NIST 800-53 v4 - Example Cybersecurity Documentation

NIST 800-53 V4 INFORMATION SECURITY ASSESSMENT TEMPLATE ACME Business Consulting, Inc.

Upload: dangtram

Post on 17-Jul-2018


TRANSCRIPT

Page 1: NIST 800-53 v4 - Example Cybersecurity Documentation (examples.complianceforge.com/...assessment-template-nist-800-53.pdf)

NIST 800-53 V4 INFORMATION SECURITY ASSESSMENT

TEMPLATE

ACME Business Consulting, Inc.

Page 2 of 103

Table of Contents

TECHNOLOGY AUDIT OVERVIEW 8
  PURPOSE 8
  SCOPE 8
  AUDIT CONTROLS 8

COMPANY FUNDAMENTALS 10
  BACKGROUND INFORMATION 10
  BUSINESS DEMOGRAPHICS 10
  CORE BUSINESS FUNCTIONS 10
  STRATEGY & TECHNOLOGY VISION 10

COMMON CONTROLS 12
  PROGRAM MANAGEMENT (PM) 12
    PM-01: INFORMATION SECURITY PROGRAM PLAN 12
    PM-02: ASSIGNED INFORMATION SECURITY RESPONSIBILITIES 12
    PM-03: INFORMATION SECURITY RESOURCES 12
    PM-04: VULNERABILITY REMEDIATION PROCESS 13
    PM-05: INFORMATION SYSTEM INVENTORY 13
    PM-06: INFORMATION SECURITY MEASURES OF PERFORMANCE 13
    PM-07: ENTERPRISE ARCHITECTURE 14
    PM-08: CRITICAL INFRASTRUCTURE PLAN 14
    PM-09: RISK MANAGEMENT STRATEGY 14
    PM-10: SECURITY AUTHORIZATION PROCESS 15
    PM-11: BUSINESS PROCESS DEFINITION 15
    PM-12: INSIDER THREAT PROGRAM 15
    PM-13: INFORMATION SECURITY WORKFORCE 15
    PM-14: TESTING, TRAINING & MONITORING 16
    PM-15: CONTACTS WITH SECURITY GROUPS & ASSOCIATIONS 16
    PM-16: THREAT AWARENESS PROGRAM 16

MANAGEMENT CONTROLS 17
  AWARENESS & TRAINING (AT) 17
    AT-01: SECURITY AWARENESS & TRAINING POLICY & PROCEDURES 17
    AT-02: SECURITY AWARENESS 17
    AT-03: SECURITY TRAINING 17
    AT-04: SECURITY TRAINING RECORDS 18
    AT-05: SECURITY INDUSTRY ALERTS & NOTIFICATION PROCESS 18
  PERSONNEL SECURITY (PS) 18
    PS-01: PERSONNEL SECURITY POLICY & PROCEDURES 18
    PS-02: POSITION CATEGORIZATION (ROLES & RESPONSIBILITIES) 19
    PS-03: PERSONNEL SCREENING 19
    PS-04: PERSONNEL TERMINATION 19
    PS-05: PERSONNEL TRANSFER 20
    PS-06: ACCESS AGREEMENTS 20
    PS-07: THIRD-PARTY PERSONNEL SECURITY 20
    PS-08: PERSONNEL SANCTIONS 21
  PLANNING (PL) 21
    PL-01: SECURITY PLANNING POLICY & PROCEDURES 21
    PL-02: SYSTEM SECURITY PLAN (SSP) 21
    PL-03: SYSTEM SECURITY PLAN (SSP) UPDATE 22
    PL-04: RULES OF BEHAVIOR 22
    PL-05: PRIVACY IMPACT ASSESSMENT (PIA) 22
    PL-06: SECURITY-RELATED ACTIVITY PLANNING 23
    PL-07: SECURITY CONCEPT OF OPERATIONS 23
    PL-08: SECURITY ARCHITECTURE 23
    PL-09: CENTRAL MANAGEMENT 23

Page 3 of 103

  RISK ASSESSMENT (RA) 24
    RA-01: RISK ASSESSMENT POLICY & PROCEDURES 24
    RA-02: SECURITY CATEGORIZATION 24
    RA-03: RISK ASSESSMENT 24
    RA-04: RISK ASSESSMENT UPDATE 25
    RA-05: VULNERABILITY SCANNING 25
    RA-06: TECHNICAL SURVEILLANCE COUNTERMEASURES SECURITY 25
  SYSTEM & SERVICE ACQUISITION (SA) 26
    SA-01: SYSTEM & SERVICES ACQUISITION POLICY & PROCEDURES 26
    SA-02: ALLOCATION OF RESOURCES 26
    SA-03: SYSTEM DEVELOPMENT LIFE CYCLE (SDLC) 26
    SA-04: ACQUISITIONS 27
    SA-05: INFORMATION SYSTEM DOCUMENTATION 27
    SA-06: SOFTWARE USAGE RESTRICTIONS 27
    SA-07: USER-INSTALLED SOFTWARE 27
    SA-08: SECURITY ENGINEERING PRINCIPLES 28
    SA-09: EXTERNAL INFORMATION SYSTEMS 28
    SA-10: DEVELOPER CONFIGURATION MANAGEMENT 28
    SA-11: DEVELOPER SECURITY TESTING 29
    SA-12: SUPPLY CHAIN PROTECTION 29
    SA-13: TRUSTWORTHINESS 29
    SA-14: CRITICALITY ANALYSIS 30
    SA-15: DEVELOPMENT PROCESS, STANDARDS & TOOLS 30
    SA-16: DEVELOPER-PROVIDED TRAINING 30
    SA-17: DEVELOPER SECURITY ARCHITECTURE & DESIGN 31
    SA-18: TAMPER RESISTANCE & DETECTION 31
    SA-19: COMPONENT AUTHENTICITY 31
    SA-20: CUSTOMIZED DEVELOPMENT OF CRITICAL COMPONENTS 31
    SA-21: DEVELOPER SCREENING 32
    SA-22: UNSUPPORTED SYSTEM COMPONENTS 32

OPERATIONAL CONTROLS 33
  CERTIFICATION, ACCREDITATION & SECURITY ASSESSMENT (CA) 33
    CA-01: SECURITY ASSESSMENT POLICY & PROCEDURES 33
    CA-02: SECURITY ASSESSMENTS 33
    CA-03: INFORMATION SYSTEM CONNECTIONS 34
    CA-04: SECURITY CERTIFICATION 34
    CA-05: PLAN OF ACTION & MILESTONES (POA&M) 35
    CA-06: SECURITY AUTHORIZATION 35
    CA-07: CONTROL MONITORING 35
    CA-08: PENETRATION TESTING 36
    CA-09: INTERNAL SYSTEM CONNECTIONS 36
  CONTINGENCY PLANNING (CP) 36
    CP-01: CONTINGENCY PLANNING POLICY & PROCEDURES 36
    CP-02: CONTINGENCY PLAN 37
    CP-03: CONTINGENCY TRAINING 37
    CP-04: CONTINGENCY TESTING & EXERCISES 37
    CP-05: CONTINGENCY PLAN UPDATE 38
    CP-06: ALTERNATE STORAGE SITE 38
    CP-07: ALTERNATE PROCESSING SITE 39
    CP-08: TELECOMMUNICATIONS SERVICES 39
    CP-09: INFORMATION SYSTEM BACKUP 39
    CP-10: INFORMATION SYSTEM RECOVERY & RECONSTITUTION 40
    CP-11: ALTERNATE COMMUNICATIONS PROTOCOLS 40
    CP-12: SAFE MODE 40
    CP-13: ALTERNATIVE SECURITY MEASURES 41
  INCIDENT RESPONSE (IR) 41
    IR-01: INCIDENT RESPONSE POLICY & PROCEDURES 41

Page 4 of 103

    IR-02: INCIDENT RESPONSE TRAINING 41
    IR-03: INCIDENT RESPONSE TESTING & EXERCISES 42
    IR-04: INCIDENT HANDLING 42
    IR-05: INCIDENT MONITORING 42
    IR-06: INCIDENT REPORTING 42
    IR-07: INCIDENT REPORTING ASSISTANCE 43
    IR-08: INCIDENT RESPONSE PLAN (IRP) 43
    IR-09: INFORMATION SPILLAGE RESPONSE 44
    IR-10: INTEGRATED INFORMATION SECURITY ANALYSIS TEAM 44
  MAINTENANCE (MA) 44
    MA-01: MAINTENANCE POLICY & PROCEDURES 44
    MA-02: CONTROLLED MAINTENANCE 44
    MA-03: MAINTENANCE TOOLS 45
    MA-04: NON-LOCAL MAINTENANCE 45
    MA-05: MAINTENANCE PERSONNEL 46
    MA-06: TIMELY MAINTENANCE 46
  MEDIA PROTECTION (MP) 46
    MP-01: MEDIA PROTECTION POLICY & PROCEDURES 46
    MP-02: MEDIA ACCESS 47
    MP-03: MEDIA MARKING 47
    MP-04: MEDIA STORAGE 47
    MP-05: MEDIA TRANSPORTATION 48
    MP-06: MEDIA SANITIZATION 48
    MP-07: MEDIA & ASSET USE 49
    MP-08: MEDIA DOWNGRADING 49
  PHYSICAL & ENVIRONMENTAL PROTECTION (PE) 49
    PE-01: PHYSICAL & ENVIRONMENTAL PROTECTION POLICY & PROCEDURES 49
    PE-02: PHYSICAL ACCESS AUTHORIZATION 50
    PE-03: PHYSICAL ACCESS CONTROL 50
    PE-04: ACCESS CONTROL FOR TRANSMISSION MEDIUM 50
    PE-05: ACCESS CONTROL FOR OUTPUT DEVICES 51
    PE-06: MONITORING PHYSICAL ACCESS 51
    PE-07: VISITOR CONTROL 51
    PE-08: ACCESS RECORDS 51
    PE-09: POWER EQUIPMENT & POWER CABLING 52
    PE-10: EMERGENCY SHUTOFF 52
    PE-11: EMERGENCY POWER 52
    PE-12: EMERGENCY LIGHTING 53
    PE-13: FIRE PROTECTION 53
    PE-14: TEMPERATURE & HUMIDITY CONTROLS 53
    PE-15: WATER DAMAGE PROTECTION 53
    PE-16: DELIVERY & REMOVAL 54
    PE-17: ALTERNATE WORK SITE 54
    PE-18: LOCATION OF INFORMATION SYSTEM COMPONENTS 54
    PE-19: INFORMATION LEAKAGE 55
    PE-20: ASSET MONITORING & TRACKING 55

TECHNICAL CONTROLS 56
  ACCESS CONTROL (AC) 56
    AC-01: ACCESS CONTROL POLICY & PROCEDURES 56
    AC-02: ACCOUNT MANAGEMENT 56
    AC-03: ACCESS ENFORCEMENT 57
    AC-04: INFORMATION FLOW ENFORCEMENT – ACCESS CONTROL LISTS (ACLS) 57
    AC-05: SEPARATION OF DUTIES 57
    AC-06: LEAST PRIVILEGE 58
    AC-07: UNSUCCESSFUL LOGIN ATTEMPTS 58
    AC-08: SYSTEM USE NOTIFICATION 58
    AC-09: PREVIOUS LOGON NOTIFICATION 59

Page 5 of 103

    AC-10: CONCURRENT SESSION CONTROL 59
    AC-11: SCREEN LOCK 59
    AC-12: REMOTE SESSION TERMINATION 60
    AC-13: ACCOUNT RESTRICTION PARAMETERS 60
    AC-14: PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHORIZATION 60
    AC-15: AUTOMATED MARKING 61
    AC-16: SECURITY ATTRIBUTES 61
    AC-17: REMOTE ACCESS 61
    AC-18: WIRELESS ACCESS 62
    AC-19: MOBILE DEVICES 62
    AC-20: INTRANETS 63
    AC-21: USER-BASED COLLABORATION & INFORMATION SHARING 63
    AC-22: PUBLICLY ACCESSIBLE CONTENT 63
    AC-23: DATA MINING PROTECTION 64
    AC-24: ACCESS CONTROL DECISIONS 64
    AC-25: SECURITY REFERENCE MONITOR 64
  AUDIT & ACCOUNTABILITY (AU) 64
    AU-01: AUDIT & ACCOUNTABILITY POLICY & PROCEDURES 64
    AU-02: AUDITABLE EVENTS 65
    AU-03: CONTENT OF AUDIT RECORDS 65
    AU-04: AUDIT STORAGE CAPACITY 65
    AU-05: RESPONSE TO AUDIT PROCESSING FAILURES 66
    AU-06: AUDIT REVIEW, ANALYSIS & REPORTING 66
    AU-07: AUDIT REDUCTION & REPORT GENERATION 66
    AU-08: TIME STAMPS 67
    AU-09: PROTECTION OF AUDIT INFORMATION 67
    AU-10: NON-REPUDIATION 67
    AU-11: AUDIT RECORD RETENTION 68
    AU-12: AUDIT GENERATION 68
    AU-13: MONITORING FOR INFORMATION DISCLOSURE 68
    AU-14: SESSION AUDIT 69
    AU-15: ALTERNATE AUDIT CAPABILITY 69
    AU-16: CROSS-ORGANIZATIONAL AUDITING 69
  CONFIGURATION MANAGEMENT (CM) 69
    CM-01: CONFIGURATION MANAGEMENT POLICY & PROCEDURES 69
    CM-02: BASELINE CONFIGURATION 69
    CM-03: CONFIGURATION CHANGE CONTROL 70
    CM-04: SECURITY IMPACT ANALYSIS 70
    CM-05: ACCESS RESTRICTION FOR CHANGE 70
    CM-06: CONFIGURATION SETTINGS 71
    CM-07: LEAST FUNCTIONALITY 71
    CM-08: INFORMATION SYSTEM COMPONENT INVENTORY 71
    CM-09: CONFIGURATION MANAGEMENT PLAN 72
    CM-10: SOFTWARE USAGE RESTRICTIONS 72
    CM-11: USER-INSTALLED SOFTWARE 73
  IDENTIFICATION & AUTHENTICATION (IA) 73
    IA-01: IDENTIFICATION & AUTHENTICATION POLICY & PROCEDURES 73
    IA-02: USER IDENTIFICATION & AUTHENTICATION (ORGANIZATIONAL USERS) 73
    IA-03: DEVICE IDENTIFICATION & AUTHENTICATION 74
    IA-04: IDENTIFIER MANAGEMENT (USERNAMES) 74
    IA-05: AUTHENTICATOR MANAGEMENT (PASSWORDS) 74
    IA-06: AUTHENTICATOR FEEDBACK 75
    IA-07: CRYPTOGRAPHIC MODULE AUTHENTICATION 75
    IA-08: USER IDENTIFICATION & AUTHENTICATION (NON-ORGANIZATIONAL USERS) 75
    IA-09: SERVICE PROVIDER IDENTIFICATION & AUTHENTICATION (VENDORS) 76
    IA-10: ADAPTIVE IDENTIFICATION & AUTHENTICATION 76
    IA-11: RE-AUTHENTICATION 76
  SYSTEM & COMMUNICATION PROTECTION (SC) 76

Page 6 of 103

    SC-01: SYSTEM & COMMUNICATION POLICY & PROCEDURES 76
    SC-02: APPLICATION PARTITIONING 77
    SC-03: SECURITY FUNCTION ISOLATION 77
    SC-04: INFORMATION IN SHARED RESOURCES 77
    SC-05: DENIAL OF SERVICE (DOS) PROTECTION 78
    SC-06: RESOURCE PRIORITY 78
    SC-07: BOUNDARY PROTECTION (FIREWALL PLACEMENT) 78
    SC-08: TRANSMISSION INTEGRITY 79
    SC-09: TRANSMISSION CONFIDENTIALITY 79
    SC-10: NETWORK DISCONNECT 79
    SC-11: TRUSTED PATH 80
    SC-12: CRYPTOGRAPHIC KEY ESTABLISHMENT & MANAGEMENT 80
    SC-13: USE OF CRYPTOGRAPHY 80
    SC-14: PUBLIC ACCESS PROTECTIONS 81
    SC-15: COLLABORATIVE COMPUTING DEVICES 81
    SC-16: TRANSMISSION OF SECURITY ATTRIBUTES 81
    SC-17: PUBLIC KEY INFRASTRUCTURE (PKI) CERTIFICATES 82
    SC-18: MOBILE CODE 82
    SC-19: COMMUNICATIONS TECHNOLOGIES 82
    SC-20: SECURE NAME / ADDRESS RESOLUTION SERVICE (DNS) 83
    SC-21: SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) 84
    SC-22: ARCHITECTURE & PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE 84
    SC-23: SESSION AUTHENTICITY 84
    SC-24: FAIL IN KNOWN STATE 84
    SC-25: THIN NODES 84
    SC-26: HONEYPOTS 85
    SC-27: OPERATING SYSTEM-INDEPENDENT APPLICATIONS 85
    SC-28: ENCRYPTING DATA AT REST 85
    SC-29: HETEROGENEITY 85
    SC-30: CONCEALMENT & MISDIRECTION 85
    SC-31: COVERT CHANNEL ANALYSIS 86
    SC-32: INFORMATION SYSTEM PARTITIONING 86
    SC-33: TRANSMISSION PREPARATION INTEGRITY 86
    SC-34: NON-MODIFIABLE EXECUTABLE PROGRAMS 86
    SC-35: HONEYCLIENTS 87
    SC-36: DISTRIBUTED PROCESSING & STORAGE 87
    SC-37: OUT-OF-BAND CHANNELS 87
    SC-38: OPERATIONS SECURITY 87
    SC-39: PROCESS ISOLATION 87
    SC-40: WIRELESS LINK PROTECTION 88
    SC-41: PORT & I/O DEVICE ACCESS 88
    SC-42: SENSOR CAPABILITY & DATA 88
    SC-43: USAGE RESTRICTIONS 88
    SC-44: DETONATION CHAMBERS 89
  SYSTEM & INFORMATION INTEGRITY (SI) 89
    SI-01: SYSTEM & INFORMATION INTEGRITY POLICY & PROCEDURES 89
    SI-02: FLAW REMEDIATION (PATCH MANAGEMENT) 89
    SI-03: MALICIOUS SOFTWARE (MALWARE) PROTECTION 90
    SI-04: INFORMATION SYSTEM MONITORING 90
    SI-05: SECURITY ALERTS, ADVISORIES & DIRECTIVES 91
    SI-06: SECURITY FUNCTIONALITY VERIFICATION 91
    SI-07: INFORMATION SYSTEM & DATA INTEGRITY 92
    SI-08: SPAM PROTECTION 92
    SI-09: INFORMATION INPUT RESTRICTIONS 92
    SI-10: INPUT DATA VALIDATION 93
    SI-11: ERROR HANDLING 93
    SI-12: INFORMATION OUTPUT HANDLING & RETENTION 93
    SI-13: PREDICTABLE FAILURE PREVENTION 93

Page 7 of 103

    SI-14: NON-PERSISTENCE 94
    SI-15: INFORMATION OUTPUT FILTERING 94
    SI-16: MEMORY PROTECTION 94
    SI-17: FAIL-SAFE PROCEDURES 94

PRIVACY CONTROLS 95
  SENSITIVE DATA AUTHORITY & PURPOSE (AP) 95
    AP-01: AUTHORITY TO COLLECT 95
    AP-02: PURPOSE SPECIFICATION 95
  DATA ACCOUNTABILITY, AUDIT & RISK MANAGEMENT (AR) 95
    AR-01: GOVERNANCE & PRIVACY PROGRAM 95
    AR-02: PRIVACY IMPACT & RISK ASSESSMENT 95
    AR-03: PRIVACY REQUIREMENTS FOR CONTRACTORS & SERVICE PROVIDERS 96
    AR-04: PRIVACY MONITORING & AUDITING 96
    AR-05: PRIVACY AWARENESS & TRAINING 96
    AR-06: PRIVACY REPORTING 97
    AR-07: PRIVACY-ENHANCED SYSTEM DESIGN & DEVELOPMENT 97
    AR-08: ACCOUNTING OF DISCLOSURES 97
  DATA QUALITY & INTEGRITY (DI) 97
    DI-01: DATA QUALITY 97
    DI-02: DATA INTEGRITY 98
  DATA MINIMIZATION & RETENTION (DM) 98
    DM-01: MINIMIZATION OF PERSONALLY IDENTIFIABLE INFORMATION (PII) 98
    DM-02: DATA RETENTION & DISPOSAL 98
    DM-03: MINIMIZATION OF PII USED IN TESTING, TRAINING & RESEARCH 98
  INDIVIDUAL PARTICIPATION & REDRESS (IP) 99
    IP-01: CONSENT 99
    IP-02: INDIVIDUAL ACCESS 99
    IP-03: REDRESS 99
    IP-04: USER FEEDBACK MANAGEMENT 100
  DATA SECURITY (SE) 100
    SE-01: INVENTORY OF PERSONALLY IDENTIFIABLE INFORMATION (PII) 100
    SE-02: PRIVACY INCIDENT RESPONSE 100
  DATA TRANSPARENCY (TR) 100
    TR-01: PRIVACY NOTICE 100
    TR-02: SAFE HARBOR 101
    TR-03: DISSEMINATION OF PRIVACY PROGRAM INFORMATION 101
  DATA USE LIMITATION (UL) 101
    UL-01: INTERNAL USE 101
    UL-02: INFORMATION SHARING WITH THIRD PARTIES 102

GLOSSARY 103
  ACRONYMS 103
  DEFINITIONS 103

Page 8 of 103

TECHNOLOGY AUDIT OVERVIEW

PURPOSE

The purpose of this audit is to review ACME’s due care and due diligence documentation and procedures, in an effort to identify areas of technology management that do not meet industry-recognized best practices and to develop a plan to correct those deficiencies. This template is based on the NIST 800-53 revision 4 control set.

SCOPE

The scope of this audit is intended to cover all business-supported technologies at all geographic locations, including outsourcing arrangements.

AUDIT CONTROLS

Within NIST 800-53, there are five (5) general classes of security control objectives, and these classes are further broken down into twenty-six (26) families of security control objectives.

Program
  o Focus is on information security program-level security topics.
  o Their focus is on the overall framework for the program to govern management, operational, technical and privacy controls.

Management
  o Focus is on techniques and concerns that are normally addressed by management in ACME’s information security program.
  o These focus on the management of the information security program and the management of risk within ACME.

Operational
  o Focus is on techniques and concerns that are generally implemented and executed by people, as opposed to systems, that are put in place to improve the security of a particular system or group of systems.
  o These often require technical or specialized expertise, often relying upon management activities as well as technical controls.

Technical
  o Focus is on processes and technologies that computer systems control or execute.
  o These are dependent upon the proper functioning of the system for their effectiveness and therefore require significant operational considerations.

Privacy
  o Focus is on controls that impact Personally Identifiable Information (PII).
  o These are dependent upon the proper functioning of the other classes of controls for their effectiveness and therefore require significant operational considerations.

Page 9 of 103

Each family contains security controls related to the security functionality of the family. A two-character identifier is assigned to uniquely identify each control family. The table below summarizes the classes and families in the security control catalog and the associated family identifiers.

Level of Focus   Family                                                   Identifier
Program          Security Program Management                              PM
Management       Awareness & Training                                     AT
Management       Personnel Security                                       PS
Management       Planning                                                 PL
Management       Risk Assessment                                          RA
Management       System & Services Acquisition                            SA
Operational      Certification, Accreditation & Security Assessments      CA
Operational      Contingency Planning                                     CP
Operational      Incident Response                                        IR
Operational      Maintenance                                              MA
Operational      Media Protection                                         MP
Operational      Physical & Environmental Protection                      PE
Technical        Access Control                                           AC
Technical        Audit & Accountability                                   AU
Technical        Configuration Management                                 CM
Technical        Identification & Authentication                          IA
Technical        System & Communications Protection                       SC
Technical        System & Information Integrity                           SI
Privacy          Authority & Purpose                                      AP
Privacy          Data Accountability, Audit & Risk Management             AR
Privacy          Data Minimization & Retention                            DM
Privacy          Data Quality & Integrity                                 DI
Privacy          Data Security                                            SE
Privacy          Data Transparency                                        TR
Privacy          Data Use Limitation                                      UL
Privacy          Individual Participation & Redress                       IP

NIST SP 800-53 Control Objectives Families & Classes

Page 10 of 103

COMPANY FUNDAMENTALS

Helpful hints for filling out this section: This section helps gather a clear understanding of the goals and direction of ACME.

BACKGROUND INFORMATION
Legal Business Name:
Doing Business As (DBA) Name:
Address:
Phone number:
Fax number:
Registered Domain Names:

BUSINESS DEMOGRAPHICS
Years in business:
Number of locations (list locations, if applicable):
Number of employees (broken down by location):
Number of Servers (per location):
Number of Desktop Computers (per location):
Number of Laptop Computers (per location):
Number of Mobile Devices (e.g., smart phones, tablets, etc.) (per location):

CORE BUSINESS FUNCTIONS
What industry is the company involved in?
Who are the company’s target clientele (e.g., retail, schools, hospitals, etc.)?

STRATEGY & TECHNOLOGY VISION

Page 15 of 103

PM-10: Security Authorization Process
Control Requirement: The organization:
  Manages (e.g., documents, tracks, and reports) the security state of organizational information systems through security authorization processes;
  Designates individuals to fulfill specific roles and responsibilities within the organization’s risk management process; and
  Fully integrates the security authorization processes into an organization-wide risk management program.
Helpful hints for filling out this section: The objective of this control is that the organization has a process to approve systems through a verification process to ensure the new systems do not expose the organization to undue risk.
Findings: (provide details below)
Is this control met? YES ☐ NO ☐ N/A ☐ UNKNOWN ☐
Details: Who is the approver for systems to go into production?

PM-11: Business Process Definition
Control Requirement: The organization:
  Defines business processes with consideration for Information Security and the resulting risk to organizational operations, organizational assets, individuals, and other organizations; and
  Determines information protection needs arising from the defined business processes and revises the processes as necessary, until an achievable set of protection needs is obtained.
Helpful hints for filling out this section: The objective of this control is that the organization has defined business processes so security controls can be scoped accordingly to protect organizational interests.
Findings: (provide details below)
Is this control met? YES ☐ NO ☐ N/A ☐ UNKNOWN ☐
Details: How would a user know what the business processes are?

PM-12: Insider Threat Program
Control Objective: The organization implements an insider threat program that includes a cross-discipline insider threat incident handling team.
Helpful hints for filling out this section: The objective of this control is that the risks associated with insider threats are properly addressed.
Findings: (provide details below)
Is this control met? YES ☐ NO ☐ N/A ☐ UNKNOWN ☐
Details:

PM-13: Information Security Workforce
Control Objective: The organization establishes an information security workforce development and improvement program.
Helpful hints for filling out this section: The objective of this control is that a program is in place to properly educate the entire workforce in cybersecurity threats and to keep that program current so evolving threats are properly addressed.
Findings: (provide details below)
Is this control met? YES ☐ NO ☐ N/A ☐ UNKNOWN ☐
Details:

Page 16 of 103

PM-14: Testing, Training & Monitoring
Control Objective: The organization:
  Implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems:
    o Are developed and maintained; and
    o Continue to be executed in a timely manner;
  Reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
Helpful hints for filling out this section: The objective of this control is that the cybersecurity capabilities are tested on an ongoing basis to ensure the ability to respond is adequate.
Findings: (provide details below)
Is this control met? YES ☐ NO ☐ N/A ☐ UNKNOWN ☐
Details:

PM-15: Contacts With Security Groups & Associations
Control Objective: The organization establishes and institutionalizes contact with selected groups and associations within the security community to:
  Facilitate ongoing security education and training for organizational personnel;
  Maintain currency with recommended security practices, techniques, and technologies; and
  Share current security-related information including threats, vulnerabilities, and incidents.
Helpful hints for filling out this section: The objective of this control is that the organization is getting current information on threats or other issues to be aware of through contact with professional associations or security groups. This may be as simple as subscribing to newsfeeds or monthly awareness newsletters.
Findings: (provide details below)
Is this control met? YES ☐ NO ☐ N/A ☐ UNKNOWN ☐
Details:

PM-16: Threat Awareness Program
Control Objective: The organization implements a threat awareness program that includes a cross-organization information-sharing capability.
Helpful hints for filling out this section: The objective of this control is that there is a program in place to alert all users to threats as they arise. This can be as simple as a company- or department-wide email announcement system.
Findings: (provide details below)
Is this control met? YES ☐ NO ☐ N/A ☐ UNKNOWN ☐
Details:

Page 21 of 103

PS-08: Personnel Sanctions
Control Requirement: The organization employs a formal sanctions process for personnel failing to comply with established Information Security policies and procedures.
Helpful hints for filling out this section: The objective of this control is that the organization employs a formal, organizational process for sanctioning personnel who do not comply with established information system security policies and procedures.
Findings: (provide details below)
Is this control met? YES ☐ NO ☐ N/A ☐ UNKNOWN ☐
Details: How are users reprimanded for violating policies or procedures?

PLANNING (PL)

PL-01: Security Planning Policy & Procedures
Control Requirement: The organization develops, disseminates, and reviews/updates:
  A formal, documented security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  Processes to facilitate the implementation of the security planning policy and associated security planning controls.
Helpful hints for filling out this section: The policies and procedures may be issued at an organizational level for all systems within the organization as a common control, or uniquely developed and issued as supplemental or stand-alone control procedures for specific systems. The expectation for this control action is that the organization has determined the appropriate elements with the approval of a senior management official. An effective capability would not be possible if the policy and procedures were not disseminated to the appropriate elements.
Findings: (provide details below)
Is this control met? YES ☐ NO ☐ N/A ☐ UNKNOWN ☐
Details:

PL-02: System Security Plan (SSP)
Control Requirement: The organization develops a functional architecture for identifying and maintaining key architectural information on each critical information system that, at a minimum, includes:
  External interfaces, the information being exchanged across the interfaces, and the protection mechanisms associated with each interface;
  User roles and the access privileges assigned to each role;
  Unique security requirements;
  Types of information processed, stored, or transmitted by the information system and any specific protection needs in accordance with applicable local, state and Federal laws; and
  Restoration priority of information or information system services.
Helpful hints for filling out this section: The objective of this control is that the organization develops a security plan for information systems that describes both the security requirements for the information system and the security controls that are planned or in place for meeting those security requirements.
Findings: (provide details below)
Is this control met? YES ☐ NO ☐ N/A ☐ UNKNOWN ☐

Page 22 of 103

Details: How are systems documented? This includes everything from projects down to individual systems.

PL-03: System Security Plan (SSP) Update
Control Requirement: The organization updates the architecture for information systems.
Helpful hints for filling out this section: The objective of this control is that the organization reviews the security plan in accordance with the organization-defined frequency (e.g., annually), and updates the plan as a result of system or organizational changes, problems identified during plan implementation, or the results of security assessments.
Findings: (provide details below)
Is this control met? YES ☐ NO ☐ N/A ☐ UNKNOWN ☐
Once a system goes into production, is it ever reviewed again for its documentation & configuration? YES ☐ NO ☐ N/A ☐ UNKNOWN ☐
Details:

PL-04: Rules of Behavior
Control Requirement: The organization:
  Develops usage policies for critical technologies (for example, remote access technologies, wireless technologies, removable electronic media, laptops, tablets, personal data/digital assistants (PDAs), e-mail usage and Internet usage) and defines proper use of these technologies; and
  Develops acceptable use policies, as well as what is prohibited behavior.
Helpful hints for filling out this section: The objective of this control is that the organization establishes user responsibilities and expected behavior regarding their use of the information system and the information contained therein, and authorizes a user access to the information system only after receiving signed acknowledgement by that user of his/her acceptance of the rules of behavior.
Findings: (provide details below)
Is this control met? YES ☐ NO ☐ N/A ☐ UNKNOWN ☐
Are users required to sign off that they understand and will abide by the rules of behavior? YES ☐ NO ☐ N/A ☐ UNKNOWN ☐
Are there roles & responsibilities assigned to job functions? YES ☐ NO ☐ N/A ☐ UNKNOWN ☐
Do the rules of behavior cover all the types of technology in use by the company? YES ☐ NO ☐ N/A ☐ UNKNOWN ☐
Are there restrictions on the use of social networking sites or posting company-related information on websites without authorization? YES ☐ NO ☐ N/A ☐ UNKNOWN ☐
Details:

PL-05: Privacy Impact Assessment (PIA)
Control Requirement: The organization conducts a privacy impact assessment on the information system to evaluate privacy in information systems.
Helpful hints for filling out this section: The objective of this control is that the organization conducts a privacy impact assessment on the information system.
Findings: (provide details below)

Page 49 of 103

MP-07: Media & Asset Use
Control Objective: The organization restricts the use of organization-defined types of digital and/or non-digital media on information systems or system components using security safeguards.
Helpful hints for filling out this section: The objective of this control is that restrictions are in place for what is acceptable, such as whether users are able to use USB drives to store/transfer data.
Findings: (provide details below)
Is this control met? YES ☐ NO ☐ N/A ☐ UNKNOWN ☐
Details:

MP-08: Media Downgrading
Control Objective: The organization:
  Establishes an information system media downgrading process that includes employing downgrading mechanisms with organization-defined strength and integrity;
  Ensures that the information system media downgrading process is commensurate with the security category and/or classification level of the information to be removed and the access authorizations of the potential recipients of the downgraded information;
  Identifies organization-defined information system media requiring downgrading; and
  Downgrades the identified information system media using the established process.
Helpful hints for filling out this section: The objective of this control is that only authorized personnel can downgrade the sensitivity of data types. This is meant to keep data from being accidentally or maliciously leaked.
Findings: (provide details below)
Is this control met? YES ☐ NO ☐ N/A ☐ UNKNOWN ☐
Details:

PHYSICAL & ENVIRONMENTAL PROTECTION (PE)

PE-01: Physical & Environmental Protection Policy & Procedures
Control Requirement: The organization develops, disseminates, and reviews/updates:
  A formal, documented physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  Formal, documented procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls.
Helpful hints for filling out this section: The policies and procedures may be issued at an organizational level for all systems within the organization as a common control, or uniquely developed and issued as supplemental or stand-alone control procedures for specific systems. The expectation for this control action is that the organization has determined the appropriate elements with the approval of a senior management official. An effective capability would not be possible if the policy and procedures were not disseminated to the appropriate elements.
Findings: (provide details below)
Is this control met? YES ☐ NO ☐ N/A ☐ UNKNOWN ☐
Details:

PE-02: Physical Access Authorization
Control Requirement: The organization:
Develops and keeps current a list of personnel with authorized access to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible);
Issues authorization credentials; and
Reviews and approves the access list and removes from the access list personnel no longer requiring access.
Helpful hints for filling out this section: The objective of this control is that the organization restricts access to locations where information systems reside via defined access control points. The governing details for the implementation of this control for a specific information system would be expected to be captured in an approved security plan, including how this control is implemented in its locations. This control is meant to apply where physical boundaries are drawn around the components of the information system. It covers information systems not only in data centers but also in distributed environments, for example office space.
Findings: (provide details below)
Details:
Is this control met? YES ☐ NO ☐ N/A ☐ UNKNOWN ☐
Is physical access restricted to job function? YES ☐ NO ☐ N/A ☐ UNKNOWN ☐

PE-03: Physical Access Control
Control Requirement: The organization:
Enforces physical access authorizations for all physical access points (including designated entry/exit points) to the facility where the information system resides (excluding those areas within the facility officially designated as publicly accessible);
Verifies individual access authorizations before granting access to the facility;
Controls entry to the facility containing the information system using physical access devices and/or guards;
Controls access to areas officially designated as publicly accessible in accordance with the organization's assessment of risk;
Secures keys, combinations, and other physical access devices; and
Changes combinations and keys when keys are lost, combinations are compromised, or individuals are transferred or terminated.
Helpful hints for filling out this section: The objective of this control is that the organization controls physical access at all physical access points to the facility; verifies individual access authorizations prior to granting access; and controls access to publicly accessible areas in accordance with the organization's determination of risk.
Findings: (provide details below)
Details: How are employees and visitors kept away from sensitive systems and data?
Is this control met? YES ☐ NO ☐ N/A ☐ UNKNOWN ☐

PE-04: Access Control For Transmission Medium
Control Requirement: The organization controls physical access to information system distribution and transmission lines within organizational facilities.
Helpful hints for filling out this section: The objective of this control is that the organization protects the communications media, which includes the wiring closet as well as the wires going to and from the closet. There may be layered protections, such as fences around the facility, conduit and cable trays, locks on the wiring closet, etc.
Findings: (provide details below)
Details:
Is this control met? YES ☐ NO ☐ N/A ☐ UNKNOWN ☐

Details: Who checks to make sure that there is available space in the audit log storage? When was it checked last?

AU-05: Response To Audit Processing Failures
Control Requirement: The information system:
Alerts designated organizational officials in the event of an audit processing failure; and
Takes actions to remedy the audit processing failure.
Helpful hints for filling out this section: The objective of this control is that the organization defines the actions to be taken in response to audit failures, and that the information system alerts appropriate personnel of audit failures and performs these organization-defined actions to manage the auditing capability in the face of failures.
Findings: (provide details below)
Details: Who responds to this kind of alert? Are there any repercussions if you lose audit logs due to failures?
Is this control met? YES ☐ NO ☐ N/A ☐ UNKNOWN ☐

AU-06: Audit Review, Analysis & Reporting
Control Requirement: The organization:
Reviews and analyzes information system audit records for indications of inappropriate or unusual activity, and reports findings to designated organizational officials; and
Adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk to organizational operations, organizational assets, individuals, or other organizations based on law enforcement information, intelligence information, or other credible sources of information.
Helpful hints for filling out this section: The objective of this control is that the organization identifies internal processes and procedures, and implements them, to review and analyze the outputs of the various auditing functions used by the system: looking for indications of inappropriate or unusual activity, investigating suspicious activity or suspected violations, reporting findings to appropriate officials, and taking action as appropriate.
Findings: (provide details below)
Details:
Is this control met? YES ☐ NO ☐ N/A ☐ UNKNOWN ☐
Are event logs consolidated in a central log server? YES ☐ NO ☐ N/A ☐ UNKNOWN ☐
Do logs contain full-text descriptions of privileged function executions to track what administrators performed? YES ☐ NO ☐ N/A ☐ UNKNOWN ☐

AU-07: Audit Reduction & Report Generation
Control Requirement: The information system provides an audit reduction and report generation capability.
Helpful hints for filling out this section: The objective of this control is that the organization provides automated tools for audit reduction (reducing the volume of raw log data) and audit reports (presenting audit information in a more human-usable format) that perform these actions without altering the original audit records.
Findings: (provide details below)
Is this control met? YES ☐ NO ☐ N/A ☐ UNKNOWN ☐

Details: What log management tools are used? Who manages the tools?

AU-08: Time Stamps
Control Requirement: The information system uses internal system clocks to generate time stamps for audit records and uses time-synchronization technology to synchronize all critical system clocks and times.
Helpful hints for filling out this section: The objective of this control is that the organization ensures that information systems provide time stamps (including date and time) generated by internal system clocks and that these time stamps are used in audit records.
Findings: (provide details below)
Details: What sources are used for NTP servers? When was this reviewed last to see if logs are producing the correct times?
Is this control met? YES ☐ NO ☐ N/A ☐ UNKNOWN ☐
Are all systems synchronized to the same time source? YES ☐ NO ☐ N/A ☐ UNKNOWN ☐
Are the time stamps local time or UTC? YES ☐ NO ☐ N/A ☐ UNKNOWN ☐

AU-09: Protection of Audit Information
Control Requirement: The information system protects audit information and audit tools from unauthorized access, modification, and deletion. The organization:
Authorizes access to management of audit functionality to only a limited subset of privileged users; and
Protects the audit records of non-local accesses to privileged accounts and the execution of privileged functions.
Helpful hints for filling out this section: The objective of this control is that the organization protects audit information and audit tools from unauthorized access, modification, and/or deletion, with the scope of protection including all information necessary for successful audit activity, such as audit records, settings, and reports.
Findings: (provide details below)
Details: How are audit logs protected?
Is this control met? YES ☐ NO ☐ N/A ☐ UNKNOWN ☐
Are logs backed up to different systems, such as a centralized log server? YES ☐ NO ☐ N/A ☐ UNKNOWN ☐
Are the logs write-protected to protect the integrity of the logs? YES ☐ NO ☐ N/A ☐ UNKNOWN ☐

AU-10: Non-Repudiation
Control Requirement: The information system protects against an individual falsely denying having performed a particular action.
Helpful hints for filling out this section: The objective of this control is that the organization provides the capability to prevent an individual from denying, after the fact, an action for which he/she was responsible. The scope of this capability covers a wide variety of actions, such as sending or receiving a message, authoring or signing a document, or performing a step in a transaction process. The implementation of this control may be accomplished through the use of many tools and solutions that are readily available (e.g., cryptographic digital signatures). Therefore, the assessor should have a detailed understanding of the implementation of the tools and solutions.
Findings: (provide details below)
Is this control met? YES ☐ NO ☐ N/A ☐ UNKNOWN ☐
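As an added illustration (not part of this template or of NIST's own guidance) of one way the AU-09 and AU-10 objectives can be met together: a hash-chained audit log whose records are signed with the logging host's Ed25519 key, so that an altered, reordered or deleted record fails verification and a recorded action cannot later be disowned. The record format, key pair and sample events are constructed for the example; only the Go standard library (crypto/ed25519) is assumed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Record is one audit entry: PrevHash chains it to the previous record so an altered,
// reordered or deleted entry breaks the chain; Sig is the host's Ed25519 signature.
type Record struct {
	Seq      int
	PrevHash string
	Event    string
	Sig      []byte
}
// body is the exact byte string that is hashed and signed (constructed format).
func body(r Record) []byte { return []byte(fmt.Sprintf("%d|%s|%s", r.Seq, r.PrevHash, r.Event)) }
// HashOf is the link the next record carries; the last one is the chain head and should also be stored off-host.
func HashOf(r Record) string { h := sha256.Sum256(body(r)); return hex.EncodeToString(h[:]) }
// Append signs a new event and links it to the last record in the log.
func Append(entries []Record, priv ed25519.PrivateKey, event string) []Record {
	prev := "" // the genesis record has no predecessor
	if n := len(entries); n > 0 {
		prev = HashOf(entries[n-1])
	}
	r := Record{Seq: len(entries), PrevHash: prev, Event: event}
	r.Sig = ed25519.Sign(priv, body(r))
	return append(entries, r)
}
// Verify returns -1 when every link and signature checks out, otherwise the index of the first
// altered, reordered or missing record. Tail truncation is caught only against the stored head.
func Verify(entries []Record, pub ed25519.PublicKey) int {
	prev := ""
	for i, r := range entries {
		if r.Seq != i || r.PrevHash != prev || !ed25519.Verify(pub, body(r), r.Sig) {
			return i
		}
		prev = HashOf(r)
	}
	return -1
}
func main() { // constructed demo: three events, then the middle one is edited in place
	pub, priv, _ := ed25519.GenerateKey(nil)
	var entries []Record
	for _, ev := range []string{"admin login", "audit settings changed", "admin logout"} {
		entries = Append(entries, priv, ev)
	}
	entries[1].Event = "nothing happened"
	fmt.Println("first bad record:", Verify(entries, pub)) // prints 1
}
```

An assessor checking AU-09 would want the verifier to run on the central log server, not only on the host that produced the records, and the signing key to be held in a way that audit administrators alone can use.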

Details: What cryptography is used to implement digital signatures (e.g., FIPS-validated modules)?

AU-11: Audit Record Retention
Control Requirement: The organization retains audit records for an organization-defined time period consistent with records retention requirements, to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
Helpful hints for filling out this section: The objective of this control is that the organization explicitly defines the length of time that audit records are to be retained and retains audit information in accordance with that organization-defined length of time. Records are retained in order to enable investigation of security incidents, to meet administrative, legal, audit or other operational purposes, and to comply with specific regulatory requirements for retention and availability.
Findings: (provide details below)
Details: How long are logs retained before they are purged?
Is this control met? YES ☐ NO ☐ N/A ☐ UNKNOWN ☐

AU-12: Audit Generation
Control Requirement: The information system:
Provides audit record generation capability;
Allows designated organizational personnel to select which auditable events are to be audited by specific components of the system; and
Generates audit records.
Helpful hints for filling out this section: The objective of this control is that the organization manages the generation of audit logs.
Findings: (provide details below)
Details:
Is this control met? YES ☐ NO ☐ N/A ☐ UNKNOWN ☐
Are there any systems incapable of generating logs? YES ☐ NO ☐ N/A ☐ UNKNOWN ☐

AU-13: Monitoring For Information Disclosure
Control Requirement: The organization monitors for evidence of unauthorized exfiltration or disclosure of organizational information.
Helpful hints for filling out this section: The objective of this control is that the organization keeps abreast of information about itself, which may include Internet-based searches for the company's name, key products, derogatory remarks about the company, and also key employees, to see if they reveal too much information in blogs or on social networking sites.
Findings: (provide details below)
Details:
Is this control met? YES ☐ NO ☐ N/A ☐ UNKNOWN ☐
Does the company monitor network activity for evidence of data being copied off the network (e.g., industrial espionage), such as with Data Loss Prevention (DLP) tools? YES ☐ NO ☐ N/A ☐ UNKNOWN ☐
Does anyone from the company ever perform keyword Internet searches on the company to see what information is publicly available? YES ☐ NO ☐ N/A ☐ UNKNOWN ☐