EBK Chapter 2

From FISMApedia
2 IT security Competency Areas (Definitions and Functions)

This section contains the fourteen competency areas, along with their affiliated functional statements/definitions and all work functions categorized as Manage, Design, Implement, or Evaluate.
2.1 Data Security

Refers to the application of the principles, policies, and procedures necessary to ensure the confidentiality, integrity, availability, and privacy of data in all forms of media (electronic and hardcopy) throughout the data life cycle.

    2.1.1 Manage
    • Ensure that security classification and data management policies and guidance are issued and updated
    • Specify policy and coordinate review and approval
    • Report compliance to data security policies
    • Provide oversight
    • Implement appropriate changes and improvement actions as required

    2.1.2 Design
    • Develop the data security policy using data security standards, guidelines, and requirements that include privacy, access, incident management, disaster recovery, and configuration
    • Identify and document the appropriate level of protection for the data
    • Specify information classification, sensitivity, and need-to-know requirements by data or data type
    • Create the data access levels and privileges used by the data user authentication and authorization system
    • Develop acceptable use procedures in support of the data security policy
    • Develop sensitive data collection and management procedures in accordance with standards, procedures, directives, policies, regulations, and laws
    • Identify an appropriate set of information security controls based on the perceived risk of compromise to the data

    2.1.3 Implement
    • Perform the data access management process according to established guidelines
    • Apply and maintain data security controls and processes in accordance with data security policy, guidelines, and requirements
    • Apply media controls and processes
    • Apply and verify data security access controls and privileges
    • Address alleged violations of data security and privacy breaches
    • Apply and maintain privacy controls in accordance with privacy guidance and with standards, procedures, directives, policy, regulations, and laws

    2.1.4 Evaluate
    • Assess the effectiveness of the enterprise data security policies, processes, and procedures against established standards, guidelines, and requirements and suggest changes where appropriate
    • Evaluate the effectiveness of products and technologies implemented to provide the required protection of data
    • Review alleged violations of data security and privacy breaches
    • Identify improvement actions required to maintain an appropriate level of data protection
2.2 Digital Forensics

Refers to the knowledge and understanding of digital investigation and analysis techniques used for recovering, authenticating, and analyzing electronic data to reconstruct events related to security incidents. Such activities require building a digital knowledge base. The investigative process is composed of three phases: acquire, analyze, and report.

    2.2.1 Manage
    • Acquire the necessary contractual vehicle and resources, including financial resources, to run forensic labs and programs
    • Coordinate and build internal and external consensus for developing and managing an organizational digital forensic program
    • Establish a digital forensic team, usually composed of investigators, IT professionals, and incident handlers, to perform digital and network forensics
    • Provide adequate work spaces that at a minimum take into account electrical, thermal, acoustic, and privacy concerns (i.e., intellectual property, classification, contraband) and security requirements (including access control) of equipment and personnel, as well as provide adequate report writing/administrative areas
    • Implement appropriate changes and improvement actions as required

    2.2.2 Design
    • Create policies and procedures for establishing and/or operating a digital forensic unit in accordance with standards, procedures, directives, policy, regulations, and law
    • Establish policies for the imaging (bit-for-bit copying) of electronic media
    • Specify hardware and software requirements to support the digital forensic program
    • Establish the hardware and software requirements (configuration management) of the forensic laboratory
    • Develop policies for the preservation of electronic evidence, data recovery and analysis, and reporting and archival requirements of examined material in accordance with standards, procedures, directives, policy, regulations, and laws
    • Consider establishing examiner requirements that include an ongoing mentorship program, competency testing prior to assuming individual case responsibilities, periodic proficiency testing, and participation in a nationally recognized certification program that encompasses a continuing education requirement
    • Adopt or create chain-of-custody procedures that include disposal procedures and, when required, the return of media to its original owner in accordance with standards, procedures, directives, policy, regulations, and law

