What is involved in Security control

Find out which related areas Security control connects with, associates with, correlates with or affects, and which of them require thought, deliberation, analysis, review and discussion. This checklist is not designed to give answers as such, but to engage the reader and lay out a framework for thinking about Security control.

To address the criteria in this checklist for your organization, extensive selected resources are provided for sources of further research and information.

Below you will find a quick checklist designed to help you think about which Security control related domains to cover and 157 essential critical questions to check off in that domain.

The following domains are covered:

Security control, Security controls, Access control, CIA Triad, Countermeasure, DoDI 8500.2, Environmental design, Health Insurance Portability and Accountability Act, ISAE 3402, ISO/IEC 27001, Information Assurance, Information security, OSI model, Payment Card Industry Data Security Standard, Physical Security, SSAE 16, Security, Security engineering, Security management, Security risk, Security service.

Security control Critical Criteria:

Recall Security control goals and describe which business rules are needed as Security control interface.

– Have we developed a continuous monitoring strategy for the information systems (including monitoring of security control effectiveness for system-specific, hybrid, and common controls) that reflects the organizational Risk Management strategy and organizational commitment to protecting critical missions and business functions?

– Have the IT security costs for any investment/project been integrated into the overall cost, including C&A/re-accreditation, system security plan, risk assessment, privacy impact assessment, configuration/patch management, security control testing and evaluation, and contingency planning/testing?

– Are there multiple physical security controls (such as badges, escorts, or mantraps) in place that would prevent unauthorized individuals from gaining access to the facility?

– Does the cloud service agreement make its responsibilities clear and require specific security controls to be applied to the application?

– Are regular reviews of the effectiveness of the ISMS (including meeting of ISMS policy and objectives and review of security controls) undertaken?

– Do the security controls encompass not only the cloud services themselves, but also the management interfaces offered to customers?

– Can the cloud service provider demonstrate appropriate security controls applied to their physical infrastructure and facilities?

– What training is provided to personnel that are involved with Cybersecurity control, implementation, and policies?

– Do we have policies and methodologies in place to ensure the appropriate security controls for each application?

– Is the measuring of the effectiveness of the selected security controls or group of controls defined?

– Does the cloud service provider have necessary security controls on their human resources?

– Do we have sufficient processes in place to enforce security controls and standards?

– Have vendors documented and independently verified their Cybersecurity controls?

– What is the purpose of Security control in relation to the mission?

– Which Security control goals are the most important?

– How much does Security control help?

Security controls Critical Criteria:

Depict Security controls results and report on the economics of relationships managing Security controls and constraints.

– What vendors make products that address the Security control needs?

– Does Security control appropriately measure and monitor risk?

– What are the known security controls?

– What is Effective Security control?

Access control Critical Criteria:

Discuss Access control engagements and reinforce and communicate particularly sensitive Access control decisions.

– Are information security policies, including policies for access control, application and system development, operational, network and physical security, formally documented?

– Can the access control product protect individual devices (e.g., floppy disks, compact disk read-only memory (CD-ROM), serial and parallel interfaces, and system clipboard)?

– If our security management product supports access control based on defined rules, what is the granularity of the rules supported: access control per user, group, or role?

– Does the provider utilize Network Access Control based enforcement for continuous monitoring of its virtual machine population and virtual machine sprawl prevention?

– Access control: Are there appropriate controls over access to PII when stored in the cloud so that only individuals with a need to know will be able to access it?

– What are your key performance measures or indicators and in-process measures for the control and improvement of your Security control processes?

– Do access control logs contain successful and unsuccessful login attempts and access to audit logs?

– Is the process actually generating measurable improvement in the state of logical access control?

– Access control: Are there appropriate access controls over PII when it is in the cloud?

– Access Control To Program Source Code: Is access to program source code restricted?

– What is the direction of flow for which access control is required?

– Should we call it role-based, rule-based access control, or RBRBAC?

– Do the provider services offer fine grained access control?

– What type of advanced access control is supported?

– What access control exists to protect the data?

– What is our role based access control?

– How do we maintain Security controls Integrity?

– Who determines access controls?

CIA Triad Critical Criteria:

Meet over CIA Triad tasks and summarize a clear CIA Triad focus.

– What tools do you use once you have decided on a Security control strategy and more importantly how do you choose?

– What prevents me from making the changes I know will make me a more effective Security control leader?

– Why is it important to have senior management support for a Security control project?

Countermeasure Critical Criteria:

Be clear about Countermeasure engagements and diversify disclosure of information – dealing with confidential Countermeasure information.

– Do several people in different organizational units assist with the Security control process?

DoDI 8500.2 Critical Criteria:

Discourse DoDI 8500.2 tactics and reduce DoDI 8500.2 costs.

– Who is responsible for ensuring appropriate resources (time, people and money) are allocated to Security control?

– What are the long-term Security control goals?

Environmental design Critical Criteria:

Track Environmental design adoptions and ask what if.

– How likely is the current Security control plan to come in on schedule or on budget?

– Who needs to know about Security control?

– What threat is Security control addressing?

Health Insurance Portability and Accountability Act Critical Criteria:

Deliberate Health Insurance Portability and Accountability Act management and sort Health Insurance Portability and Accountability Act activities.

– Is there any existing Security control governance structure?

ISAE 3402 Critical Criteria:

Guide ISAE 3402 visions and work towards being a leading ISAE 3402 expert.

– Are we making progress, and are we making progress as Security control leaders?

– What sources do you use to gather information for a Security control study?

– Can Management personnel recognize the monetary benefit of Security control?

ISO/IEC 27001 Critical Criteria:

Scrutinize ISO/IEC 27001 visions and find answers.

– How do your measurements capture actionable Security control information for use in exceeding your customers' expectations and securing your customers' engagement?

– What other organizational variables, such as reward systems or communication systems, affect the performance of this Security control process?

– How does the organization define, manage, and improve its Security control processes?

Information Assurance Critical Criteria:

Participate in Information Assurance goals and learn.

– What may be the consequences for the performance of an organization if all stakeholders are not consulted regarding Security control?

– Does Security control create potential expectations in other areas that need to be recognized and considered?

– What knowledge, skills and characteristics mark a good Security control project manager?

Information security Critical Criteria:

Check Information security decisions and integrate design thinking in Information security innovation.

– Has the organization established an Identity and Access Management program that is consistent with requirements, policy, and applicable guidelines and which identifies users and network devices?

– Does management communicate to the organization the importance of meeting the information security objectives, conforming to the information security policy and the need for continual improvement?

– Has specific responsibility been assigned for the execution of business continuity and disaster recovery plans (either within or outside of the information security function)?

– Is there an information security policy to provide management direction and support for information security in accordance with business requirements, relevant laws and regulations?

– Is a risk treatment plan formulated to identify the appropriate management action, resources, responsibilities and priorities for managing information security risks?

– Are information security events and weaknesses associated with information systems communicated in a manner to allow timely corrective action to be taken?

– Do suitable policies for the information security exist for all critical assets of the value added chain (indication of completeness of policies, Ico)?

– Do suitable policies for the information security exist for all critical assets of the value added chain (degree of completeness)?

– Are information security roles and responsibilities coordinated and aligned with internal roles and external partners?

– Is there an up-to-date information security awareness and training program in place for all system users?

– Is there a consistent and effective approach applied to the management of information security events?

– Does management establish roles and responsibilities for information security?

– Is an organizational information security policy established?

– What is information security?

OSI model Critical Criteria:

Think carefully about OSI model leadership and improve OSI model service perception.

– How do senior leaders' actions reflect a commitment to the organization's Security control values?

Payment Card Industry Data Security Standard Critical Criteria:

Be clear about Payment Card Industry Data Security Standard adoptions and ask questions.

– Is the Security control organization completing tasks effectively and efficiently?

– Will Security control deliverables need to be tested and, if so, by whom?

– Are we assessing Security control and risk?

Physical Security Critical Criteria:

Troubleshoot Physical Security quality and raise human resource and employment practices for Physical Security.

– Does your Cybersecurity plan contain both cyber and physical security components, or does your physical security plan identify critical cyber assets?

– Has Cybersecurity been identified in the physical security plans for the assets, reflecting planning for a blended cyber/physical attack?

– Secured Offices, Rooms and Facilities: Are physical security for offices, rooms and facilities designed and applied?

– Is the security product consistent with physical security and other policy requirements?

– Can we do Security control without complex (expensive) analysis?

– What business benefits will Security control goals deliver if achieved?

