1.1. Critical Element: Is risk periodically assessed?
1.1.1 Is the current system configuration documented, including links to other systems?
1.1.2 Are risk assessments performed and documented on a regular basis or whenever the system, facilities, or other conditions change?
1.1.3 Has data sensitivity and integrity of the data been considered?
1.1.4 Have threat sources, both natural and manmade, been identified?
1.1.5 Has a list of known system vulnerabilities, system flaws, or weaknesses that could be exploited by the threat sources been developed and maintained current?
1.1.6 Has an analysis been conducted that determines whether the security requirements in place adequately mitigate vulnerabilities?
1.2. Critical Element: Do program officials understand the risk to systems under their control and determine the acceptable level of risk?
1.2.1 Are final risk determinations and related management approvals documented and maintained on file?
1.2.2 Has a mission/business impact analysis been conducted?
1.2.3 Have additional controls been identified to sufficiently mitigate identified risks?
2. Review of Security Controls
2.1. Critical Element: Have the security controls of the system and interconnected systems been reviewed?
2.1.1 Has the system and all network boundaries been subjected to periodic reviews?
2.1.2 Has an independent review been performed when a significant change occurred?
2.1.3 Are routine self-assessments conducted?
2.1.4 Are tests and examinations of key controls routinely made, i.e., network scans, analyses of router and switch settings, penetration testing?
2.1.5 Are security alerts and security incidents analyzed and remedial actions taken?
2.2. Critical Element: Does management ensure that corrective actions are effectively implemented?
2.2.1 Is there an effective and timely process for reporting significant weakness and ensuring effective remedial action?
3. Life Cycle
3.1. Critical Element: Has a system development life cycle methodology been developed?
Initiation Phase
3.1.1 Is the sensitivity of the system determined?
3.1.2 Does the business case document the resources required for adequately securing the system?
3.1.3 Does the Investment Review Board ensure any investment request includes the security resources needed?
3.1.4 Are authorizations for software modifications documented and maintained?
3.1.5 Does the budget request include the security resources required for the system?
Development/Acquisition Phase
3.1.6 During the system design, are security requirements identified?
3.1.7 Was an initial risk assessment performed to determine security requirements?
3.1.8 Is there a written agreement with program officials on the security controls employed and residual risk?
3.1.9 Are security controls consistent with and an integral part of the IT architecture of the agency?
3.1.10 Are the appropriate security controls with associated evaluation and test procedures developed before the procurement action?
3.1.11 Do the solicitation documents (e.g., Request for Proposals) include security requirements and evaluation/test procedures?
3.1.12 Do the requirements in the solicitation documents permit updating security controls as new threats/vulnerabilities are identified and as new technologies are implemented?
3.2. Critical Element: Are changes controlled as programs progress through testing to final approval?
Implementation
3.2.1 Are design reviews and system tests run prior to placing the system in production?
3.2.2 Are the test results documented?
3.2.3 Is certification testing of security controls conducted and documented?
3.2.4 If security controls were added since development, has the system documentation been modified to include them?
3.2.5 If security controls were added since development, have the security controls been tested and the system recertified?
3.2.6 Has the application undergone a technical evaluation to ensure that it meets applicable federal laws, regulations, policies, guidelines, and standards?
3.2.7 Does the system have written authorization to operate either on an interim basis with planned corrective action or full authorization?
Operation/Maintenance Phase
3.2.8 Has a system security plan been developed and approved?
3.2.9 If the system connects to other systems, have controls been established and disseminated to the owners of the interconnected systems?
3.2.10 Is the system security plan kept current?
Disposal Phase
3.2.11 Are official electronic records properly disposed/archived?
3.2.12 Is information or media purged, overwritten, degaussed, or destroyed when disposed or used elsewhere?
3.2.13 Is a record kept of who implemented the disposal actions and verified that the information or media was sanitized?
4.1. Critical Element: Has the system been certified/recertified and authorized to process (accredited)?
4.1.1 Has a technical and/or security evaluation been completed or conducted when a significant change occurred?
4.1.2 Has a risk assessment been conducted when a significant change occurred?
4.1.3 Have Rules of Behavior been established and signed by users?
4.1.4 Has a contingency plan been developed and tested?
4.1.5 Has a system security plan been developed, updated, and reviewed?
4.1.6 Are in-place controls operating as intended?
4.1.7 Are the planned and in-place controls consistent with the identified risks and the system and data sensitivity?
4.1.8 Has management authorized interconnections to all systems (including systems owned and operated by another program, agency, organization or contractor)?
4.2. Critical Element: Is the system operating on an interim authority to process in accordance with specified agency procedures?
4.2.1 Has management initiated prompt action to correct deficiencies?
5. System Security Plan
5.1. Critical Element: Is a system security plan documented for the system and all interconnected systems if the boundary controls are ineffective?
5.1.1 Is the system security plan approved by key affected parties and management?
5.1.2 Does the plan contain the topics prescribed in NIST Special Publication 800-18?
5.1.3 Is a summary of the plan incorporated into the strategic IRM plan?
5.2. Critical Element: Is the plan kept current?
5.2.1 Is the plan reviewed periodically and adjusted to reflect current conditions and risks?
Operational Controls
6. Personnel Security
6.1. Critical Element: Are duties separated to ensure least privilege and individual accountability?
6.1.1 Are all positions reviewed for sensitivity level?
6.1.2 Are there documented job descriptions that accurately reflect assigned duties and responsibilities and that segregate duties?
6.1.3 Are sensitive functions divided among different individuals?
6.1.4 Are distinct systems support functions performed by different individuals?
6.1.5 Are mechanisms in place for holding users responsible for their actions?
6.1.6 Are regularly scheduled vacations and periodic job/shift rotations required?
6.1.7 Are hiring, transfer, and termination procedures established?
6.1.8 Is there a process for requesting, establishing, issuing, and closing user accounts?
6.2. Critical Element: Is appropriate background screening for assigned positions completed prior to granting access?
6.2.1 Are individuals who are authorized to bypass significant technical and operational controls screened prior to access and periodically thereafter?
6.2.2 Are confidentiality or security agreements required for employees assigned to work with sensitive information?
6.2.3 When controls cannot adequately protect the information, are individuals screened prior to access?
6.2.4 Are there conditions for allowing system access prior to completion of screening?
7. Physical and Environmental Protection
7.1. Critical Element: Have adequate physical security controls been implemented that are commensurate with the risks of physical damage or access?
Physical Access Control
7.1.1 Is access to facilities controlled through the use of guards, identification badges, or entry devices such as key cards or biometrics?
7.1.2 Does management regularly review the list of persons with physical access to sensitive facilities?
7.1.3 Are deposits and withdrawals of tapes and other storage media from the library authorized and logged?
7.1.4 Are keys or other access devices needed to enter the computer room and tape/media library?
7.1.5 Are unused keys or other entry devices secured?
7.1.6 Do emergency exit and re-entry procedures ensure that only authorized personnel are allowed to re-enter after fire drills, etc.?
7.1.7 Are visitors to sensitive areas signed in and escorted?
7.1.8 Are entry codes changed periodically?
7.1.9 Are physical accesses monitored through audit trails and apparent security violations investigated and remedial action taken?
7.1.10 Is suspicious access activity investigated and appropriate action taken?
7.1.11 Are visitors, contractors and maintenance personnel authenticated through the use of preplanned appointments and identification checks?
Fire Safety Factors
7.1.12 Are appropriate fire suppression and prevention devices installed and working?
7.1.13 Are fire ignition sources, such as failures of electronic devices or wiring, improper storage materials, and the possibility of arson, reviewed periodically?
Supporting Utilities
7.1.14 Are heating and air-conditioning systems regularly maintained?
7.1.15 Is there a redundant air-cooling system?
7.1.16 Are electric power distribution, heating plants, water, sewage, and other utilities periodically reviewed for risk of failure?
7.1.17 Are building plumbing lines known, and do they not endanger the system?
7.1.18 Has an uninterruptible power supply or backup generator been provided?
7.1.19 Have controls been implemented to mitigate other disasters, such as floods, earthquakes, etc.?
7.2. Critical Element: Is data protected from interception?
Interception of Data
7.2.1 Are computer monitors located to eliminate viewing by unauthorized persons?
7.2.2 Is physical access to data transmission lines controlled?
7.3. Critical Element: Are mobile and portable systems protected?
Mobile and Portable Systems
7.3.1 Are sensitive data files encrypted on all portable systems?
7.3.2 Are portable systems stored securely?
8. Production, Input/Output Controls
8.1. Critical Element: Is there user support?
8.1.1 Is there a help desk or group that offers advice?
8.2. Critical Element: Are there media controls?
8.2.1 Are there processes to ensure that unauthorized individuals cannot read, copy, alter, or steal printed or electronic information?
8.2.2 Are there processes for ensuring that only authorized users pick up, receive, or deliver input and output information and media?
8.2.3 Are audit trails used for receipt of sensitive inputs/outputs?
8.2.4 Are controls in place for transporting or mailing media or printed output?
8.2.5 Is there internal/external labeling for sensitivity?
8.2.6 Is there external labeling with special handling instructions?
8.2.7 Are audit trails kept for inventory management?
8.2.8 Is media sanitized for reuse?
8.2.9 Is damaged media stored and/or destroyed?
8.2.10 Is hardcopy media shredded or destroyed when no longer needed?
9. Contingency Planning
9.1. Critical Element: Have the most critical and sensitive operations and their supporting computer resources been identified?
9.1.1 Are critical data files and operations identified and the frequency of file backup documented?
9.1.2 Are resources supporting critical operations identified?
9.1.3 Have processing priorities been established and approved by management?
9.2. Critical Element: Has a comprehensive contingency plan been developed and documented?
9.2.1 Is the plan approved by key affected parties?
9.2.2 Are responsibilities for recovery assigned?
9.2.3 Are there detailed instructions for restoring operations?
9.2.4 Is there an alternate processing site; if so, is there a contract or interagency agreement in place?
9.2.5 Is the location of stored backups identified?
9.2.6 Are backup files created on a prescribed basis and rotated off-site often enough to avoid disruption if current files are damaged?
9.2.7 Is system and application documentation maintained at the off-site location?
9.2.8 Are all system defaults reset after being restored from a backup?
9.2.9 Are the backup storage site and alternate site geographically removed from the primary site and physically protected?
9.2.10 Has the contingency plan been distributed to all appropriate personnel?
9.3. Critical Element: Are tested contingency/disaster recovery plans in place?
9.3.1 Is an up-to-date copy of the plan stored securely off-site?
9.3.2 Are employees trained in their roles and responsibilities?
9.3.3 Is the plan periodically tested and readjusted as appropriate?
10. Hardware and System Software Maintenance
10.1. Critical Element: Is access limited to system software and hardware?
10.1.1 Are restrictions in place on who performs maintenance and repair activities?
10.1.2 Is access to all program libraries restricted and controlled?
10.1.3 Are there on-site and off-site maintenance procedures (e.g., escort of maintenance personnel, sanitization of devices removed from the site)?
10.1.4 Is the operating system configured to prevent circumvention of the security software and application controls?
10.1.5 Are up-to-date procedures in place for using and monitoring use of system utilities?
10.2. Critical Element: Are all new and revised hardware and software authorized, tested and approved before implementation?
10.2.1 Is an impact analysis conducted to determine the effect of proposed changes on existing security controls, including the required training needed to implement the control?
10.2.2 Are system components tested, documented, and approved (operating system, utility, applications) prior to promotion to production?
10.2.3 Are software change request forms used to document requests and related approvals?
10.2.4 Are there detailed system specifications prepared and reviewed by management?
10.2.5 Is the type of test data to be used specified, i.e., live or made up?
10.2.6 Are default settings of security features set to the most restrictive mode?
10.2.7 Are there software distribution implementation orders including effective date provided to all locations?
10.2.8 Is there version control?
10.2.9 Are programs labeled and inventoried?
10.2.10 Are the distribution and implementation of new or revised software documented and reviewed?
10.2.11 Are emergency change procedures documented and approved by management, either prior to the change or after the fact?
10.2.12 Are contingency plans and other associated documentation updated to reflect system changes?
10.2.13 Is the use of copyrighted software or shareware and personally owned software/equipment documented?
10.3. Critical Element: Are systems managed to reduce vulnerabilities?
10.3.1 Are systems periodically reviewed to identify and, when possible, eliminate unnecessary services (e.g., FTP, HTTP, mainframe supervisor calls)?
10.3.2 Are systems periodically reviewed for known vulnerabilities and software patches promptly installed?
11. Data Integrity
11.1. Critical Element: Is virus detection and elimination software installed and activated?
11.2.1 Are reconciliation routines used by applications, i.e., checksums, hash totals, record counts?
11.2.2 Is inappropriate or unusual activity reported, investigated, and appropriate actions taken?
11.2.3 Are procedures in place to determine compliance with password policies?
11.2.4 Are integrity verification programs used by applications to look for evidence of data tampering, errors, and omissions?
11.2.5 Are intrusion detection tools installed on the system?
11.2.6 Are the intrusion detection reports routinely reviewed and suspected incidents handled accordingly?
11.2.7 Is system performance monitoring used to analyze system performance logs in real time to look for availability problems, including active attacks?
11.2.8 Is penetration testing performed on the system?
11.2.9 Is message authentication used?
12. Documentation
12.1. Critical Element: Is there sufficient documentation that explains how software/hardware is to be used?
12.1.1 Is there vendor-supplied documentation of purchased software?
12.1.2 Is there vendor-supplied documentation of purchased hardware?
12.1.3 Is there application documentation for in-house applications?
12.1.4 Are there network diagrams and documentation on setups of routers and switches?
12.1.5 Are there software and hardware testing procedures and results?
12.1.6 Are there standard operating procedures for all the topic areas covered in this document?
12.1.7 Are there user manuals?
12.1.8 Are there emergency procedures?
12.1.9 Are there backup procedures?
12.2. Critical Element: Are there formal security and operational procedures documented?
12.2.1 Is there a system security plan?
12.2.2 Is there a contingency plan?
12.2.3 Are there written agreements regarding how data is shared between interconnected systems?
12.2.4 Are there risk assessment reports?
12.2.5 Are there certification and accreditation documents and a statement authorizing the system to process?
13. Security Awareness, Training, and Education
13.1. Critical Element: Have employees received adequate training to fulfill their security responsibilities?
13.1.1 Have employees received a copy of the Rules of Behavior?
13.1.2 Are employee training and professional development documented and monitored?
13.1.3 Is there mandatory annual refresher training?
13.1.4 Are methods employed to make employees aware of security, i.e., posters, booklets?
13.1.5 Have employees received a copy of or have easy access to agency security procedures and policies?
14. Incident Response Capability
14.1. Critical Element: Is there a capability to provide help to users when a security incident occurs in the system?
14.1.1 Is a formal incident response capability available?
14.1.2 Is there a process for reporting incidents?
14.1.3 Are incidents monitored and tracked until resolved?
14.1.4 Are personnel trained to recognize and handle incidents?
14.1.5 Are alerts/advisories received and responded to?
14.1.6 Is there a process to modify incident handling procedures and control techniques after an incident occurs?
14.2. Critical Element: Is incident related information shared with appropriate organizations?
14.2.1 Is incident information and common vulnerabilities or threats shared with owners of interconnected systems?
14.2.2 Is incident information shared with FedCIRC concerning incidents and common vulnerabilities and threats?
14.2.3 Is incident information reported to FedCIRC, NIPC, and local law enforcement when necessary?
Technical Controls
15. Identification and Authentication
15.1. Critical Element: Are users individually authenticated via passwords, tokens, or other devices?
15.1.1 Is a current list maintained and approved of authorized users and their access?
15.1.2 Are digital signatures used, and do they conform to FIPS 186-2?
15.1.3 Are access scripts with embedded passwords prohibited?
15.1.4 Is emergency and temporary access authorized?
15.1.5 Are personnel files matched with user accounts to ensure that terminated or transferred individuals do not retain system access?