    2.2.3 Implement
    • Assist in collecting and preserving evidence in accordance with established procedures, plans, policies, and best practices
    • Perform forensic analysis on networks and computer systems and make recommendations for remediation
    • Apply, maintain, and analyze results from intrusion detection systems, intrusion prevention systems, network mapping software, and other tools to protect against, detect, and correct information security-related vulnerabilities and events
    • Follow proper chain-of-custody best practices in accordance with standards, procedures, directives, policy, regulations, and law
    • Collect and retain audit data to support technical analysis relating to misuse, penetration reconstruction, or other investigations
    • Provide audit data to appropriate law enforcement or other investigating agencies, including corporate security elements
    • Assess and extract the relevant pieces of information from the collected data
    • Report complete and accurate findings and the results of analysis of digital evidence to appropriate resources
    • Coordinate dissemination of forensic analysis findings to appropriate resources
    • Provide training, as appropriate, on using forensic analysis equipment, technologies, and procedures, such as the installation of forensic hardware and software components
    • Acquire and manage a Standard Operating Environment (SOE) (baseline standard) of the company or agency computer footprint
    • Coordinate applicable legal and regulatory compliance requirements
    • Coordinate, interface, and work under the direction of appropriate corporate entities (e.g., corporate legal, corporate investigations) with regard to investigations or other legal requirements, including investigations that involve external governmental entities (e.g., international, national, state, local)

    2.2.4 Evaluate
    • Ensure the effectiveness and accuracy of forensic tools used by digital forensic examiners and implement changes as required
    • Assess the effectiveness, accuracy, and appropriateness of testing processes and procedures that are followed by the forensic laboratories and teams and suggest changes where appropriate
    • Assess the digital forensic staff to ensure that they have the appropriate knowledge, skills, and abilities to perform forensic activities
    • Validate the effectiveness of the analysis and reporting process and implement changes where appropriate
    • Review and recommend standard validated forensic tools
    • Assess the digital forensic laboratory quality assurance program, monitoring, peer review process, audit, and proficiency testing procedures and implement changes where appropriate
    • Examine penetration testing and vulnerability analysis results to identify risks and implement patch management
    • Identify improvement actions based on the results of validation, assessment, and review
2.3 Enterprise Continuity

Refers to the application of the principles, policies, and procedures used to ensure an enterprise continues to perform essential business functions after the occurrence of a wide range of potential catastrophic events. For the purposes of the IT security EBK, Enterprise Continuity relates to IT assets and resources and associated IT security requirements.

    2.3.1 Manage
    • Coordinate with corporate stakeholders to establish the enterprise continuity of operations program
    • Acquire the necessary resources, including financial resources, to conduct an effective enterprise continuity of operations program
    • Define the enterprise continuity of operations organizational structure and staffing model
    • Define emergency delegations of authority and orders of succession for key positions
    • Direct contingency planning, operations, and programs to manage risk
    • Define the scope of the enterprise continuity of operations program to address business continuity, business recovery, contingency planning, disaster recovery, and related activities
    • Integrate enterprise concept of operations activities with related contingency planning activities
    • Establish an enterprise continuity of operations performance measurement program
    • Identify and prioritize critical business functions
    • Implement appropriate changes and improvement actions as required

    2.3.2 Design
    • Develop strategic policy for the organization's continuity of operations
    • Develop an enterprise continuity of operations plan and procedures
    • Develop and maintain enterprise continuity of operations documentation such as contingency, business continuity, business recovery, disaster recovery, and incident handling plans
    • Develop a comprehensive test, training, and exercise program to evaluate and validate the readiness of enterprise continuity of operations plans, procedures, and execution
    • Prepare internal and external continuity of operations communications procedures and guidelines

    2.3.3 Implement
    • Execute the enterprise continuity of operations and related contingency plans and procedures
    • Control access to information assets during an incident in accordance with the organizational policy
    • Execute crisis management tests, training, and exercises and apply lessons learned from them

    2.3.4 Evaluate
    • Review test, training, and exercise results to determine areas for process improvement and recommend changes as appropriate
    • Assess the effectiveness of the enterprise continuity program, processes, and procedures and implement changes where appropriate
    • Continuously validate the organization against additional mandates, as developed, to ensure full compliance
    • Collect and report performance measures and identify improvement actions
2.4 Incident Management

Refers to the knowledge and understanding of the process to prepare for and prevent, detect, contain, eradicate, and recover from incidents impacting the mission of an organization, and to apply lessons learned from them.

    2.4.1 Manage
    • Coordinate with stakeholders to establish the incident management program
    • Establish relationships between the incident response team and other groups, both internal (e.g., legal department) and external (e.g., law enforcement agencies, vendors, and public relations professionals)
    • Acquire and manage the resources, including financial resources, for the incident management functions
    • Ensure the coordination between the incident response team and the security administration and technical support teams
    • Apply lessons learned from information security incidents to improve incident management processes and procedures
    • Implement appropriate changes and improvement actions as required

    2.4.2 Design
    • Develop the incident management policy
    • Identify the services the incident response team should provide
    • Create incident response plans in accordance with security policy and organizational goals
    • Develop procedures for performing incident handling and reporting
    • Create incident response exercises and red teaming activities
    • Develop specific processes for collecting and protecting forensic evidence during incident response
    • Specify the incident response staffing and training requirements
    • Establish an incident management measurement program

    2.4.3 Implement
    • Apply response actions in reaction to security incidents in accordance with established policy, plans, and procedures
    • Respond to and report incidents
    • Assist in collecting, processing, and preserving evidence according to standards, procedures, directives, policy, regulations, and law
    • Monitor the network and information systems for intrusions
    • Execute incident response plans
    • Execute red teaming activities and incident response exercises
    • Ensure lessons learned from incidents are collected in a timely manner and are incorporated into plan reviews
    • Collect, analyze, and report incident management measures

    2.4.4 Evaluate
    • Assess the efficiency and effectiveness of the incident response program activities and implement changes as required
    • Examine the effectiveness of red teaming and incident response tests, training, and exercises
    • Assess the effectiveness of communications between the incident response team and related internal and external organizations and implement changes where appropriate
    • Identify incident management improvement actions based on assessments of effectiveness
2.5 IT security Training and Awareness

Refers to the principles, practices, and methods required to raise employee awareness about basic information security, and to train individuals with information security roles to increase their knowledge, skills, and abilities. Training activities are designed to instruct workers about their security responsibilities and teach them about information security processes and procedures so duties are performed optimally and securely within related environments. Awareness activities present essential information security concepts to the workforce in order to change user behavior.

    2.5.1 Manage
    • Identify business requirements and establish the enterprise-wide policy for the IT security awareness and training program
    • Acquire and manage the necessary resources, including financial resources, to support the IT awareness and training program
    • Set operational performance measures for training and delivery and ensure that they are met
    • Ensure the organization complies with IT security awareness and training standards/requirements
    • Implement appropriate improvement actions as required

    2.5.2 Design
    • Develop the security awareness and training policy
    • Define the goals and objectives of the IT security awareness and training program
    • Work with appropriate security subject-matter experts to ensure the completeness and accuracy of the security training program
    • Establish a tracking and reporting strategy for IT security training and awareness
    • Establish a change management process to ensure currency and accuracy of training and awareness materials
    • Develop a workforce development, training, and awareness program plan

    2.5.3 Implement
    • Perform a needs assessment to determine skill gaps and identify critical needs based on mission requirements
    • Develop new or identify existing awareness and training materials that are appropriate and timely for the intended audiences
    • Deliver awareness and training to the intended audiences based on identified needs
    • Update awareness and training materials when necessary
    • Communicate the management commitment to, and importance of, the IT security awareness and training program to the workforce

    2.5.4 Evaluate
    • Assess and evaluate the IT security awareness and training program for compliance with corporate policy and measure performance of the program against objectives
    • Review the IT security awareness and training program materials and recommend improvements
    • Audit the awareness and training program to ensure that it meets the organization's stakeholder needs
    • Ensure that information security personnel are receiving the appropriate level and type of training
    • Collect, analyze, and report performance measures
2.6 IT Systems Operations and Maintenance

Refers to the ongoing application of principles, policies, and procedures to maintain, monitor, control, and protect IT infrastructure and the information residing on it during the operations phase of an IT system or application in production.

    2.6.1 Manage
    • Establish the security administration program goals and objectives
    • Monitor the security administration program budget
    • Direct the security administration personnel
    • Address security administration program risks
    • Define the scope of the security administration program
    • Establish communications between the security administration team and other security-related personnel (e.g., technical support, incident management)
    • Integrate the security administration team activities with other security-related team activities (e.g., technical support, incident management, security engineering)
    • Acquire the necessary resources, including financial resources, to execute the security administration program
    • Ensure operational compliance with applicable legislation, regulations, standards, and policies
    • Implement appropriate improvement actions, as required

    2.6.2 Design
    • Develop security administration processes and procedures in accordance with standards, procedures, directives, policy, regulations, and laws
    • Develop personnel, application, middleware, operating system, hardware, network, facility, and egress security controls
    • Develop security administration tests, test scripts, test criteria, and testing procedures
    • Develop security administration change management procedures to ensure security policies and controls remain effective following a change
    • Recommend appropriate forensics-sensitive policies for inclusion in the enterprise security plan

    2.6.3 Implement
    • Perform security administration processes and procedures in accordance with standards, procedures, directives, policy, regulations, and law
    • Establish a secure computing environment by applying, monitoring, controlling, and managing security controls
    • Ensure that information systems are assessed regularly for vulnerabilities and that appropriate solutions to eliminate or otherwise mitigate identified vulnerabilities are implemented
    • Monitor IT security performance measures to ensure optimal system performance
    • Perform security performance testing and reporting and recommend security solutions in accordance with standards, procedures, directives, policy, regulations, and law
    • Perform security administration changes and validation testing
    • Identify, control, and track all IT security configuration items
    • Collaborate with the technical support, incident management, and security engineering teams to develop, implement, control, and manage new security administration technologies
    • Monitor vendor agreements and Service Level Agreements (SLAs) to ensure that contract and performance measures are achieved
    • Establish and maintain controls and surveillance routines to monitor and control conformance to all applicable information security laws and regulations

    2.6.4 Evaluate
    • Review strategic security technologies
    • Review the performance and correctness of applied security controls in accordance with standards, procedures, directives, policy, regulations, and law and apply corrections as required
    • Assess the performance of security administration measurement technologies
    • Assess system and network vulnerabilities
    • Assess compliance with standards, procedures, directives, policy, regulations, and law
    • Identify improvement actions based on reviews, assessments, and other data sources
2.7 Network Security and Telecommunications

Refers to the application of the principles, policies, and procedures involved in ensuring the security of basic network services and data and in maintaining the hardware layer on which they reside. These practices address perimeter defense strategies, defense-in-depth strategies, and data encryption techniques.

    2.7.1 Manage
    • Establish a network security and telecommunications program in line with enterprise policy and security goals
    • Manage the necessary resources, including financial resources, to establish and maintain an effective network security and telecommunications program
    • Direct network security and telecommunications personnel
    • Define the scope of the network security and telecommunications program
    • Establish communications between the network security and telecommunications team and related security teams (e.g., technical support, security administration, incident response)
    • Integrate network security and telecommunications program activities with technical support, security administration, and incident response activities
    • Establish a network security and telecommunications performance measurement program
    • Ensure enterprise compliance with applicable network-based standards, procedures, directives, policies, regulations, and laws
    • Ensure that network-based audits and management reviews are conducted to implement process improvement
    • Implement appropriate improvement actions, as required

    2.7.2 Design
    • Develop network and host-based security policies in accordance with standards, procedures, directives, policies, regulations, and laws
    • Specify strategic security plans for network telecommunications in accordance with established policy to meet organizational security goals
    • Develop network security and telecommunications operations and maintenance standard operating procedures
    • Develop network security test plans and procedures in accordance with standards, procedures, directives, policies, regulations, and laws
    • Generate network security performance reports
    • Develop network security and telecommunications audit processes and procedures

    2.7.3 Implement
    • Prevent and detect intrusions and protect against viruses
    • Perform audit tracking and reporting
    • Create, develop, apply, control, and manage effective network domain security controls in accordance with enterprise, network, and host-based policies
    • Test strategic network security technologies for effectiveness; incorporate controls that ensure compliance with the enterprise, network, and host-based security policies
    • Monitor and assess network security threats and issues
    • Gather technical data and monitor and assess network vulnerabilities
    • Correct network security vulnerabilities in response to problems identified in vulnerability reports
    • Provide real-time network intrusion response
    • Determine whether or not antivirus systems are in place and operating correctly
    • Ensure that messages are confidential and free from tampering and repudiation
    • Defend network communications from tampering and/or eavesdropping

    2.7.4 Evaluate
    • Perform a network security evaluation, calculate risks to the enterprise, and recommend remediation activities
    • Ensure that appropriate solutions to eliminate or otherwise mitigate identified vulnerabilities are implemented effectively
    • Arrange independent verification and validation of the network to assess full satisfaction of functional requirements
    • Compile data into measures for analysis and reporting
2.8 Personnel Security

Refers to methods and controls used to ensure that an organization's selection and application of human resources (both employee and contractor) are controlled to promote security. Personnel security controls are used to prevent and detect employee-caused security breaches such as theft, fraud, misuse of information, and noncompliance. The controls include organization/functional design elements such as separation of duties, job rotation, and determining position sensitivity.

    2.8.1 Manage
    • Coordinate with IT security, physical security, operations security, and other organizational managers to ensure a coherent, coordinated approach to security across the organization
    • Acquire and manage the necessary resources, including financial resources, to manage and maintain the personnel security program
    • Establish objectives for the personnel security program relative to the overall security goals for the enterprise
    • Ensure compliance through periodic audits of methods and controls
    • Ensure personnel security is a component of enterprise continuity of operations
    • Direct the ongoing operations of the personnel security program
    • Implement appropriate improvement actions, as required

    2.8.2 Design
    • Establish personnel security processes and procedures for individual job roles
    • Establish procedures to coordinate with other organizations to ensure common processes are aligned
    • Establish personnel security standards to which external suppliers (e.g., vendors, contractors) must conform

    2.8.3 Implement
    • Coordinate within the personnel security office or with Human Resources to ensure that position sensitivity is established prior to the interview process and that appropriate background screening and suitability requirements are identified for each position
    • Coordinate within the personnel security office or with Human Resources to ensure background investigations are processed based on the level of trust and position sensitivity
    • Review, analyze, and adjudicate reports of investigations, personnel files, and other records to determine whether to grant, deny, revoke, suspend, or restrict clearances consistent with national security and/or suitability issues
    • Coordinate with physical security and IT security operations personnel to ensure that employee access to physical facilities, media, and IT systems and networks is modified or terminated upon reassignment, change of duties, resignation, or termination
    • Exercise oversight of personnel security program appeals procedures to verify that the rights of individuals are being protected according to law
    • Periodically review the personnel security program for compliance with standards, procedures, directives, policy, regulations, and law

    2.8.4 Evaluate
    • Review the effectiveness of the personnel security program and recommend changes that will improve internal practices and/or security organization-wide
    • Assess the relationships between personnel security procedures and organization-wide security needs and make recommendations for improvement
    • Periodically assess the personnel security program for compliance with standards, procedures, directives, policies, regulations, and laws
2.9    Physical and Environmental Security
Refers to the methods and controls used to proactively protect an organization from natural or manmade threats to physical facilities and buildings, as well as to the physical locations where IT equipment is located or work is performed (e.g., computer rooms, work locations). Physical and environmental security protects an organization’s personnel, electronic equipment, and information.
    2.9.1    Manage
    •    Coordinate with personnel managing IT security, personnel security, operations security, and other security program areas to provide an integrated and coherent security effort
    •    Acquire the necessary resources, including financial resources, to support an effective physical security program
    •    Establish a physical security performance measurement system
    •    Establish a program to determine the value of physical assets and their impact if unavailable
    •    Implement appropriate improvement recommendations, as required
    2.9.2    Design
    •    Identify the physical security program requirements and specifications in relationship to the enterprise security goals
    •    Develop the policies and procedures for identifying and mitigating physical and environmental threats to information assets, personnel, facilities, and equipment
    •    Develop a physical security and environmental security plan, including security test plans and contingency plans, in coordination with other security planning functions
    •    Develop countermeasures against identified risks and vulnerabilities
    •    Develop criteria for inclusion in the acquisition of facilities, equipment, and services that impact physical security
    2.9.3    Implement
    •    Apply physical and environmental controls in support of the physical security plan
    •    Control access to information assets in accordance with standards, procedures, directives, policy, regulations, and law
    •    Integrate physical security concepts into test plans, procedures, and exercises
    •    Conduct threat and vulnerability assessments to identify physical and environmental risks and vulnerabilities, then update the applicable controls as necessary
    •    Review construction projects to ensure that appropriate physical security and protective design features are incorporated into the design
    2.9.4    Evaluate
    •    Assess and evaluate the overall effectiveness of the physical and environmental security policy and controls and make recommendations for improvement
    •    Review incident data and make process improvement recommendations
    •    Assess the effectiveness of physical and environmental security control testing
    •    Evaluate acquisitions that have physical security implications and report findings to management
    •    Compile, analyze, and report performance measures
2.10    Procurement
Refers to the application of principles, policies, and procedures required to plan, apply, and evaluate the purchase of IT products or services, including "risk-based" pre-solicitation, solicitation, source selection, award, and monitoring, disposal, and other post-award activities. Procurement activities may consist of the development of procurement and contract administration documents that include, but are not limited to, procurement plans, estimates, requests for information, requests for quotes, requests for proposals, statements of work, contracts, cost-benefit analyses, evaluation factors for award, source selection plans, incentive plans, service level agreements, justifications required by policies or procedures, and contract administration plans.
    2.10.1    Manage
    •    Collaborate with various stakeholders (which may include internal clients, lawyers, the Chief Information Officer (CIO), Chief Information Security Officer, IT Security Professional, Privacy Professional, Security Engineer, suppliers, and many others) on the procurement of IT security products and services
    •    Ensure the inclusion of risk-based IT security requirements in acquisition plans, cost estimates, statements of work, contracts, evaluation factors for award, service level agreements, and other pertinent procurement documents
    •    Ensure that suppliers understand the importance of IT security
    •    Conduct detailed IT investment reviews and security analyses and review IT investment business cases for security requirements
    •    Ensure that the organization’s IT contracts do not violate laws and regulations, and require compliance with standards when applicable
    •    Specify policies for the use of third-party information by vendors/partners, and connection requirements and acceptable use policies for vendors that connect to networks
    •    Implement appropriate improvement recommendations, if required
    2.10.2    Design
    •    Develop contracting language that mandates the incorporation of IT security requirements in information services, IT integration services, IT products, and information security product purchases
    •    Develop contract administration policies that direct the evaluation and acceptance of delivered IT security products and services under a contract, as well as the security evaluation of IT and software being procured
    •    Develop measures and reporting standards to measure and report on key objectives in procurements aligned with IT security policies and procedures
    •    Develop a vendor management policy and associated program that implements policy with regard to the use of third-party information and the connection requirements and acceptable use policies for vendors who connect to corporate networks. Include due diligence activities to ensure that vendors are operationally and technically competent to receive third-party information and to connect and communicate with corporate networks
    2.10.3    Implement
    •    Include IT security considerations as directed by policies and procedures in procurement and acquisition activities
    •    Negotiate final deals (e.g., contracts, contract changes, grants, agreements) that include IT security requirements that minimize risk to the organization
    •    Ensure that physical security concerns are integrated into the acquisition strategies
    •    Maintain ongoing and effective communications with suppliers and providers
    •    Perform compliance reviews of delivered products and services to assess the delivery of IT requirements against stated contract requirements and measures
    2.10.4    Evaluate
    •    Review contracting documents, such as statements of work or requests for proposals, for inclusion of IT security considerations in accordance with information security requirements, policies, and procedures
    •    Assess the industry landscape for applicable IT security trends, including practices for mitigating security risks associated with global supply chain management
    •    Review Memoranda of Agreement, Memoranda of Understanding, and/or Service Level Agreements for the agreed level of IT security responsibility
    •    Conduct detailed IT investment reviews and security analyses and review IT investment business cases for security requirements
    •    Assess and evaluate the effectiveness of the vendor management program in complying with corporate policy with regard to the use of third-party information and the connection requirements and acceptable use policies for vendors who connect to corporate networks
    •    Conduct due diligence activities to ensure that vendors are operationally and technically competent to receive third-party information, to connect and communicate with networks, and to deliver and support secure applications
    •    Evaluate the effectiveness of the procurement function at addressing information security requirements through procurement activities and recommend improvements
2.11    Regulatory and Standards Compliance
Refers to the application of the principles, policies, and procedures that enable an enterprise to meet applicable information security laws, regulations, standards, and policies to satisfy statutory requirements, perform industry-wide best practices, and achieve its information security program goals.
    2.11.1    Manage
    •    Establish and administer a risk-based enterprise information security program that addresses applicable standards, procedures, directives, policies, regulations, and laws
    •    Define the scope of the enterprise information security compliance program
    •    Maintain the information security enterprise compliance program budget
    •    Organize and direct a staff that is responsible for information security compliance, licensing and registration, and data security surveillance
    •    Ensure that all employees are informed of their obligations and are motivated to comply with the applicable information security standards, procedures, directives, policies, regulations, and laws
    •    Identify major enterprise risk factors (product, compliance, and operational) and develop and coordinate the application of information security strategies, plans, policies, and procedures to reduce regulatory risk
    •    Maintain relationships with all regulatory information security organizations and appropriate industry groups, forums, stakeholders, and organizations
    •    Keep informed on pending information security changes, trends, and best practices by participating in collaborative settings
    •    Secure the resources necessary to support an effective information security enterprise compliance program
    •    Establish an enterprise information security compliance performance measures program
    •    Implement appropriate improvements, as required
    2.11.2    Design
    •    Develop enterprise information security compliance strategies, policies, plans, and procedures in accordance with established standards, procedures, directives, policies, regulations, and laws
    •    Specify enterprise information security compliance program control requirements
    •    Author information security compliance performance reports
    •    Document information security audit results and develop remedial action policies and procedures
    •    Develop a plan of action and associated mitigation strategies to address program deficiencies
    •    Document the compliance reporting process in a manner that produces evidence that the process exists
    2.11.3    Implement
    •    Monitor and assess the information security compliance practices of all personnel in accordance with enterprise policies and procedures
    •    Maintain ongoing and effective communications with key compliance stakeholders
    •    Conduct internal audits to determine if information security control objectives, controls, processes, and procedures are effectively applied and maintained, and perform as expected
    2.11.4    Evaluate
    •    Assess the effectiveness of enterprise compliance program controls against the applicable laws, regulations, standards, policies, and procedures
    •    Assess the effectiveness of the information security compliance process and procedures for process improvement and implement changes where appropriate
    •    Compile, analyze, and report performance measures
2.12    Risk Management
Refers to the policies, processes, procedures, and technologies used by an organization to create a balanced approach to identifying and assessing risks to information assets and to manage mitigation strategies that achieve the security needed at an affordable cost.
    2.12.1    Manage
    •    Establish an IT security risk management program based on the enterprise business goals and objectives
    •    Advise senior management during the decision-making process by helping them understand and evaluate the impact of IT security risks on business goals, objectives, plans, programs, and actions
    •    Acquire and manage the resources, including financial resources, necessary to conduct an effective risk management program
    •    Authorize operations to acknowledge acceptance of residual risk
    •    Implement appropriate improvement recommendations, as required
    2.12.2    Design
    •    Specify risk-based information security requirements and a security concept of operations
    •    Develop the policies, processes, and procedures for identifying, assessing, and mitigating risks to information assets, personnel, facilities, and equipment
    •    Develop processes and procedures for determining the costs and benefits of risk mitigation strategies
    •    Develop the procedures for documenting the decision to apply mitigation strategies or accept risk
    •    Develop and maintain risk-based security policies, plans, and procedures based on security requirements and in accordance with standards, procedures, directives, policy, regulation, and law
    2.12.3    Implement
    •    Apply controls in support of the risk management program
    •    Provide input to policies, plans, procedures, and technologies to balance the level of risk against the benefits provided by mitigating controls
    •    Implement threat and vulnerability assessments to identify security risks and update the applicable security controls regularly
    •    Identify risk/functionality tradeoffs and work with stakeholders to ensure that the risk management implementation is consistent with the organization’s desired risk posture
    2.12.4    Evaluate
    •    Assess the effectiveness of the risk management program and implement changes where required
    •    Review the performance of, and provide recommendations for, risk management tools and techniques (the security controls and policies/procedures that make up the risk management program)
    •    Assess the residual risk in the information infrastructure used by the organization
    •    Assess the results of threat and vulnerability assessments to identify security risks and update the applicable security controls regularly
    •    Identify changes to risk management policies and processes to remain current with the emerging risk and threat environment
2.13    Strategic Management
Refers to the principles, practices, and methods involved in making managerial decisions and actions that determine the long-term performance of an organization. Strategic management requires the practice of external business analyses such as customer analyses, competitor analyses, market analyses, and industry environmental analyses. Strategic management also requires the performance of internal business analyses that address financial performance, performance measurement, quality assurance, risk management, and organizational capabilities and constraints. The goal of these analyses is to ensure that an organization’s IT security principles, practices, and system design are in line with the organization’s mission statement.
    2.13.1    Manage
    •    Establish an IT security program to provide security for all systems, networks, and data that support the operations and business/mission needs of the organization
    •    Integrate and align IT security, physical security, personnel security, and other security components into a systematic process to ensure that information protection goals and objectives are reached
    •    Align IT security priorities with the organization’s mission and vision and communicate the value of IT security within the organization
    •    Acquire the necessary resources, including financial resources, to support IT security goals and objectives and reduce overall organizational risk
    •    Establish the overall enterprise security architecture (EA) by aligning business processes, IT software and hardware, local and wide area networks, people, operations, and projects with the organization’s overall security strategy
    •    Acquire and manage the necessary resources, including financial resources, for instituting the security policy elements in the operational environment
    •    Establish organizational goals that are in accordance with standards, procedures, directives, policies, regulations, and laws
    •    Balance the IT security investment portfolio based on EA considerations and enterprise security priorities
    2.13.2    Design
    •    Establish a performance management program that will measure the efficiency, effectiveness, and maturity of the IT security program in support of the business/mission needs of the organization
    •    Develop IT security program components and the associated strategy to support the organization’s IT security program
    •    Develop information security management strategic plans
    •    Integrate applicable laws and regulations into the enterprise information security strategy, plans, policies, and procedures
    2.13.3    Implement
    •    Provide feedback to management on the effectiveness and performance of security strategic plans in accomplishing business/mission needs
    •    Perform internal and external enterprise analyses to ensure that the organization’s IT security principles and practices are in line with the organizational mission
    •    Integrate business goals with information security program policies, plans, processes, and procedures
    •    Collect, analyze, and report performance measures
    •    Use performance measures to inform strategic decision making
    2.13.4    Evaluate
    •    Determine if security controls and processes are adequately integrated into the investment planning process based on IT portfolio and security reporting
    •    Review security funding within the IT portfolio to determine if funding accurately aligns with security goals and objectives, and make funding recommendations accordingly
    •    Assess the integration of security with the business/mission and recommend improvements
    •    Review the cost goals of each major investment
    •    Assess the performance and overall effectiveness of the security program with respect to security goals and objectives
    •    Assess and refresh the performance measurement program to ensure currency with the organization’s goals and priorities
2.14    System and Application Security
Refers to the principles, policies, and procedures pertaining to integrating information security into an IT system or application during the System Development Life Cycle (SDLC) prior to the Operations and Maintenance phase. The practice of these protocols ensures that the operation of IT systems and software does not present undue risk to the enterprise and its information assets. This objective is accomplished through risk assessment; risk mitigation; security control selection, implementation, and evaluation; and software security standards compliance.
    2.14.1    Manage
    •    Establish the IT system and application security engineering program
    •    Acquire the necessary resources, including financial resources, to support the integration of security in the SDLC
    •    Guide IT security personnel through the SDLC phases
    •    Define the scope of the IT security program as it applies to the SDLC
    •    Plan the integration of IT security program components into the SDLC
    2.14.2    Design
    •    Specify the enterprise and IT system or application security policies
    •    Specify the security requirements for the IT system or application
    •    Author an IT system or application security plan in accordance with the enterprise and IT system or application security policies
    •    Identify the standards against which to engineer the IT system or application
    •    Specify the criteria for performing risk-based audits against the IT system or application
    •    Develop processes and procedures to mitigate the introduction of vulnerabilities during the engineering process
    •    Integrate applicable information security requirements, controls, processes, and procedures into IT system and application design specifications in accordance with established standards, policies, regulations, and laws
    2.14.3    Implement
    •    Execute the enterprise and IT system or application security policies
    •    Apply and verify compliance with the identified standards against which to engineer the IT system or application
    •    Perform the processes and procedures to mitigate the introduction of vulnerabilities during the engineering process
    •    Perform secure configuration management practices
    •    Validate that the engineered IT security and application security controls meet the specified requirements
    •    Reengineer security controls to mitigate vulnerabilities identified during the operations phase
    •    Ensure the integration of information security practices throughout the SDLC process
    •    Document the IT system or application security controls addressed within the system
    •    Apply secure coding practices
    2.14.4    Evaluate
    •    Review new and existing risk management technologies to achieve an optimal enterprise risk posture
    •    Review new and existing IT security technologies to support secure engineering across the SDLC phases
    •    Continually assess the effectiveness of the information system’s controls based on risk management practices and procedures
    •    Assess and evaluate system compliance with corporate policies and architectures
    •    Assess system maturation and readiness for promotion to the production stage
    •    Collect lessons learned from the integration of information security into the SDLC and use them to identify improvement actions
    •    Collect, analyze, and report performance measures