167 Security Controls Criteria for Multi-purpose Projects

What is involved in Security Controls

Find out what the related areas are that Security Controls connects with, associates with, correlates with or affects, and which require thought, deliberation, analysis, review and discussion. This unique checklist stands out in a sense that it is not per-se designed to give answers, but to engage the reader and lay out a Security Controls thinking-frame.

How far is your company on its Security Controls journey?

Take this short survey to gauge your organization’s progress toward Security Controls leadership. Learn your strongest and weakest areas, and what you can do now to create a strategy that delivers results.

To address the criteria in this checklist for your organization, extensive selected resources are provided for sources of further research and information.

Start the Checklist

Below you will find a quick checklist designed to help you think about which Security Controls related domains to cover and 167 essential critical questions to check off in that domain.

The following domains are covered:

Security Controls, Access control, CIA Triad, Countermeasure, DoDI 8500.2, Environmental design, Health Insurance Portability and Accountability Act, ISAE 3402, ISO/IEC 27001, Information Assurance, Information security, OSI model, Payment Card Industry Data Security Standard, Physical Security, SSAE 16, Security, Security engineering, Security management, Security risk, Security service:

Security Controls Critical Criteria:

Review Security Controls quality and raise human resource and employment practices for Security Controls.

– What are our best practices for minimizing Security Controls project risk, while demonstrating incremental value and quick wins throughout the Security Controls project lifecycle?

– Are there multiple physical security controls (such as badges, escorts, or mantraps) in place that would prevent unauthorized individuals from gaining access to the facility?

– Does the cloud service agreement make its responsibilities clear and require specific security controls to be applied to the application?

– Are regular reviews of the effectiveness of the ISMS (including meeting of ISMS policy and objectives and review of security controls) undertaken?

– Do the security controls encompass not only the cloud services themselves, but also the management interfaces offered to customers?

– Can the cloud service provider demonstrate appropriate security controls applied to their physical infrastructure and facilities?

– Do we have policies and methodologies in place to ensure the appropriate security controls for each application?

– Is the measuring of the effectiveness of the selected security controls or group of controls defined?

– Does the cloud service provider have necessary security controls on their human resources?

– Do we have sufficient processes in place to enforce security controls and standards?

– Have vendors documented and independently verified their Cybersecurity controls?

– Do we have sufficient processes in place to enforce security controls and standards?

– How can we improve Security Controls?

– What are the known security controls?

– Is Security Controls Required?

Access control Critical Criteria:

Value Access control quality and describe the risks of Access control sustainability.

– Question to cloud provider: Does your platform offer fine-grained access control so that my users can have different roles that do not create conflicts or violate compliance guidelines?

– Are information security policies, including policies for access control, application and system development, operational, network and physical security, formally documented?

– Can the access control product protect individual devices (e.g., floppy disks, compact disks–read-only memory CD-ROM, serial and parallel interfaces, and system clipboard)?

– If our security management product supports access control based on defined rules, what is the granularity of the rules supported: access control per user, group, or role?

– Does the provider utilize Network Access Control based enforcement for continuous monitoring of its virtual machine population and virtual machine sprawl prevention?

– Access control: Are there appropriate controls over access to PII when stored in the cloud so that only individuals with a need to know will be able to access it?

– If data need to be secured through access controls (e.g. password-protected network space), how will they be applied?

– Do access control logs contain successful and unsuccessful login attempts and access to audit logs?

– Is the process actually generating measurable improvement in the state of logical access control?

– Access control: Are there appropriate access controls over PII when it is in the cloud?

– What are your most important goals for the strategic Security Controls objectives?

– Have the types of risks that may impact Security Controls been identified and analyzed?

– Access Control To Program Source Code: Is access to program source code restricted?

– Should we call it role based rule based access control, or rbrbac?

– Do the provider services offer fine grained access control?

– What access control exists to protect the data?

– What is our role based access control?

– Who determines access controls?

CIA Triad Critical Criteria:

Align CIA Triad goals and pay attention to the small things.

– Do those selected for the Security Controls team have a good general understanding of what Security Controls is all about?

– How can we incorporate support to ensure safe and effective use of Security Controls into the services that we provide?

– Who is the main stakeholder, with ultimate responsibility for driving Security Controls forward?

Countermeasure Critical Criteria:

Deliberate over Countermeasure decisions and work towards be a leading Countermeasure expert.

– Does Security Controls create potential expectations in other areas that need to be recognized and considered?

– How to Secure Security Controls?

DoDI 8500.2 Critical Criteria:

Steer DoDI 8500.2 quality and devise DoDI 8500.2 key steps.

– What are your key performance measures or indicators and in-process measures for the control and improvement of your Security Controls processes?

– What role does communication play in the success or failure of a Security Controls project?

– Is the scope of Security Controls defined?

Environmental design Critical Criteria:

Define Environmental design results and integrate design thinking in Environmental design innovation.

– Think about the functions involved in your Security Controls project. what processes flow from these functions?

– Does the Security Controls task fit the clients priorities?

Health Insurance Portability and Accountability Act Critical Criteria:

Troubleshoot Health Insurance Portability and Accountability Act risks and transcribe Health Insurance Portability and Accountability Act as tomorrows backbone for success.

– How do we know that any Security Controls analysis is complete and comprehensive?

– What are the business goals Security Controls is aiming to achieve?

– What is our formula for success in Security Controls ?

ISAE 3402 Critical Criteria:

Grade ISAE 3402 results and shift your focus.

– What is the total cost related to deploying Security Controls, including any consulting or professional services?

– Will new equipment/products be required to facilitate Security Controls delivery for example is new software needed?

– What potential environmental factors impact the Security Controls effort?

ISO/IEC 27001 Critical Criteria:

Discuss ISO/IEC 27001 tactics and get going.

– Think about the kind of project structure that would be appropriate for your Security Controls project. should it be formal and complex, or can it be less formal and relatively simple?

– In a project to restructure Security Controls outcomes, which stakeholders would you involve?

Information Assurance Critical Criteria:

Meet over Information Assurance quality and tour deciding if Information Assurance progress is made.

– How does the organization define, manage, and improve its Security Controls processes?

– How do we maintain Security Controlss Integrity?

Information security Critical Criteria:

Guard Information security quality and look for lots of ideas.

– Has the organization established an enterprise-wide business continuity/disaster recovery program that is consistent with requirements, policy, and applicable guidelines?

– Is there an information security policy to provide mgmt direction and support for information security in accordance with business requirements, relevant laws and regulations?

– Does the ISMS policy provide a framework for setting objectives and establishes an overall sense of direction and principles for action with regard to information security?

– Is a risk treatment plan formulated to identify the appropriate mgmt action, resources, responsibilities and priorities for managing information security risks?

– Are information security events and weaknesses associated with information systems communicated in a manner to allow timely corrective action to be taken?

– Do suitable policies for the information security exist for all critical assets of the value added chain (degree of completeness)?

– Have the roles and responsibilities for information security been clearly defined within the company?

– Have standards for information security across all entities been established or codified into law?

– Is there a consistent and effective approach applied to the mgmt of information security events?

– What is true about the trusted computing base in information security?

– what is the difference between cyber security and information security?

– Does mgmt establish roles and responsibilities for information security?

– Is an organizational information security policy established?

– : Return of Information Security Investment, Are you spending enough?

– Is information security managed within the organization?

– What is the goal of information security?

OSI model Critical Criteria:

Categorize OSI model governance and don’t overlook the obvious.

– What will drive Security Controls change?

Payment Card Industry Data Security Standard Critical Criteria:

X-ray Payment Card Industry Data Security Standard visions and tour deciding if Payment Card Industry Data Security Standard progress is made.

– How do we Improve Security Controls service perception, and satisfaction?

– Do we have past Security Controls Successes?

Physical Security Critical Criteria:

Think about Physical Security governance and learn.

– How do you determine the key elements that affect Security Controls workforce satisfaction? how are these elements determined for different workforce groups and segments?

– Does your Cybersecurity plan contain both cyber and physical security components, or does your physical security plan identify critical cyber assets?

– Has Cybersecurity been identified in the physical security plans for the assets, reflecting planning for a blended cyber/physical attack?

– Secured Offices, Rooms and Facilities: Are physical security for offices, rooms and facilities designed and applied?

– Are there any disadvantages to implementing Security Controls? There might be some that are less obvious?

– Is the security product consistent with physical security and other policy requirements?

SSAE 16 Critical Criteria:

Troubleshoot SSAE 16 governance and differentiate in coordinating SSAE 16.

– What are your current levels and trends in key measures or indicators of Security Controls product and process performance that are important to and directly serve your customers? how do these results compare with the performance of your competitors and other organizations with similar offerings?

– What are all of our Security Controls domains and what do they do?

– How do we manage Security Controls Knowledge Management (KM)?

Security Critical Criteria:

Substantiate Security governance and customize techniques for implementing Security controls.

– What are the current regulatory and regulatory reporting requirements in the United States (e.g. local, state, national, and other) for organizations relating to Cybersecurity?

– Encryption helps to secure data that may be stored on a stolen laptop but what about the sensitive data that is sent via e-mail or downloaded to a USB device?

– Based on our information security Risk Management strategy, do we have official written information security and privacy policies, standards, or procedures?

– Approximately, what is the average length of employment or tenure for it security personnel in your organization over the past few years?

– Confidentiality and security are components of the trust that are so essential to CRM. How do you build this trust in the new ecology?

– Has identifying and assessing security and privacy risks been incorporated into the overall Risk Management planning?

– Do we have a minimum baseline level of security that meets what we would consider good security hygiene?

– Does the cloud service agreement specify security responsibilities of the provider and of the customer?

– Are we protecting our data properly at rest if an attacker compromises our applications or systems?

– How will the switch happen to public cloud when the private cloud infrastructure gets mixed out?

– Who determines the it security staffing and recruitment strategy in your organization?

– Who has access, and what is left behind when you scale down a service?

– Do we appropriately integrate Cybersecurity risk into business risk?

– What specific regulatory or industry requirements are applicable?

– Classification: How and when is PII classified?

– Are Cybersecurity responsibilities assigned?

– What percent of time are contracts not used?

– How often are locks changed?

– How resilient is it?

Security engineering Critical Criteria:

Extrapolate Security engineering tactics and clarify ways to gain access to competitive Security engineering services.

– For your Security Controls project, identify and describe the business environment. is there more than one layer to the business environment?

– Can we do Security Controls without complex (expensive) analysis?

– Will Security Controls deliverables need to be tested and, if so, by whom?

Security management Critical Criteria:

Demonstrate Security management tasks and point out Security management tensions in leadership.

– Has the organization established an Identity and Access Management program that is consistent with requirements, policy, and applicable guidelines and which identifies users and network devices?

– Does the service agreement have metrics for measuring performance and effectiveness of security management?

– Why is it important to have senior management support for a Security Controls project?

– Is there a business continuity/disaster recovery plan in place?

– So, how does security management manifest in cloud services?

– Are damage assessment and disaster recovery plans in place?

– Are there recognized Security Controls problems?

Security risk Critical Criteria:

Closely inspect Security risk failures and find the ideas you already have.

– Has anyone made unauthorized changes or additions to your systems hardware, firmware, or software characteristics without your IT departments knowledge, instruction, or consent?

– What performance goals do organizations adopt to ensure their ability to provide essential services while managing Cybersecurity risk?

– For the most critical systems, are multiple operators required to implement changes that risk consequential events?

– Do you have a process for looking at consequences of cyber incidents that informs your risk management process?

– Will we be inclusive enough yet not disruptive to ongoing business, for effective Cybersecurity practices?

– Is our Cybersecurity function appropriately organized, trained, equipped, staffed and funded?

– Have logical and physical connections to key systems been evaluated and addressed?

– Is there a business case where additional cyber security risks are involved?

– Does the company have an information classification and handling policy?

– How do you assess vulnerabilities to your system and assets?

– How often does the management team discuss Cybersecurity?

– Is a written procedure or checklist in place to do this?

– Has your system or websites availability been disrupted?

– Do your recovery plans incorporate lessons learned?

– What scope do you want your strategy to cover?

– What else do you need to learn to be ready?

– How do you design a secure network?

Security service Critical Criteria:

Examine Security service goals and adjust implementation of Security service.

– If a back door exit was used to circumvent an attack, do the attackers now know of such a back door, and thus should a new back door be constructed?

– Organizations must be especially diligent about regularly measuring their compliance performance: Is the policy effective?

– In the next 12 months will you accept, store, process, or exchange credit/debit card transaction information?

– Is anti-virus software installed on all computers/servers that connect to your network?

– What is the process of adding users and deleting users from Active Directory?

– Do you or any third parties conduct any penetration & vulnerability testing?

– Do you have a formal procedure in place for handling customer complaints?

– Do you monitor log files on a regular basis to help spot abnormal trends?

– What is the range of the limitation of liability in contracts?

– Is your privacy policy reviewed and updated at least annually?

– Do you have log/event monitoring solutions in place today?

– Do you have a dedicated security officer/manager?

– What is the average contract value and duration?

– Are contingencies and disasters covered?

– Indemnification Clause to your benefit?

– Should You Place Security Within IT?

– Are there Security Controls problems defined?

– Do you have VoIP implemented?

– How safe is your it security?

– Who Will Benefit?


This quick readiness checklist is a selected resource to help you move forward. Learn more about how to achieve comprehensive insights with the Security Controls Self Assessment:


Author: Gerard Blokdijk

CEO at The Art of Service | http://theartofservice.com



Gerard is the CEO at The Art of Service. He has been providing information technology insights, talks, tools and products to organizations in a wide range of industries for over 25 years. Gerard is a widely recognized and respected information expert. Gerard founded The Art of Service consulting business in 2000. Gerard has authored numerous published books to date.

External links:

To address the criteria in this checklist, these selected resources are provided for sources of further research and information:

Security Controls External links:

[PDF]Security Controls for Computer Systems (U)

[PDF]Recommended Security Controls for Federal …

SANS Institute – CIS Critical Security Controls

Access control External links:

GoKeyless: Keyless Locks and Access Control Store | …

Open Options – Open Platform Access Control

What is Access Control? – Definition from Techopedia

CIA Triad External links:

CIA Triad – Central Oregon Community College

Parkian Hexad vs the Cia Triad Essay – 1056 Words

The CIA Triad – TechRepublic

Countermeasure External links:

Countermeasure | Definition of Countermeasure by …

Improvised Device Defeat/Explosives Countermeasures …

ACT Cert: Attack Countermeasures Training and …

DoDI 8500.2 External links:

[PDF]DoDI 8500.2 Solution Brief – EventTracker

Environmental design External links:

UC Berkeley College of Environmental Design – Official Site

Health Insurance Portability and Accountability Act External links:

[PDF]Health Insurance Portability and Accountability Act

Health Insurance Portability and Accountability Act …

Health Insurance Portability and Accountability Act …

ISAE 3402 External links:


22. What are SSAE 16 and ISAE 3402? What happened to …

[PDF]AccountChek™ Level Security SSAE 16/ISAE 3402 …

ISO/IEC 27001 External links:

BSI Training – ISO/IEC 27001 Lead Implementer

ISO/IEC 27001 Information Security | BSI America

ISO/IEC 27001:2013
http://ISO/IEC 27001:2013 is an information security standard that was published on the 25th September 2013. It supersedes ISO/IEC 27001:2005, and is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27.

Information Assurance External links:

Information Assurance Directorate – National Security Agency

Information Assurance Training Center


Information security External links:


Title & Settlement Information Security

OSI model External links:


Which layer of the osi model does VPN operate in? – Quora

The OSI Model Demystified – YouTube

Payment Card Industry Data Security Standard External links:

Payment Card Industry Data Security Standard – CyberArk

Physical Security External links:

Access Control and Physical Security

Physical Security | CTTSO

Qognify: Big Data Solutions for Physical Security & …

SSAE 16 External links:

SSAE 16 Auditing and Reporting Services – A-LIGN

SSAE 16 – Overview

[PDF]SSAE 16 –Everything You Wanted To Know But Are …
http://www.isacantx.org/Presentations/2011-12 Lunch – SSAE 16.pdf

Security External links:

Application Status – my Social Security

Homeland Security | Home

Security management External links:

Security Management – Official Site

Endpoint Security Management Software and Solutions – Promisec

Personnel Security Management Office for Industry …

Security risk External links:

Security Risk (eBook, 2011) [WorldCat.org]

Security Risk (1954) – IMDb

Title: Security Risk – isfdb.org

Leave a Reply

Your email address will not be published. Required fields are marked *