The list of questions in Tables 8.3, 8.4, and 8.5 can be used to develop a Security Self-Assessment. The questions are based on the recommendations set forth in Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems, August 2001, by the National Institute of Standards and Technology (NIST).
However, additional questions and categories have been added to increase the breadth of coverage. Some of the original wording from NIST SP 800-26 has been simplified and modified for clarity. For example, I have changed NIST's category name "Personnel Security" to "User Trust," since securing the personnel themselves was never the intention. Some of the questions appear in categories different from those of the original NIST recommendations.
The federal laws and regulations and the NIST guidance relevant to each category are cited alongside the questions in Tables 8.3, 8.4, and 8.5. If a particular question does not apply to your information system, indicate that by inserting N.A. into any of the right-hand columns.
Management security controls are the controls that are required, and reviewed, through the organization's accountability processes. The categories in Table 8.3 are Risk Management, Security Controls, Life Cycle Support, Authorization, and Security Plan.
Table 8.3 Management Assurance Control Questions
Columns: No., Questions, L1, L2, L3, L4 (the L1 through L4 columns are filled in by the assessor; enter N.A. where a question does not apply)

Risk Management
Required by: FISMA § 3541 (2)(A) and § 3544(b)(1); OMB Circular A-130 III; FISCAM SP-1
Recommended by: NIST SP 800-18; NIST SP 800-30
Are initial risk assessments performed before a system is put into production?
Are risk assessments performed on a regular schedule?
Are risk assessment reports documented and archived?
Are changes to the system documented in a configuration management plan or utility?
Is the current system configuration documented?
Is a topological map of the network documented and updated on a regular basis?
Have data sensitivity levels been determined?
Have natural threat sources been identified and considered?
Have human threat sources been identified and considered?
Has a list of vulnerabilities that could be exploited by threats, errors, or security weaknesses been developed?
Has a risk assessment that determines if security requirements adequately mitigate threats been done?
Has a business (mission) risk assessment been done?
Have final risk determinations and sign-offs been documented and approved by management?
When a significant change occurs to the system, is a new risk assessment conducted?
Security Controls
Required by: FISMA § 3541 (1) and § 3544 (a)(2)(D); OMB Circular A-130 III; FISCAM SP-5
Recommended by: NIST SP 800-18; NIST SP 800-30
Are Security Self-Assessments conducted on a regular schedule?
Have adequate security controls been implemented to mitigate the identified risks?
Are tests of essential security controls (e.g., network scans, penetration tests) performed on a regular basis?
Are security incidents properly categorized?
Are security incidents reported to management?
If the system connects to other systems, have security controls been established for the interconnections?
Are security controls for network boundaries and interconnections reviewed periodically for vulnerabilities?
Have security controls of interconnections been distributed to the interconnected system owners?
When a significant change to the information system occurs, are the security controls and design reviewed by an independent third-party expert?
Are security controls of the system consistent with security controls of the adjacent IT infrastructure?
Are security controls supported by signed agency agreements and memorandums of understanding?
After new security controls are added, are they tested as required?
Do security controls operate as intended?
Life Cycle Support
Required by: FISMA § 3544 (b)(2)(C); OMB Circular A-130 III; FISCAM CC-1.1
Recommended by: NIST SP 800-18; NIST SP 800-30
Are security requirements identified during the system or application design?
Are design reviews and operational tests conducted prior to placing a system or application into production?
Do design reviews, system tests, and operational tests include tests of the security requirements?
Are all test results documented?
Does the information system have written authorization to operate?
Have planned corrective actions been implemented as scheduled?
Is the sensitivity (confidentiality, integrity, availability) reviewed during each lifecycle phase?
Are security requirements developed and evaluated before procurement occurs?
Are adequate budget provisions made for security?
Are security resources justified by business requirements?
Authorization
Required by: FISCAM CC-1.2
Recommended by: NIST SP 800-30
Are authorizations for software modifications documented and maintained?
Do solicitation documents (e.g., RFPs and product evaluations) include security requirements?
Do solicitation documents require and permit that security controls (e.g., patches) be updated and implemented as required?
Does management review and approve all security documents?
Is the system authorized to operate under a full Authorization to Operate (ATO) or an Interim Authorization to Operate (IATO)?
Is the system certified (or recertified) every three years as required?
Have all system interconnections, agreements, and memorandums of understanding been authorized by management?
Has management verified that the existing security controls are consistent with data sensitivity?
Does management correct deficiencies (e.g., Plans of Action & Milestones) in a timely manner?
Has the Security Plan been approved by management?
Have all users been authorized for system access by management?
Security Plan
Required by: OMB Circular A-130 III; FISCAM SP 2-1
Recommended by: NIST SP 800-18; NIST SP 800-30
Has a Security Plan been developed and distributed for review?
Is the Security Plan updated on a regular basis?
Does the Security Plan include a general description of the system?
Does the Security Plan include a diagram of the system or network components (e.g., network map)?
Is the purpose of the system noted in the Security Plan?
Are all security controls documented in the Security Plan?
Does the Security Plan include laws, regulations, and policies that the system must adhere to?
Does the Security Plan include documentation of physical and environmental safeguards?
Are the system interconnections described in the Security Plan?
Does the Security Plan provide rationale and justification for the sensitivity (confidentiality, integrity, availability) levels?
Is information about backups (e.g., schedule, storage location) documented in the Security Plan?
Operational security controls are the installations, configurations, and mitigating actions performed by operations staff. The categories in Table 8.4 begin with User Trust and Physical and Environmental Safeguards.
Table 8.4 Operational Assurance Control Questions
Columns: No., Question, L1, L2, L3, L4 (the L1 through L4 columns are filled in by the assessor; enter N.A. where a question does not apply)

User Trust
Required by: FISMA § 3543 (a)(2) and § 3545(f); OMB Circular A-130 III; FISCAM SD-1, 1.2, 2, 3.2
Recommended by: NIST SP 800-18; NIST SP 800-30
Is suspicious activity investigated and appropriate action taken?
Have Rules of Behavior been established and agreed to by all users?
Are Rules of Behavior available for personnel to reference on an on-going basis?
Are all positions reviewed for user trust levels?
Are background investigations performed as required?
Does separation of duties exist according to requirements?
Do job descriptions accurately reflect levels of experience, responsibilities, and expertise?
Are processes in place to hold users accountable for their actions?
Does an enrollment process exist for issuing user accounts?
Do termination procedures exist for closing user accounts?
Are regularly scheduled vacations and job rotations required?
Are privileged users (authorized to bypass security controls) screened at a higher level of risk (e.g., credit checks)?
Are security clearances issued and enforced as required?
Is security awareness training given on an annual basis?
Do users receive periodic training to ensure that they understand their responsibilities?
Are training classes documented and is attendance taken?
Do employees have access to the agency (and bureau) security policies?
Are security awareness materials (e.g., posters, signs, booklets) distributed and displayed?
Are users recertified on a regular basis?
Does a help desk or other user support resource exist?
Do user manuals exist for applications that users are required to use?
Physical and Environmental Safeguards
Required by: FISMA § 3545 (f); FISCAM AC-3 and SC-2.2
Recommended by: NIST SP 800-18; NIST SP 800-30; NIST SP 800-37
Is access to buildings controlled by guards, badges, smart cards, biometrics, or other entry devices?
Is access to the computer room controlled by an automated entry device?
Is access to facilities tracked through sign-in books and audit trails?
Are entry codes to buildings and computer rooms changed periodically?
Are visitors signed-in and escorted as necessary?
Are visitors issued badges that are visibly displayed?
Are wiring closets locked with access controlled?
Are fire suppression devices installed and working?
Are fire risk sources (e.g., old wiring, improperly stored materials) reviewed periodically?
Are heating, air conditioning, and ventilation systems operational and regularly maintained?
Is a backup air-conditioning system in place for the computer room?
Are the temperature and humidity of computer rooms monitored, with alarms?
Is preventative maintenance performed on electrical power distribution and circuit breakers?
Are circuits documented including information about locations and power capabilities?
Is an uninterruptible power supply installed and operational?
Are plumbing and sewage systems and lines operational and regularly maintained?
Are plumbing lines documented, with their locations indicated?
Have environmental safeguards been put into place to protect against natural disasters?
Are mobile systems stored securely?
Do emergency exit and re-entry procedures exist?
Continued