15.1.6 Are passwords changed at least every ninety days or earlier if needed?
15.1.7 Are passwords unique and difficult to guess (e.g., do passwords require alphanumeric, upper/lower case, and special characters)?
15.1.8 Are inactive user identifications disabled after a specified period of time?
15.1.9 Are passwords not displayed when entered?
15.1.10 Are there procedures in place for handling lost and compromised passwords?
15.1.11 Are passwords distributed securely and users informed not to reveal their passwords to anyone (social engineering)?
15.1.12 Are passwords transmitted and stored using secure protocols/algorithms?
15.1.13 Are vendor-supplied passwords replaced immediately?
15.1.14 Is there a limit to the number of invalid access attempts that may occur for a given user?
15.2. Critical Element: Are access controls enforcing segregation of duties?
15.2.1 Does the system correlate actions to users?
15.2.2 Do data owners periodically review access authorizations to determine whether they remain appropriate?
16. Logical Access Controls
16.1. Critical Element: Do the logical access controls restrict users to authorized transactions and functions?
16.1.1 Can the security controls detect unauthorized access attempts?
16.1.2 Is there access control software that prevents an individual from having all necessary authority or information access to allow fraudulent activity without collusion?
16.1.3 Is access to security software restricted to security administrators?
16.1.4 Do workstations disconnect, or do screen savers lock the system, after a specific period of inactivity?
16.1.5 Are inactive users' accounts monitored and removed when not needed?
16.1.6 Are internal security labels (naming conventions) used to control access to specific information types or files?
16.1.7 If encryption is used, does it meet federal standards?
16.1.8 If encryption is used, are there procedures for key generation, distribution, storage, use, destruction, and archiving?
16.1.9 Is access restricted to files at the logical view or field?
16.1.10 Is access monitored to identify apparent security violations and are such events investigated?
16.2. Critical Element: Are there logical controls over network access?
16.2.1 Has communication software been implemented to restrict access through specific terminals?
16.2.2 Are insecure protocols (e.g., UDP, ftp) disabled?
16.2.3 Have all vendor-supplied default security parameters been reinitialized to more secure settings?
16.2.4 Are there controls that restrict remote access to the system?
16.2.5 Are network activity logs maintained and reviewed?
16.2.6 Does the network connection automatically disconnect at the end of a session?
16.2.7 Are trust relationships among hosts and external entities appropriately restricted?
16.2.8 Is dial-in access monitored?
16.2.9 Is access to telecommunications hardware or facilities restricted and monitored?
16.2.10 Are firewalls or secure gateways installed?
16.2.11 If firewalls are installed do they comply with firewall policy and rules?
16.2.12 Are guest and anonymous accounts authorized and monitored?
16.2.13 Is an approved standardized log-on banner displayed on the system warning unauthorized users that they have accessed a U.S. Government system and can be punished?
16.2.14 Are sensitive data transmissions encrypted?
16.2.15 Is access to tables defining network options, resources, and operator profiles restricted?
16.3. Critical Element: If the public accesses the system, are there controls implemented to protect the integrity of the application and the confidence of the public?
16.3.1 Is a privacy policy posted on the web site?
17. Audit Trails
17.1. Critical Element: Is activity involving access to and modification of sensitive or critical files logged, monitored, and possible security violations investigated?
17.1.1 Does the audit trail provide a trace of user actions?
17.1.2 Can the audit trail support after-the-fact investigations of how, when, and why normal operations ceased?
17.1.3 Is access to online audit logs strictly controlled?
17.1.4 Is off-line storage of audit logs retained for a period of time, and if so, is access to those audit logs strictly controlled?
17.1.5 Is there separation of duties between security personnel who administer the access control function and those who administer the audit trail?
17.1.6 Are audit trails reviewed frequently?
17.1.7 Are automated tools used to review audit records in real time or near real time?
17.1.8 Is suspicious activity investigated and appropriate action taken?
17.1.9 Is keystroke monitoring used? If so, are users notified?