147 Security Controls Success Criteria

What is involved in Security Controls

Find out what the related areas are that Security Controls connects with, associates with, correlates with or affects, and which require thought, deliberation, analysis, review and discussion. This unique checklist stands out in a sense that it is not per-se designed to give answers, but to engage the reader and lay out a Security Controls thinking-frame.

How far is your company on its Security Controls journey?

Take this short survey to gauge your organization’s progress toward Security Controls leadership. Learn your strongest and weakest areas, and what you can do now to create a strategy that delivers results.

To address the criteria in this checklist for your organization, extensive selected resources are provided for sources of further research and information.

Start the Checklist

Below you will find a quick checklist designed to help you think about which Security Controls related domains to cover and 147 essential critical questions to check off in that domain.

The following domains are covered:

Security Controls, Access control, CIA Triad, Countermeasure, DoDI 8500.2, Environmental design, Health Insurance Portability and Accountability Act, ISAE 3402, ISO/IEC 27001, Information Assurance, Information security, OSI model, Payment Card Industry Data Security Standard, Physical Security, SSAE 16, Security, Security engineering, Security management, Security risk, Security service:

Security Controls Critical Criteria:

Systematize Security Controls leadership and report on the economics of relationships managing Security Controls and constraints.

– In the case of a Security Controls project, the criteria for the audit derive from implementation objectives. an audit of a Security Controls project involves assessing whether the recommendations outlined for implementation have been met. in other words, can we track that any Security Controls project is implemented as planned, and is it working?

– Are there multiple physical security controls (such as badges, escorts, or mantraps) in place that would prevent unauthorized individuals from gaining access to the facility?

– Does the cloud service agreement make its responsibilities clear and require specific security controls to be applied to the application?

– Are regular reviews of the effectiveness of the ISMS (including meeting of ISMS policy and objectives and review of security controls) undertaken?

– Do the security controls encompass not only the cloud services themselves, but also the management interfaces offered to customers?

– Can the cloud service provider demonstrate appropriate security controls applied to their physical infrastructure and facilities?

– Do we have policies and methodologies in place to ensure the appropriate security controls for each application?

– Is the measuring of the effectiveness of the selected security controls or group of controls defined?

– Does the cloud service provider have necessary security controls on their human resources?

– Do we have sufficient processes in place to enforce security controls and standards?

– Have vendors documented and independently verified their Cybersecurity controls?

– Is Security Controls dependent on the successful delivery of a current project?

– Do we have sufficient processes in place to enforce security controls and standards?

– Are there recognized Security Controls problems?

– What are the known security controls?

Access control Critical Criteria:

Shape Access control outcomes and remodel and develop an effective Access control strategy.

– Question to cloud provider: Does your platform offer fine-grained access control so that my users can have different roles that do not create conflicts or violate compliance guidelines?

– Are information security policies, including policies for access control, application and system development, operational, network and physical security, formally documented?

– Can the access control product protect individual devices (e.g., floppy disks, compact disks–read-only memory CD-ROM, serial and parallel interfaces, and system clipboard)?

– If our security management product supports access control based on defined rules, what is the granularity of the rules supported: access control per user, group, or role?

– