk as-is, and not implementing any policies or procedures to lessen it. This is often the decision in cases where the risk is so minimal and of limited impact should it occur that the cost of implementing a mechanism to minimize or reduce it would
be far greater than the agency’s concern.
Mitigate: This is the most common decision to make for identified risks: to implement policies, procedures, and other security controls to limit the risk to an acceptable level.
Transfer: Transfer the responsibility for a system or the risk itself to another party that can better accept and deal with the risk and/or has the resources necessary to properly mitigate the risk.
L10: Ranking the risk according to your categorization, quantification, and tolerance of each based on the likelihood, severity, and tolerance levels. This simple weighting allows for the agency to easily rank the priority of action required to eliminate the greatest risks first.
Examples of possible weighting:

1= Likely+High+Assume
2= Possible+Medium+Mitigate
2. Review of Security Controls
Routine evaluations and response to identified vulnerabilities are important elements of managing the risk of a system. The following questions are organized according to two critical elements. The levels for each of these
critical elements should be determined based on the answers to the subordinate questions.
Very few IT systems are stand-alone systems. Most systems receive data from and/or supply data to other systems.
The security of your target system under review is dependent on the security of these other systems. It is critical
References
that you identify ALL interconnected systems and understand how they relate to your target system.
Risk Decisions
Assessment
Management Questions
has the responsibility to request a review of these security interrelationships. Comments
L.1 L.2 L.3 L.4 L.5 Remote: The risk probably Low:willThe
not
risk
occur
is manageable
because the through
risk Ranking
Avoidance:
would
planning the
and risk
be difficult toaccording
action,
Avoidance realize,
isand orto
the
often your
used for risks that have the capacity for negative impact, but have little
Level 1. Documented LevelPolicy
2. Documented LevelProcedures
3. Implemented Level Procedures
4. Tested and
and Controls
Evaluated
LevelProcedures
5. Fully Integrated
and Controls there are
Procedures andsolid means inimpacts
Controls place togenerally
limit the risk
are minimal.
appropriately.knowncategorization, quantification,
recourse. In security projects,and tolerance
a decision to avoid risks often means a decision not to let your
a. Does your agency a. Does
have your
a formally
agency
a.
documented
have
Have formal, a. IsFeedback/
the procedures
andcomplete,
disseminated
and
a measurement
and
controls
well-documented
policybeen program
implemented?
a. Doesin place
your agency
that routinely
have a evaluates
fully operational,
the adequacy
comprehensive
and security program that is anagency ofput
integraleach
part based
itself
of youron the
in the likelihood,
situation whereseverity,
it could and
Policy Procedures Implemented Measuring Description of Identified Risk Likelihood Severity Risk
tolerance Tolerance
levels. This simple Action
weightingPriority
allows
on that security control?
procedures for theb. policies
Are thedefined
following Reassessment
at effectiveness
level
statements
1? true?
of security policies,
agency’sprocedures,
culture? Possible: The risk has Medium:
and controls? a chance ofThe
occurring,
risk willbut
be it mayavoid
mitigated the cause
be difficult
through or of the
planning
there arerisk.
andcontrols
action,in
NIST SP 800-53 b.CA-1
Does the policy b.define
Do the1) procedures:
purpose and
i. Arescope
the owners
of the policy,
and
b. Are
users
2)theaware
following
of theelements
security
b. Areinpolicies
the
place?
following
and procedures?
statements true? for the agency to easily rank the priority of
Review of Security Controls place to help avoid the risk.
although if it occurs, it will still have some impact on some of the
OMB Circular A-130, III action required to eliminate the greatest risks
responsibilities required
i. List the
for control
its execution,
areas
ii. Have
and
andthe
clearly
3)policies
compliance
state
i.and
An the
effective
procedures
requirements
agency’sprogram
position?
been formally
for
i. evaluating
There adopted
is anthe
active
and
adequacy
the
agencywide
technical
and effectiveness
security
controlsprogram
of security
thatmore
achieves
policies,cost-effective
important concern.Assume: The decision to assume a risk means accepting the risk as-is, and not implementing any
areas ofsecurity.
FISCAM SP-5 and penalty specification?ii. Document their installed?
applicability—clearly procedures,
list when, and
where,
controls.
how, ii.
toITwhom,
security is an integrated practice first.
NIST SP 800-18 Likely: within
Due tothe asset (IT
conditions system).
and policies
capabilities, the risk is likely or procedures to lessen it. This is often the decision in cases where the risk is so minimal and of
to occur.
and about what the iii.procedure
Is a security
applies?
measurement
ii. A mechanismprogramfor identifying
in place?
iii. Security
(ongoing
vulnerabilities
vulnerabilities
security
revealed
compliance
arebyunderstood
security incidents
and managed.
or security
High: The risk will have serious impacts
limited impact shouldextensive
and without it occur that the cost of implementing a mechanism to minimize or reduce it would
2.1. Critical Element: iii. List the assignment
measurement)
of IT responsibilities
alerts. and define explicitiv. behavior?
Threats are continually reevaluated, and controls are adapted to a changing securitybe Examples
environment. of possible weighting:
planning and action, its consequences farwould
greaterbethan the agency’s concern.
severe.
Have the security controls of the system and iv. Identify points ofiv.contact
Has management
and where iii.formally
supplementary
A process authorized
for reporting
information
thev.use
significant
Additional
of
can
thebesystem?
security
and/or more
weaknesses
cost-effective
and ensuring
securityrapid
alternatives are identified as the need arises.1= Likely+High+Assume
and effective
interconnected systems been reviewed? found? v. Have employee job remedial
descriptions
action.been updatedvi. Costs
to include
and benefits
security
ofresponsibilities
security are measured
that as precisely as practicable. 2= Possible+Medium+Mitigate
Mitigate : This is the most common decision to make for identified risks: to implement policies,
the implemented controls require? vii. Status metrics for the security program are established and met.
procedures, and other security controls to limit the risk to an acceptable level.
Management should mandate that corrective actions must be implemented for security vi. Have employees been trained on security procedures?
issues.
2.1.1 Has This will generally
the system and allrequire some
network form of communication on security issues to be
boundaries
presented to management on a recurring basis.
Transfer: Transfer the responsibility for a system or the risk itself to another party that can better
been subjected to periodic reviews? SystemsNIST
andSP
networks
800-53 change
CA-2 all the time. You should have a policy in place that requires a accept and deal with the risk and/or has the resources necessary to properly mitigate the risk.
formalFISCAM
review ofSP-5.1
system and network interconnections relating your IT systems.
2.1.2 Has an independent review been performed

when a significant change occurred? A common
NISThumanSP 800-53
tendency
CA-4 is to be oblivious to various facts at various
times. FISCAM
It is simply
SP-5.1
difficult for any single person to see all the security
issues OMB
concerning
Circular
a particular
A-130, III IT system. An independent review brings
2.1.3 Are routine self-assessments conducted? anotherNIST
set ofSPeyes
800-18
to look at your system and perhaps see things that
you missed. You should encourage independent reviews of your system
The self-assessment
NIST SP 800-53 process
CA-2 is not an all-or-nothing activity. You may choose to do a
to gain this perspective.
simpleNIST
self-assessment
SP 800-18on an annual basis for small systems. Only if you identify that
2.1.4 Are tests and examinations of key controls complex changes have occurred should you do a more in-depth self-assessment. It is
routinely made, i.e., network scans, analyses of really up
These NIST
tests
to you
and
SP 800-53
to
examinations
determine
CA-2how are part
oftenofself-assessments
the security measurement
should be conducted.
router and switch settings, penetration testing? program.
OMBThe Circular
purpose A-130,
of this8B3program is to establish ongoing tests to verify
that your
NIST security
SP 800-18
controls (which derive from your security policies) are
effective in reducing risks as expected. These tests and subsequent
reporting should be as automated as possible to reduce the possibility that
2.1.5 Are security alerts and security incidents someone will fail to accomplish a required task.
analyzed and remedial actions taken? This activity
NIST isSPpart
800-53
of theIR-4
security metric program. You should verify
that management
FISCAM SP-3-4has appointed a person or a group that is responsible
for reacting
NIST toSPand
800-18
handling security alerts and incidents.
Does management ensure that corrective actions
are effectively implemented? Identify how management has elected to receive input on security matters. If
there is no formal process, a process needs to be created to ensure effective
2.2.1 Is there an effective and timely process for
communication.
reporting significant weakness and ensuring NIST SP 800-53 CA-4
effective remedial action? FISCAM SP-5.1, 5.2
NIST SP 800-18
NOTES:
A11: Very few IT systems are stand-alone systems. Most systems receive data from and/or supply data to other systems. The security of your target system under review is dependent on the security of these other systems. It is critical that you identify ALL interconnected systems and understand how they relate to your target system.
Management has the responsibility to request a review of these security interrelationships.
A12: Systems and networks change all the time. You should have a policy in place that requires a formal review of system and network interconnections relating your IT systems.
A13: A common human tendency is to be oblivious to various facts at various times. It is simply difficult for any single person to see all the security issues concerning a particular IT system. An independent review brings another set of eyes to look at your system and perhaps see things that you missed. You should encourage independent reviews of your system to gain this perspective.
A14: The self-assessment process is not an all-or-nothing activity. You may choose to do a simple self-assessment on an annual basis for small systems. Only if you identify that complex changes have occurred should you do a more in-depth self-assessment. It is really up to you to determine how often self-assessments should be conducted.
A15: These tests and examinations are part of the security measurement program. The purpose of this program is to establish ongoing tests to verify that your security controls (which derive from your security policies) are effective in reducing risks as expected. These tests and subsequent reporting should be as automated as possible to reduce the possibility that someone will fail to accomplish a required task.
A16: This activity is part of the security metric program. You should verify that management has appointed a person or a group that is responsible for reacting to and handling security alerts and incidents.
A18: Management should mandate that corrective actions must be implemented for security issues. This will generally require some form of communication on security issues to be presented to management on a recurring basis.
A19: Identify how management has elected to receive input on security matters. If there is no formal process, a process needs to be created to ensure effective communication.
B9: NIST SP 800-53 CA-1

FISCAM SP-5
NIST SP 800-18
B12: NIST SP 800-53 CA-2

FISCAM SP-5.1
B13: NIST SP 800-53 CA-4

FISCAM SP-5.1
NIST SP 800-18
B14: NIST SP 800-53 CA-2

NIST SP 800-18
B15: NIST SP 800-53 CA-2

OMB Circular A-130, 8B3
NIST SP 800-18
B16: NIST SP 800-53 IR-4

FISCAM SP-3-4
NIST SP 800-18
B19: NIST SP 800-53 CA-4

FISCAM SP-5.1, 5.2
NIST SP 800-18





K8: Avoidance: Avoidance is often used for risks that have the capacity for negative impact, but have little known recourse. In security projects, a decision to avoid risks often means a decision not to let your agency put itself in the situation where it could incur the risk. Therefore, your decision would also be to avoid the cause of the risk.
Assume: The decision to assume a risk means accepting the risk as-is, and not implementing any policies or procedures to lessen it. This is often the decision in cases where the risk is so minimal and of limited impact should it occur that the cost of implementing a mechanism to minimize or reduce it would be far greater than the agency’s concern.
M8: Ranking the risk according to your categorization, quantification, and tolerance of each based on the likelihood, severity, and tolerance levels. This simple weighting allows for the agency to easily rank the priority of action required to eliminate the greatest risks first.

3. Lifecycle
Like other aspects of an IT system, security is best managed if planned for throughout the IT system life cycle. There are many models for the IT system life cycle, but most
contain five basic phases: initiation, development/acquisition, implementation, operation, and disposal. The following questions are organized according to two critical elements.
The levels for each of these critical elements should be determined based on the answers to the subordinate questions.
If your agency is considering implementing a major IT system, then you need to select one of the several system development life
cycle methodologies available. It is not that one methodology is better that another, but it is far more important that one is selected
References
and followed for the life of the project.
Risk Decisions
Assessment Questions Remote: The Low:
risk The
probablyAvoidance:
risk Ranking
iswill
manageable
not occurthe risk
Avoidance according
through
because to
isplanning
the
often
risk your
used
would
and for
action,
be
risks
difficult
and
thatthe
have
to realize,
the capacity
or for negative impact, but have little Comments
L.1 L.2 L.3 L.4 L.5 there are solidimpacts
meansgenerally
in place
known categorization,
to
are
recourse.
limit
minimal.
the risk quantification,
In security
appropriately.
projects,and tolerance
a decision toof
avoid risks often means a decision not to let your
Level 1. Documented Level 2. Policy
DocumentedLevel 3. Procedures
ImplementedLevel 4.Procedures
TestedLevel and and
Evaluated
5. Fully
ControlsIntegrated
Procedures Procedures
and Controls
and Controls agency each
putbased
itself on the situation
in the likelihood, severity,
where andincur the risk. Therefore, your decision would also be to
it could
a. Does your agency a. Does have
your a formally
agency
a. Have have
documented
theformal,
procedures
a. Iscomplete,
aand
measurement
and Feedback/
disseminated
controls
and
a. Does
well-documented
program
been
your
policy implemented?
agency
in place havethat
a fully
routinely
operational,
evaluatescomprehensive
the adequacy
tolerancesecurity
andlevels. program that isweighting
This simple an integral part of your
allows
Policy on that Procedures
securityprocedures
Implemented
control? for b. the Arepolicies
Measuring
the following
defined
effectiveness
statements
at level Reassessment
1?
ofagency’s
security
true? culture?
Possible:
DescriptionThe
policies, procedures, and controls?
Medium:
of Identified aavoid
risk has The riskthe
Risk
chance ofcause
will of the
occurring, risk.
Likelihood
be mitigated but through
it may be planningSeverity
difficult and
or there
action, Risk Tolerance
are controls in Action Priority
for the agency to easily rank the priority of
NIST SP 800-53 SA-1 b. Does the policy b. Do define
the procedures:
1) purpose
i. Are the andowners
scope b. Are
of
and the
the
users
policy,
following
aware
b.2) Areof
elements
the
thefollowing
security
in place? place
policies
statements andtotrue?
helpalthough
avoid theifrisk.
procedures? it occurs, it will still have some impact on some of the
Lifecycle OMB Circular A-130, III responsibilitiesi.required
List the control
for itsii.execution,
Have
areasthe andpolicies
and
clearly
i. An
3) compliance
effective
and
stateprocedures
theprogram
i.
agency’s
There
requirements
been
is
for
position?
anformally
evaluating
active agencywide
adopted
the adequacy
more important
andsecurity
theand
technical
program
Assume:
effectiveness
controls
areas of The
that achieves
of security
concern.
cost-effective
policies, security.
first.
mayLikely:
policies or procedures to lessen it. This is often the decision in cases where the risk is so minimal and of
The NISTFISCAM CC-1.1
Special Publication 800-30andcanpenalty specification?
assist you ii.inDocument
determiningtheir installed?
the applicability—clearly
sensitivity procedures,
of the system. list and
The when,
ii.controls.
IT security
where,
sensitivity of the how,
issystem
an to
integrated
whom, Due to
be practice conditions
within the asset and(ITcapabilities,
system). the risk is likely to occur.
driven by the nature of the data or by specific legislation. and about In anywhat iii.
the
event, Isyou
procedure
a security
should ii. measurement
applies?
A mechanism
understand iii.
why the program
forSecurity
identifying
system in
is vulnerabilities
place? vulnerabilities
sensitive (ongoing
before aresecurity High:
understood
revealed The
compliance
byand
security limited
risk
managed. will
incidentsimpact
have
Examples
should
orserious
security it occurand
impacts
of possible
that
weighting:
the cost
without of implementing a mechanism to minimize or reduce it would
extensive
youThe required
begin elements
the risk to secure
management your system may
process. iii.come fromassignment
List the several sources.
measurement) of ITSome of the sources
responsibilities
alerts. iv.may
and be: explicit
Threats
define are continually
behavior? reevaluated, planning andbe
and controls
far greater
action,
are1= its
adapted
than the agency’s
consequences
to a changing
Likely+High+Assume would concern.
be
securitysevere.
environment.
1) Management directive. iv. Identify points iv. Hasof contact
management and
iii. Awhere
process
formally
supplementary
for
v.
authorized
reporting
Additional information
significant
theand/or
use ofmorethe
security
cansystem?
cost-effective
be weaknesses security
and ensuring
alternatives
2=rapid are
andidentified
effectiveas the need arises.
Possible+Medium+Mitigate
As2)
Security
During
Since
part
Has a system development lifecycle methodology security
or
of
NIST
needs
NIST
before
the security
controls
Legislation.SP
to
SPsystem
be
800-54
800-53
designed
management
may design,
RA-1
be
CM-3into
implemented
your
the
process,
agency
system,inyour
should
various
notfound?
agency
added areas
on
should
outside
later.record
Ityour
v. is and
Have agency,
file allthe
employee changes
agreements
remedial toaction.
thewith
job descriptionssystem.
vi. Costs This
been andinformation
updated
benefits to is
of then
include
security
security
are measured Mitigate
responsibilities
as precisely
that : This
as is the most common decision to make for identified risks: to implement policies,
practicable.
been developed? referenced
significantly
identify
outside entities
security
GISRA
FISCAM
3) Externalduring
lessshould
risks
expensive
subsequent
CC-1.1
controls through
be intothe
(i.e., writing.
add
analysis
self-assessment
FBIsecurity
of the
Criminalduring
data
activities.
the
to Information
Justice be
design
Thisprocess
is the only
than
Services
the way
[CJIS]you
implemented can successfully
Division'scontrols track
CJIS Security
require? modifications
vii. Policy.
Status metrics to and
for the security program are established procedures, andandmet. other security controls to limit the risk to an acceptable level.
maintenance
after
processed
theNIST
system
and/or
ofSPyour
has
research
been
IT systems.
800-54 implemented.
of legislation controlling or
RA-1 vi. Have employees been trained on security procedures?
driving
For NIST
example:
the SP 800-53
process.
Assume your SA-2
county IT department is responsible for all IT system operations. If your
OMB
The Circular A-130,
risk-assessment
Clinger-Cohen processIII is the best way to establish Transfer: Transfer the responsibility for a system or the risk itself to another party that can better
agency isFISCAM
running CC-1.1,
a sensitive1.2application, then it would be reasonable that the systems manager accept and deal with the risk and/or has the resources necessary to properly mitigate the risk.
Initiation Phase perform ITbackground
system securitychecks requirements.
on all system personnel. Agreements of this type should be in writing.
NIST SP 800-18
3.1.1 Is the sensitivity of the system determined?
3.1.2 Does the plan document the resources

required to adequately secure the system?
3.1.3 Are authorizations for software modifications

documented and maintained?
3.1.4 Does the budget request include the security

resources required for the system?
Development/Acquisition Phase
This
Does
Like
In support
the
question
your
NIST
rest
agency,
ofof
the
simply
SP
the
security
800-54
when
risk
asks
management
contracting
if
accreditation
SA-4
security planning
with
process,
process,
outside
isallpart
the
test
suppliers,
organization
ofresults
the process.
include
should
conducts
security
be documented.
anrequirements
assessment of
and/or
the security specifications, either
NIST SP 800-54 CM-2
3.1.6 During the system design, are securitysecurity
explicitlycontrols
NIST
or by SP
The firstNIST
NIST
issueSP
reference,
is:
in800-18
the information
SP800-54
800-54
in IT system
What is RA-3,
OMB
an
SA-4
RA-3
system
“IT SA-4
acquisition
to determine
architecture”?
contracts
the based
extentonto an
which
assessment
the controls
of risk?
are In other words, can the system be
updated to handle
implemented new Circular
correctly, risks thatA-130,
operating are 8B3 and
as intended,
discovered during
producing
the lifetime
the desired
of theoutcome
system? with respect to
requirements identified? NIST
NISTSP SP800-30
800-18
meeting the security requirements for the system.
An IT architecture is a set of decisions that describe how an IT system should be constructed, how the structural elements of the
system
3.1.7 Was an initial risk assessment performed to should be created, and what the relationships should be between those elements. It is unlikely that your agency has an IT
determine security requirements? architecture. However, an IT architecture can be quite simple and very general.
If your agency has an IT architecture--which is really a set of design parameters that is applied generally to all systems in your
organization--then you can answer this question: “If you have an IT architecture, does the specific system under review adhere to
3.1.8 Is there a written agreement with program
managers on the security controls employed those
and parameters?" If not, then you need to explain the differences, and why the system deviates from the standards established for
your agency.
residual risk?
3.1.9 Are security controls consistent with and an

integral part of the IT architecture of the agency?
3.1.10 Do the solicitation documents (e.g., requests

for proposals) include security requirements and
evaluation/test procedures?
3.1.11 Do the requirements in the solicitation

documents permit updating security controls as new
threats/vulnerabilities are identified and as new
technologies are implemented?
Implementation Phase

A security
"Official"
The
Is
Depending
it organization
Are changes controlled as programs progress the intent
NIST
is
NIST
policy
on
whatever
NISTthe
SP
ofSP
NIST
NIST
simply
should
management
SP
800-54
classification
800-54
your
800-54
SP
SP
states
ensure
800-54
800-54
policies
S5-1
CA-3
MP-6
what
MP-6,
to
or
that
fund
sensitivity
say
PL-3
MP-6,
needs
1)MP-7
they
the
adequate
to
MP-7
staff
are
of
happen.
or
the
necessary
how
dataSecurity
any
to to
controlling
keep
controls are either the programs or procedures that actually implement the intent of
Do you
legislation
documentation
the
be have proven procedures and/or mechanisms to enable you to truly purge and/or destroy
through testing to final approval? Thisdestroyed,
security
OMB
NIST
is oneNIST
defines
NISTOMB
policies.
plan
NIST do
Circular
SP
for
SP
OMB
NIST
area NIST
current?
NIST
SPSPyou
Circular
800-18
them.
thatthe
800-18
keep
SPCircular
IT
SP
800-54A-130,
800-54
SP
will The
system
800-18
A-130,
records
NIST
800-54
800-54responsibility
require
SA-5
SA-11 A-130,
III
SP
SA-8, and
someof
III
SA-8, its
these
800-54
CA-4SA-11 III to
actions?
dispose
CA-4,
investigation
SA-11 to of or archive records
SA-5
data? constituent
rests solely
FISCAMon
components
FISCAM
the
FISCAM
CC-2.1
legislative
CC-AC-3.4
isCC-2.1
available,
or policy
determine NIST
FISCAM
what
It is prudent FISCAM
FISCAM
SP
tolaws
800-18
CC-1.1,
apply
verify
NIST
CC-2.1
CC-2.1
the to
1.2SP
your
proper IT2)system.
definitions
800-18it
operation
of the data.
of Since
a system before it is placed into production.
For
protects
eachexample,
NIST
the
state isNIST
NIST documentation
ifNIST
SP
you
NIST
SP
800-18
had
different,
NIST
SP 800-18
SP SP-800-18
a800-18
security
800-18
800-18
SP you when
will required,
needpolicy thatand
to have said all passwords must be at least eight characters in length, then the security control(s) would be
legal
assistance anything
For
3) distributes
example,
that ifthe
helped
youdocumentation
have
to enforce
a database
to determine what legislation or policies this
to authorized
policy.
of whatDepending
your groupon orders
the system,
for lunch
the control may simply be a part of a configuration window that enforces a
3.2.1 Are design reviews and system tests run priorpassword
certain
once
personnel.
apply atoweek, there
length.
your system.probably
Forwould
other not
systems,
be any
it may
issuesbeconnected
a short section
with the
of code that controls the minimum password length.
to placing the system in production? disposal
Is your or archivingup
documentation ofto
this data. However, if you happen to have a backup
date?
tape
The question
that contains
For example, assumes
if youcase
arethat
records
a your
law from
agency
child
enforcement hasprotective
security
agency policies
services,that
and it iscover
doubtful
the security aspects of what happens when external systems interface with
your
that you
systems.
are using would It
bealso
the FBI's permitted
assumes
National to that
throw
Crime youthehave
tapedeveloped
Information away if part
Center security
of thecontrols
tape is that implement and enforce your security policies and that they have been
designed
thought tofor
(NCIC), then bethese
defective.
you foreign
will need systems.
to complyThewithquestion
CJIS is simply asking whether you have given these controls to the owners of the foreign systems and
if they have
Security Policybeen implemented.
Version 4.0.
For example: You are responsible for the IT system that is used by child protective services. Another agency in the county government needs to
have access to some of the data to do its job. Because of the sensitivity of the data and the legislation covering the use of the data, you have
created a security policy that states that all users of the system must be identified before they can access the data. The other agency is using a
batch program to access and process this data. Because of your policy, you need to be assured that security controls are in place so that only the
authorized batch program has access to your data. Whether you developed the controls, or the other agency did, you need to verify that the
controls are in place and effective in controlling access to your data.
Depending
A
"Official"
The
Is security
it organization
the intent
NIST
is
NIST
policy
on
whatever
NIST the
SP
ofSP
NIST
NIST
simply
should
management
SP
800-54
classification
800-54
your
800-54
SP
SP
states
ensure
800-54
800-54
policies
S5-1
CA-3
MP-6
what
MP-6,
to
or
that
fund
sensitivity
say
PL-3
MP-6,
needs
1)MP-7
they
the
adequate
to
MP-7
staff
are
of
happen.
or
the
necessary
how
dataSecurity
any
to to
controlling
keep
controls are either the programs or procedures that actually implement the intent of
Do you
legislation
documentation
the
be have proven procedures and/or mechanisms to enable you to truly purge and/or destroy
Thisdestroyed,
security
OMB
NIST
is one NIST
defines
NIST
NISTOMB
policies.
plan
area do
Circular
SPfor
NIST
SP SP
OMB
NIST
current?
SPyou
Circular
that800-18
them.
the
800-18
SP
800-54keep
Circular
IT
SP
800-54
willA-130,
The
system
800-18
A-130,
records
NIST
800-54
require
SA-5responsibility
SA-11
SA-8,A-130,
III
SP and
of
III
CA-4
some its
these
800-54
SA-11 III CA-4,
to
actions?
investigationdisposeto of or archive records
SA-5
rests data?
constituent
solely
FISCAMon
components
FISCAMthe
FISCAM
CC-2.1
legislative
CC-AC-3.4
isCC-2.1
available,
or policy
determine NIST
FISCAM
what FISCAM
SP laws800-18
CC-1.1,
applyNIST
CC-2.1
to
1.2 SP
your IT2)system.
definitions
800-18 it of the data.
Since
For
protects
eachexample,NIST
the
state isNIST
NIST documentation
ifNIST
SPyou
NIST
SP
different,
SP 800-18
had
800-18
SP SP-800-18
800-18 a security
800-18
you when
will need required,
policy
to have thatandsaid all passwords must be at least eight characters in length, then the security control(s) would be
legal
anything
For
3) distributes
example,
assistance that ifthe
helped
you
to determinedocumentation
have
to enforce
a database
what this
to authorized
policy.
of what
legislation Depending
your groupon
or policies orders
the system,
for lunchthe control may simply be a part of a configuration window that enforces a
certain
once
personnel.
apply atoweek,
password there
your system. length.
probablyForwould
other notsystems,
be any it may
issuesbeconnected
a short sectionwith the
of code that controls the minimum password length.
disposal
Is your or archivingup
documentation oftothis data. However, if you happen to have a backup
date?
The
tape question
that contains
assumes case that
records
your from
agency
For example, if you are a law enforcement agency and child has protective
security policies
services, that
it iscover
doubtful
the security aspects of what happens when external systems interface with
yourusing
that
are you
systems.
would
the FBI's It
bealso
permitted
assumes
National to that
Crimethrow you thehave
Information tapedeveloped
away if part
Center security
of thecontrols
tape is that implement and enforce your security policies and that they have been
3.2.2 Are the test results documented? designedthen
thought
(NCIC), tofor
bethese
youdefective.
willforeign
need systems.
to complyThe withquestion
CJIS is simply asking whether you have given these controls to the owners of the foreign systems and
if they have
Security Policy been implemented.
Version 4.0.
3.2.3 If required to meet a required federal For example: You are responsible for the IT system that is used by child protective services. Another agency in the county government needs to
have access toDepending
standard, is certification testing of security controls some of theon data to do its job.
the complexity Because of the sensitivity of the data and the legislation covering the use of the data, you have
of the
conducted and documented? created a security policy that states that all users of the system must be identified before they can access the data. The other agency is using a
changes, you may choose to retest the
batch program to access and process this data. Because of your policy, you need to be assured that security controls are in place so that only the
system to verify proper operation of the
authorized batch program has access to your data. Whether you developed the controls, or the other agency did, you need to verify that the
3.2.4 If security controls were added since controls are insecurity controls.
place and effective in controlling access to your data.
development, has the system documentation been
modified to include them?
3.2.5 If security controls were added since