SSAE 16 Critical Criteria:

Sort SSAE 16 tactics and describe which business rules are needed as SSAE 16 interface.

– How do you determine the key elements that affect Security control workforce satisfaction? How are these elements determined for different workforce groups and segments?

– How do we measure improved Security control service perception, and satisfaction?

– How would one define Security control leadership?

Security Critical Criteria:

Track Security decisions and reduce Security costs.

– What domains of knowledge and types of Cybersecurity-associated skills and abilities are necessary for engineers involved in operating industrial processes to achieve safe and reliable operating goals?

– What will be the policies for data sharing and public access (including provisions for protection of privacy, confidentiality, security, intellectual property rights and other rights as appropriate)?

– Encryption: Several laws and regulations require that certain types of PII should be stored only when encrypted. Is this requirement supported by the CSP?

– Has your organization conducted an evaluation of the Cybersecurity risks for major systems at each stage of the system deployment lifecycle?

– How do the service provider's mission and service offering align with and enhance the organization's ability to meet the organization's mission?

– Is the compliance of systems with organization security policies and standards ensured?

– Does senior leadership have access to Cybersecurity risk information?

– Does your organization destroy data according to policies in place?

– What role do your security and compliance teams have in DevOps projects?

– Do you need to have an audit of every cloud service provider?

– Can I explain our corporate Cybersecurity strategy to others?

– Are our Cybersecurity capabilities efficient and effective?

– Are systems audited to detect Cybersecurity intrusions?

– Are protection processes being continuously improved?

– Security settings: What if you can't access a feature?

– What should a service agreement include?

– Are there beyond-compliance activities?

– Who has Access?

Security engineering Critical Criteria:

Model after Security engineering planning and budget the knowledge transfer for anyone interested in Security engineering.

– How can we incorporate support to ensure safe and effective use of Security control into the services that we provide?

– How do we improve Security control service perception, and satisfaction?

Security management Critical Criteria:

Illustrate Security management outcomes and oversee implementation of Security management.

– What are your current levels and trends in key measures or indicators of Security control product and process performance that are important to and directly serve your customers? How do these results compare with the performance of your competitors and other organizations with similar offerings?

– Has the organization established an enterprise-wide business continuity/disaster recovery program that is consistent with requirements, policy, and applicable guidelines?

– Does the service agreement have metrics for measuring performance and effectiveness of security management?

– So, how does security management manifest in cloud services?

– Are damage assessment and disaster recovery plans in place?

Security risk Critical Criteria:

Read up on Security risk results and point out Security risk tensions in leadership.

– Does your company provide end-user training to all employees on Cybersecurity, either as part of general staff training or specifically on the topic of computer security and company policy?

– Has anyone made unauthorized changes or additions to your systems' hardware, firmware, or software characteristics without your IT department's knowledge, instruction, or consent?

– Are audit/log records determined, documented, implemented, and reviewed in accordance with your organization's policies?

– For the most critical systems, are multiple operators required to implement changes that risk consequential events?

– Do you have a process for looking at consequences of cyber incidents that informs your risk management process?

– How can you tell if the actions you plan to take will contain the impact of a potential cyber threat?

– Does our company communicate to employees the process for reporting and containing compromise?

– To what extent is Cybersecurity Risk Management integrated into enterprise risk management?

– Does our company have a Cybersecurity policy, strategy, or governing document?

– Is there a business case where additional cyber security risks are involved?

– How do we appropriately integrate Cybersecurity risk into business risk?

– Where do we locate our Cybersecurity Risk Management program/office?

– Are records kept of successful Cybersecurity intrusions?

– How often are personnel trained in this procedure?

– How much to invest in Cybersecurity?

– How do we prioritize risks?

– What is encryption?

Security service Critical Criteria:

Reorganize Security service planning and oversee implementation of Security service.

– During the last 3 years, have you been the subject of an investigation or action by any regulatory or administrative agency for privacy related violations?

– For the private information collected, is there a process for deleting this information once it is complete or not needed anymore?

– What is your estimated recovery time for critical systems to restore operations after a cyber attack or other loss/corruption?

– There are numerous state and federal laws requiring IT security compliance. Do you know which apply to your organization?

– Is data (i.e. personal information) encrypted on laptops and other mobile devices used for storing and transferring data?

– Are special privileges restricted to systems administration personnel with an approved need to have these privileges?