development, have the security controls been tested
and the system recertified?
3.2.6 Has the application undergone a technical

evaluation to ensure that it meets applicable state,
local, and federal laws, regulations, policies,
guidelines, and standards?
Operation/Maintenance Phase
3.2.7 Has a system security plan been developed

and approved?
3.2.8 If the system connects to other systems, have

controls been established and disseminated to the
owners of the interconnected systems?
3.2.9 Is the system security plan kept current?
Disposal Phase
3.2.10 Are official electronic records properly

disposed of or archived?
3.2.11 Are information or media purged,
overwritten, degaussed, or destroyed when disposed
of or used elsewhere?
3.2.12 Is a record kept of who implemented the

disposal actions and verified that the information or
media were sanitized?
NOTES:
A10: If your agency is considering implementing a major IT system, then you need to select one of the several system development life cycle methodologies available. It is not that one methodology is better that another, but it is far more important that one is selected and followed for the life of the project.
A13: The NIST Special Publication 800-30 can assist you in determining the sensitivity of the system. The sensitivity of the system may be driven by the nature of the data or by specific legislation. In any event, you should understand why the system is sensitive before you begin the risk management process.
A14: The required elements to secure your system may come from several sources. Some of the sources may be:
1) Management directive.
2) Legislation.
3) External controls (i.e., the FBI Criminal Justice Information Services [CJIS] Division's CJIS Security Policy.
A15: As part of the security management process, your agency should record and file all changes to the system. This information is then referenced during subsequent self-assessment activities. This is the only way you can successfully track modifications to and maintenance of your IT systems.
A16: Security needs to be designed into the system, not added on later. It is significantly less expensive to add security during the design process than after the system has been implemented.
A19: During or before system design, your agency should identify security risks through analysis of the data to be processed and/or research of legislation controlling or driving the process.
A20: The risk-assessment process is the best way to establish IT system security requirements.
A21: Since security controls may be implemented in various areas outside your agency, the agreements with outside entities should be in writing.
For example: Assume your county IT department is responsible for all IT system operations. If your agency is running a sensitive application, then it would be reasonable that the systems manager perform background checks on all system personnel. Agreements of this type should be in writing.
A22: The first issue is: What is an “IT architecture”?
An IT architecture is a set of decisions that describe how an IT system should be constructed, how the structural elements of the system should be created, and what the relationships should be between those elements. It is unlikely that your agency has an IT architecture. However, an IT architecture can be quite simple and very general.
If your agency has an IT architecture--which is really a set of design parameters that is applied generally to all systems in your organization--then you can answer this question: “If you have an IT architecture, does the specific system under review adhere to those parameters?" If not, then you need to explain the differences, and why the system deviates from the
standards established for your agency.
A23: This question simply asks if security planning is part of the process.
A24: Does your agency, when contracting with outside suppliers, include security requirements and/or security specifications, either explicitly or by reference, in IT system acquisition contracts based on an assessment of risk? In other words, can the system be updated to handle new risks that are discovered during the lifetime of the system?
A29: It is prudent to verify the proper operation of a system before it is placed into production.
A30: Like the rest of the risk management process, all test results should be documented.
A31: In support of the security accreditation process, the organization conducts an assessment of the security controls in the information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
A32: Is your documentation up to date?
A33: Depending on the complexity of the changes, you may choose to retest the system to verify proper operation of the security controls.
A34: This is one area that will require some investigation to determine what laws apply to your IT system. Since each state is different, you will need to have legal assistance to determine what legislation or policies apply to your system.
For example, if you are a law enforcement agency and are using the FBI's National Crime Information Center (NCIC), then you will need to comply with CJIS Security Policy Version 4.0.
A36: The organization should ensure that 1) adequate documentation for the IT system and its constituent components is available, 2) it protects the documentation when required, and 3) distributes the documentation to authorized personnel.
A37: A security policy simply states what needs to happen. Security controls are either the programs or procedures that actually implement the intent of the security policies.
For example, if you had a security policy that said all passwords must be at least eight characters in length, then the security control(s) would be anything that helped to enforce this policy. Depending on the system, the control may simply be a part of a configuration window that enforces a certain password length. For other systems, it may be a short section of code
that controls the minimum password length.
The question assumes that your agency has security policies that cover the security aspects of what happens when external systems interface with your systems. It also assumes that you have developed security controls that implement and enforce your security policies and that they have been designed for these foreign systems. The question is simply asking whether
you have given these controls to the owners of the foreign systems and if they have been implemented.
For example: You are responsible for the IT system that is used by child protective services. Another agency in the county government needs to have access to some of the data to do its job. Because of the sensitivity of the data and the legislation covering the use of the data, you have created a security policy that states that all users of the system must be identified
before they can access the data. The other agency is using a batch program to access and process this data. Because of your policy, you need to be assured that security controls are in place so that only the authorized batch program has access to your data. Whether you developed the controls, or the other agency did, you need to verify that the controls are in place
and effective in controlling access to your data.
A38: Is it the intent of management to fund the staff necessary to keep the security plan current?
A41: "Official" is whatever your policies say they are or how any controlling legislation defines them. The responsibility to dispose of or archive records rests solely on the legislative or policy definitions of the data.
For example, if you have a database of what your group orders for lunch once a week, there probably would not be any issues connected with the disposal or archiving of this data. However, if you happen to have a backup tape that contains case records from child protective services, it is doubtful that you would be permitted to throw the tape away if part of the tape is
thought to be defective.
A42: Do you have proven procedures and/or mechanisms to enable you to truly purge and/or destroy data?
A43: Depending on the classification or sensitivity of the data to be destroyed, do you keep records of these actions?
B8: NIST SP 800-53 SA-1

FISCAM CC-1.1
B13: NIST SP 800-54 RA-1

FISCAM CC-1.1, 1.2
NIST SP 800-18
B14: NIST SP 800-53 SA-2

Clinger-Cohen
B15: NIST SP 800-53 CM-3

FISCAM CC-1.1
B16: NIST SP 800-54 RA-1
GISRA
B19: NIST SP 800-54 SA-4

NIST SP 800-18
B20: NIST SP 800-54 RA-3, SA-4

NIST SP 800-30
B21: NIST SP 800-54 RA-3

NIST SP 800-18
B22: NIST SP 800-54 CM-2

OMB Circular A-130, 8B3
B23: NIST SP 800-54 SA-4

NIST SP 800-18
B24: NIST SP 800-54 SA-4

NIST SP 800-18
B29: NIST SP 800-54 SA-8, SA-11

FISCAM CC-2.1
NIST SP 800-18
B30: NIST SP 800-54 SA-8, SA-11

FISCAM CC-1.1, 1.2
NIST SP 800-18
B31: NIST SP 800-54 CA-4, SA-5

NIST SP 800-18
B32: NIST SP 800-54 SA-5

NIST SP 800-18
B33: NIST SP 800-54 CA-4

FISCAM CC-2.1
NIST SP 800-18
B34: NIST SP 800-54 SA-11

NIST SP 800-18
B36: NIST SP 800-54 S5-1

FISCAM CC-2.1
NIST SP 800-18
B37: NIST SP 800-54 CA-3

NIST SP 800-18
B38: NIST SP 800-54 PL-3

FISCAM CC-2.1
NIST SP-800-18
B41: NIST SP 800-54 MP-6

NIST SP 800-18
B42: NIST SP 800-54 MP-6, MP-7

FISCAM CC-AC-3.4
NIST SP 800-18
B43: NIST SP 800-54 MP-6, MP-7

NIST SP 800-18




K7: Avoidance: Avoidance is often used for risks that have the capacity for negative impact, but have little known recourse. In security projects, a decision to avoid risks often means a decision not to let your agency put itself in the situation where it could incur the risk. Therefore, your decision would also be to avoid the cause
of the risk.
Assume: The decision to assume a risk means accepting the risk as-is, and not implementing any policies or procedures to lessen it. This is often the decision in cases where the risk is so minimal and of limited impact should it occur that the cost of implementing a mechanism to minimize or reduce it would be far greater than
the agency’s concern.

4. Authorize Processing (Certification and Accreditation)
This will normally apply to only those systems requiring compliance with federal standards. If your agency does not need to comply with
federal standards, some of the following may not apply. Authorize processing (Note: Some agencies refer to this process as "certification and
accreditation") provides a form of assurance of the security of the system. The following questions are organized according to two critical
elements. The levels for each of these critical elements should be determined based on the answers to the subordinate questions. This may
be applicable to any agency receiving federal funds.
References
Remote: The risk probably will not occur because the risk would beRisk Decisions
difficult to realize, or
Level 1. Documented Level 2.Policy
DocumentedLevel 3. Procedures
Implemented
Level 4.Procedures
Tested andLevel
and
Evaluated
5.Controls
FullyLow:
Procedures
Integrated
The in Procedures
Avoidance:
and
risk is Controlsand
Ranking
manageable Controls
the risk
Avoidance
through according
isplanning
often used to risks
andfor your and
action, thatthe
have the capacity for negative impact, but have little
Assessment Questions Do themeasurement
This activity is part of the security people usingprocess.
Depending on
the system
the complexity
know
Simply
of
how your
a. the
Does to Atreat
stated:
change, you
theDoes
data
significant
agency
a. may
under
change
have
your
choose to
their
could
a formally
agency care?
1)
a. Have A formal,
increase
have risk,
documented
the a. Isand/or
procedures
aand
measurement
and
there are solid
2) controls
complete,
disseminated
and
a. well-documented
Does
program
been
policy
your
means
implemented?
agency
on
in placehave
place
thatknown
to limit the
aroutinely
fully operational,
risk appropriately.
evaluates
categorization,
comprehensive
the adequacy
quantification,
and
securityand
program
tolerance
thatrisks
ofis anoften
integral parta of your not to let your
Comments
reduce risk, and/or 3) rendersigned
L.1 with each
agreement
existing security controls
L.2
employee
ineffective. working
thatThe on
security
security
L.3
sensitive data
evaluation
control?
procedures is b.
is for perhaps
necessary
theAre
L.4
tothe
policies
the detect these statements
following
defined potential
effectiveness
at level 1?
L.5
of security
agency’s
impacts
true? policies,
generally are
recourse.
minimal.
culture?procedures, and controls?
In security projects, a decision to avoid
each based on the likelihood, severity, and
means decision
do a full risk
All agencies assessment
or businesses on the
should system.
have a contingency plan for business continuity. If you agency put itself in the situation where it could incur the risk. Therefore, your decision would also be to
changes. best way to communicate
NIST SP the
don't have one, your agency should
proper
800-53 behavior.
b.CA-1
Does
developthe policy
such ab.plan.
Do
define
the procedures:
1) purpose
i. Are the
andowners
scope
b. Are
of
andthe
the
users
policy,
following
awareb.Possible:
2)
Feedback/ Are
of
elements
the The
thesecurity
following risk
in place? has aand
policies
statementschance of occurring,
procedures?
true? tolerance but it may
of the levels. Thisbe difficult
simple or thereallows
weighting are controls in
PolicyOMB Circular Procedures
A-130, III Implemented Measuring Medium: avoid
The riskthe
Description cause
will
ofbe mitigated
Identified risk.
through planning
Risk and action,
Likelihood Severity Risk Tolerance Action Priority
responsibilities i.required
List the control
Have
areas the
andpolicies
and
clearly
i. An
3) compliance
effective
and
stateprocedures i.place
the program
agency’s
Reassessment to
requirements
There
been
forishelp
position? avoid
formally
evaluating
an active the
adoptedrisk.
agencywide
the adequacy
and the
security
and
technical
foreffectiveness
program
the agency
controls
thatto
ofachieves
easily
security
rank
cost-effective
policies,
the priority security.
of
FIPS 102 although if it occurs, it will still have some impact on some of the
and penalty specification?
ii. Document their installed?
applicability—clearly
procedures, listand
when,
controls.
ii. ITwhere,
security how,is an
to integrated
whom, practiceaction
withinrequired
the asset to(IT
eliminate
system). the greatest risks
Authorize Processing (Certification and more importantAssume:
areas of The decision
concern. to assume a risk means accepting the risk as-is, and not implementing any
and about whatiii.the Is procedure
a securityii.measurement
applies?
A mechanismprogram forLikely:
iii. Security
identifying
in Due
place?
vulnerabilities
vulnerabilities
(ongoing are
to conditions security
revealed
andunderstood
compliance
first.
by security
capabilities, and managed.
the incidents
risk is likelyortosecurity
occur.
policies or procedures to lessen it. This is often the decision in cases where the risk is so minimal and of
Accreditation) iii. List the assignment
measurement)
alerts. and iv.define
Threats explicit
are continually
behavior?reevaluated, and controls are adapted to a changing security environment.
iv. Identify points iv. Has
of contact
management
and
iii. Awhere
process
formally
supplementary
forauthorized
reporting
v. Additional High:
use of The
information
the
significant
and/or the
more
limited
risk
security
can
system?
be will impact
have
cost-effective
weaknesses
should
serious
Examples
security
it occurand
and impacts
ensuring
that
ofalternatives
possible
rapid
the cost
without
weighting:
and
of implementing a mechanism to minimize or reduce it would
extensive
are identified
effective as the need arises.
4.1. Critical Element: found? v. Have employee remedial
job descriptions
action. vi. Costs andplanning
been updated benefits and
to include
be far greater
action,
of security
security
are
than the agency’s
its responsibilities
consequences
measured would
as precisely
concern.
that beassevere.
practicable.
the implemented controls require? vii. Status metrics for the security program 2= Possible+Medium+Mitigate
are established and met.
Has the system been certified/recertified and vi. Have employees been trained on security procedures?Mitigate: This is the most common decision to make for identified risks: to implement policies,
authorized to process (accredited)? procedures, and other security controls to limit the risk to an acceptable level.
NIST SP 800-53 CA-4
Part of theNIST SP 800-18
security measurement
NIST SP 800-53 RA-4 process includes the monitoring of security control operations. The Transfer: Transfer the responsibility for a system or the risk itself to another party that can better
processes
This question to monitor
isNIST
simply SP thewhether
800-18
asking controlsthe
should be security
system as automated
plan isand cost effective
authorized by theas possible.
proper accept and deal with the risk and/or has the resources necessary to properly mitigate the risk.
NIST SP 800-53 PL-4
4.1.1 Was a technical and/or security evaluation authority.
NIST SP
Was the security
NIST SPpolicy
800-18
development
800-53 CP-2, CP-4 process followed? Did management review the risks
completed or conducted when a significant change
Management should be aware of discovered during
all interconnections the
to
NIST SP 800-18 self-assessment
external systems.and approve
This the
notification security controls necessary to mitigate
occurred? NIST SP 800-53 PL-4
the risks
should be part of standard operating to levels acceptable to the agency?
procedures.
NIST SP 800-18
4.1.2 Was a risk assessment conducted when a NIST SP 800-53 CA-4

significant change occurred? NIST SP 800-18
Has management funded and staffed personnel to handle security issues? Is there a charter that
NIST
directs staff SP 800-53
to deal RA-3issues promptly?
with security
NIST SP 800-18
4.1.3 Have rules of behavior been established and NIST SP 800-53 CA-3
NIST SP 800-18
signed by users?
4.1.4 Has a contingency plan been developed and

tested?
4.1.5 Has a system security plan been developed,
updated, and reviewed?
4.1.6 Are in-place controls operating as intended?
4.1.7 Are the planned and in-place controls NIST SP 800-53 CA-5
consistent with the identified risks and the system NIST SP 800-18
and data sensitivity?
4.1.8 Has management authorized interconnections

to all systems (including systems owned and
operated by another program, agency, organization,
or contractor)?

Is the system operating on a temporary or
interim authorization in accordance with
specified agency procedures?
4.2.1 Has management initiated prompt action to

correct deficiencies?
NOTES:
A12: This activity is part of the security measurement process. Simply stated: A significant change could 1) increase risk, and/or 2) reduce risk, and/or 3) render existing security controls ineffective. The security evaluation is necessary to detect these potential changes.
A13: Depending on the complexity of the change, you may choose to do a full risk assessment on the system.
A14: Do the people using the system know how to treat the data under their care? A signed agreement with each employee working on sensitive data is perhaps the best way to communicate the proper behavior.
A15: All agencies or businesses should have a contingency plan for business continuity. If you don't have one, your agency should develop such a plan.
A16: This question is simply asking whether the system security plan is authorized by the proper authority.
A17: Part of the security measurement process includes the monitoring of security control operations. The processes to monitor the controls should be as automated and cost effective as possible.
A18: Was the security policy development process followed? Did management review the risks discovered during the self-assessment and approve the security controls necessary to mitigate the risks to levels acceptable to the agency?
A19: Management should be aware of all interconnections to external systems. This notification should be part of standard operating procedures.
A22: Has management funded and staffed personnel to handle security issues? Is there a charter that directs staff to deal with security issues promptly?
B9: NIST SP 800-53 CA-1

FIPS 102
B12: NIST SP 800-53 CA-4

NIST SP 800-18
B13: NIST SP 800-53 RA-4

NIST SP 800-18
B14: NIST SP 800-53 PL-4

NIST SP 800-18
B15: NIST SP 800-53 CP-2, CP-4

NIST SP 800-18
B16: NIST SP 800-53 PL-4

NIST SP 800-18
B17: NIST SP 800-53 CA-4

NIST SP 800-18
B18: NIST SP 800-53 RA-3

NIST SP 800-18
B19: NIST SP 800-53 CA-3

NIST SP 800-18
B22: NIST SP 800-53 CA-5

NIST SP 800-18





K8: Avoidance: Avoidance is often used for risks that have the capacity for negative impact, but have little known recourse. In security projects, a decision to avoid risks often means a decision not to let your agency put itself in the situation where it could incur the risk. Therefore, your decision would also be to avoid the cause of the
risk.
Assume: The decision to assume a risk means accepting the risk as-is, and not implementing any policies or procedures to lessen it. This is often the decision in cases where the risk is so minimal and of limited impact should it occur that the cost of implementing a mechanism to minimize or reduce it would be far greater than the
agency’s concern.

The security plan should be a part of an Information Resources Management (IRM) plan, which is an overarching plan that:
5. System Security Plan 1) Supports enterprise and agency vision, mission, goals. and objectives.
2) Aligns the IT budget with the business plan.
3) Identifies and tests innovative ways to use technology to serve customers and expand opportunities for public access.
System security plans provide an overview of the4)security
Improvesrequirements ofbythe
agency efficiency systemmanaging
effectively and describe theand
information controls in place or planned for meeting those requirements. The plan delineates
technology.
responsibilities and expected behavior of all individuals whopartnerships
5) Promotes access the system.
with The following
other agencies, questions
local/regional are and
jurisdictions, organized according
the private to two
sector to create critical
mutually elements.
beneficial The levels for each of these critical
IRM communities.
elements should be determined based on the answers to the subordinate
6) Demonstrates questions.
compliance with city/county/state technical architecture and standards through IT asset inventory and the creation of
application portfolios.
7) Identifies IT and technical staff resources and training needs.
References
Risk Decisions
Assessment Questions Comments
L.1 L.2 L.3 L.4 L.5
Level 1. Documented
Level 2. Policy
Documented
Level 3. Procedures
Implemented
Level 4.Procedures
Tested and Level
and
Evaluated
Controls
5. FullyProcedures
Integratedand Procedures
Controlsand Controls
Remote:
Low: The risk
The is
risk probably Ranking
Avoidance:
manageable will
through
Avoidance the
not occur risk
planning according
isbecause
often and
used
the to risks
action,
for
risk your
and
would
that
thebehave
difficult
the capacity
to for negative impact, but have little
a. Does your agency
a. Does have
youra formally
agency
a. Have have
documented
theformal,
procedures Feedback/
a. Iscomplete,
a
and
measurement
and
disseminated
controls
anda.well-documented
Does
program
been
policy
your
implemented?
in
agency
place that
haveroutinely
a fully operational,
evaluatesrealize,
the
comprehensive
adequacy
thereand security program
categorization,
inInthat isto
anlimit
quantification,
integral part ofand
yourtolerance of often means a decision not to let your
Policy
All plans Procedures
should be reviewed periodically Implemented
and adjusted
on that security for changes
procedures
control?
Measuring
for b. inAre
the the environment.
policies
the following
defined
effectiveness
statements
at level 1? of security
true?
agency’s
Description
policies,
culture?
of Identified Risk impacts
procedures, and controls?
or
generally
Likelihoodknown
are
are
solid
minimal.
recourse.
means
Severity
eachin
place
security
based
projects,
Risk the risk
on the likelihood,
a decision
Tolerance appropriately.
toAction
severity,
avoid risks
and
Priority
Reassessment agency put itself the situation where it could incur the risk. Therefore, your decision would also be to
b. Does the policyb. Dodefine
the procedures:
1) purpose
i. Are the
andowners
scopeb. Are
of
and the
the
users
policy,
following
aware2)b.of elements
Are
thethe
security
following
in place?
policies
statements
and procedures?
true? tolerance levels. This simple weighting allows
System Security Plan Possible: The
Medium: avoid
The risk
risk will
hasthea cause
be chance ofofthe
mitigated risk. planning
occurring,
through but it may and beaction,
difficult or there are
responsibilitiesi.required
List the control
Have
areastheandpolicies
and
clearly
i. An
3) compliance
effective
and
stateprocedures
the program
agency’s
requirements
i. There
been
for
position?
is
formally
evaluating
an activeadopted
agencywide
the adequacy
and thesecurity
and
technical
effectiveness
program
controls
that
of security
achievespolicies,
cost-effective
for the security.
agency to easily rank the priority of
controls in
although if place
it occurs,
to help
it will
avoid
stillthe
have risk.
some impact on some of the
procedures, listand
when,
controls.
ii. where,
IT security
how,isto
anwhom,
integrated practice within the asset (IT system). action required to eliminate the greatest risks
more important areasAssume: The decision to assume a risk means accepting the risk as-is, and not implementing any
of concern.
5.1. Critical Element: and about whatiii.the Is procedure
applies?
A mechanismprogram for
iii.identifying
Security
in place?
vulnerabilities
vulnerabilities
(ongoing security
are
revealed
understood
compliance
by security
and managed.
incidents or security first.
behavior? reevaluated, and Likely:
policies or andprocedures to lessenriskit. This is often the decision in cases where the risk is so minimal and of
measurement)
alerts. andiv.
define
Threats
explicit
are continually controls Due to conditions
are adapted to a changing capabilities,
security the is likely
environment. to occur.
andHigh: Therapid limited
risk will have impact
serious should it occur that theextensive
cost of implementing a mechanism to minimize or reduce it would
Is a system security plan documented for the iv. Identify points iv. Has
of contact
management
and
iii. Awhere
process
formally
supplementary
for
authorized
reporting
v. Additional
information
the
significant
use
and/or
of the
security
can
more
system?
becost-effective
weaknesses securityensuring
alternatives andareeffective
identified asimpacts
Examples of and
the need without
possible
arises. weighting:
planning be far
and action, itsgreater than thewould
consequences agency’s concern.
be severe.
system and all interconnected systems if the Your agency management needs to be involved, asfound? v. Have employee
do external stakeholders. remedial
job descriptions
action. vi.been Costsupdated
and benefits
to include
of security
securityareresponsibilities
measured as precisely
that as practicable. 1= Likely+High+Assume
boundary controls are ineffective? the implemented controls require? vii. Status metrics for the security program are established and met. 2= Possible+Medium+Mitigate
vi. Have employees been trained on security procedures? Mitigate: This is the most common decision to make for identified risks: to implement policies,
NIST SP 800-53 PL-2
FISCAM SP-2.1
5.1.1 Has the system security plan been approved NIST SP 800-18
by the managers of the affected parties accept and deal with the risk and/or has the resources necessary to properly mitigate the risk.
(stakeholders) within and outside of the agency?
The NISTNIST
topicsSP
are800-53
guidelines only—good guide lines, but not mandated.
PL-2
NIST SP 800-18
5.1.2 Does the plan contain the topics prescribed in
NIST Special Publication 800-18? NIST SP 800-53 SA-2
OMB CIRCULAR A-130, III
NIST SP 800-18
5.1.3 Is a summary of a systems security plan
incorporated into the agency's strategic information
resources management plan?
NIST SP 800-53 PL-2
FISCAM SP-2.1
5.2. Critical Element: NIST SP 800-18
Is the plan kept current?
5.2.1 Is the plan reviewed periodically and adjusted

to reflect current conditions and risks?
NOTES:
A12: Your agency management needs to be involved, as do external stakeholders.
A13: The NIST topics are guidelines only—good guide lines, but not mandated.
A14: The security plan should be a part of an Information Resources Management (IRM) plan, which is an overarching plan that:
1) Supports enterprise and agency vision, mission, goals. and objectives.
2) Aligns the IT budget with the business plan.
3) Identifies and tests innovative ways to use technology to serve customers and expand opportunities for public access.
4) Improves agency efficiency by effectively managing information and technology.
5) Promotes partnerships with other agencies, local/regional jurisdictions, and the private sector to create mutually beneficial IRM communities.
6) Demonstrates compliance with city/county/state technical architecture and standards through IT asset inventory and the creation of application portfolios.
7) Identifies IT and technical staff resources and training needs.
A17: All plans should be reviewed periodically and adjusted for changes in the environment.
B12: NIST SP 800-53 PL-2

FISCAM SP-2.1
NIST SP 800-18
B13: NIST SP 800-53 PL-2

NIST SP 800-18
B14: NIST SP 800-53 SA-2

OMB CIRCULAR A-130, III
NIST SP 800-18
B17: NIST SP 800-53 PL-2

FISCAM SP-2.1
NIST SP 800-18





of the risk.

Operational
The operational controls address security methods focusing on mechanisms primarily implemented and executed by people (as opposed to systems). These controls are put in place to improve the security of a particular system (or
group of systems). They often require technical or specialized expertise and often rely upon management activities, as well as technical controls.
6. Personnel Security The need to separate duties may be related to the sensitivity of the data or the need to separate duties.
For example, in an accounting environment, you do not want the person who requests a payment to also be able
to authorize the payment. Only if you have sensitive data would you need to write controls into the job
Many important issues in computer security involve human users, designers, implementers, and managers. A broad range of security issues relates to how these individuals interact with computers and the access and authorities they
descriptions.
need to do their jobs. The following questions are organized according to two critical elements. The levels for each of these critical elements should be determined based on the answers to the subordinate questions.
References
Risk Decisions
L.1 L.2 L.3 L.4 L.5
Level 1. Documented Level
Policy
2. DocumentedLevel Procedures Level 4. Procedures
3. Implemented Tested and and Evaluated
Controls Procedures and Controls Ranking
Remote: Thethe
Low:risk
Avoidance:
risk according
probably
The riskwill to
notyour
Avoidance
is manageable
occuris often
because
through
used
theplanning
forrisk
risks
would
that
and be
have
action,
difficult
theand
capacity
to
the
realize,
for or
negative impact, but have little
a. Does your agencya.have Doesa your
formally
agencydocumented
have
a. Have formal,
theand complete,
disseminated
a. Is a measurement
procedures and controls
and policy
well-documented
onprogram
been in place that
Fully implemented? routinely evaluates the adequacy
therecategorization,
areand
solid known
impacts
means quantification,
in
recourse.
generally
place toIn and
limit
are tolerance
security
minimal.
the risk
projects,
appropriately.
a decision to avoid risks often means a decision not to let your
Policy Procedures Implemented Measuring Feedback/ Reassessment
Level 5. Integrated Description
Procedures of Controls
and Identified Risk Likelihood Severity Risk Tolerance Action Priority
that One
Sensitive functions should be divided. security
of thecontrol?procedures
questions forbe
that should the policies
asked defined
is: Should
b. Are the theeffectiveness
at
following level
person 1? enters
who
statements of
a. security policies,
or creates
true?
Does your agencyprocedures,
have a fullyand controls? comprehensiveofsecurity
operational, each based
agencyon the
program put likelihood,
itself
that is an theseverity,
inintegral part and
situation ofwhere
your it could incur the risk. Therefore, your decision would also be to
NIST SP 800-53 CA-1
b. Does
data also have the authority to remove the the policy
data? define
b. Doyou
Essentially, 1)
thepurpose
procedures:
want two and i.scope
or more of owners
persons the policy,
b. Areinthe
involved 2)thefollowing
lifecycle elements
ofof
sensitive in place? tolerance avoid
levels.the This simple weighting allows
Personnel Security Another way to look atOMB Circular
this issue is: HA-130,
have youIIIestablished checks and balances
responsibilities required
i. Listfor
the its
control
execution,
Are the
within the systemand users
support aware
agency’s
functions? the security
culture? policies and procedures? Possible: TheMedium:
risk has acause
chanceof the
The risk ofwillrisk.
occurring,
be mitigated
but itthrough
may be planning
difficult or
and
there
action,
are controls in
data.
All organizations should have clear
FISCAM SP-5and unambiguous personnel policies thatareas
cover and
and
ii. Have 3)
clearly
hiring, compliance
the i.state
transfer,
policiesAn
andeffective
the
andrequirements
agency’s
terminationprogram
procedures
b. ofposition?
Are
for evaluating
employees.
been
the
the adequacy
formallystatements
following adopted and theand
true?
effectiveness
technical controls of security
for the policies,
place to help avoid
although
the risk.
if it occurs, it will still have some impact on some of the
How are violations of rules or procedures handled
and penalty in your
ii.organization?
specification?
Document their As it applicability—clearly
relates to security,procedures,
can security
list when, issues
and be handled
where,
controls.how, to in whom, action required to eliminate the greatest risks
a similar fashion? NIST SP 800-18 installed? i. There is an active agencywide security program that achieves cost-effective Assume: security.
more important The decision
areas of to assume a risk means accepting the risk as-is, and not implementing any
concern.
and about what the iii. procedure applies?
Is a security ii.measurement
A mechanism for identifying
ii.program
IT securityin place?
is anvulnerabilities revealed
(ongoing security
integrated practice by security
compliance
within incidents
the asset first.
or security
(IT system).
6.1. Critical Element: iii. List the assignment of IT responsibilities
alerts. and define explicit behavior? are understood and managed. Likely: Due topolicies or procedures
conditions to lessen
and capabilities, theit. This
risk is often
is likely to the decision in cases where the risk is so minimal and of
occur.
measurement) iii. Security vulnerabilities High:
limited The
impact should it occur that the cost of without
implementing a mechanism to minimize or reduce it would
Are duties separated to ensure least privilege As employees join, transfer, or leave your department oriv. agency, are there written
Identify points ofiv. procedures
contact to
and where
Has management
follow that
iii. A process cover
supplementary
formally
the adding
forauthorized
reporting or
information
significant
usecan
thecontinuallybe
security
of the weaknesses and ensuring rapid
system? Examples of possible risk
and effective will have
weighting: serious impacts and extensive
removal of user accounts? iv. Threats are reevaluated, and controls are adapted to a changing
be far
planning security
greater
and than environment.
action, the
its agency’s concern.
consequences would be severe.
and individual accountability? found? v. Have employee remedial action.
job descriptions been updated
v. Additional and/or to include
more security responsibilities
cost-effective that 1=
security alternatives
Likely+High+Assume
are identified as the need arises.
the implemented controls require? 2= Possible+Medium+Mitigate
vi. Costs and benefits of security are measured as precisely as practicable. Mitigate: This is the most common decision to make for identified risks: to implement policies,
The question depends
NIST on
SPwhether
800-53yourCA-2 agency deals with data that are definedvi. asHave employees
“sensitive.” If youbeenhave trained on security
any vii. Status metrics procedures?
for the security program are established and met. procedures, and other security controls to limit the risk to an acceptable level.
6.1.1 Are all positions reviewed for sensitivity such data that areFISCAM
defined SP-5.1
as sensitive by either policy or legislation, this is a legitimate question to ask.
level?
accept and deal with the risk and/or has the resources necessary to properly mitigate the risk.
6.1.2 Are there documented job descriptions that

accurately reflect assigned duties and If personnel can access sensitive data before they are fully cleared by the screening process, is management fully aware of the
risks? Ultimately, management bears responsibility for this risk.
responsibilities and that segregate duties?
6.1.3 Are sensitive functions divided among

If this can happen, are the procedures to screen an employee documented, and has management signed off on this process?
different individuals? NIST SP 800-53 CM-5
FISCAM
NIST SD-1.1PS-2, PS-5
SP 800-53
6.1.4 Are distinct systems support functions These confidentiality or security agreements help clarify what is expected of employees who access sensitive data.
FISCAM SP-4.1
performed by different individuals? NIST SP 800-18
800-53 PS-6
6.1.5 Are mechanisms in place for holding users
FISCAM SD-2, 3.2
responsible for their actions? NIST SP 800-18
6.1.6 Are hiring, transfer, and termination NIST SP 800-53 PAC-2
procedures established for personnel who have FISCAM SP-4.1
access to sensitive agency IT data? NIST SP 800-18
6.1.7 Is there a process for requesting, establishing,

issuing, and closing user accounts?

Is appropriate background screening for
assigned positions completed prior to granting
access?
System support
NIST SPpersonnel,
800-53network
PS-3 engineers, and others who have broad powers over your computing facility need to be held to
6.2.1 Are individuals who are authorized to bypass a higher standard
FISCAM
NIST SPdue
SP-4.1
to their
800-53 ability to bypass technical and operational controls within your IT system.
PS-6
significant technical and operational controls OMB
FISCAMCircular
SP-4.1A-130, III
screened prior to access?
6.2.2 Are confidentiality or security agreements NIST SP 800-53 PS-3

required for employees assigned to work with OMB Circular A-130, III
sensitive information?
6.2.3 When access controls cannot adequately NIST SP 800-53 PS-6
protect your information assets, are individuals FISCAM AC-2.2
accessing the data screened prior to access? NIST SP 800-18
6.2.4 Are there conditions for allowing system

access prior to completion of screening?
NOTES:
A16: The question depends on whether your agency deals with data that are defined as “sensitive.” If you have any such data that are defined as sensitive by either policy or legislation, this is a legitimate question to ask.
A17: The need to separate duties may be related to the sensitivity of the data or the need to separate duties.
For example, in an accounting environment, you do not want the person who requests a payment to also be able to authorize the payment. Only if you have sensitive data would you need to write controls into the job descriptions.
A18: Sensitive functions should be divided. One of the questions that should be asked is: Should the person who enters or creates data also have the authority to remove the data? Essentially, you want two or more persons involved in the lifecycle of sensitive data.
A19: Another way to look at this issue is: H have you established checks and balances within the system support functions?
A20: How are violations of rules or procedures handled in your organization? As it relates to security, can security issues be handled in a similar fashion?
A21: All organizations should have clear and unambiguous personnel policies that cover hiring, transfer, and termination of employees.
A22: As employees join, transfer, or leave your department or agency, are there written procedures to follow that cover the adding or removal of user accounts?
A25: System support personnel, network engineers, and others who have broad powers over your computing facility need to be held to a higher standard due to their ability to bypass technical and operational controls within your IT system.
A26: These confidentiality or security agreements help clarify what is expected of employees who access sensitive data.
A27: If this can happen, are the procedures to screen an employee documented, and has management signed off on this process?
A28: If personnel can access sensitive data before they are fully cleared by the screening process, is management fully aware of the risks? Ultimately, management bears responsibility for this risk.
B13: NIST SP 800-53 CA-1

FISCAM SP-5
NIST SP 800-18
B16: NIST SP 800-53 CA-2

FISCAM SP-5.1
B19: NIST SP 800-53 CM-5

FISCAM SD-1.1
B20: NIST SP 800-53 PS-6

FISCAM SD-2, 3.2
NIST SP 800-18
B21: NIST SP 800-53 PS-2, PS-5

FISCAM SP-4.1
NIST SP 800-18
B22: NIST SP 800-53 PAC-2

FISCAM SP-4.1
NIST SP 800-18
B25: NIST SP 800-53 PS-3

FISCAM SP-4.1
B26: NIST SP 800-53 PS-6

FISCAM SP-4.1
B27: NIST SP 800-53 PS-3

B28: NIST SP 800-53 PS-6

FISCAM AC-2.2
NIST SP 800-18





7. Physical and Environmental Protection
Physical security and environmental security are the measures taken to protect systems, buildings, and related supporting infrastructures against threats associated with their physical environment. The
following questions are organized according to three critical elements. The levels for each of these critical elements should be determined based on the answers to the subordinate questions.
Level 1. Documented
Level 2.
Policy
Documented
Level 3.
Procedures
Implemented
Level 4.Procedures
Tested and
Level
and
Evaluated
5.Controls
Fully Integrated
ProceduresProcedures
and Controls Remote: TheLow:
and Controls risk probablyAvoidance:
The riskwill Ranking
is manageable
not occur thethe
Avoidance
because
through risk
is according
planning
often
risk would
used to difficult
andfor
be yourand
action,
risks thatto
the
have
realize,
the or
capacity for negative impact, but have little
a. Does your agency a. Does haveyour a formally
agency
a. Have have
documented
theformal,
procedures
a. Iscomplete,
aand
measurement
and
disseminated
controls
and
a. Does
well-documented
program
been
policy
your implemented?
agency
in placehave
thataroutinely
fully operational,
evaluates comprehensive
the are
there adequacy and
security
solid impacts
means program
ingenerally
placeknown that
to limit
are iscategorization,
an
recourse.
minimal.
the integral
risk partquantification,
Inappropriately.
security of your a decision
projects, and tolerance
to avoid risks often means a decision not to let your
on that securityprocedures control? for b. the Are
policies
the following
defined
effectiveness
statements
at level 1? of agency’s
security
true? policies,
culture?procedures, and controls? of each
agency put itself based
in the on thewhere
situation likelihood, severity,
it could andrisk. Therefore, your decision would also be to
incur the
b. Does the policy b. Do define
the procedures:
1) purpose
scopeb. Are
of
and the
the
users
policy,
following
aware
2)
b. Are of
elements
the
the security
following
in place?
policies
statements
and procedures?
Possible: TheMedium: avoid
risk has a chance
The riskthe
of cause
will
occurring,of the
butrisk.
be mitigated itthrough
may be planning
difficult or and
there
action,
are controls in
References
List the control
for its ii.execution,
Have
and
clearly
i. An
3) compliance
effective
and
stateprocedures
theprogram
agency’s
i.requirements
There
beenfor
position?
is an
evaluating
formally
active adopted
agencywide
the adequacy
and security
theand
technical
effectiveness
program
controls
thatofachieves
securitycost-effective
policies, security.for the agency to easily rank the priority of
place to help avoid
although
the risk.
if it occurs, it will still have some impact on some of the
procedures, listand
when,
ii.
controls.
ITwhere,
security how,
is antointegrated
whom, practice within the asset (IT system). Risk
more important
Decisions
Assume:
areas of The
concern.
Assessment Questions and about whatiii. the
Is procedure
applies?
A mechanismprogram iii.
forSecurity
identifying
in place?
vulnerabilities
vulnerabilities
(ongoingare security
revealed
understood
compliance
by security
and managed.
incidents or security first. Comments
Likely:are Dueadapted
to conditions policies
and or procedures
capabilities, the risktoislessen
likely it.
to This is often the decision in cases where the risk is so
occur. minimal and of
L.1 L.2 iii. List L.3 the assignment
measurement) ofL.4
IT responsibilities
alerts. L.5
and
iv. define
Threats explicit
are continually
behavior?reevaluated, and controls
High:
to a changing
The risklimited
will
security environment.
impact
have should
serious it occurand
impacts that the cost of implementing a mechanism to minimize or reduce it would
of contact
management and
iii. Awhere
process
formally
supplementary
forauthorized
v.
reporting
significant
theand/or
use of more
the
security
cansystem?
be
cost-effective
weaknesses security
and ensuring
alternatives
rapid are
andidentified
effective as the needExamples
arises. of possiblewithout
weighting:extensive
1) Determine
1) Identify
If
Determine
any controlled
how if physical
any
access
which access
tapes
isdevices
person NIST
gained
orisNIST
NIST other
inpersons
or SP
place,
SP(keys,
toSP
800-53
storage
yourobtain
800-53fobs,
facilities.
have
800-53
NIST media
PE-2,
MP-4
etc.)
copies
PE-3
control
SPPE-3 are
are
PE-3
of created
required
authorization
found?
of
800-53 the keys
PE-16 intoor
the
enter
normal
policies
v.
access the
Havecomputer
course
and
devices. access
of room,
employee business.
lists.
remedial
jobtape The
library,
"tape
Feedback/
descriptions
action. vi. Costs
been and
updated
benefits
to include
of security
security
are measured
responsibilities
as precisely
that planning
as andbe
practicable.
far greater
action, than the agency’s
its consequences
1= would be
Likely+High+Assume
concern.
severe.
1) If the controlled entry NIST
Policy NIST
to theSP SP
sensitive
800-53
800-53 areas
PE-7
PE-3 require codes, determine how often they are changed.
2) other
library"
or
1) Collect
Determine
may
controlled
thebeifpolicies
management,
anything
area.andFISCAM
FISCAM
from aProcedures
procedures
at bottom
any
AC-3
AC-3.1
level,
associated
drawer
has at
inwith
any Implemented
someone's
Ifthis
time
so,access.
reviewed
desk atocopy.
these Measuring
a formally
lists for
organized
accuracy. tapedetermine
library. Description of Identified Risk Likelihood Severity 2= Possible+Medium+Mitigate
Risk Tolerance Action Priority
2) If
2) If there
there are
Determine areifemergency
a sign-out
policies exits
list
orFISCAM within
exists
FISCAM
FISCAM
procedures tothe
AC-3.1
for
AC-3.1
AC-3.1
computer
these
AC-3.1
FISCAM
change items.
AC-3.1
the room,
codes, tape
obtain
obtain library,
the
copies. orimplemented
other secured area,
controls require?
Reassessment
3)
2)
3) If
how
3)
Determine
you are
tapes
people
Determine
Determine
or using
if
other
regain
if
how
any commercial
storage
policies
entrance
extra
NIST
codeorSP NIST
backupmedia
or procedures
after
800-43
changes
SP
hardware
800-18
are created,
exiting.
items
are are
PE-1 and/or
exist determine
for
software
available.
propagated
this review
to isauthorized
to
if policies,
control
process physical
procedures,
vi.and,
personnel. Have ifaccess,
so, or
obtain
logs
obtain
employees copies.
exist.
the If
user
been so, and system
trained on security procedures? Mitigate: This is the most common decision to make for identified risks: to implement policies,
Physical and Environmental Protection The
1) Determine
Determine basic question that access
needs to be asked this: Are senior managers aware of the current risks inherent
manuals
obtain
2)
4)
4) Are copies
Watchthese ifhow
to document
of
outitems
for
visitors
them.
procedures
secured?
maintenance
gain
the processes.
exist
Ifaccess
so, toreentry
fordocument
the
codes.
secured
where
They
areas.
process.
they are
often If so,
are kept
veryobtain
and copies
simple the of
policies
and are the procedures.
and
seldom procedures
changed. You used procedures, and other security controls to limit the risk to an acceptable level.
2)control
4) with
Are there
Create your agency's
policies,
a list IT
procedures,
of persons systems,
responsible and
or sign-in are they willing
lists thatthis
for controlling control to accept this level of exposure?
visitor access to the facility? If so, obtain
process.
to
should them.
make sure to change these at regular intervals.
copies of the documents. Transfer: Transfer the responsibility for a system or the risk itself to another party that can better
3) Determine if visitors simply sign in and enter the facility or if they must be escorted. accept and deal with the risk and/or has the resources necessary to properly mitigate the risk.
Physical Access Control
7.1. Critical Element: Have

adequate physical security controls been
implemented that are commensurate with the
risks of physical damage or access?
1) Determine if physical access is monitored and recorded, either manually or automatically, by the
access system. NIST SP 800-53 PE-6, PE-8
1)2) You may trails
If audit need exist,
to contactFISCAM
the city
determine if AC-4
or county
anyone building
reviews thesedepartment to determine
for violations. what appropriate
Obtain examples fire
of the audit
suppression
trails, if theyand prevention devices are required.
exist.
7.1.1 Is access to facilities controlled through the
2)3) Building codesoccur,
change over time.
If violations determine whatAccordingly, you should
remedial actions shouldverify the building code year that covers
be taken.
use of guards, identification badges, or entry your facility.
1) If
1) Determine how
there is awho personnel
people
or what
redundant are
NIST report
authorized
agency issuspicious
SP determine
system, 800-53 to RA-3
AC-13
PE-7
enter
responsibleaccess
PE-13
how the
for sensitive
activity.
it isthis areas.
activity.
activated and/or used when the main system
devices such as key cards or biometrics? Determine if there
agency are
training
policies
covers
or
AC-4.3
AC-3.1
procedures
2) If
fails. these items are reviewed,
FISCAM
NIST SP
how arethis
SC-2.1
800-18 thesubject.
thatcommunicated
results cover access by to visitors, contractors, or
your management?
3) Determinepersonnel.
maintenance what actions are to
NIST SPbe taken when unauthorized access is detected.
800-18
4) Determine who is required to investigate these issues.
7.1.2 Does management regularly review the list1)of Determine
Identify who
who
maintains
or whatNIST
the
agency
heating
SP 800-53
is responsible
andSPair
PE-14
conditioning
for your physical
systems.plant.
NIST 800-53 PE-9
persons with physical access to sensitive facilities?
2) Determine if there is any
aFISCAM
NIST
maintenance
riskSP
review
SC-2.2
800-18
contract.
on major building
If so, obtain
subsystems.
a copy for your records.
FISCAM SC-2.2
1) This
Contact
backup
yourpower
building
facility
manager NIST
mayNIST
or
not SPSP
other
be 800-18
800-53
required PE-15
responsible
for your
partyagency.
and determine where water, sewer, and gas
FISCAMhow SC-2.2
7.1.3 Are deposits and withdrawals of tapes and 2)
linesIf run
it has
in and
beenaround
provided,
yourdetermine
IT areas. often it is tested. The minimum test period should be annually.
NIST SPNIST SP 800-18
800-53 PE-11
other storage media from the library authorized and
logged? FISCAM SC-2.2
NIST SP 800-53 RA-3

7.1.4 Are keys or other access devices needed to 1) Determine what disaster planning has been done for your local jurisdiction.
FISCAM SC-2.2
enter the computer rooms and tape/media libraries?
2) Determine if the plans are tested.
3) Determine how the controls are expected to reduce the impact of these natural disasters.
NIST SP 800-53 PE-5
NIST SP 800-18
7.1.5 Are unused keys or other entry devices
secured?
7.1.6 Do emergency exit and reentry procedures1) From your list of systemsNIST
that
SPcontain
800-53sensitive
PE-4 data, identify monitors used to access this data.
2) Physically inspect eachNIST
monitor
SP location
800-18 to verify difficulty in viewing data by unauthorized persons
ensure that only authorized personnel are allowed to
reenter after fire drills, etc?
7.1.7 Are visitors to sensitive areas signed in and

escorted?
7.1.8 Is entry access to restricted IT assets regularly

reviewed and entry codes changed periodically? 1) In Youtoday's
may require
environment,
assistance
NIST
thisfrom
SP
is a800-53
very
system
critical
NIST
AC-19
and/or
SP
issue.
network
800-53 staff
AC-19to determine how network lines are run.
2) Determine physical access
NISTtoSP
areas
800-18
where
NISTthese
SP 800-18
lines run.
7.1.9 Are physical accesses monitored through audit

trails and apparent security violations investigated
and remedial action taken?
7.1.10 Is suspicious access activity investigated and

appropriate action taken?
7.1.11 Are visitors, contractors, and maintenance

personnel authenticated through the use of
preplanned appointments and identification checks?
Fire Safety Factors
7.1.12 Are appropriate fire suppression and

prevention devices installed and working?
7.1.13 Are fire ignition sources, such as failures of
electronic devices or wiring, improper storage
materials, and the possibility of arson, reviewed
periodically?
Supporting Utilities
7.1.14 Are heating and air conditioning systems

regularly maintained?
7.1.15 Is there a redundant air cooling system?
7.1.16 Are electric power distribution, heating

plants, water, sewage, and other utilities 1) In today's environment, this is a very critical issue.
periodically reviewed for risk of failure? 2) Have users of portable systems been trained in how to use and store them securely on the road and in
the office?
7.1.17 Are locations of building plumbing lines

known and do they not endanger the system?
7.1.18 Has an uninterruptible power supply or

backup generator been provided?
7.1.19 Have controls been implemented to mitigate

other disasters, such as floods, earthquakes, etc.?
Interception of Data
7.2. Critical Element: Is

data protected from interception?
7.2.1 Are computer monitors located to eliminate

viewing by unauthorized persons?
7.2.2 Is physical access to data transmission lines

controlled?
Mobile and Portable Systems
7.3. Critical Element: Are

mobile and portable systems protected?
7.3.1 Are sensitive data files encrypted on all

portable systems?
7.3.2 Are portable systems stored securely?
Wireless Use Within the System

wireless access controlled within the system?
7.4.1 Are all wireless access points attached to the

system known? 1) In today's environment, this is a very critical issue.
7.3.2 Are regular searches conducted for rogue

wireless access points? 1) In today's environment, this is a very critical issue.
PDA Use Within the System

the use of PDAs and other similar devices
controlled within the system?
7.5.1 Are PDAs and similar devices that are

allowed access to IT systems controlled?
7.5.2 Are PDAs and similar devices that are

allowed access to IT systems required to have
access control enabled on the devices and/or
encryption of sensitive data ?
NOTES:
A10: The basic question that needs to be asked is this: Are senior managers aware of the current risks inherent with your agency's IT systems, and are they willing to accept this level of exposure?
A11: 1) Identify how access is gained to your facilities.

2) Collect the policies and procedures associated with this access.
3) If you are using commercial hardware and/or software to control physical access, obtain the user and system manuals to document the processes.
4) Create a list of persons responsible for controlling this process.
A12: 1) If any controlled access is in place, obtain copies of authorization policies and access lists.
2) Determine if management, at any level, has at any time reviewed these lists for accuracy.
3) Determine if any policies or procedures exist for this review process and, if so, obtain copies.
A13: 1) Determine if any tapes or other storage media are created in the normal course of business. The "tape library" may be anything from a bottom drawer in someone's desk to a formally organized tape library.
2) If tapes or other storage media are created, determine if policies, procedures, or logs exist. If so, obtain copies of them.
A14: 1) Determine if physical devices (keys, fobs, etc.) are required to enter the computer room, tape library, or other controlled area.
A15: 1) Determine which person or persons have control of the keys or access devices.
2) Determine if a sign-out list exists for these items. If so, obtain a copy.
3) Determine if extra or backup items are available.
4) Are these items secured? If so, document where they are kept and the policies and procedures used to control them.
A16: 1) If there are emergency exits within the computer room, tape library, or other secured area, determine how people regain entrance after exiting.
2) Determine if procedures exist for the reentry process. If so, obtain copies of the procedures.
A17: 1) Determine how visitors gain access to secured areas.

2) Are there policies, procedures, or sign-in lists that control visitor access to the facility? If so, obtain copies of the documents.
3) Determine if visitors simply sign in and enter the facility or if they must be escorted.
A18: 1) If the controlled entry to the sensitive areas require codes, determine how often they are changed.
2) If there are policies or procedures to change the codes, obtain copies.
3) Determine how code changes are propagated to authorized personnel.
4) Watch out for maintenance access codes. They often are very simple and are seldom changed. You should make sure to change these at regular intervals.
A19: 1) Determine if physical access is monitored and recorded, either manually or automatically, by the access system.
2) If audit trails exist, determine if anyone reviews these for violations. Obtain examples of the audit trails, if they exist.
3) If violations occur, determine what remedial actions should be taken.
A20: 1) Determine how personnel report suspicious access activity.

2) Determine if agency training covers this subject.
3) Determine what actions are to be taken when unauthorized access is detected.
4) Determine who is required to investigate these issues.
A21: 1) Determine how people are authorized to enter the sensitive areas.
2) Determine if there are policies or procedures that cover access by visitors, contractors, or maintenance personnel.
A23: 1) You may need to contact the city or county building department to determine what appropriate fire suppression and prevention devices are required.
2) Building codes change over time. Accordingly, you should verify the building code year that covers your facility.
A24: 1) Determine who or what agency is responsible for this activity.

2) If these items are reviewed, how are the results communicated to your management?
A26: 1) Identify who maintains the heating and air conditioning systems.
2) Determine if there is a maintenance contract. If so, obtain a copy for your records.
A27: 1) If there is a redundant system, determine how it is activated and/or used when the main system fails.
A28: 1) Determine who or what agency is responsible for your physical plant.
2) Determine if there is any risk review on major building subsystems.
A29: 1) Contact your building manager or other responsible party and determine where water, sewer, and gas lines run in and around your IT areas.
A30: 1) This backup power facility may not be required for your agency.
2) If it has been provided, determine how often it is tested. The minimum test period should be annually.
A31: 1) Determine what disaster planning has been done for your local jurisdiction.
2) Determine if the plans are tested.
3) Determine how the controls are expected to reduce the impact of these natural disasters.
A34: 1) From your list of systems that contain sensitive data, identify monitors used to access this data.
2) Physically inspect each monitor location to verify difficulty in viewing data by unauthorized persons
A35: 1) You may require assistance from system and/or network staff to determine how network lines are run.
2) Determine physical access to areas where these lines run.
A38: 1) In today's environment, this is a very critical issue.

2) Have users of portable systems been trained in how to use and store them securely on the road and in the office?
B8: NIST SP 800-43 PE-1
B11: NIST SP 800-53 PE-2, PE-3

FISCAM AC-3
NIST SP 800-18
B12: NIST SP 800-53 PE-2, PE-3

FISCAM AC-3.1
B13: NIST SP 800-53 PE-16

FISCAM AC-3.1
B14: NIST SP 800-53 MP-4

FISCAM AC-3.1
B15: NIST SP 800-53 PE-3

FISCAM AC-3.1
B16: NIST SP 800-53 PE-3

FISCAM AC-3.1
B17: NIST SP 800-53 PE-7

FISCAM AC-3.1
B18: NIST SP 800-53 PE-3

FISCAM AC-3.1
B19: NIST SP 800-53 PE-6, PE-8

FISCAM AC-4
B20: NIST SP 800-53 AC-13

FISCAM AC-4.3
B21: NIST SP 800-53 PE-7

FISCAM AC-3.1
B23: NIST SP 800-53 PE-13

FISCAM SC-2.1
NIST SP 800-18
B24: NIST SP 800-53 RA-3

NIST SP 800-18
B26: NIST SP 800-53 PE-14

NIST SP 800-18
B27: NIST SP 800-53 PE-14

FISCAM SC-2.2
B28: NIST SP 800-53 PE-9

FISCAM SC-2.2
NIST SP 800-18
B29: NIST SP 800-53 PE-15

FISCAM SC-2.2
NIST SP 800-18
B30: NIST SP 800-53 PE-11

FISCAM SC-2.2
B31: NIST SP 800-53 RA-3

FISCAM SC-2.2
B34: NIST SP 800-53 PE-5

NIST SP 800-18
B35: NIST SP 800-53 PE-4

NIST SP 800-18
B38: NIST SP 800-53 AC-19

NIST SP 800-18
B39: NIST SP 800-53 AC-19

NIST SP 800-18




Assume: The decision to assume a risk means accepting the risk as-is, and not implementing any policies or procedures to lessen it. This is often the decision in cases where the risk is so minimal and of limited impact should it occur that the cost of implementing a mechanism to minimize or reduce it would be far greater than the agency’s
concern.
M7: Ranking the risk according to your categorization, quantification, and tolerance of each based on the likelihood, severity, and tolerance levels. This simple weighting allows for the agency to easily rank the priority of action required to eliminate the greatest risks first.

8. Production, Input/Output Controls
There are many aspects to supporting IT operations. Topics range from a user help desk to procedures for storing, handling, and destroying media. The following questions are
organized according to two critical elements. The levels for each of these critical elements should be determined based on the answers to the subordinate questions.
References
Risk Decisions
L.1 L.2 L.3 L.4 L.5
Level 1. Documented Level 2.Policy
Documented
Level 3. Procedures
Implemented
Level 4. Procedures
Tested and Leveland
Evaluated
5.Controls
Fully Procedures
Integrated Procedures
and
Ranking
Remote:
Low:
Controls
the
The andrisk
Avoidance:
risk
The Controls
according
is
riskmanageable
probably to your
Avoidance
will
through
not occur
isplanning
often
because
used
andfor
the
action,
risks
risk and
would
thatthehave
be difficult
the capacity
to realize,
for negative
or impact, but have little
a. Does your Implemented
agency
a. Does have
your a agency
formally
a. Have have
documented
theformal,
procedures
a. Iscomplete,
aand
Feedback/
measurement
and
disseminated
controls
anda. well-documented
Does
program
been
policy
your implemented?
agency
in placeDescription
have
that acategorization,
routinely
fully operational,
evaluates quantification,
comprehensive
the adequacy
Policy Procedures Measuring there
impactsof
areIdentified
generally
solidknown
means Risk
are placeand
recourse.
minimal.
in In and
security
tolerance
Likelihood
tosecurity
limit program
of appropriately.
theprojects,
risk that
aSeverityis an to
decision integral
Risk
avoid part of yourmeans a decision
Tolerance
risks often Action Priority
not to let your
NIST SP 800-53 MP-1 on that security procedures
control? for b. theArepolicies
the following
defined
effectiveness Reassessment
statements
at level 1?
of security
agency’s
true? policies,
culture?procedures, each
andbased
controls?
onagency
the likelihood,
put itselfseverity, and
in the situation where it could incur the risk. Therefore, your decision would also be to
Production, Input/Output Controls b. Does the policy
b. Do
define
the procedures:
1) purpose
i. Are the
and owners
scope
b. Are
of
and the
the
users
policy,
following
aware
This awareness of how unauthorized persons can obtain copies of data will derive from the self-assessment process. Be sure to 2)
b. Are
of
elements
the
the security
following
in place?
policies
statements
tolerance
and procedures?
true? levels. This simple weighting allows
Possible: The
Medium: avoid
The riskthe
risk will
hascause
be of theofrisk.
a chance
mitigated occurring,
through planning
but it may andbeaction,
difficult or there are controls in
review
How the your
does low-tech
agencymethods responsibilities
of stealing
authorize and data.the
control i.required
Methods Listsuch
transfer the control
fordumpster
as
of data? its
ii.execution,
Have
areas
Whatever the
and
yourpolicies
diving and
clearly
arei.often
An
3) effective
processescompliance
state
and
veryprocedures
theprogram
agency’s
i.
requirements
successful.
are, Therebeen
for
position?
is evaluating
formally
an activeadopted
agencywide
the adequacy
for
and
thethe
security
agency
and
technical
effectiveness
program
to easily
controlsthat
rankofachieves
the
security
priority
cost-effective
policies,
of security.
place to help
although if it avoid
occurs, theit will
risk.still have some impact on some of the
document themisclearly.
If your agency and penalty
transferring sensitive data, youspecification?
ii. Document
should consider their
installed?
creatingapplicability—clearly
audit trailsprocedures,
to providelistand
when,
controls.
ii. ITwhere,
confirmation security
of datahow, is an
to integrated
whom, action
transfers. practice
required within
to eliminate
the assetthe (IT greatest
system).risks
areas ofThe decision to assume a risk means accepting the risk as-is, and not implementing any
concern.
8.1. Critical Element: and about whatiii. the
Is procedure
a securityii.applies?
measurement
A mechanismprogramfor
iii. identifying
Security
in place?
vulnerabilities
vulnerabilities
(ongoingfirst.
are
security
revealed
understood
compliance
by security
and managed. incidents or security
measurement) of IT responsibilities
alerts. andiv. define
Threats explicit
are continually
behavior? Likely: Dueand
reevaluated,
policies or procedures
to conditions
controls and
are adapted
to lessenthe
capabilities,
to a
it. This
changing
is likely
risk is often theoccur.
security to
decision in cases where the risk is so minimal and of
environment.
Is there user support? If your agency rarely has the need to transport or mail media or output, then you might not have a formal system to track these High: The limited impact should it occurand that the cost of implementing a mechanism to minimize or reduce it would
transactions. However, if thisway
is done regularly, iv.should
Identify points
iv.have
Has
of contact
amanagement
writtenand
iii.
log Ato
where
process
formally
supplementary
forthese
authorized
reporting
v. Additional information
significant
theand/or
use of themore
security
cansystem?
beExamples of risk
cost-effective
weaknesses willensuring
possible
security
and have serious
weighting: rapidimpacts
alternatives and
are effective
identified without
as theextensive
need arises.
Good
Often labeling is an
media will haveeffective
both an to identify
internal and you
label and track
an found?
external
probably
sensitive physical
label. v. Have
Does items.
the employee remedial
visible external
document
job label
descriptions
action.
transactions.
vi.aCosts
contain been updated
and benefits
brief explanation toofinclude planning
of security
1= are and
security
be
Likely+High+Assume
far greater
action,
responsibilities
measured as
than the agency’s
itsprecisely
consequences
that would concern.
as practicable. be severe.
8.1.1 Is there a help desk or group that offers how the data should be handled? the implemented controls require? vii. Status metrics for the security 2= Possible+Medium+Mitigate
program are established and met.
vi. Have employees been trained on security procedures? 3= Remote+Low+Transfer Mitigate: This is the most common decision to make for identified risks: to implement policies,
advice? The second question
NIST that
SPsimplify
should
800-53 be IR-7
asked is:management
What help isofthe userinsupport group permitted to offer? The range of users that procedures, and other security controls to limit the risk to an acceptable level.
Keeping audit trails could inventory media your agency.
the help desk is designed
NIST SPto800-18help must be clearly defined.
8.2. Critical Element: accept and deal with the risk and/or has the resources necessary to properly mitigate the risk.
Are there media controls? Your

If youagency
don't have
should
thishave
service,
a policy
yourthatagency
covers
should
damaged
consider
media.
using one of the many shredding services. These services are readily
If you NIST
available andSP
sanitize 800-53
are veryfor
media MP-2,as
effective
reuse MP-4
in adestroying data.
cost-cutting measure, have you verified whether the process is effective in removing all data
NIST
from the SP 800-18
media?
8.2.1 Are there processes to ensure that
unauthorized individuals cannot read, copy, alter, or NIST SP 800-53 MP-2, MP-4, MP-5
steal printed or electronic information? NIST SP 800-18
NIST
NIST SP
SP 800-53
800-53 MP-2
AC-15, MP-5
NIST
NIST SP
SP 800-18
800-18
8.2.2 Are there processes for ensuring that only

authorized users pick up, receive, or deliver input
and output information and media?
NIST SP 800-53 MP-3

NIST SP 800-18
8.2.3 Are audit trails used for receipt of sensitive NIST SP 800-18
inputs/outputs?
NIST SP 800-53 MP-2
8.2.4 Are controls in place for transporting or NIST SP 800-18
NIST SP 800-53 MP-6
mailing media or printed output? NIST SP AC-3.4
FISCAM 800-53 MP-4, MP-6
NIST
NIST SP
SP 800-18
800-18
8.2.5 Is there internal/external labeling for
sensitivity?
8.2.6 Is there external labeling with special

handling instructions?
NIST SP 800-53 MP-7
8.2.7 Are audit trails kept for inventory NIST SP 800-18
management?
8.2.8 Are media sanitized for reuse?
8.2.9 Are damaged media stored and/or destroyed?
8.2.10 Are hard-copy media shredded or destroyed

when no longer needed?
NOTES:
A12: The second question that should be asked is: What help is the user support group permitted to offer? The range of users that the help desk is designed to help must be clearly defined.
A15: This awareness of how unauthorized persons can obtain copies of data will derive from the self-assessment process. Be sure to review the low-tech methods of stealing data. Methods such as dumpster diving are often very successful.
A16: How does your agency authorize and control the transfer of data? Whatever your processes are, document them clearly.
A17: If your agency is transferring sensitive data, you should consider creating audit trails to provide confirmation of data transfers.
A18: If your agency rarely has the need to transport or mail media or output, then you might not have a formal system to track these transactions. However, if this is done regularly, you should probably have a written log to document these transactions.
A19: Good labeling is an effective way to identify and track sensitive physical items.
A20: Often media will have both an internal label and an external label. Does the visible external label contain a brief explanation of how the data should be handled?
A21: Keeping audit trails could simplify inventory management of media in your agency.
A22: If you sanitize media for reuse as a cost-cutting measure, have you verified whether the process is effective in removing all data from the media?
A23: Your agency should have a policy that covers damaged media.
A24: If you don't have this service, your agency should consider using one of the many shredding services. These services are readily available and are very effective in destroying data.
B9: NIST SP 800-53 MP-1
B12: NIST SP 800-53 IR-7

NIST SP 800-18
B15: NIST SP 800-53 MP-2, MP-4

NIST SP 800-18
B16: NIST SP 800-53 MP-2, MP-4, MP-5

NIST SP 800-18
B17: NIST SP 800-53 MP-2

NIST SP 800-18
B18: NIST SP 800-53 AC-15, MP-5

NIST SP 800-18
B19: NIST SP 800-53 MP-3

NIST SP 800-18
B20: NIST SP 800-18
B21: NIST SP 800-53 MP-2

NIST SP 800-18
B22: NIST SP 800-53 MP-6

FISCAM AC-3.4
NIST SP 800-18
B23: NIST SP 800-53 MP-4, MP-6

NIST SP 800-18
B24: NIST SP 800-53 MP-7

NIST SP 800-18





9. Contingency Planning This is NIST

your primary
SP 800-53
insurance
CP-2,onCP-9
recovering your operations. During the self-assessment, it
is very FISCAM
importantSC-SC-1.1,
to identify all
3.1the linkages between systems. These linkages will help you
NIST
identifyNIST
relatedSP
SP 800-53
data
800-18 MA-6
in other systems. Having only part of a backup is not a good thing.
FISCAM SC-SC-1.2
Contingency planning involves more than planning for a move offsite after a disaster destroys a facility. It also addresses how to keep an organization’s critical functions operating in
the event of disruptions, large and small. The following questions are organized according to three critical elements. The levels for each of these critical elements should be
determined based on the answers to the subordinate questions.
References
Risk Decisions
L.1 be NIST
Priorities should derived L.2the CP-7
SPduring
800-53 self-assessment L.3phase of the security policy L.4development process. The L.5priorities are set
when management FISCAM Level
reviews the1. Documented
results of Level 2.
Policy
Documented
Level
the self-assessment 3.Procedures
and Implemented
Level
determines the4. Procedures
Tested
risk and
level for Level
theand
Evaluated
5.
Controls
FullyProcedures
agency. Integratedand Procedures
Remote:
Low:
Controls
Theand Avoidance:
risk
The Controls
is
risk Ranking
manageable
probably the risk
Avoidance
will notaccording
through occur
isplanning
often toand
because
used your
for
the
action,
risks
risk and
would
thatthe
have
be difficult
the capacity
to realize,
for negative
SC-SC-1.3 Feedback/
Policy a.Procedures
Does your agency a. Does have
your
a formally
agency
a. Have
Implemented have
documented
the formal,
procedures
a. Iscomplete,
aand
Measuring measurement
and
disseminated
controls
Does
program
been
policy
your
implemented?
in
agency
place have
that routinely
a impacts
fully operational,
evaluates
Description
there are of
generally
solidknown the
comprehensive
categorization,
adequacy
Identified
meansare
recourse.
minimal.
in place Risk
In and
limitsecurity
quantification,
security program
Likelihood
the risk
projects, and
athat
appropriately. tolerance
is an
decision integral
to of
Severity
avoid part
risksof yourTolerance
Risk
often Action
means a decision not Priority
to let your
on that securityprocedures
control? for b. the Are
policies
the following
defined
effectiveness
statements
true? Reassessment
agency’s policies,
culture? procedures, and controls? agencyeach basedinon
put itself thethe likelihood,
situation where severity,
it could and
NIST SP 800-53 CP-1
b. Does the policy b. Dodefine
the procedures:
1) purpose
i. Are theand owners
scope
b. Are
and
of the
the
users
policy,
following
aware
2)b. ofelements
Are
thethesecurity
following
in place?
policies
statements
and procedures?
true? avoid the tolerance levels. This simple weighting allows
Contingency Planning OMB Circular A-130, III Possible:
Medium: The
The risk
risk will
has cause
be of
a chance theofrisk.
through planning
List the control
for its
ii.execution,
Have
areastheandpolicies
and
clearly
i. An
3) compliance
effective
and
stateprocedures
theprogram
agency’s
requirements
i. There
been
for
position?
isformally
evaluating
an active adopted
agencywide
the adequacy
and the security
and
technical
effectiveness
program
controls
for that
the ofagency
achieves
security topolicies,
cost-effective
easily rank thesecurity.
priority of
place to help
occurs, theit will
procedures, listand
when,
controls.
ii. IT
where,
securityhow, is to
anwhom,
integrated practice within the action
asset required
(IT system).
to eliminate the greatest risks
concern.
9.1. Critical Element: and about what iii.the
Is procedure
applies?
iii.identifying
Security
in place?
vulnerabilities
vulnerabilities
(ongoing security
arerevealed
understood
compliance
by security
and first.
managed.
incidents or security
measurement)of IT responsibilities
alerts. andiv.define
Threatsexplicit
are continually Likely: Dueand
behavior? reevaluated,
to conditions
controls are andadapted
to lessenthe
capabilities, it. This
to a changing
is often to
risk security
is likely theoccur.
environment.
Have the most critical and sensitive operations iv. Identify pointsiv. Has
of contact
management
and
iii. Awhere
process
formally
supplementary
forauthorized
reporting
v. Additional
information
the
significant
use
and/or
of the
security
can
more High:
system? The risk
becost-effective
weaknesses
limited
will
security
and
impact
have
ensuring
Examples
should
serious
alternatives
rapid
it occurand
impacts
of possible
and
that
areeffective
identified
the cost
without
weighting:
as theextensive
need arises.
and their supporting computer resources been planning and be far greater
itsLikely+High+Assume
consequences would concern.
be severe.
found? v. Have employee remedial
job descriptions
action. vi.been Costsupdated
and benefits
to include
of security
security areresponsibilities
measured 1=
as precisely
that as practicable.
identified? the implemented controls require? vii. Status metrics for the security program are2= established
and met.
vi. Have employees been trained on security procedures? Mitigate : This is the most common decision to make for identified risks: to implement policies,
9.1.1 Are critical data files and operations
identified and the frequency of file backups Transfer: Transfer the responsibility for a system or the risk itself to another party that can better
documented? accept and deal with the risk and/or has the resources necessary to properly mitigate the risk.
9.1.2 Are resources supporting critical operations
identified?
9.1.3 Has management established and approved
processing priorities? Partbusiness
All of any contingency
and civil agencies
recovery
should
planhave
should
a contingency
call for duplication
recovery
of plan
the recovery
in place for
instructions
their IT systems.
and their storage in multiple places.
During a disaster, your agency should have several options for where to obtain this information.
Has a comprehensive contingency plan been
developed and documented?
NISTNIST SP 800-53
SP 800-53 CP-2CP-2
FISCAM
FISCAM SC 3.1
SC- 3.1
9.2.1 Is the plan approved by key affected parties?
The choice
This is often
not
NIST
aofone
silly
SP
an question.
of
alternate
800-53
the weak
CP-2
processing
The
links
keyintothe
site
disaster
contingency
is critical.
planning
Ifrecovery
the
is "don't
disaster
process.
assume
is local
After
anything"!
to athe
single
backup
Your
building, then
9.2.2 Are responsibilities for recovery assigned? there is FISCAM
recovery
program normally
has
instructions
beenSC-3.1
noinproblem
must
place contain
formoving
a while,
thetolocation
people
the recovery
get
of backups,
lazysite.
and However,
forget
as welltoasmove
ifcodes
there
the
and/or
is backup
a generaltapes
disaster, and
many
passwords
off sitecompanies
as soon
to gainasneed
possession
theyservices,
should.of then
This
the media.
is
having
an area
an that
iron-clad
should contract
have anto automated
deliver services
checkistonecessary.
verify
movement NIST of SP
the800-53
tapes orCP-6,
mediaCP-7off site.
9.2.3 Are there detailed instructions for restoring FISCAM SC-SC-1.1, 3.1
All documentation
Test, Test, Test. The to recover
only wayyour
to catch
operations
theseshould
types of beproblems
stored offissite.
to conduct
A goodfull
contingency
contingency recovery
operations? Contingency planning
NIST should involve all parties that use a system. All parties need to understand their role in
recovery
tests. planSP 800-18
forces a formal documentation process that will ensure that up-to-date
an emergency. With respect to your question, users need to understand what changes occur when the
9.2.4 Is there an alternate processing site? If so, system
is ismanuals
recoveredareinprinted and moved
a contingency off site.
situation.
there a contract or interagency agreement in place?
9.2.5 Is the location of stored backups identified? In any

This question
contingency
NIST isSPformulated
800-53
recovery
CP-6,
CP-9
for
plan,
CP-10a general
CP-7
communication
or regionalis the
disaster.
key. The
The contingency
more remoterecovery
the
recovery
plan should
NIST
site,
include
FISCAM SP
theSC-3.1
800-18
better
the creation
SC-2.1 the chance
of "What
that itdo
willI do
be now"
available
packages
for use.
for each member of the
contingency recovery team. The packages outline the steps each person is expected to
9.2.6 Are backup files created on a prescribed basis perform during a recovery operation.
and rotated off site often enough to avoid disruption
if current files are damaged?
9.2.7 Is system and application documentation
maintained at the off-site location?
9.2.8 Are all system defaults reset after being
restored from a backup? MultipleNIST
copiesSP
of 800-53
the plansCP-6,
should
CP-7,
be SECURED
CP-9 off site in multiple locations and
documented
FISCAM
for each
SC-SC-1.1,
contingency
3.1 recovery team member.
9.2.9 Are the backup storage site and alternative
site geographically removed from the primary site NIST SP 800-53
Test contingency recoveryCP-2
plans annually because of regular changes that occur in most
and physically protected? FISCAM SC-3.1
IT systems.
9.2.10 Has the contingency plan been distributed to
all appropriate personnel? Testing the contingency recovery plan verifies that the plan will work, and also
trains the members of the contingency recovery team.
Are tested contingency/disaster recovery plans in NIST SP 800-53 CP-5, CP-9
place? FISCAM SC-3.1
9.3.1 Is an up-to-date copy of the plan stored NIST SP 800-53 CP-3
securely off site? FISCAM
NIST SC-2.3
SP 800-53 CP-4, CP-5
NISTSC-3.1
FISCAM SP 800-18
9.3.2 Are employees trained in their roles and NIST SP 800-18
responsibilities?
9.3.3 Is the plan periodically tested and readjusted,
as appropriate?
NOTES:
A12: This is your primary insurance on recovering your operations. During the self-assessment, it is very important to identify all the linkages between systems. These linkages will help you identify related data in other systems. Having only part of a backup is not a good thing.
A14: Priorities should be derived during the self-assessment phase of the security policy development process. The priorities are set when management reviews the results of the self-assessment and determines the risk level for the agency.
A16: All business and civil agencies should have a contingency recovery plan in place for their IT systems.
A17: Contingency planning should involve all parties that use a system. All parties need to understand their role in an emergency. With respect to your question, users need to understand what changes occur when the system is recovered in a contingency situation.
A19: Part of any contingency recovery plan should call for duplication of the recovery instructions and their storage in multiple places. During a disaster, your agency should have several options for where to obtain this information.
A20: The choice of an alternate processing site is critical. If the disaster is local to a single building, then there is normally no problem moving to the recovery site. However, if there is a general disaster, and many companies need services, then having an iron-clad contract to deliver services is necessary.
A21: This is not a silly question. The key to disaster planning is "don't assume anything"! Your recovery instructions must contain the location of backups, as well as codes and/or passwords to gain possession of the media.
A22: This is often one of the weak links in the contingency recovery process. After the backup program has been in place for a while, people get lazy and forget to move the backup tapes off site as soon as they should. This is an area that should have an automated check to verify movement of the tapes or media off site.
A23: All documentation to recover your operations should be stored off site. A good contingency recovery plan forces a formal documentation process that will ensure that up-to-date manuals are printed and moved off site.
A24: Test, Test, Test. The only way to catch these types of problems is to conduct full contingency recovery tests.
A25: This question is formulated for a general or regional disaster. The more remote the recovery site, the better the chance that it will be available for use.
A26: In any contingency recovery plan, communication is the key. The contingency recovery plan should include the creation of "What do I do now" packages for each member of the contingency recovery team. The packages outline the steps each person is expected to perform during a recovery operation.
A29: Multiple copies of the plans should be SECURED off site in multiple locations and documented for each contingency recovery team member.
A30: Testing the contingency recovery plan verifies that the plan will work, and also trains the members of the contingency recovery team.
A31: Test contingency recovery plans annually because of regular changes that occur in most IT systems.
B9: NIST SP 800-53 CP-1

B12: NIST SP 800-53 CP-2, CP-9

FISCAM SC-SC-1.1, 3.1
NIST SP 800-18
B13: NIST SP 800-53 MA-6

FISCAM SC-SC-1.2
B14: NIST SP 800-53 CP-7

FISCAM SC-SC-1.3
B17: NIST SP 800-53 CP-2

FISCAM SC- 3.1
B18: NIST SP 800-53 CP-2

FISCAM SC 3.1
B19: NIST SP 800-53 CP-2

FISCAM SC-3.1
B20: NIST SP 800-53 CP-6, CP-7

NIST SP 800-18
B21: NIST SP 800-53 CP-6, CP-7

NIST SP 800-18
B22: NIST SP 800-53 CP-9

FISCAM SC-2.1
B23: NIST SP 800-53 CP-6, CP-7

FISCAM SC-2.1
B24: NIST SP 800-53 CP-10

FISCAM SC-3.1
B25: NIST SP 800-53 CP-6, CP-7, CP-9

B26: NIST SP 800-53 CP-2

FISCAM SC-3.1
B29: NIST SP 800-53 CP-5, CP-9

FISCAM SC-3.1
B30: NIST SP 800-53 CP-3

FISCAM SC-2.3
NIST SP 800-18
B31: NIST SP 800-53 CP-4, CP-5

FISCAM SC-3.1
NIST SP 800-18




I8: Remote: The risk probably will not occur because the risk would be difficult to realize, or there are solid means in place limit the risk appropriately.

10. Hardware and System Software Maintenance
These are controls used to monitor the installation of, and updates to, hardware and software to ensure that the system functions as expected and that a historical record
is maintained of changes. Some of these controls are also covered in the Life Cycle section. The following questions are organized according to three critical elements.
The levels for each of these critical elements should be determined based on the answers to the subordinate questions.
Controlling access to program libraries simply avoids problems. You want your users not to have to worry about inadvertently
References
doing something that adversely impacts the system.
Risk Decisions
L.1 L.2 L.3 L.4 L.5
While there should always be some procedures
Level forLevel
on-site2.Policy
1. Documented and off-site
Documented maintenance,
Level 3.Procedures the nature
Implemented
Level of your
4.Procedures
Tested data
and
Leveland is the
Evaluated determining
5.Controls
Fully Integrated
ProceduresProcedures
and Controls Remote:
and The risk probably will not
theoccur because the risk would be difficult to realize, or
Low:Controls Avoidance:
The risk is manageable Ranking
Avoidance
through risk according
isplanning
often used to risks
andfor your
action, and
thatthe
have the capacity for negative impact, but have little
factor. Policy Procedures a. DoesImplemented
your agency
a. Does have
your aMeasuring
agency
formally
a. Have have
documenteda. Feedback/
theformal,
procedures
Iscomplete,
aand
measurement
and
disseminated
controls
and
a. Does
well-documented
program
been
policy
your implemented?
agency
in place
Description have
of thataroutinely there are
fully operational,
Identified evaluates
Risk solid means inand
impactscomprehensive
the adequacy
Likelihood
generally
known are
place
securityto limit thequantification,
categorization,
In program
Severity
recourse.
minimal.
risk is
that
Risk
security projects,
appropriately.
anaintegral
Tolerance andpart
decision tolerance
of your
toAction
avoid Priority
risks often means a decision not to let your
This is part of the security assessment andsecurity
control
control? development
for b.
theAreprocess.
policies TheReassessment
the following
defined security
effectiveness controls
statements
at level 1? should not
of agency’s
security
true? be easily
policies,
culture? procedures, and controls? agency put itself of each based
in the on thewhere
situation likelihood, severity,
it could andrisk. Therefore, your decision would also be to
incur the
circumvented by simpleNIST SP 800-53
changes to the MA-1
operating system or application. true? Possible: The risk has atolerance
chance
Hardware and System Software Maintenance b. Does the policy
OMB Circular A-130
b. Do define
the procedures:
1) purpose
i. Are theand owners
scopeb. Are
and
of thethe
users
policy,
following
aware
b.
2)Areof
elements
the security
following
in place?
policies
statements
and procedures?
Medium: avoid
The riskthe cause
will of theoflevels.
be mitigated
occurring,
risk. but it may
This simple be difficult
weighting
through planning and action,
allowsor there are controls in
place to help avoid the risk.
System utilities often can be used responsibilities
to access data and i.required
List the security
bypass control
Have
areasthe
controls.and policies
and
clearly
You i. An
3) compliance
should effective
and
state procedures
theprogram
evaluate agency’s
i.requirements
the There
need beenfor
position?
issystem
for an
formally
evaluating
active adopted
agencywide
the adequacy
utilities and security
theand
technical
effectiveness
program
controls
that of
achieves
securityfor
cost-effective
policies,
the agency to security.
easily rank the priority of
although if it occurs, it will still have some impact on some of the
procedures, listand
when,
ii.
controls.
ITwhere,
security how,
is antointegrated
whom, practice within the asset (IT system). action required to eliminate the greatest risks
access in the production environment. more importantAssume:
areas of The decision to assume a risk means accepting the risk as-is, and not implementing any
concern.
10.1. Critical Element: and about whatiii.the Is procedure
applies?
forSecurity
identifying
in place?
vulnerabilities
vulnerabilities
revealed Likely:
understood
compliance
by security
and Due
managed.
incidents
policies
or first.
to conditions security
and capabilities,
or procedures to lessenthe risk is
it. This is likely to occur.
often the decision in cases where the risk is so minimal and of
alerts. and
iv. define
Threatsexplicit
are continually
behavior?reevaluated, and controls are adapted to a changing security environment.
Is access limited to system software and If an agency had unlimited funds, this would be a nonissue. However, hardware and software would not normally be tested in High: The limited
risk will impact
have should
serious it occurand
impacts that the cost
extensive
of contact
management
and
iii. Awhere
process
formally
supplementary
forauthorized
v.
reporting
the
significant
and/or
use of more
the
security
can
system?
be
cost-effective
weaknesses security
and ensuring
alternatives
rapid are
and
Examples
identified
effectiveof possible
as the need weighting:
arises.
hardware? this fashion except for the more complex or sensitive IT systems. planning andbe far greater
action, its than the agency’s
be severe.
found? v. Have employee remedial
job descriptions
action.vi. Costsbeen and updated
benefits
to include
of security
security
are measured
responsibilities
as precisely
that as practicable.
the implemented controls require? vii. Status metrics for the security program are established and2= met.
The basic issue is risk. Management simply needs to understand and accept the risk associated by not conducting this testing. Mitigate: This is the most common decision to make for identified risks: to implement policies,
NIST SP 800-53 CM-5, MA-2, MA-4, MA-5 vi. Have employees been trained on security procedures? 3= Remote+Low+Transfer
Whatever
System youroften
personnel answer,
havethe only authority
broad thing thatand
matters
accessis to
that management
systems. is aware
You should know ofthe
andbackground
accepts theofrisks
the associated
people whowith have the procedures, and other security controls to limit the risk to an acceptable level.
10.1.1 Are restrictions in place on who performs OMB Circular A-130, III
decision.
these rights. You should also consider controls to track what they do as they perform maintenance and repair activities.
maintenance and repair activities? FISCAM SS-3.1
NIST SP 800-18 Transfer: Transfer the responsibility for a system or the risk itself to another party that can better
NIST SP 800-53 AC-3, MA-4
10.1.2 Is access to all program libraries restricted FISCAM CC-3.2, 3.3
and controlled? All changes,
This especially
should NIST
be part to security
SPof800-53
your controls,
MA-2,
agency's MA-3,need
standard MA-5to beimplementation
system thought throughprocedures.
before they are implemented.
Communication
System specifications
NIST
NIST is SP
SP
the800-18
800-53
should
key. Requests
be
CM-5
as explicit
for changes
as possible
should
andbeapproved
documented
by management
and acceptedbefore the system before
by management is purchased
they are
or built.
Creating good
implemented. test data
FISCAM is very difficult. Processing a copy of production data is good, but usually will not exercise the application
SS-1.2
SS-3.1
10.1.3 Are there on-site and off-site maintenance completely.
procedures (e.g., escort of maintenance personnel,
sanitization of devices removed from the site)?
10.1.4 Is the operating system configured to

prevent circumvention of the security software and If the security controls can be set to different levels of control, then management must make the decision as to what settings are
application controls? to be used. The most restrictive mode is not necessarily the one management will select.
Version
This
Regardless
Emergency
This question
usually
is control
one of
NIST
change
relates
applies
whether
NIST
of
NIST is also
the SPprocedures,
to800-53
800-53
NIST
SP
SP
majorto
original
sometimes
you
situations
800-53
SP are
costs CM-3
CM-4
source
using
while
800-53 awhere
CM-3
of
CA-7,
CM-6
CM-2 difficult
electronic
media
necessary,
SA-11
maintaining
CM-4, there
issue.
andis
MA-2ordocumentation.
need
more
manual
In the
to
a contingencythan
be
best
software
one
designed
situation,
production
recovery distribution,
carefully
(CR) you location.
should
plan. so
management
ITthe
have
The
change
systemsstrong
goalshould
can
are ischanged
controls
to
bekeep
document
backed
to
the
all limit
out,
organization
the and
the
if necessary.
time.approve
ability
These in
ofthese
sync
10.1.5 Are up-to-date procedures in place for using with each
users
activities.
changesto use
other
FISCAM
older
bewhen
FISCAM
must
NIST
PSN
FISCAM or SS-3.1
SS-3.1,
SS-3.1
newer
NIST the
SPnew
CC-1.2
Security
reflected
SP 800-18 versions
3.2,
system
in800-18
Assessment
your CC-2.1
CRofplans
isa Guidelines
moved
specificinto
software
as quickly production.
product.
as possible. This
Thequestion also for
procedures applies to distribution
making of utilities,
software changes such as
or applying
and monitoring the use of system utilities? Microsoft
maintenance Word.
NIST
NIST Essentially,
shouldSP 800-18
SPinclude
800-18 you wantthe
updating all CR
employees
plans asusing thethe
part of same level of software at the same time.
process.
Businesses and agencies should use only lawfully licensed software. If you permit your employees to use personally owned
NIST
software, what SP 800-53
happens when CM-3
that employee leaves? Would you have to purchase a copy of the software to access the work
10.2. Critical Element: NISTwith
product created SP 800-18
NIST SP that 800-53software?
CM-2, MP-3
Are all new and revised hardware and software FISCAM SS-3.1
authorized, tested, and approved before
implementation?
10.2.1 Is an impact analysis conducted to

determine the effect of proposed changes on
existing security controls, including the required
training needed to implement the control?
10.2.2 Are system components tested, documented,

and approved (operating system, utility,
applications) before promoted to production?
NIST SP 800-53 CM-3, SA-6, SA-7
FISCAM SS-3.1
10.2.3 Are software change request forms used to
document requests and related approvals?
NIST SP 800-53 CM-6CM-3 SA-6
CP-5
AC-20,
FISCAM
NIST SP SC-2.1
SS-3.1
800-18
Networks needNISTto SP 800-18
be protected
800-53 CM-7,
because
RA-5
they often connect to the Internet. Unnecessary services should be disabled in the
10.2.4 Are detailed system specifications prepared
firewall or routers
NIST SPto protect
800-18the interior environment. In the mainframe arena, minimizing supervisor calls helps stabilize the
and reviewed by management? application and reduces overhead.
The application owner

NIST should ensure that
SP 800-53 SI-2available maintenance is tested and then applied on a regular basis. Researching for
systems vulnerabilities
NIST does
SP take time, but when these vulnerabilities are identified they can help specify what changes are
800-18
10.2.5 Is the type of test data to be used specified, needed in the system to avoid the problem.
i.e., live or made up?
10.2.6 Are settings of security features set to the

most restrictive mode?
10.2.7 Are software distribution implementation

orders, including the effective date, provided to all
locations?
10.2.8 Is there version control?

systems vulnerabilities
NIST does
SP take time, but when these vulnerabilities are identified they can help specify what changes are
800-18
needed in the system to avoid the problem.
10.2.9 Are programs labeled and inventoried?
10.2.10 Are the distribution and implementation of

new or revised software documented and reviewed?
10.2.11 Are emergency change procedures

documented and approved by management, either
prior to the change or after the fact?
10.2.12 Are contingency plans and other associated

documentation updated to reflect system changes?
10.2.13 Is the use of copyrighted software or

shareware and personally owned
software/equipment documented?
10.3. Are systems managed to reduce

vulnerabilities?
10.3.1 Are systems periodically reviewed to

identify and, when possible, eliminate unnecessary
services (e.g., FTP, HTTP, mainframe supervisor
calls)?
10.3.2 Are systems periodically reviewed for

known vulnerabilities and are software patches
promptly installed?
NOTES:
A12: System personnel often have broad authority and access to systems. You should know the background of the people who have these rights. You should also consider controls to track what they do as they perform maintenance and repair activities.
A13: Controlling access to program libraries simply avoids problems. You want your users not to have to worry about inadvertently doing something that adversely impacts the system.
A14: While there should always be some procedures for on-site and off-site maintenance, the nature of your data is the determining factor.
A15: This is part of the security assessment and security control development process. The security controls should not be easily circumvented by simple changes to the operating system or application.
A16: System utilities often can be used to access data and bypass security controls. You should evaluate the need for system utilities access in the production environment.
A18: If an agency had unlimited funds, this would be a nonissue. However, hardware and software would not normally be tested in this fashion except for the more complex or sensitive IT systems.
The basic issue is risk. Management simply needs to understand and accept the risk associated by not conducting this testing. Whatever your answer, the only thing that matters is that management is aware of and accepts the risks associated with the decision.
A19: All changes, especially to security controls, need to be thought through before they are implemented.
A20: This should be part of your agency's standard system implementation procedures.
A21: Communication is the key. Requests for changes should be documented and accepted by management before they are implemented.
A22: System specifications should be as explicit as possible and approved by management before the system is purchased or built.
A23: Creating good test data is very difficult. Processing a copy of production data is good, but usually will not exercise the application completely.
A24: If the security controls can be set to different levels of control, then management must make the decision as to what settings are to be used. The most restrictive mode is not necessarily the one management will select.
A25: This question applies to situations where there is more than one production location. The goal is to keep the organization in sync with each other when the new system is moved into production. This question also applies to distribution of utilities, such as Microsoft Word. Essentially, you want all employees using the same level of software at the same time.
A26: Version control is also sometimes a difficult issue. In the best situation, you should have strong controls to limit the ability of users to use older or newer versions of a specific software product.
A27: This usually relates to original source media and documentation.
A28: Regardless of whether you are using electronic or manual software distribution, management should document and approve these activities.
A29: Emergency change procedures, while necessary, need to be designed carefully so the change can be backed out, if necessary.
A30: This is one of the major costs of maintaining a contingency recovery (CR) plan. IT systems are changed all the time. These changes must be reflected in your CR plans as quickly as possible. The procedures for making software changes or applying maintenance should include updating the CR plans as part of the process.
A31: Businesses and agencies should use only lawfully licensed software. If you permit your employees to use personally owned software, what happens when that employee leaves? Would you have to purchase a copy of the software to access the work product created with that software?
A33: Networks need to be protected because they often connect to the Internet. Unnecessary services should be disabled in the firewall or routers to protect the interior environment. In the mainframe arena, minimizing supervisor calls helps stabilize the application and reduces overhead.
A34: The application owner should ensure that available maintenance is tested and then applied on a regular basis. Researching for systems vulnerabilities does take time, but when these vulnerabilities are identified they can help specify what changes are needed in the system to avoid the problem.
B9: NIST SP 800-53 MA-1

OMB Circular A-130
B12: NIST SP 800-53 CM-5, MA-2, MA-4, MA-5

FISCAM SS-3.1
NIST SP 800-18
B13: NIST SP 800-53 AC-3, MA-4

FISCAM CC-3.2, 3.3
B14: NIST SP 800-53 MA-2, MA-3, MA-5

NIST SP 800-18
B15: NIST SP 800-53 CM-5

FISCAM SS-1.2
B16: NIST SP 800-53 CM-5

FISCAM SS-3.1
B19: NIST SP 800-53 CA-7, CM-4, MA-2

NIST SP 800-18
B20: NIST SP 800-53 CM-3

FISCAM SS-3.1, 3.2, CC-2.1
NIST SP 800-18
B21: NIST SP 800-53 CM-3

FISCAM CC-1.2
NIST SP 800-18
B22: NIST SP 800-53 CM-4

FISCAM SS-3.1
B23: NIST SP 800-53 SA-11

NIST SP 800-18
B24: NIST SP 800-53 CM-6

PSN Security Assessment Guidelines
B25: NIST SP 800-53 CM-2

FISCAM SS-3.1
B26: NIST SP 800-53 CM-3

NIST SP 800-18
B27: NIST SP 800-53 CM-2, MP-3
FISCAM SS-3.1
B28: NIST SP 800-53 CM-3, SA-6, SA-7

FISCAM SS-3.1
B29: NIST SP 800-53 CM-3

FISCAM SS-3.1
B30: NIST SP 800-53 CP-5

FISCAM SC-2.1
NIST SP 800-18
B31: NIST SP 800-53 AC-20, SA-6

NIST SP 800-18
B32: NIST SP 800-53 CM-6
B33: NIST SP 800-53 CM-7, RA-5

NIST SP 800-18
B34: NIST SP 800-53 SI-2

NIST SP 800-18





K8: Avoidance: Avoidance is often used for risks that have the capacity for negative impact, but have little known recourse. In security projects, a decision to avoid risks often means a decision not to let your agency put itself in the situation where it could incur the risk. Therefore, your decision would also be to avoid the cause of the
risk.
Assume: The decision to assume a risk means accepting the risk as-is, and not implementing any policies or procedures to lessen it. This is often the decision in cases where the risk is so minimal and of limited impact should it occur that the cost of implementing a mechanism to minimize or reduce it would be far greater than the
agency’s concern.

11. Data Integrity
Data integrity controls are used to protect data from accidental or malicious alteration or destruction and to provide assurance to the user the information meets expectations
about its quality and integrity. The following questions are organized according to two critical elements. The levels for each of these critical elements should be determined based
on the answers to the subordinate questions.
References
Risk Decisions
L.1 L.2 L.3 L.4 L.5
Level 1. Documented Level Policy
2. Documented Level Procedures
3. ImplementedLevel 4. Procedures
Tested and andEvaluated
Level
Controls 5. Fully
Procedures
Integrated
and Controls
ProceduresRemote:
Low:andThe
Controls
Avoidance:
risk
The is
risk Ranking
manageable
probably the risk
Avoidance
will notaccording
through occur
isplanning
often toand
because
used your
for
the
action,
risks
risk and
would
thatthehave
be difficult
the capacity
to realize,
for negative
The difficulty is detecting the inappropriate or unusual
a. Does your activity.
agencya. DoesAssuming
have your the activity
a formally
agency canformal,
documented
have
a. Have
Feedback/
bethe
detected
and a.inIs
procedures
complete, your
disseminated system,
a and
measurement
and personnel
well-documented
controls
policy been
program
a. Does
implemented?
your
in Identified
place
agency
thathave
routinely
Policy Procedures Implemented Measuring Description of Riska fullyevaluates
operational,
the
Likelihood
there
impactsare adequacy
comprehensive
generally
solidknown
means categorization,
are and security
inSeverity
recourse.
minimal.
place In quantification,
program
to security
limit the riskthat
Risk and
is
a an
Tolerance
projects, tolerance
integral
appropriately.
decision to part
of ofrisks
Action
avoid your
Priority
often means a decision not to let your
need to be authorized to look into the on problem and resolve
that security it.
control?
procedures for the policies Reassessment
b. Aredefined
the following
at effectiveness
level statements
1? oftrue?
securityagency’s
policies,culture?
procedures, and controls? agencyeach basedinon
put itself the
the likelihood,
situation whereseverity,
it couldandincur the risk. Therefore, your decision would also be to
Data Integrity This is more a data integrity design issue. There
b. Does theare a number
policy b. Doofthe
define mechanisms
1) procedures:
purpose and thati. can
Arebe
scope theused
of thetopolicy,
owners check
b.andArefor
2) datafollowing
users
the integrity.
aware They
ofelements
the
b. Are
security
thein following
place?
policies and
statements
procedures?
Password policy concerning the structure of the password should be automatically enforced when a password is first entered or
should be deployed, as required, to meet management'srequired
goal for data integrity.
Possible: The
Medium: avoid
The riskthe
risk will
has cause
be of
a chance theofrisk.
through planning
but it may and beaction,
responsibilities i. List the
for control
its execution,
areasii. and
Have
andclearly
3)
thecompliance
policies
state
i. An the
and
effective
requirements
agency’s
procedures
program
position?
beeni. for
There
formally
evaluating
is anadopted
active
the agencywide
adequacy
and the technical
andsecurity
effectiveness
controls
program ofthat
security
forachieves
the policies,
agencycost-effective
to easily ranksecurity.
the priority of
changed. place to help
occurs, the it will
ii. Document their applicability—clearly
installed? procedures,
list when, where,
and controls.
how,
ii. ITtosecurity
whom, is an integrated practice within the asset action
(IT system).
required to eliminate the greatest risks
concern.
11.1. Critical Element: and about what the procedure iii. Is a security
applies?measurement
ii. A mechanism program
for identifying
iii.
inSecurity
place?vulnerabilities
(ongoing
vulnerabilities
security
revealed
are
compliance
understood
by security
and incidents
managed.first.
or security
Likely:andDue
to conditions to lessenthe
and capabilities, it. This is likely
risk is often to
theoccur.
Is virus detection and elimination software This is a risk issue that management needs to approve. If iii. List the assignment
management agrees, thenmeasurement)
programs and/or alerts. and define
procedures need toexplicit
be iv. Threats
behavior? are continually reevaluated,
High: The
controls
limited
risk will
are adapted
impact
have
to a changing
should
serious it occurand
impacts that
security
the cost
without
environment.
extensive
Intrusion detection is a complex topic. If intrusion-detection system (IDS) toolsof
arecontact
installed at your agency, they should be asv. Additional
installed and activated? developed to look for and find evidence of data tampering,iv. Identify
errors, points
and omissions. iv. Has management
and where iii.supplementary
A formally
process for
authorized
reporting
informationthe
significant
usecanofbe
and/or
thesecurity
system?
more weaknesses
cost-effective
andsecurity
planning
ensuring
be
andthat
alternatives
rapid
Examples
far greater
action,
and effective
are
of possible
identified
than the agency’s
weighting:
as the need arises.
would concern.
automated as possible. An alternative would be to outsource the IDS function to a v.
found? third
Haveparty. Theseremedial
employee companies are muchbeen
job descriptions
action. more
vi.updated
Costs and to benefits
include security
of security
responsibilities
are measured 1=itsLikely+High+Assume
as precisely consequences
efficient in monitoring and detecting intrusions into your network. the implemented controls require? vii. Status metrics for the security program are established 2= Possible+Medium+Mitigate
and met.
vi. Have employees Mitigate : This is the most common decision to make for identified risks: to implement policies,
When this self-assessment
NIST SP 800-53
list was first
SI-1,created,
SI-3 spyware and adware were not issues. But they have nowbeen trained on security procedures? 3= Remote+Low+Transfer
11.1.1 Are virus signature files routinely updated? become serious issues
NIST and
SP 800-16
you should understand the risks and be prepared to deal with them.
Every agency should have some form of antivirus, antispyware, and antiadware installed on all workstations.
11.2. Critical Element: The
The IDS function
control shouldbe
files should beupdated
done byregularly.
professionals and they should supply the reports. Few agencies have the technical depth to accept and deal with the risk and/or has the resources necessary to properly mitigate the risk.
NIST SP
provide the monitoring 800-53
level SI-3
required to be effective in this arena. The reports should be reviewed and handled quickly.
Are data integrity and validation controls used
to provide assurance that the information has The decision to monitor system logs in real time is related to the criticality of the application. Real-time monitoring takes
not been altered and that the system functions as resources and should be a cost-effective use of agency funds.
intended? NIST SP 800-53 AC-13, SI-2, SI-6
NIST
FISCAMSP 800-53 IA-1
NIST SP SS-2.2
800-53 SC-8, SI-7, MA-3
NIST SP 800-18
11.2.1 Are reconciliation routines used by NIST SP 800-18
NIST SP 800-53 SC-8, SI-6, SI-7
applications, i.e., checksums, hash totals, record NIST SP 800-18
counts?
NIST SP 800-53 SI-4
NIST SP 800-53 SI-2
SI-4
NIST SP 800-18
11.2.2 Is inappropriate or unusual activity reported, NIST SP 800-18
investigated, and appropriate actions taken? NIST SP 800-53 CA-4
NIST SP 800-18
11.2.3 Are procedures in place to determine

compliance with password policies?
11.2.4 Are integrity verification programs used by

applications to look for evidence of data tampering,
errors, and omissions?
11.2.5 Are intrusion-detection tools installed on the

system?
11.2.6 Are the intrusion-detection reports routinely

reviewed and suspected incidents handled
accordingly?
11.2.7 Is system performance monitoring used to

analyze system performance logs in real time to
look for availability problems, including active
attacks?
11.2.8 Is penetration testing performed on the

system?
NOTES:
The issue involved here is the level of risk that management is willing to accept. Penetration testing takes
time and money. If management is willing to forego the information that could be obtained by a pen-test,
then that is its decision.
The issue involved here is the level of risk that management is willing to accept. Penetration testing takes
time and money. If management is willing to forego the information that could be obtained by a pen-test,
then that is its decision.
A12: When this self-assessment list was first created, spyware and adware were not issues. But they have now become serious issues and you should understand the risks and be prepared to deal with them.
Every agency should have some form of antivirus, antispyware, and antiadware installed on all workstations. The control files should be updated regularly.
A15: This is more a data integrity design issue. There are a number of mechanisms that can be used to check for data integrity. They should be deployed, as required, to meet management's goal for data integrity.
A16: The difficulty is detecting the inappropriate or unusual activity. Assuming the activity can be detected in your system, personnel need to be authorized to look into the problem and resolve it.
A17: Password policy concerning the structure of the password should be automatically enforced when a password is first entered or changed.
A18: This is a risk issue that management needs to approve. If management agrees, then programs and/or procedures need to be developed to look for and find evidence of data tampering, errors, and omissions.
A19: Intrusion detection is a complex topic. If intrusion-detection system (IDS) tools are installed at your agency, they should be as automated as possible. An alternative would be to outsource the IDS function to a third party. These companies are much more efficient in monitoring and detecting intrusions into your network.
A20: The IDS function should be done by professionals and they should supply the reports. Few agencies have the technical depth to provide the monitoring level required to be effective in this arena. The reports should be reviewed and handled quickly.
A21: The decision to monitor system logs in real time is related to the criticality of the application. Real-time monitoring takes resources and should be a cost-effective use of agency funds.
A22: The issue involved here is the level of risk that management is willing to accept. Penetration testing takes time and money. If management is willing to forego the information that could be obtained by a pen-test, then that is its decision.
B12: NIST SP 800-53 SI-1, SI-3

NIST SP 800-16
B13: NIST SP 800-53 SI-3
B15: NIST SP 800-53 SC-8, SI-6, SI-7

NIST SP 800-18
B16: NIST SP 800-53 AC-13, SI-2, SI-6

FISCAM SS-2.2
B17: NIST SP 800-53 IA-1

NIST SP 800-18
B18: NIST SP 800-53 SC-8, SI-7, MA-3

NIST SP 800-18
B19: NIST SP 800-53 SI-4

NIST SP 800-18
B20: NIST SP 800-53 SI-4

NIST SP 800-18
B21: NIST SP 800-53 SI-2

NIST SP 800-18
B22: NIST SP 800-53 CA-4

NIST SP 800-18





of the risk.

12. Documentation
The documentation contains descriptions of the hardware, software, policies, standards, procedures, and approvals related to the system and formalizes the system’s security
controls. When answering whether there are procedures for each control objective, the question should be phrased as follows: “Are there procedures for ensuring the
documentation is obtained and maintained?” The following questions are organized according to two critical elements. The levels for each of these critical elements should be
determined based on the answers to the subordinate questions.
References
Hardware documentation is generally available via PDF downloads from the Internet. Each agency should consider a common Risk Decisions
library for systems documentation.
L.1 L.2 L.3 L.4 L.5
The documentation for in-houseLevel 1. applications
DocumentedLevelshould
2.
Policy
Documented
be created
Level and
3.Procedures
updated
Implemented
Level
not only4.Procedures
Tested
for the users
and
Level and
Evaluated
of5.
the
Controls
Fully
system,Integrated
Procedures
but also for
Procedures
and Controls and Controls Low:
Remote:The riskAvoidance:
The is
risk Ranking
manageable
probably the risk
Avoidance
will notaccording
through occur
isplanning
often toand
because
used your
for
the
action,
risks
risk and
would
thatthehave
be difficult
the capacity
to realize,
for negative
contingency recovery planning.
a. Does your agency a.Implemented
Doeshave
youra formally
agency
a. Have have
documented
theformal,
procedures
a. Iscomplete,
a
and Feedback/
measurement
and
disseminated
controls
and
a. Does
well-documented
program
been
policy
your implemented?
agency
in place have
thataroutinely
fully operational,
Policy
Your agency should develop
Procedures Measuring Description of evaluates
comprehensive
Identifiedthe adequacy
Risk and
security
there aregenerally
impacts solid
known
Likelihood program
means categorization,
are
recourse.
minimal.
in placethat
In issecurity
limit an
quantification,
Severity integral
the risk part
projects, and
of
appropriately.
Risk your
tolerance
a decision
Tolerance of
to avoid risks oftenPriority
Action means a decision not to let your
on testing plans for
that security large hardware
procedures
control? for b.
theacquisitions.
Arepolicies A effectiveness
the following majorstatements
defined problem
at to agency’s
1?
of be
levelReassessmentaware policies,
security
true? of is something
culture? called and controls?
procedures, agencyeach basedinon
put itself thethe likelihood,
situation where severity,
it couldandincur the risk. Therefore, your decision would also be to
OMB Circular
"level creep." Level creep A-130,
b.occurs
Does III
in chip
the manufacturing.
policy
b. Do define Changes
the procedures:
1) purpose
i. Are the or
and minor
owners
scoperevisions
b. Are
of
andthe are
the
users often
policy,
following
aware
2)
b.introduced
Are
of
elements
the in the
the securityin chip
following production
place?
policies
statements
and procedures?
Documentation line with minimal notification to end users.i.required
If you obtain aii.
test unit the
for Possible: The
Medium: avoid
The risk the
risk willcause
has be of
a chance the
mitigated risk.
of occurring,
through planning
responsibilities List the control
for its execution,
Have
areas andevaluation,
policies
and
clearly
i. An be procedures
sure
3) compliance
effective
and
state thethat trulybeen
program
agency’s identical
i.requirements
There for
position?
is an units can
formally
evaluating
active be adequacy
adopted
agencywide
the and security
theand
technical
effectiveness
program
controls
thatofachieves
securitycost-effective
policies,for the agency
security. to easily rank the priority of
purchased when you haveand successfully place to help
occurs, theit will
penalty completed
specification? your testing
ii. Document their program.
installed?
procedures, listand
when,
ii.
controls.
ITwhere,
security how,
is antointegrated
whom, practice within the asset (IT system). action required to eliminate the greatest risks
concern.
and about whatiii.the Is procedure
applies?
forSecurity
identifying
in place?
vulnerabilities
vulnerabilities
revealed
understood
compliance
by security
and managed.
12.1. Critical Element: User manuals
This question should
can be a ismajor be available
problem and cover
for software all aspects of each job function. Likely: Due policies
to or
conditions procedures
and to lessen
capabilities, it.
the This
risk is
is often
likely the
to decision in cases where the risk is so minimal and of
occur.
The reasonably simple. Could distribution.
aiii.person,
List the Thethe
using software
assignment
measurement)
availabledrivers
of for one level
IT responsibilities
alerts.
documentation, of chips
accessand
iv. mayrun
define
Threats
and/or not workcontinually
explicit
are
the with later revised
behavior? reevaluated, and controls are adapted to a changing security environment.
Is there sufficient documentation that explains chips. This
system? problem
While would force you
the development to maintain
of documentation two
iv. Identify orpoints
more
iv. versions
specificationsHas
ofoccurred
contact of your
management iii. software
and
prior Awhere
toprocess
this distribution
formally
supplementary
forauthorized
question,v. prototype.
reporting
Additional
this information
the
significant
question and/or
use of more
the
security
cansystem?
be
cost-effective
weaknesses security High:
and ensuring Theare
alternatives
rapid and
limited
risk impact
willExamples
have
identified
effective
should
asserious
theofneed
it occurand
impacts
possiblearises.
that the cost
without
weighting:
extensive
planning be far greater than the agency’s would concern.
how software/hardware is to be used? is simply asking if the documentation effortfound? was successful.v. Have employee remedial
job descriptions
action.vi. Costs been andupdatedbenefits
to include
of security
security
are measured
responsibilities that asand
as precisely action,
practicable. 1=itsLikely+High+Assume
consequences be severe.
the implemented controls require? vii. Status metrics for the security program are established and met. 2= Possible+Medium+Mitigate
12.1.1 Is there vendor-supplied documentation of vi. Have employees been trained on security procedures? Mitigate : This is the most common decision to make for identified risks: to implement policies,
NISThave
Most vendors SP 800-53 SA-5 of their documentation available. The issue is generally maintaining copies of older versions of
PDF versions procedures, and other security controls to limit the risk to an acceptable level.
purchased software? NIST SP 800-18
the documentation. Not all vendors keep older documentation available online.
Do written backup procedures exist? They are normally developed and refined as part of the contingency recovery process.
The previous contingency section dealt with the creation of the emergency procedures. This question is Transfer: Transfer the responsibility for a system or the risk itself to another party that can better
12.1.2 Is there vendor-supplied documentation of accept and deal with the risk and/or has the resources necessary to properly mitigate the risk.
asking if the procedures are stand-alone and can be effectively used by themselves. Again, this is addressing
purchased hardware? NIST SP
the quality 800-53
of the result,SA-5
not necessarily its existence.
NISTifSP
You should determine this800-18
NIST SP 800-53
documentation SA-5 This information may indicate that your system is exposed
exists.
12.1.3 Is there application documentation for in-to outside risk. This question NIST SP important
is also 800-18 for contingency planning activities or determining if there is
house applications? outside access to NIST
a systemSP 800-53
or server.AC-8, CM-2
Contingency
NISTplanning800-18
is part of business resumption planning. Each agency should have a business continuity plan in place.
NIST SP SP 800-53
800-53 SA-5SA-11
12.1.4 Are there network diagrams and NIST SP
NIST SP 800-18
800-18
documentation on setups of routers and switches?
12.1.5 Are there software and hardware testing

procedures and results?
12.1.6 Are there user manuals for all software and

hardware in use on the systems? NIST SP 800-53 CP-2
NIST SP 800-18
12.1.7 Are there emergency procedures?
Risk-assessment reports should have been generated through the self-assessment process. These reports are important because
12.1.8 Are there backup procedures? NIST
they form theSP 800-53 for
foundation CP-9
all risk analysis and subsequent security controls.
NIST
Data thatSPare800-18
either received from or sent to other systems need to be documented. In addition, if the ownership of these other
systems lies outside of your agency, then you should have written agreements with the system owners concerning the data
12.2. Critical Element: sharing.
Are there formal, documented security and NIST SP 800-53 RA-3 PL-2 SA-9
CP-2
CA-3,
operational procedures? OMB Circular
NIST SP 800-18 A-130, III
FISCAM
NIST SP SP-2.1
800-18
NIST SP 800-18
This question deals with the effectiveness of the documentation. Is the documentation complete, is it
12.2.1 Is there a system security plan? readable, and has it been effectively distributed?
12.2.2 Is there a contingency plan?
12.2.3 Are there written agreements regarding how

data are shared between interconnected systems?
12.2.4 Are there risk-assessment reports?

Are there formal service-level agreements?
12.3.1 Are formal service-level agreements in place

for all outside agency's users?
NOTES:
A11: The question is reasonably simple. Could a person, using the available documentation, access and/or run the system? While the development of documentation specifications occurred prior to this question, this question is simply asking if the documentation effort was successful.
A12: Most vendors have PDF versions of their documentation available. The issue is generally maintaining copies of older versions of the documentation. Not all vendors keep older documentation available online.
A13: Hardware documentation is generally available via PDF downloads from the Internet. Each agency should consider a common library for systems documentation.
A14: The documentation for in-house applications should be created and updated not only for the users of the system, but also for contingency recovery planning.
A15: You should determine if this documentation exists. This information may indicate that your system is exposed to outside risk. This question is also important for contingency planning activities or determining if there is outside access to a system or server.
A16: Your agency should develop testing plans for large hardware acquisitions. A major problem to be aware of is something called "level creep." Level creep occurs in chip manufacturing. Changes or minor revisions are often introduced in the chip production line with minimal notification to end users. If you obtain a test unit for evaluation, be sure that truly identical units
can be purchased when you have successfully completed your testing program.
This can be a major problem for software distribution. The software drivers for one level of chips may not work with later revised chips. This problem would force you to maintain two or more versions of your software distribution prototype.
A17: User manuals should be available and cover all aspects of each job function.
A18: The previous contingency section dealt with the creation of the emergency procedures. This question is asking if the procedures are stand-alone and can be effectively used by themselves. Again, this is addressing the quality of the result, not necessarily its existence.
A19: Do written backup procedures exist? They are normally developed and refined as part of the contingency recovery process.
A22: This question deals with the effectiveness of the documentation. Is the documentation complete, is it readable, and has it been effectively distributed?
A23: Contingency planning is part of business resumption planning. Each agency should have a business continuity plan in place.
A24: Data that are either received from or sent to other systems need to be documented. In addition, if the ownership of these other systems lies outside of your agency, then you should have written agreements with the system owners concerning the data sharing.
A25: Risk-assessment reports should have been generated through the self-assessment process. These reports are important because they form the foundation for all risk analysis and subsequent security controls.
B9: OMB Circular A-130, III
B12: NIST SP 800-53 SA-5

NIST SP 800-18
B13: NIST SP 800-53 SA-5

NIST SP 800-18
B14: NIST SP 800-53 SA-5

NIST SP 800-18
B15: NIST SP 800-53 AC-8, CM-2

NIST SP 800-18
B16: NIST SP 800-53 SA-11

NIST SP 800-18
B17: NIST SP 800-53 SA-5

NIST SP 800-18
B18: NIST SP 800-53 CP-2

NIST SP 800-18
B19: NIST SP 800-53 CP-9

NIST SP 800-18
B22: NIST SP 800-53 PL-2

FISCAM SP-2.1
NIST SP 800-18
B23: NIST SP 800-53 CP-2

NIST SP 800-18
B24: NIST SP 800-53 CA-3, SA-9

NIST SP 800-18
B25: NIST SP 800-53 RA-3

NIST SP 800-18




I8: Remote: The risk probably will not occur because the risk would be difficult to realize, or there are solid means in place limit the risk appropriately.
of the risk.

13. Security Awareness, Training, and Education
People are a crucial factor in ensuring the security of computer systems and valuable information resources. Security awareness, training, and education enhance security by
improving awareness of the need to protect system resources. Additionally, training develops skills and knowledge so computer users can perform their jobs more securely and
build in-depth knowledge. The following questions are organized according to one critical element. The levels for each of these critical elements should be determined based on
the answers to the subordinate questions.
References
Risk Decisions
L.1 L.2 L.3 L.4 L.5
Level 1. DocumentedLevel 2. Policy
DocumentedLevel 3.Procedures
Implemented
Level 4.Procedures
Tested andLevel and
Evaluated
Controls
5. Fully Procedures
Integrated and
Procedures
Controls and Controls Remote:
Low: The risk
TheAvoidance:
is
risk Ranking
manageable
probably the risk
notaccording
Avoidance
will
through occur
is
planning
often to
because
usedyour
and for
the
action,
risks
risk and
would
thatthe
have
be difficult
the capacity
to realize,
for negative
The issue is employee efficiency.
a. Does Tracking
your a. employee
agencyDoes have
your training
a formally
agency and
a. Have professional
have
documenteda. Isdevelopment
the formal,
procedures complete,
aand
measurement
and permits
disseminated
controls
and a. Feedback/
supervisors
well-documented
program
Does
been
policy
your to keep
implemented?
inagency
place their
that
have routinely
evaluates the
comprehensive
adequacy andsecurity program
categorization,
Policy Procedures Implemented Measuring Description of Identified Riskthere
impacts
are Likelihood
generally
solidknown
meansare in that
placeisSeverity
recourse.
minimal. Inan
to quantification,
integral
security
limit partappropriately.
theprojects,
risk ofand
your
Risk tolerance
Tolerance
a decision Action
to avoid risks oftenPriority
means a decision not to let your
teams up-to-date in newon technologies.
that securityprocedures
control? forb. the Are
policies
the following
defined
effectiveness
statements
at level 1? Reassessment
of security
true?
agency’s policies,
culture?
procedures, and controls? ofput
each based on the likelihood,
NIST SP 800-53 AT-1 agency itself in the situation whereseverity,
it could and
b. Does the policy
b. Do
define
the procedures:
1) purpose
i. Are the
andowners
scopeb. Are
and
of the
the
users
policy,
following
aware2) b.ofelements
Are
the the
security
following
in place?
policies
statements
and procedures?
Security Awareness, Training, and Education AnnualOMB
Securityrefresher
awareness training
Circular programs
usually
A-130, are
IIIdeals
usefulwith
in keeping
critical skills
employees
that need
focused
to beonexercised
security.perfectly on the job. Possible: The
Medium: avoid
The riskthe
risk cause
will
has be of theofrisk.
a chance
through planning
but it may and beaction,
List the control
Have
areasthe
andpolicies
and
clearly
i. An
3) compliance
effective
and
stateprocedures
theprogram
agency’s
requirements
i. There
been
for
position?
formally
evaluating
is an active
adopted
the
agencywide
adequacy
and thesecurity
and
technical
effectiveness
program
controlsthat
of security
achievespolicies,
cost-effective
for thesecurity.
Unless there is a reasonand not to, security policies, procedures, and plans should be available tocontrols.
allii.employees. place to help
occurs, the
it will
penalty specification?
ii. Document their
installed?
procedures, list
and
when, where,
IT security
how,istoan whom,
integrated practice within the asset (IT system). action required to eliminate the greatest risks
concern.
13.1. Critical Element: and about what iii.the
Is a
procedure
securityii.measurement
applies?
A mechanismprogram foriii.
identifying
Security
in place?vulnerabilities
vulnerabilities
(ongoing security
are
revealed
understood
compliance
by security
and managed.
Training is critical to creating a secure computing environment.
alerts. and iv. define
Threats
explicit
are behavior?
continually reevaluated, and controls are Likely:
adapted Due policies
to toa changing
or
conditions procedures
security
to lessen
and capabilities,
environment.
it. This is often the
the risk is likely to occur.decision in cases where the risk is so minimal and of
Have employees received adequate training to iv. Identify points iv. Has
of contact
management
and
iii. Awhere
process
formally
supplementary
forauthorized
reporting
v. Additional
information
the
significant
useand/or
of the
security
can
more
system?
be cost-effective
weaknesses and security
ensuring High:
alternatives
rapid andThe
are
limited
risk
effective
identified
impact
willExamples
have
as the
should
serious
need
it occurand
impacts
of possible
that
arises. weighting:
the cost
extensive
fulfill their security responsibilities? found? v. Have employee remedial
job descriptions
action. vi. been
Costs
updated
and benefits
to include
of security
securityareresponsibilities
measured as that planning
precisely andbe far greater
action,
as practicable. 1=its
than the agency’s
consequences
Likely+High+Assume would be concern.
severe.
the implemented controls require?vii. Status metrics for the security program are established and met. 2= Possible+Medium+Mitigate
Mitigate : This is the most common decision to make for identified risks: to implement policies,
The rules
NISTof behavior
SP 800-53 essentially an application of the vi.
are PL-4 Have employees
organization's securitybeen trained on security procedures?
policies. 3= Remote+Low+Transfer
13.1.1 Have employees received a copy of the rules NIST SP 800-18
of behavior?
13.1.2 Are employee training and professional NIST SP 800-53 AT-4
development documented and monitored? FISCAM
NIST SP SP-42
800-53 AT-3
13.1.3 Is there periodic or annual refresher OMB Circular
NIST A-130,
SP 800-53 AT-2III
training? NIST
NIST SP
SP 800-18
800-53 AT-2 and AT-3
NIST SP 800-18
13.1.4 Are methods used to make employees aware
of security, i.e., posters, booklets?
13.1.5 Have employees received a copy of, or do

they have easy access to, agency security
procedures and policies?
NOTES:
A11: Training is critical to creating a secure computing environment.
A12: The rules of behavior are essentially an application of the organization's security policies.
A13: The issue is employee efficiency. Tracking employee training and professional development permits supervisors to keep their teams up-to-date in new technologies.
A14: Annual refresher training usually deals with critical skills that need to be exercised perfectly on the job.
A15: Security awareness programs are useful in keeping employees focused on security.
A16: Unless there is a reason not to, security policies, procedures, and plans should be available to all employees.
B9: NIST SP 800-53 AT-1

B12: NIST SP 800-53 PL-4

NIST SP 800-18
B13: NIST SP 800-53 AT-4

FISCAM SP-42
B14: NIST SP 800-53 AT-3

B15: NIST SP 800-53 AT-2

NIST SP 800-18
B16: NIST SP 800-53 AT-2 and AT-3

NIST SP 800-18





of the risk.

14. Incident-Response Capability
Computer security incidents are an adverse event in a computer system or network. Such incidents are becoming more common and their impact far-reaching. The following questions are organized
according to two critical elements. The levels for each of these critical elements should be determined based on the answers to the subordinate questions.
References
Ranking the riskRisk Decisions
according to your
Assessment Questions Remote: The risk probably categorization,
will not occurquantification,
because the risk and tolerance
would of
be difficult to realize, or Comments
L.1 L.2 L.3 L.4 L.5 there are solid means in place eachtobased on the
limit the risklikelihood, severity, and
appropriately.
This section is driven by OMB Circular LevelA-130.
1. Documented
It requires
Level 2. federal
Policy
Documented
agencies
Level 3. to
Procedures
Implemented
developLevelthe capability
4.Procedures
Tested to and
deal
Level
and
Evaluated
proactively
5.
Controls
FullywithProcedures
Integrated and Procedures
Controlsand ControlsLow: The risk Avoidance: tolerance levels.
Avoidance oftenThis simple weighting allows
is manageable throughisplanning used
andfor risks
action, that
and thehave the capacity for negative impact, but have little
viruses, hackers, or software bugs.a. Does your agency
a. Does have
youra agency
formally
a. Have have
documented
the formal,
procedures
a. Is complete,
a
and
measurement
and
disseminated
controls
and a. well-documented
Does
program
been
policy
your Feedback/
implemented?
in
agency
place have
that routinely
the adequacy andsecurity
known program
recourse. for the
that agency
is an
In security to easily
integral
projects,partrank
of the
your priority of
Policy Procedures Implemented Measuring DescriptionPossible:
of Identified
impacts generally Risk
The riskare minimal.
has a chance Likelihood
of occurring, butaitdecision
may to
Severity
thebe
avoid risks
difficult often
or there aremeans
Risk a decision
Tolerance
controls in notAction
to let your
Priority
If your state, county, or city has mandated a security
on that security incident-response
procedures
control? for b.the program,
Are
policies then
the following
defined youstatements
should
effectiveness
at levelhave
1? funding for
of security
true?
agency’s policies, Reassessment
an incident-
culture? procedures, and controls? action required to where
eliminate greatest
incur therisks
response group. These persons will
NIST SP 800-53 CA-1
probably place to helpagency put risk.
avoid the itself in the
first.
situation it could risk. Therefore, your decision would also be to
b. Does thebelongb. to
policy Do other
define groups
the procedures:
1) purpose for their
i. Are the
andfull-time
owners
scope jobs.
b. Are
and
of the The
the
users group
policy,
following
aware2) is activated
b. of
Are
elements
the when
thesecurity anpolicies
following
in place? statements
and procedures?
true? avoid the cause of the risk.
Incident-Response Capability OMB Circular A-130, III
incident occurs and has the skills to handle the problems.
List the control
Have
and
clearly
i. An
3) effective
compliance
and
stateprocedures
theprogram
agency’s
requirements
i. There
been
for
position?
isevaluating
formally
an active adopted
agencywide
the adequacy
and thesecurity
and
technical Medium:
effectiveness
program
controls
that The
of achieves
security risk will
policies, be mitigated
cost-effective security.through planning and action,
FISCAM
As part of an incident-response program, SP-5your agency should havetheir
ainstalled?
procedure for reporting incidents to Likely:
ii. Document applicability—clearly
procedures, listandwhen,ii.the
controls.
IT incident-response
where,
security how, is an integrated practice within the although
to whom, asset if
(IT Dueit occurs,
system). it will Examples
to conditions still
and have some
capabilities, impact
the risk
of possible onissome
likelyoftothe
weighting" occur.
team. This may be either directly NISTtoSP 800-18
one of the team Assume:
andmembers or through
about what iii.the ayour
Is procedurehelpii.
security desk.
measurement
applies?
iii.identifying
Security
in place?
vulnerabilities
vulnerabilities
(ongoing security
arerevealed
understood
compliance
by security more important
and managed.
incidents or security concern.
14.1. Critical Element: iii. List the assignment
alerts. andiv.define
Threatsexplicit
are continually
behavior? reevaluated, and controls are adapted to a changing 2= security to lessen it. This is often the decision in cases where the risk is so minimal and of
environment.
The incident-response team should be responsible iv. for Identify
tracking and resolving incidents. High: The limited
risk will impact
have should
serious
3= it occurand
impacts thatwithout
Remote+Low+Transfer the costextensive
points
iv. Hasof contact
managementand
iii. Awhere
process
formally
supplementary
forauthorized
reporting
significant
the use and/or
of the
security
more
cansystem?
be cost-effective
weaknesses security
and ensuring
alternatives
rapid and
areeffective
identified as the need arises.
Is there a capability to provide help to users NIST SP 800-53 IR-4, IR-6, SI-5 be far greater than the agency’swould concern.
The incident-response team needs to receive special found? v. Have
or technical training employee
to be able remedialjobefficiently
to deal descriptions
action.and vi.effectively
been
Costsupdated
and benefits
with to include
securityof security
security measured asplanning
areresponsibilities that and
precisely action, its consequences
when a security incident occurs in the system? FISCAM SP-3.4
the implemented controls should
require? vii. aware
Statusofmetrics for the security program are established and met.
incidents.
Part of the
Feedback isincident-response
NIST
NIST SP
very 800-18
SPimportant
800-53 in team's
IR-5, charter should cover
the incident-response
IR-6 reports
process. Yourtoincident-response
management.
vi. Have employees
Management
teambeenshould have abe
trained onprocess
security
the incidents
in place to
procedures? Mitigate: This is the most common decision to make for identified risks: to implement policies,
and how NIST
they
review anNIST SP
were
incident 800-53
resolved.
SP after
800-18 IR-4, IR-7, SI-5
it is resolved so lessons learned can be used to make the incident-response team more effective. procedures, and other security controls to limit the risk to an acceptable level.
FISCAM SP-3.4
NIST SP 800-53 IR-2
14.1.1 Is a formal incident-response capability The ability
NIST
to share
NIST
FISCAM SP 800-53
incident SI-5
SP SP-3.4
800-18 information within your larger government structure is a way to drive down overall program costs.
NIST SP 800-53 IR-4 Transfer: Transfer the responsibility for a system or the risk itself to another party that can better accept
available? Depending NIST SP
on the
NIST 800-18
SP written
800-18agreements you have with the owners of interconnected systems, you should seek to share this
NIST SP 800-18 and deal with the risk and/or has the resources necessary to properly mitigate the risk.
information with them. Your hope is that these owners will take action to reduce their vulnerability and, subsequently, your level
of exposed risk.
14.1.2 Is there a process for reporting incidents
within the agency?
14.1.3 Are incidents monitored and tracked until NIST SP 800-53 IR-6
IR-6, RA-5
resolved? OMB Circular
A-130, III
A-130, III
NIST SP 800-18
GISRA
14.1.4 Are personnel trained to recognize and
handle incidents?
14.1.5 Are alerts/advisories received and responded

to?
14.1.6 Is there a process to modify incident-

handling procedures and control techniques after an
incident occurs?

Is incident-related information shared with
appropriate organizations?
14.2.1 Is incident information and common

vulnerabilities or threats shared with owners of
interconnected systems?
14.2.2 Is incident information shared with US-

CERT concerning incidents and common
vulnerabilities and threats?
14.2.3 Is incident information reported to the

appropriate investigating law enforcement agency
when necessary?
NOTES:
A11: This section is driven by OMB Circular A-130. It requires federal agencies to develop the capability to deal proactively with viruses, hackers, or software bugs.
A12: If your state, county, or city has mandated a security incident-response program, then you should have funding for an incident-response group. These persons will probably belong to other groups for their full-time jobs. The group is activated when an incident occurs and has the skills to handle the problems.
A13: As part of an incident-response program, your agency should have a procedure for reporting incidents to the incident-response team. This may be either directly to one of the team members or through your help desk.
A14: The incident-response team should be responsible for tracking and resolving incidents.
A15: The incident-response team needs to receive special or technical training to be able to deal efficiently and effectively with security incidents.
A16: Part of the incident-response team's charter should cover reports to management. Management should be aware of the incidents and how they were resolved.
A17: Feedback is very important in the incident-response process. Your incident-response team should have a process in place to review an incident after it is resolved so lessons learned can be used to make the incident-response team more effective.
A19: The ability to share incident information within your larger government structure is a way to drive down overall program costs.
A20: Depending on the written agreements you have with the owners of interconnected systems, you should seek to share this information with them. Your hope is that these owners will take action to reduce their vulnerability and, subsequently, your level of exposed risk.
B9: NIST SP 800-53 CA-1

FISCAM SP-5
NIST SP 800-18
B12: NIST SP 800-53 IR-4, IR-7, SI-5

FISCAM SP-3.4
NIST SP 800-18
B13: NIST SP 800-53 IR-4, IR-6, SI-5

FISCAM SP-3.4
NIST SP 800-18
B14: NIST SP 800-53 IR-5, IR-6

NIST SP 800-18
B15: NIST SP 800-53 IR-2

FISCAM SP-3.4
NIST SP 800-18
B16: NIST SP 800-53 SI-5

NIST SP 800-18
B17: NIST SP 800-53 IR-4

NIST SP 800-18
B20: NIST SP 800-53 IR-6, RA-5

OMB A-130, III
NIST SP 800-18
B21: NIST SP 800-53 IR-6

GISRA
B22: NIST SP 800-53 IR-6

GISRA




Examples of possible weighting"

Technical
Technical controls focus on security controls that the computer system executes. The controls can provide automated protection for unauthorized access or misuse, facilitate detection of
security violations, and support security requirements for applications and data.
15. Identification and Authentication
Identification and authentication is a technical measure that prevents unauthorized people (or unauthorized processes) from entering an IT system. Access control usually requires that
the system be able to identify and differentiate among users. The following questions are organized according to two critical elements. The levels for each of these critical elements
should be determined based on the answers to the Thesubordinate
basic questionsquestions.
are: Do you know who your users are, and how do you know?
References
Most agencies do not require digital signatures. This is primarily a federal requirement. However, if you do use digital
signatures, you should investigate if your systems conform to the FIPS 186-2 standard. Risk Decisions
How does your agency authorize users into its systems? Does it maintain a list of these persons?
L.1 L.2 L.3 L.4 L.5
Documented
Level 3.Procedures
Implemented
Level 4.Procedures
Tested and Level
and
Evaluated
5.Controls
Fully Procedures
Feedback/ Integrated Procedures
and Controls and Controls Remote:
Low: The risk Avoidance:
The is
riskRanking
manageable
probably the risk
will
through
not
Avoidance according
occur
isplanningto your
because
often and
used the
action,
for risk and
risks would
thatthe be difficult
have to realize,
the capacity or
for negative impact, but have little
You should
Your agency'salways
Policy personnel
developdepartment
a procedure
Procedures should
foragency
emergency
have ahave
procedure
access.
Implemented a.toHave
The
notify
emergency
system a.administrators
procedure
Measuring should
that a.still
the have
status asimplemented?
ofmany
an employee
controls as
has Description of Identified Risk Likelihood Severity Risk
a. Does your a. Does youra formally
agency have
documented
the formal,
procedures
Iscomplete,
aandmeasurement
and
disseminated
controls
and well-documented
Doesprogram
been
policy
your
Reassessment
agency
on
in place have
that aroutinely
fully operational,
the adequacy
there
impacts and
aresecurity
generally
solid program
means
known are thatIn
categorization,
minimal.
in place
recourse. is security
to an
limitintegral
the part
quantification,
risk ofayour
and
appropriately.
projects, decision to Tolerance
avoid risks often meansAction Priority
a decision not to let your
possible toThis
changed. minimize
is a very
security
important
exposure.
that process
security Thecontrol?
toprocess
have inneeds
procedures place.tob.
for beAre
the properly
policies authorized
the following
defined bylevel
effectiveness management
statements
at 1?
of security
agency’s
true? and logged
policies,
culture?forprocedures,
tracking and controls? tolerance
agency put itselfofineach based on where
the situation the likelihood,
it could incur the risk. Therefore, your decision would also be to
Identification and Authentication access. b. Does the policy b. Do define
the procedures:
1) purpose
i. Are the and owners
scopeb. Are
and
of the the
users
policy,
following
aware 2)
b. Are
of
elements
the
thesecurity
following
in place?
policies
statements
and procedures?
true? severity, and tolerance levels. This simple
Possible: The
Medium: avoid
The riskthe
risk will
hascause
be of the
a chance
mitigatedofrisk.
occurring,
through planning
List the control
Have
and
clearly
i. An
3) compliance
effective
and
state procedures
theprogram
agency’s
requirements
i. Therebeen
for
position?
is formally
evaluating
an activeadopted
agencywide
the adequacy
and the
security
and
technical
effectiveness
program
controls
thatofachieves
security cost-effective
policies,weighting security.
allows for the agency to easily
place to help
occurs, theit will
Password complexity is a two-edged
and penaltysword. If Document
they are made
specification?
ii. theirtooapplicability—clearly
complex, passwords
installed? procedures, getlist
written
and
when, ii.down
controls.
ITwhere,and usually
security how,is an are
to integrated
whom, practice within the asset (IT system). rank the priority of action required to
accessible
areas of The concern.
15.1. Critical Element: The actual at a person's
frequency of workstation.
password changesIf theyneeds
are too
and simple,
about
to be what
set then
byiii. Isthe
the
management.risk of passwords
procedure
a security ii.measurement
Theapplies?
A90-day being
mechanismlimitcracked
isprogram
for oraguessed
iii. identifying
simplySecurityin place? increases.
vulnerabilities
vulnerabilities
recommendation (ongoing are security
revealed
understood
compliance
by security
and managed.
incidents or security eliminate the greatest risks first.
Threats explicit
are continually
behavior?reevaluated, and controls are Likely: Dueto
adapted policies or procedures
toa conditions
changing security to lessenthe
and capabilities,
environment. it. This often the
risk is likely decision in cases where the risk is so minimal and of
to occur.
developed within the security industry.
Are users individually authenticated via iv. Identify points iv. Has
of contact
managementand
iii. Awhere
process
formally
supplementary
forauthorized
reporting
the
significant
and/or
use of the more
security
can
system?
be
cost-effective
weaknessessecurity
and ensuring High:
alternatives The
rapid and limited
risk will
are identified
effective impact
haveas the
Examples
should
serious
need
of
it occurand
impacts
arises.
possible
that the cost
without
weighting:
extensive
planning and be far greater
action, its than the agency’s
be severe.
passwords, tokens, or other devices? found? v. Have employee remedial
job descriptions
action. vi. Costsbeen updated
and benefits to include
of security
security
are responsibilities
measured as precisely
that as practicable. 1= Likely+High+Assume
Almost all systems
This is one todaythat
specification mask the password
should be part ofwhen entered.
the system Some systems
specifications.
the implemented allowcontrols
Security the password
is more easily to
require? beStatus
exposed,
administered
vii. ifbut
some
metrics generallythethis
actions
for can
security program are established and met. 2= Possible+Medium+Mitigate
feature
be set oncannot be set For
automatic. automatically.
example, management may specifyvi. that if a user
Have does notbeen
employees log onto a system
trained for 3 weeks,
on security his or her
procedures? Mitigate : This is the most common decision to make for identified risks: to implement policies,
account would be disabled. The time is set at 3 weeks to allow for a 2-week vacation period plus some holidays. procedures, and other security controls to limit the risk to an acceptable level.
NIST SP 800-53 AC-2, AC-3, IA-4
15.1.1 Is a current list maintained and approved of
FISCAM AC-2
authorized users and their access?
Your agency NIST SP identify
should 800-18a limited number of people who are given the authority to reset lost or compromised passwords. Transfer: Transfer the responsibility for a system or the risk itself to another party that can better
The system should be designed to log password changes only by these persons. accept and deal with the risk and/or has the resources necessary to properly mitigate the risk.
NIST SP 800-53 AU-10
15.1.2 Are digital signatures used?
NIST SP 800-18
The secure distribution of passwords is often difficult. Generally, the system should be configured to require that a new password
NIST
be established SP 800-53
when AC-2 password is used the first time.
the distributed
15.1.3 Is emergency and temporary access FISCAM AC-2.2
authorized? Systems should be configured to only allow so many attempts before locking the account. Other approaches simply extend the
time to makeNISTtheSP 800-53
change fromAC-2
milliseconds to 60 seconds or longer.
FISCAM AC-3.2
15.1.4 Are personnel files matched with user This is more of a systems question. The answer needs to be provided by the product vendor.
accounts to ensure that terminated or transferred NIST SP 800-53 IA-5
individuals do not retain system access? FISCAM AC-3.2
The short answer
NIST SP 800-18
is: 800-53
They should
AC-2,be.IA-4
Generally, however, they are not. This is one of the biggest exposures that most systems
experience.FISCAM
HackersAC-3.2
have lists of these IDs and passwords on the Internet.
NIST SP 800-18
15.1.5 Are passwords changed periodically?
NIST SP 800-53 IA-5
FISCAM AC-3.2
NIST SP 800-18
15.1.6 Are passwords unique and difficult to guess
(e.g., do passwords require alphanumeric,
upper/lower case, and special characters)?
NIST SP 800-53 IA-5
FISCAM AC-3.2
NIST SP 800-18
15.1.7 Are inactive user identifications disabled
after a specified period?
NIST SP 800-53 IA-5
15.1.8 Are passwords not displayed when entered? FISCAM AC-3.2
The simpleNIST SP 800-18
question is: Does the system associate specific activities with specific users?
NIST SP 800-53 IA-5
15.1.9 Are procedures in place for handling lost NIST SP 800-18
and compromised passwords?
15.1.10 Are passwords distributed securely and NIST SP 800-53 IA-5

The data owner isAC-3.2
FISCAM that agency and/or persons who have the ultimate responsibility for the protection and preservation of the
users told not to reveal their passwords to anyone data. ANIST
simpleSP question
NIST SP 800-18you
800-53 should ask is: "Who would be upset if certain data were irretrievably lost?” This would generally
IA-5
(social engineering)? help to identify
FISCAMthe data owner. The data owner may also be set by legislation and/or policy within the agency. Whoever this
AC-3.2
person is, it is his or
NIST SP 800-18 her responsibility to verify that only authorized persons gain access to “their” data.
15.1.11 Are passwords transmitted and stored
using secure protocols/algorithms? NIST SP 800-53 AC-7
FISCAM AC-3.2
15.1.12 Are vendor-supplied passwords replaced NIST SP 800-18
immediately?
15.1.13 Is there a limit to the number of invalid

access attempts that may occur for a given user? NIST SP 800-53 AC-2
FISCAM AC-2.1

Are access controls enforcing segregation of NIST SP 800-53 AC-5
duties? OMB Circular A-130, III
FISCAM SD-2.1
NIST SP 800-53 AC-2
FISCAM AC-2.1
NIST SP 800-53 AC-5

FISCAM SD-2.1
15.2.1 Does the system correlate actions to users?
15.2.2 Do data owners periodically review access

authorizations to determine whether they remain
appropriate?
NOTES:
A15: The basic questions are: Do you know who your users are, and how do you know?
A16: How does your agency authorize users into its systems? Does it maintain a list of these persons?
A17: Most agencies do not require digital signatures. This is primarily a federal requirement. However, if you do use digital signatures, you should investigate if your systems conform to the FIPS 186-2 standard.
A18: You should always develop a procedure for emergency access. The emergency procedure should still have as many controls as possible to minimize security exposure. The process needs to be properly authorized by management and logged for tracking access.
A19: Your agency's personnel department should have a procedure to notify system administrators that the status of an employee has changed. This is a very important process to have in place.
A20: The actual frequency of password changes needs to be set by management. The 90-day limit is simply a recommendation developed within the security industry.
A21: Password complexity is a two-edged sword. If they are made too complex, passwords get written down and usually are accessible at a person's workstation. If they are too simple, then the risk of passwords being cracked or guessed increases.
A22: This is one specification that should be part of the system specifications. Security is more easily administered if some actions can be set on automatic. For example, management may specify that if a user does not log onto a system for 3 weeks, his or her account would be disabled. The time is set at 3 weeks to allow for a 2-week vacation period plus some holidays.
A23: Almost all systems today mask the password when entered. Some systems allow the password to be exposed, but generally this feature cannot be set automatically.
A24: Your agency should identify a limited number of people who are given the authority to reset lost or compromised passwords. The system should be designed to log password changes only by these persons.
A25: The secure distribution of passwords is often difficult. Generally, the system should be configured to require that a new password be established when the distributed password is used the first time.
A26: This is more of a systems question. The answer needs to be provided by the product vendor.
A27: The short answer is: They should be. Generally, however, they are not. This is one of the biggest exposures that most systems experience. Hackers have lists of these IDs and passwords on the Internet.
A28: Systems should be configured to only allow so many attempts before locking the account. Other approaches simply extend the time to make the change from milliseconds to 60 seconds or longer.
A31: The simple question is: Does the system associate specific activities with specific users?
A32: The data owner is that agency and/or persons who have the ultimate responsibility for the protection and preservation of the data. A simple question you should ask is: "Who would be upset if certain data were irretrievably lost?” This would generally help to identify the data owner. The data owner may also be set by legislation and/or policy within the agency. Whoever this person is, it is
his or her responsibility to verify that only authorized persons gain access to “their” data.
B16: NIST SP 800-53 AC-2, AC-3, IA-4

FISCAM AC-2
NIST SP 800-18
B17: NIST SP 800-53 AU-10

NIST SP 800-18
B18: NIST SP 800-53 AC-2

FISCAM AC-2.2
B19: NIST SP 800-53 AC-2

FISCAM AC-3.2
B20: NIST SP 800-53 IA-5

FISCAM AC-3.2
NIST SP 800-18
B21: NIST SP 800-53 IA-5

FISCAM AC-3.2
NIST SP 800-18
B22: NIST SP 800-53 AC-2, IA-4

FISCAM AC-3.2
NIST SP 800-18
B23: NIST SP 800-53 IA-5

FISCAM AC-3.2
NIST SP 800-18
B24: NIST SP 800-53 IA-5

FISCAM AC-3.2
NIST SP 800-18
B25: NIST SP 800-53 IA-5

NIST SP 800-18
B26: NIST SP 800-53 IA-5

FISCAM AC-3.2
NIST SP 800-18
B27: NIST SP 800-53 IA-5

FISCAM AC-3.2
NIST SP 800-18
B28: NIST SP 800-53 AC-7

FISCAM AC-3.2
NIST SP 800-18
B31: NIST SP 800-53 AC-5

FISCAM SD-2.1
B32: NIST SP 800-53 AC-2

FISCAM AC-2.1




Assume: The decision to assume a risk means accepting the risk as-is, and not implementing any policies or procedures to lessen it. This is often the decision in cases where the risk is so minimal and of limited impact should it occur that the cost of implementing a mechanism to minimize or reduce it would be far greater than the agency’s
concern.

16. Logical Access Controls
Logical access controls are the system-based mechanisms used to designate who or what is to have access to a specific system resource and the type of transactions and
functions that are permitted. The following questions are organized according to three critical elements. The levels for each of these critical elements should be determined
based on the answers to the subordinate questions.
This is one area that should be researched thoroughly when acquiring a new system.
References
Risk Decisions
L.1to be researchedL.2
This needs before the softwareL.3 is acquired. L.4 L.5
Personnel
Generally, need
if youtouse Levelto1.set
beencryption,
trained Documented
thetheir Level
software 2.Policy
screensavers
will Documented
havetobeenLevel
this 3.
Procedures
mode.
designedImplemented
Ifby Level
thethe 4.Procedures
Tested
workstations
vendor are and
to meet Level
theand
part Evaluated
of a5.
Controls
Fully
domain,
federal Procedures
Integrated
this can be Procedures
standards. and Controlsand
done Remote:
Low:Controls
The riskAvoidance:
The is
risk
manageable
probably Avoidance
will
through
not occur
isplanning
oftenbecause
used
andforthe
action,
risks
risk and
would
thatthe
have
be difficult
the capacity
to realize,
for negative
or Ranking
impact, the
but risk
haveaccording
little to your
The access-control software should
a. Does have
your this
agency
a. reporting
Does haveyoura capability.
formally
agency
a. Have have
documented
theformal,
procedures
a. Iscomplete,
a
and Feedback/
measurement
and
disseminated
controls
and a.well-documented
Does
program
been
policy
your implemented?
on
agency
in place have
that aroutinely
fully
automatically.
Policy Procedures Implemented Measuring Description ofoperational,
evaluates
Identified
there are
impacts comprehensive
the
Risk adequacy
generally
solid
known
means and
security
Likelihood
are
recourse.
minimal.
in placeIntoprogram thethat
limitSeverity
security riskisappropriately.
projects,an aintegral
Risk part
Tolerance
decision of your
to avoid Action
risks oftenPriority categorization,
means a decision quantification, and tolerance
not to let your
that security control?procedures for b. theArepolicies
the following
defined
effectiveness Reassessment
statements
agency’s
true? policies,culture?procedures, and controls? agency put itself in the situation where it could incur the risk. Therefore, your decision of each based
would alsoonbe
thetolikelihood, severity, and
NIST SP 800-53 AC-1
b. Does the policy b. Do define
the procedures:
1) purpose
scope b. Are
of
andthe
the
users
policy,
following
aware2)
b. Are
of
elements
the
thesecurity
following
in place?policies
statements
and procedures?
Logical Access Controls LoggingOMB Circular
security A-130,
violations is anIII
important aspect ofcontrol
security. As part ofpolicies
your security program, you need to assign people toand the Possible: The
Medium: avoid
The riskthe
risk will
hascause
be of theofrisk.
a chance
through planning
List the for itsii.execution,
Have
areas the
and and
clearly
i. An
3) compliance
effective
and
stateprocedures
the program
agency’s
requirements
i. There
been
for
position?
isformally
evaluating
an activeadopted
agencywide
the adequacy security
and
technical
effectiveness
program
controlsthat
ofachieves
security cost-effective
policies, security. for the agency to easily rank the priority of
A logical FISCAM
reviewview
thesecan beAC-3.2
thought
violations andoftake
and as aaction,
penaltyspecialifii.window
required.
specification?
Document into the
theirdata built just for
installed? you. Thelist
procedures, logical
and
when,view will
controls.
ii. ITwhere, let you
security how,islook
to at
an only the practicealthough
integrated
whom,
place to help
if it avoid
occurs, theit will
within the asset (IT system).
NIST
data that the SP 800-18
security administrators want you to see. If the security is built at the field level, it may be possible for you to access more important Assume:
concern.
16.1. Critical Element: Key management is therelated
most important andyet
and about whatiii.
thedata
most the
Is procedure
a security
difficult aspect ofii.measurement
applies?
A mechanism
using encryption. program
for
iii.
Youidentifying
Security
need inwell-thought-out
place?
vulnerabilities
vulnerabilities
(ongoing are security
revealed
understood
compliance
by security
and managed.
data that are not logically to your request and that you are not supposed to view. Likely: Due policies
to or procedures
conditions and to lessenthe
risk is likely
is often the
to decision in cases where the risk is so minimal and of
occur.
Do the logical access controls restrict users to procedures to handle encryption keys. iii. List the assignment measurement) of IT responsibilities
Threats explicit
are continually
behavior? reevaluated, and controls are adapted to a changing security environment.
High: limited impact should it occur that the cost of implementing a mechanism to minimize or reduce it would
of contact
managementand
iii. Awhere
process
formally
supplementary
forauthorized
reporting
the
significant
and/or
use of the security
more
can system?
becost-effective
weaknesses andThe
security risk will
ensuring
alternativeshave
rapid andserious
are impacts
effective
identified as theandneed
without
arises.extensive Examples of possible weighting:
Does your system have the ability to change the default security be far greater than the agency’s concern.
authorized transactions and functions? found? v. Havesettings?
employee If this
jobfeature
remedial is available
descriptions
action. vi. Costs
been andupdated
implemented,
and benefits it helps
to include
of security
security planning and
areresponsibilities
measured action,
that its
as precisely asconsequences
practicable. would be severe. 1= Likely+High+Assume
avoid the problem of someone inadvertently resetting his the or her security parameters
implemented controls and losing
require? hisStatus
vii. or her metrics
secure status.
for the security program are established and met. 2= Possible+Medium+Mitigate
All unnecessary network protocols should be disabled in avi. sensitive data environment.
Have employees been trained on security procedures? Mitigate: This is the most common decision to make for identified risks: to implement policies,
SecurityNIST
controls
SP 800-53
should beAC-3 designed to detect and report unauthorized access attempts. procedures, and other security controls to limit the risk to an acceptable level.
16.1.1 Can the security controls detect FISCAM AC-3.2
unauthorized access attempts? NIST NIST
SP 800-18
SP 800-53
NIST SP 800-53 AC-2,AC-3,
AC-3,IA-7,AC-6,SC-12,
IA-5 SC-13 Transfer: Transfer the responsibility for a system or the risk itself to another party that can better
The ability toNIST
FISCAM SPaccess
restrict
AC-3.2800-18 to data based on the location of a physical terminal is a good security feature. accept and deal with the risk and/or has the resources necessary to properly mitigate the risk.
NIST SP 800-53 AC-3, AC-5, AC-6
16.1.2 Are access control software or other Unless
The default
absolutely
network
FISCAM AC-3.2required
behavior
by your
needs charter,
to be understood.
remote access
Remote
to a system
access should
should not
automatically
be permitted.tear down a session either on
measures in place to prevent a user from having all timeoutNIST
or logout.
NIST SPSP800-18
800-53 AC-11, AC-12
necessary authority or information access to allow FISCAM
As with all loggingAC-3.2
activities, the maintenance and scanning of the logs need to be as automated as possible. Once detected,
fraudulent activity without collusion? problemsNIST
should SPbe800-18
researched and resolved.
16.1.3 Is access to security software restricted to

security administrators?
A trust relationship is established when one system permits a foreign system access to its secured data. Usually, this is
16.1.4 Do workstations disconnect or screen savers All remote access
NIST
independent theto
ofSP your systems
800-53
actual whoshould
SC-12,
user SC-13 be the
is using logged andsystem
foreign monitored.
to gain access to the data. Trust relationships between systems
lock the system after a specific period of inactivity? NIST
can increase 800-53risk
SP security
your 800-18 AC-2exposure.
FISCAM
NIST SP AC-3.2
800-53 CM-6, IA-5
NISTSecurity
PSN SP 800-18 Assessment Guidelines
16.1.5 Are inactive users’ accounts monitored and
removed when not needed?
16.1.6 If encryption is used, what encryption NIST SP 800-53 CM-6, SC-7

standard is used (is the federal standard PSN Security Assessment Guidelines
considered)? Physical access to telecommunications equipment is a security exposure. If possible, this access should be logged and monitored.
16.1.7 If encryption is used, are there procedures NIST SP 800-53 AC-3

for key generation, distribution, storage, use, FISCAM
All connections to AC-3.2
the Internet should be through firewalls or secure gateways.
destruction, and archiving?
NIST SP 800-53 AC-12, SC-10
16.1.8 Is access restricted to files at the logical FISCAM
NIST SP AC-3.2
800-53 AC-13
view or field? FISCAM AC-3.2
NIST SP 800-53 AC-13, AU-6
16.1.9 Is access monitored to identify apparent FISCAM AC-3.2
security violations and are such events investigated?
16.2. Critical Element: NIST SP 800-53 AC-3, IA-3, SC-7, SC-11

Are there logical controls over network access? Network PSN
documentation,
NIST Security while necessary,
Assessment
SP 800-53 AC-3 should be considered confidential and limited to people on a need-to-know basis.
Guidelines
They should be. AC-3.2
FISCAM
This should be standard operating procedure within your agency.
16.2.1 Has communication software been
implemented to restrict access through specific
Unless required by your charter, all guest and anonymous accounts should be disabled.
terminals?
16.2.2 Are insecure protocols (e.g., UDP, FTP)

Effective and secure
This is a federal public
policy. access tothat
It required a system is difficult.
all federal Generally,
departments the best post
and agencies design separates
clear privacy the public
policies onaccess from the
their World rest
Wide Webof
disabled?
the system.
sites It is simply
by September easierEach
1, 1999. to control security
policy must when
clearly you
and totally control
concisely inform what information
visitors to the siteiswhat
sent information
to the publicthe
server.
agency
16.2.3 Have all vendor-supplied default security collects about
NIST individuals,
SP 800-53why the agency collects it, and how the agency will use it. Privacy policies must be clearly labeled and
AC-17
parameters been reinitialized to more secure NIST
NIST SP
easily accessed 800-53
when
SP AC-2,
someone
800-18 AC-14
visits a web site.
settings? PSN Security Assessment Guidelines
This question assumes
NIST that
SP 800-53
security AC-3,
policiesCM-6,
have been
SC-7developed concerning how firewall policies and rules
are created.
16.2.4 Are there controls that restrict remote access FISCAM AC-3.2
to the system? NIST SP 800-53 SC-7, SC-8
For example: On NIST
Check Point©
SP Software
800-53
FISCAM AC-3,Technologies
AC-3.2 SC-7 firewalls, before you can create a rule, you must define
16.2.5 Are network activity logs maintained andthe objects (networks,
NISTnodes, etc.) that will be protected. A security policy could be created that tells the
SP 800-18
reviewed? network analyst how
NISTtheSP
Check PointPE-4,
800-53 objects should be named. While this may not seem like much, this is
SC-7
important so thereFISCAM
is consistency
AC-3.2in how objects are named. Overall, this helps reduce the chance for errors
when the network analyst creates a firewall rule set.
16.2.6 Does the network connection automatically
disconnect at the end of a session?
16.2.7 Are trust relationships among hosts and NIST SP 800-53 AC-17
external entities appropriately restricted? FISCAM AC-3.2
This question assumes
NIST that
SP 800-53
security AC-3,
policiesCM-6,
have been
SC-7developed concerning how firewall policies and rules
are created. FISCAM AC-3.2
NIST SP 800-53 SC-7, SC-8
For example: On NIST
Check Point©
SP Software
800-53
FISCAM AC-3,Technologies
AC-3.2 SC-7 firewalls, before you can create a rule, you must define
the objects (networks,
NISTnodes, etc.) that will be protected. A security policy could be created that tells the
SP 800-18
network analyst how
NISTtheSP
Check PointPE-4,
800-53 objects should be named. While this may not seem like much, this is
SC-7
important so thereFISCAM
is consistency
AC-3.2 in how objects are named. Overall, this helps reduce the chance for errors
when the network analyst creates a firewall rule set.
NIST SP 800-53 AC-17

FISCAM AC-3.2
16.2.8 Is dial-in access monitored?
16.2.9 Is access to telecommunications hardware or

facilities restricted and monitored?
16.2.10 Are firewalls or secure gateways installed?
16.2.11 If firewalls are installed, do they comply

with firewall policy and rules?
NIST SP 800-53 AC-8
16.2.12 Are guest and anonymous accounts FISCAM AC-3.2
authorized and monitored? NIST SP 800-18
16.2.13 Is an approved standardized logon banner

displayed on the system warning unauthorized users
that they have accessed a U.S. Government system
and can be punished? NIST SP 800-53 AC-3
FISCAM AC-3.2
16.2.14 Are sensitive data transmissions encrypted?
16.2.15 Is access to tables defining network options,

resources, and operator profiles restricted?
16.3. Critical Element: NIST SP 800-53 AC-8

If the public accesses the system, are there OMB Circular 99-18
controls implemented to protect the integrity of
the application and the confidence of the public?
16.3.1 Is the agency's privacy policy posted on the

agency web site?
NOTES:
A12: Security controls should be designed to detect and report unauthorized access attempts.
A13: This is one area that should be researched thoroughly when acquiring a new system.
A14: This needs to be researched before the software is acquired.
A15: Personnel need to be trained to set their screensavers to this mode. If the workstations are part of a domain, this can be done automatically.
A16: The access-control software should have this reporting capability.
A17: Generally, if you use encryption, the software will have been designed by the vendor to meet the federal standards.
A18: Key management is the most important and yet the most difficult aspect of using encryption. You need well-thought-out procedures to handle encryption keys.
A19: A logical view can be thought of as a special window into the data built just for you. The logical view will let you look at only the data that the security administrators want you to see. If the security is built at the field level, it may be possible for you to access data that are not logically related to your request and data that you are not supposed to view.
A20: Logging security violations is an important aspect of security. As part of your security program, you need to assign people to review these violations and take action, if required.
A23: The ability to restrict access to data based on the location of a physical terminal is a good security feature.
A24: All unnecessary network protocols should be disabled in a sensitive data environment.
A25: Does your system have the ability to change the default security settings? If this feature is available and implemented, it helps avoid the problem of someone inadvertently resetting his or her security parameters and losing his or her secure status.
A26: Unless absolutely required by your charter, remote access to a system should not be permitted.
A27: As with all logging activities, the maintenance and scanning of the logs need to be as automated as possible. Once detected, problems should be researched and resolved.
A28: The default network behavior needs to be understood. Remote access should automatically tear down a session either on timeout or logout.
A29: A trust relationship is established when one system permits a foreign system access to its secured data. Usually, this is independent of the actual user who is using the foreign system to gain access to the data. Trust relationships between systems can increase your security risk exposure.
A30: All remote access to your systems should be logged and monitored.
A31: Physical access to telecommunications equipment is a security exposure. If possible, this access should be logged and monitored.
A32: All connections to the Internet should be through firewalls or secure gateways.
A33: This question assumes that security policies have been developed concerning how firewall policies and rules are created.
For example: On Check Point© Software Technologies firewalls, before you can create a rule, you must define the objects (networks, nodes, etc.) that will be protected. A security policy could be created that tells the network analyst how the Check Point objects should be named. While this may not seem like much, this is important so there is consistency in how objects
are named. Overall, this helps reduce the chance for errors when the network analyst creates a firewall rule set.
A34: Unless required by your charter, all guest and anonymous accounts should be disabled.
A35: This should be standard operating procedure within your agency.
A36: They should be.
A37: Network documentation, while necessary, should be considered confidential and limited to people on a need-to-know basis.
A39: Effective and secure public access to a system is difficult. Generally, the best design separates the public access from the rest of the system. It is simply easier to control security when you totally control what information is sent to the public server.
A40: This is a federal policy. It required that all federal departments and agencies post clear privacy policies on their World Wide Web sites by September 1, 1999. Each policy must clearly and concisely inform visitors to the site what information the agency collects about individuals, why the agency collects it, and how the agency will use it. Privacy policies must be clearly
labeled and easily accessed when someone visits a web site.
B9: NIST SP 800-53 AC-1

FISCAM AC-3.2
NIST SP 800-18
B12: NIST SP 800-53 AC-3

FISCAM AC-3.2
NIST SP 800-18
B13: NIST SP 800-53 AC-3, AC-5, AC-6

FISCAM AC-3.2
NIST SP 800-18
B14: NIST SP 800-53 AC-2, AC-3, AC-6, IA-5

FISCAM AC-3.2
B15: NIST SP 800-53 AC-11, AC-12

FISCAM AC-3.2
NIST SP 800-18
B16: NIST SP 800-53 AC-2

FISCAM AC-3.2
NIST SP 800-18
B17: NIST SP 800-53 AC-3, IA-7, SC-12, SC-13

NIST SP 800-18
B18: NIST SP 800-53 SC-12, SC-13

NIST SP 800-18
B19: NIST SP 800-53 AC-3

FISCAM AC-3.2
B20: NIST SP 800-53 AC-13
FISCAM AC-3.2
B23: NIST SP 800-53 AC-3

FISCAM AC-3.2
B24: NIST SP 800-53 CM-6, SC-7

B25: NIST SP 800-53 CM-6, IA-5

B26: NIST SP 800-53 AC-17

NIST SP 800-18
B27: NIST SP 800-53 AC-13, AU-6

FISCAM AC-3.2
B28: NIST SP 800-53 AC-12, SC-10

FISCAM AC-3.2
B29: NIST SP 800-53 AC-3, IA-3, SC-7, SC-11

B30: NIST SP 800-53 AC-17

FISCAM AC-3.2
B31: NIST SP 800-53 PE-4, SC-7

FISCAM AC-3.2
B32: NIST SP 800-53 AC-3, SC-7

NIST SP 800-18
B33: NIST SP 800-53 AC-3, CM-6, SC-7

FISCAM AC-3.2
B34: NIST SP 800-53 AC-2, AC-14

B35: NIST SP 800-53 AC-8

FISCAM AC-3.2
NIST SP 800-18
B36: NIST SP 800-53 SC-7, SC-8

FISCAM AC-3.2
B37: NIST SP 800-53 AC-3

FISCAM AC-3.2
B40: NIST SP 800-53 AC-8

OMB Circular 99-18




of the risk.

17. Audit Trails
Audit trails maintain a record of system activity by system or application processes and by user activity. In conjunction with appropriate tools and procedures, audit trails can
provide individual accountability, a means to reconstruct events, detect intrusions, and identify problems. The following questions are organized under one critical element. The
levels for the critical element should be determined based on the answers to the subordinate questions.
References
Risk Decisions
L.1 L.2 L.3 L.4Level 4. Tested and
L.5
Evaluated Procedures and Controls
DocumentedLevel 3.Procedures
Implemented Procedures Level
and 5. Controls
Fully Integrated ProceduresRemote:
Low: Theand
risk
The Controls
Avoidance:
is
risk Ranking
manageable
probably the
Avoidance
will
through
notrisk according
occur
isplanning
often
because
usedtofor
and your
the
action,
risks
risk and
would
thatthe
have
be difficult
the capacity
to realize,
for negative
The design of audit trails a.
should
Doesbe partagency
your ofa.the system
Doeshave
youradevelopment
formally
agency
a. Have process.
have
documented
the a. They
formal, Iscomplete,
procedures a measurement
andshould
and be designed
Feedback/
disseminated
controls
and program
to
a.well-documented
Does
been
policy
your in place
provide
implemented?
agency thatdata
sufficient
have routinely
a evaluates comprehensive
fully operational, the adequacy and
categorization, security
quantification,
program
there
impacts are
ofgenerally
solidknown
meansare
recourse.
minimal.
in placeInto security
limit theprojects,
risk athatand
appropriately. istolerance
decision an to
integral
of part
avoid risks of your
often means a decision not toPriority
let your
so bothPolicy Procedures
normal or abnormal activities
on that
Implemented
can procedures
security becontrol?
detected. for b. the Are
Measuring
policies effectiveness
the following
defined of security
agency’spolicies,
at levelReassessment
statements 1? true?
Description
culture?procedures, and controls?
Identified Risk
each based
Likelihood
onsituation
the likelihood,
Severity Risk Tolerance Action
b. Are the following elements in place? agency put itself in the where severity, and the risk. Therefore, your decision would also be to
it could incur
NIST SP 800-53 b.AU-1
Does the policy b. Dodefine
the procedures:
1) purpose
i. Are theandowners
scope and
of the
users
policy,
aware 2)
b. of
Are the
thesecurity
followingpolicies
statements
and procedures?
true? avoid the tolerance levels. This simple weighting allows
Audit Trails Access toOMBauditCircular A-130,
logs should be III
very controlled. If possible, they should be i. An
capturedeffective
on a program
separate for
system evaluating
from the one the
being Possible:
Medium:
adequacy and The
The risk
risk will
effectivenesshascause
be
aof of theofrisk.
chance
mitigated
security occurring,
through planning
policies, but it may and beaction,
List the control
Have
areasthe
andpolicies
and
clearly
3) compliance
and
state procedures
the agency’s
requirements
i. There
beenposition?
isformally
an active adopted
agencywideand thesecurity
technical
program
controlsfor
thattheachieves
agencycost-effective
to easily ranksecurity.
the priority of
FISCAM AC-4.1
monitored. procedures, and controls. place to help
occurs, theit will
Audit trail logs need to beand penaltyYou
managed. specification?
ii.
mayDocument
not detecttheir
ainstalled?
problem for days or weeks,list so itwhen,ii. ITwhere,
security
is important tohow,
beis an
to to
able whom,
integrated
go backmore practice within the asset action(ITrequired
system). to eliminate the greatest risks
17.1. Critical Element: NIST SP 800-18 and about what iii.the a securityii.
Is procedure A mechanismprogram
measurement
applies? for
iii. identifying
Security
in place? vulnerabilities
vulnerabilities
(ongoing security
arerevealed
understoodbyAssume:
important security
compliance
of The
areas incidents
and managed.
first.
decision
concern. to assume a risk means accepting the risk as-is, and not implementing any
or security
and access the appropriate audit log.
Is activity involving access to, and modification Separation of function is a good thing to have within
iii. List thethe security
assignment area.
measurement) alerts.
of IT responsibilities and iv.define
Threats explicit
are continually Likely: Dueand
behavior? reevaluated,
to conditions
controls are and
adapted
to lessenthe
to a changing
is likely
often to
risk security
is theoccur.
environment.
iv. Identify iii. Awhere
process for reporting significant security High:
weaknesses limited
The risk and impact
willensuring
have should
rapidof
serious it occur
and
impacts that
effective
and the cost
as theextensive
of, sensitive or critical files logged and Security administration needs to be cost-effective. Thepoints iv. Has
review of
of contact
management
audit and
trails shouldformally
remedial
supplementary
beaction.
as authorized
v. Additional
automated information
the use
and/or
as possible. of the
more
cansystem?
be
cost-effective
planning and
security
be
alternatives
Examples
far greater
action, its
are
possible
identified
than the agency’s
consequences
weighting:
would concern.
be severe.
need arises.
monitored, and are possible security violations found? v. Have employee job descriptions vi. been
Costsupdated
and benefits
to include
of security
security
areresponsibilities
measured as 1=
precisely
that
Likely+High+Assume
as practicable.
investigated? the implemented controls require? vii. Status metrics for the security program are established 2= Possible+Medium+Mitigate
and met.
Audit trails are good security tools that should be part of every system.
vi. Have employees been trained on security procedures? Mitigate3= : This is the most common decision to make for identified risks: to implement policies,
Remote+Low+Transfer
NIST SP 800-53 AU-2, AU-3, AU-10 procedures, and other security controls to limit the risk to an acceptable level.
This is aNIST SP 800-18
management decision. There are direct costs associated with real-time review and this has to be part of management's
17.1.1 Does the audit trail provide a trace of user overall risk-mitigation strategy. Transfer: Transfer the responsibility for a system or the risk itself to another party that can better
actions? NIST SP 800-53 AU-2, AU-7 accept and deal with the risk and/or has the resources necessary to properly mitigate the risk.
NIST SP 800-18
17.1.2 Can the audit trail support after-the-fact

investigations of how, when, and why normal
NIST SP 800-53 AU-9
operations ceased? NIST SP 800-18
Your
How are peopleNIST
employees shouldSPbe
trained in800-53
your AU-2to
told ifagency , AU-9,
keystrokereport AU-11
monitoring is taking
suspicious place.Whatever
activity? This canmethod
be a serious morale
is used, issue and
the process needs
should to bein the
result
NIST SP NIST800-53 AU-5, AU-6
SP recorded
800-18
handled properly.
suspicious activity being and reported to management.
17.1.3 Is access to online audit logs strictly NIST SP 800-18
controlled?
17.1.4 Are offline storage of audit logs retained for

a period of time, and if so, is access to audit logs
strictly controlled?
17.1.5 Is there separation of duties between

security personnel who administer the access
control function and those who administer the audit NIST
NIST SP 800-53 SP 800-53 AU-13, AU-6, AU-7
AU-13
trail? NIST SP 800-18
NIST SP 800-18
17.1.6 Are audit trails reviewed frequently?

NIST SP 800-53 AU-6
17.1.7 Are automated tools used to review audit FISCAM AC-4.3
records in real time or near real time?
NIST SP 800-53 AU-8
17.1.8 Is suspicious activity investigated and ; NIST SP 800-18
appropriate action taken?
17.1.9 Is keystroke monitoring used? If so, are

users notified?
NOTES:
A12: Audit trails are good security tools that should be part of every system.
A13: The design of audit trails should be part of the system development process. They should be designed to provide sufficient data so both normal or abnormal activities can be detected.
A14: Access to audit logs should be very controlled. If possible, they should be captured on a separate system from the one being monitored.
A15: Audit trail logs need to be managed. You may not detect a problem for days or weeks, so it is important to be able to go back and access the appropriate audit log.
A16: Separation of function is a good thing to have within the security area.
A17: Security administration needs to be cost-effective. The review of audit trails should be as automated as possible.
A18: This is a management decision. There are direct costs associated with real-time review and this has to be part of management's overall risk-mitigation strategy.
A19: How are people trained in your agency to report suspicious activity? Whatever method is used, the process should result in the suspicious activity being recorded and reported to management.
A20: Your employees should be told if keystroke monitoring is taking place. This can be a serious morale issue and needs to be handled properly.
B9: NIST SP 800-53 AU-1

FISCAM AC-4.1
NIST SP 800-18
B12: NIST SP 800-53 AU-2, AU-3, AU-10

NIST SP 800-18
B13: NIST SP 800-53 AU-2, AU-7

NIST SP 800-18
B14: NIST SP 800-53 AU-9

NIST SP 800-18
B15: NIST SP 800-53 AU-2 , AU-9, AU-11

NIST SP 800-18
B16: NIST SP 800-53 AU-5, AU-6

NIST SP 800-18
B17: NIST SP 800-53 AU-13

NIST SP 800-18
B18: NIST SP 800-53 AU-13, AU-6, AU-7

NIST SP 800-18
B19: NIST SP 800-53 AU-6

FISCAM AC-4.3
B20: NIST SP 800-53 AU-8

NIST SP 800-18





of the risk.

State and Local Law Enforcement-specific IT Security Controls
18. FBI CJIS Compliance
References
Risk Decision Pr
Assessment Questions
L.1 L.2 L.3
Level 1. Documented
Level 2.Policy
Documented
Level L.4
3.Procedures
Implemented
Level 4. Procedures
Tested and L.5
Level
andEvaluated
Controls
5. Fully Procedures
Integrated ProceduresRemote:
and Controls The Low:
and Controls
risk probably
The risk Avoidance:
Ranking
will
is manageable
not occur theAvoidance
risk according
because
through the towould
isplanning
often
risk your
used
andcat
fo
bea
a. Does your agency
a. Does have
your
a agency
formally
a. Have have
documented
theformal,
procedures
a. Iscomplete,
and
a measurement
and
disseminated
controls
Does
been
program
policy
your
implemented?
agency
in placehavethat aroutinely
fully operational,
there evaluates comprehensive
the adequacy
are solid means
impacts ingenerally
place and
quantification,
security
known
to limit
are program
recourse.
minimal.
the riskInandthat
tolerance
is an
appropriately.
security integral
of each
projects, a pa
db
control? for b. the Are
policies
the following
defined
effectiveness
statements
at level 1? of true?
security
agency’spolicies,
culture?procedures, and controls? likelihood,
agency put severity,
itself in the and tolerance
situation whereleveit
Policy Procedures Implemented Measuring Feedback/ Reassessment Description of Identified Risk
b. Does the policy
b. Do define
the procedures:
1) purpose
i. Are theandowners
scopeb.and
of
Are
the
users
the
policy,
following
aware
2)b.of Are
elements
thethe
security
following
in place?
policies
statements
and procedures?
true? weighting allows the agency to easily
Possible: TheMedium: avoid
risk has a chance
The riskthe
ofwillcause
occurring,of the
butrisk.
be mitigated it through
may be difficult
plannin
List the control
for its
ii.execution,
Have
areasthe
andpolicies
and
clearly
i.3)
Ancompliance
and
state
effective
procedures
the agency’s
program
requirements
i. There
beenposition?
for
is
formally
evaluating
an active adopted
agencywide
the adequacy
and the security
technical
and effectiveness
program
controlsthatofachieves
securityof action
cost-effective
policies,requiredsecurity.
to eliminate the gre
FBI CJIS Compliance place to help avoid
although
the risk
if it occurs, it will still have some impact on s
procedures, list and
when,controls.
ii. where,
IT securityhow,istoanwhom,
integrated practice within the asset (IT system).
areas of The decision to assume a risk
concern.
CJIS Security Policy, and about what iii.
the
Is procedure
a security measurement
ii.
applies?
A mechanism program
for
iii. identifying
Security
in place?
vulnerabilities
vulnerabilities
(ongoing security
arerevealed
understood
compliance
by security
and managed.
incidents orExamples
security alerts.
of possible weighting:
iii. A process for andreporting
iv.
define
Threatsexplicit
significant
are continually
behavior?
security Likely: Due
reevaluated,
weaknesses and to
and conditions
controls
ensuring
policies
and
arerapid
adapted
1
and
or procedures
capabilities, the risk
= Likely+High+Assume
to
effective
a changing
toislessen
security likely it.
to This
occur.
environmen
is
18.1. Critical Element: Version 4 High: limited
The risk will impact
have should
serious it occurand
impacts that the co
without
iv. Identify pointsiv. Has
of contact
management
and
remedial
where
formally
supplementary
action.
authorized
v. Additional
information
the useand/or
of thecan
more
system?
becost-effective security alternatives 2are
= Possible+Medium+Mitigate
planning be far greater than the agency’s would concern.
Has the agency implemented the minimum found? v. Have employee job descriptions vi.been
Costs updated
and benefits
to include
of security
security are
responsibilities
measured thatand action,
as precisely its consequences
as3 practicable.
= Remote+Low+Transfer be sever
level of technical security controls, as outlined the implemented controls require?
in the CJIS Security Policy? vi. Have employees been trained on security procedures? Mitigate: This is the most common deci
procedures, and other security controls to
CJIS Security Policy, Transfer: Transfer the responsibility fo

18.1.1 Is CJIS awareness training conducted for Version 4, Section 4.3 accept and deal with the risk and/or has
new employees within 6 months of appointment
or assignment?
CJIS Security Policy,
18.1.2 Has adequate physical security been Version 4, Sections 4.4.1
provided at all times to protect against and 7.2
unauthorized access to or routine viewing of
computer devices, access devices, and printed
and stored data?

18.1.3 Are all visitors to computer centers and/or Version 4, Section 4.4.3
terminal areas escorted by authorized personnel
at all times?
18.1.4 Is personnel background screening Version 4, Section 4.5.1
conducted for all personnel who have systems
access and computer terminal/records storage
areas access?

18.1.5 Are all media disposed of or reused in Version 4, Sections 4.6 and
accordance with CJIS policy? 4.7
Version 4, Sections 5.3 and
18.1.6 Are security incidents identified, 5.4
investigated, and properly forwarded to the FBI
CJIS Information Security Officer (ISO) or to the
Computer Security Incident Response Center CJIS Security Policy, Version 4, Sections
(CSIRC)? 6.3, 6.4, and 6.6
CJIS Security Policy, Version 4, Sections
6.3, 6.4, and 6.6
18.1.7 Are all criminal/noncriminal justice

agency and contractor user agreements in place?

Version 4, Section 7.1
18.1.8 Is the network configuration
documented?
Version 4, Section 7.3
18.1.9 Is the identity of users authenticated
according to the methods identified in the CJIS
Security Policy (Virtual Private Networks [VPN],
biometrics, public key infrastructure [PKI], smart CJIS Security Policy, Version 4, Section
cards, and tokens), as applicable? 7.3.2
18.1.10 Are all nonsecure locations that access

CJIS from any Internet, wireless, or dial-in
connection using the proper level of CJIS Security Policy,
authentication, as defined in this policy? Version 4, Sec. 7.3.3
18.1.11 Are all secure locations that access CJIS

from any Internet, wireless, or dial-in connection
from a remote location using the proper level of
authentication, as defined in this policy? CJIS Security Policy,
Version 4, Section
7.3.2(b)
18.1.12 Are all mobile devices that have been

removed from a police vehicle incorporating, at a
minimum, the use of a unique password or other
personal identifier (PIN), and do they meet the
advanced authentication requirement, as well? CJIS Security Policy,
Version 4, Section 7.4.1
18.1.13 Is each person who is authorized to CJIS Security Policy,

store, process, and/or transmit information on an Version 4, Section 7.4.2
FBI CJIS system issued a unique identifier?

18.1.14 Do all passwords for access and Version 4, Section 7.5
authentication on criminal justice information
systems comply with CJIS policy? CJIS Security Policy,
Version 4, Sections 7.6 and
7.7
18.1.15 Is access control documented and
controlled according to the guidance in Appendix
C-8 of the CJIS policy?
CJIS Security Policy, Version 4, Section 7.8; and FIPS Publication
140-2, “Security Requirements for Cryptographic Modules”
18.1.16 Is Internet and dial-up access to the
system controlled according to CJIS policy?
CJIS Security Policy, Version 4, Section 7.8; and FIPS Publication
140-2, “Security Requirements for Cryptographic Modules”
18.1.17 Are data encryption standards, as CJIS Security Policy, Version 4, Section 7.8.1; and
outlined in the CJIS policy, being met? Appendix C, "Guidelines and Recommendations for Effective
Encryption Key Management"
CJIS Security Policy, Version 4, Section 7.9; and Appendix C,
18.1.18 Are encryption keys that are used "Wireless Implementation Guidelines"
documented and managed by the agency?
18.1.19 Do all wirelessly attached devices

follow the guidelines, as set forth in the CJIS
CJIS Security Policy, Version 4, Section 7.10; Appendix B, "Firewall
policy? Security and Profile Web Sites"; and Appendix C, "Firewall
Definitions"
18.1.20 Do firewalls used to protect the criminal
justice information system meet the guidelines, as
CJIS Security Policy, Version 4, Section 7.12
outlined in the policy?
CJIS Security Policy, Version 4, Section 8.0

18.1.21 Is virus protection used on the system?
18.1.22 Is criminal history information

controlled according to CJIS policy?
NOTES:
Risk Decision Process
Comments
lyAvoidance:
isk Ranking
will
is manageable
not occur theAvoidance
risk according
because
through the towould
isplanning
often
risk your
andcategorization,
used for
beaction,
difficult
risks and
thattothe
have
realize,
theorcapacity for negative impact, but have little
acy
sive and
nerally
aceknownquantification,
security
to limit
are program
recourse.
minimal.
the riskInandthat
tolerance
is an
appropriately.
security integral
of each
projects, a part
basedof your
decision ontothe
avoid risks often means a decision not to let your
likelihood,
agency severity,
put itself in the and tolerance
situation wherelevels.
it This
could simple
incur the risk.
Likelihood Severity RiskTherefore,
Toleranceyour decision
Actionwould also be to
Priority
avoidweighting allows the agency to easily rank the priority
chance
The riskthe
ofwillcause
occurring,of the
butrisk.
be mitigated it through
may be difficult
planningorand there
action,
are controls in
ecurity
hieves of action
cost-effective
policies,requiredsecurity.
to eliminate the greatest risks first.
it occurs, it will still have some impact on some of the
T system).
Assume:
tant areas of The decision to assume a risk means accepting the risk as-is, and not implementing any
concern.
ts orExamples
security alerts.
of possible weighting:
policies
and or procedures
capabilities, the risk toislessen
likely it.
to This
occur.is often the decision in cases where the risk is so minimal and of
apid
adapted 1
and= Likely+High+Assume
to
effective
a changing security environment.
limited
risk will impact
have should
serious it occurand
impacts that the cost
extensive
ives2 are
= Possible+Medium+Mitigate
dbe
ely
far greater
its consequences
as3 practicable.
= Remote+Low+Transfer would concern.
be severe.
ed and met.
Mitigate: This is the most common decision to make for identified risks: to implement policies,
B12: CJIS Security Policy, Version 4
B14: CJIS Security Policy, Version 4, Section 4.3
B15: CJIS Security Policy, Version 4, Sections 4.4.1 and 7.2
B16: CJIS Security Policy, Version 4, Section 4.4.3
B18: CJIS Security Policy, Version 4, Sections 4.6 and 4.7
B20: CJIS Security Policy, Version 4, Sections 6.3, 6.4, and 6.6
B24: CJIS Security Policy, Version 4, Sec. 7.3.3
B25: CJIS Security Policy, Version 4, Section 7.3.2(b)
B30: CJIS Security Policy, Version 4, Section 7.8; and FIPS Publication 140-2, “Security Requirements for Cryptographic Modules”
B31: CJIS Security Policy, Version 4, Section 7.8.1; and

Appendix C, "Guidelines and Recommendations for Effective Encryption Key Management"
B32: CJIS Security Policy, Version 4, Section 7.9; and Appendix C, "Wireless Implementation Guidelines"
B33: CJIS Security Policy, Version 4, Section 7.10; Appendix B, "Firewall Security and Profile Web Sites"; and Appendix C, "Firewall Definitions"




Possible: The risk has a chance of occurring, but it may be difficult or there are controls in place to help avoid the risk
K10: Avoidance: Avoidance is often used for risks that have the capacity for negative impact, but have little known recourse. In security projects, a decision to avoid risks often means a decision not to let your agency
put itself in the situation where it could incur the risk. Therefore, your decision would also be to avoid the cause of the risk.
Assume: The decision to assume a risk means accepting the risk as-is, and not implementing any policies or procedures to lessen it. This is often the decision in cases where the risk is so minimal and of limited
impact should it occur that the cost of implementing a mechanism to minimize or reduce it would be far greater than the agency’s concern.
L10: Ranking the risk according to your categorization, quantification, and tolerance of each based on the likelihood, severity, and tolerance levels. This simple weighting allows the agency to easily rank the priority of
action required to eliminate the greatest risks first.

1 = Likely+High+Assume
2 = Possible+Medium+Mitigate
3 = Remote+Low+Transfer
WARNING WARNING WARNING
DO NOT DELETE THIS WORKSHEET. CHANGES OR DELETIONS TO THIS WORKSHEET WILL AFFECT THE ENTIRE TOOL
WARNING WARNING WARNING

SEARCHITSecurity Assessment Tool

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

SEARCHITSecurity Assessment Tool

Uploaded by

Copyright:

Available Formats

SEARCH IT Security Self- and Risk-Assessment Tool

Gathering Preliminary Information for a Security Self- and Risk-Assessment Project

Gathering Preliminary Information for a

Return to Table of Contents

Kickoff: Gathering the Preliminary Organization Data

Return to Table of Contents

Return to Table of Contents

b. Create a data flow diagram

Return to Table of Contents

Return to Table of Contents

System Questionnaire Cover Sheet

System Name, Title, and Unique Identifier: _______________________________________________________

Major Application ____________________ or General Support System __________________

Date of Evaluation: _________________________

List of Connected Systems:

Purpose and Objective of Assessment:

1.1.3 As changes are made to the system, are risk

1.1.4 Have data sensitivity and integrity of the data

1.1.5 Have threat sources, both natural and man-

1.1.6 Have you identified, documented, and

1.1.7 Has an analysis been conducted that

1.2.2 Has a mission/business impact analysis been

Return to Table of Contents

Some natural threat sources are earthquake, tsunamis,

Your agency should

Your agency will need to conduct research to determine

Some natural threat sources are earthquake, tsunamis,

Your agency should

Your agency will need to conduct research to determine

From the above information, you need to determine the

NIST SP 800-53 RA-3

Management must be involved in all levels of risk-management

Written records are one of the keys to an effective risk-management

The risk-management process first identifies risks associated with your

NIST SP 800-53 CA-5, RA-3

NIST SP 800-53 CA-5, RA-3

A20: This question assumes the following:

B11: NIST SP 800-53 RA-2

B17: NIST SP 800-53 RA-2

B18: NIST SP 800-53 RA-3

B19: NIST SP 800-53 CA-5, RA-3

B20: NIST SP 800-53 RA-3

B23: NIST SP 800-53 RA-3

B24: NIST SP 800-53 RA-3

B25: NIST SP 800-53 CA-5, RA-3

C10: Level 1. Documented Policy

D10: Level 2. Documented Procedures

E10: Level 3. Implemented Procedures and Controls

G10: Level 5. Fully Integrated Procedures and Controls

Likely: Due to conditions and capabilities, the risk is likely to occur.

Examples of possible weighting:

2. Review of Security Controls

2.1.2 Has an independent review been performed

Return to Table of Contents

Management has the responsibility to request a review of these security interrelationships.

B9: NIST SP 800-53 CA-1

B12: NIST SP 800-53 CA-2

B13: NIST SP 800-53 CA-4

B14: NIST SP 800-53 CA-2

B15: NIST SP 800-53 CA-2

B16: NIST SP 800-53 IR-4

B19: NIST SP 800-53 CA-4

C8: Level 1. Documented Policy

Major Application __ or General Support System