– Is firewall technology used to prevent unauthorized access to and from internal networks and external networks?

– Do you ensure that all private information is encrypted whether at rest or in transit?

– Do you have legal review of your content performed by staff or outside attorney?

– Do you have any data sharing agreements with any 3rd parties?

– Are there any industry based standards that you follow?

– Do you have a dedicated security officer/manager?

– What is the average contract value and duration?

– How long are you required to store your data?

– Who has authority to customize contracts?

– Prioritising waiting lists: How and why?

– Do you have VoIP implemented?

– What to Outsource?

– Who Will Benefit?


This quick readiness checklist is a selected resource to help you move forward.


Author: Gerard Blokdijk

CEO at The Art of Service | theartofservice.com


Gerard is the CEO at The Art of Service. He has been providing information technology insights, talks, tools and products to organizations in a wide range of industries for over 25 years. Gerard is a widely recognized and respected information expert. Gerard founded The Art of Service consulting business in 2000. Gerard has authored numerous published books to date.

External links:

To address the criteria in this checklist, these selected resources are provided for sources of further research and information:

Security control External links:

OIG: Security Control Review of the CFPB’s Public …

AZ Security Control – Remote Dealer Access

Security controls External links:

SANS Institute – CIS Critical Security Controls

[PDF]Recommended Security Controls for Federal …

Access control External links:

What is Access Control? – Definition from Techopedia

Open Options – Open Platform Access Control

Mercury Security Access Control Hardware & Solutions

CIA Triad External links:

CIA Triad Flashcards | Quizlet

Cia Triad – Term Paper

CIA TRIAD – 13050 – The Cisco Learning Network

Countermeasure External links:

Countermeasure Tracking Systems (CTS) | CDC

ACT Cert: Attack Countermeasures Training and …

Countermeasure | Definition of Countermeasure by …

DoDI 8500.2 External links:

DoDI 8500.2 – Intelsat General Corporation

[PDF]DoDI 8500.2 Solution Brief – EventTracker

Environmental design External links:

[PDF]Aviation Environmental Design Tool (AEDT)

Mona + Associates Design – Interiors + Environmental Design

UC Berkeley College of Environmental Design

Health Insurance Portability and Accountability Act External links:

Health Insurance Portability and Accountability Act …

ISAE 3402 External links:


[PDF]AccountChek™ Level Security SSAE 16/ISAE 3402 …

22. What are SSAE 16 and ISAE 3402? What happened to …

ISO/IEC 27001 External links:

ISO/IEC 27001 Information Security | BSI America

ISO/IEC 27001:2013
ISO/IEC 27001:2013 is an information security standard that was published on the 25th September 2013. It supersedes ISO/IEC 27001:2005, and is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27.

BSI Training – ISO/IEC 27001 Lead Implementer

Information Assurance External links:

Information Assurance Training Center

Information Assurance Directorate – National Security Agency

Information security External links:


Managed Security Services | Information Security Solutions

Title & Settlement Information Security

OSI model External links:

Troubleshooting Along the OSI Model – Pearson IT …

The OSI Model Layers from Physical to Application – Lifewire

A Guide to the OSI Model in Computer Networking

Payment Card Industry Data Security Standard External links:

Payment Card Industry Data Security Standard – CyberArk

[PDF]Payment Card Industry Data Security Standard 3 – …

Physical Security External links:

Qognify: Big Data Solutions for Physical Security & …

ADC LTD NM Leader In Personnel & Physical Security

Access Control and Physical Security

SSAE 16 External links:

[PDF]SSAE 16 –Everything You Wanted To Know But Are …
www.isacantx.org/Presentations/2011-12 Lunch – SSAE 16.pdf

The SSAE 16 Reporting Standard – SOC 1 – SOC 2 – SOC 3

SSAE 16 – Overview

Security engineering External links:

Security Engineering – Covenant Security Solutions

Security Engineering – seceng.com

Security management External links:

Welcome to 365 Security | 365 Security Management Group

VISIBLE VISITORS – Entry Security Management System …

Information Security Management Provider – Sedara

Security risk External links:

Security Risk (1954) – IMDb

Security Risk (eBook, 2011) [WorldCat.org]

Security service External links:

myBranch Online Banking Log In | Security Service

Contact Us: Questions, Complaints | Security Service

Contact Us | Security Service
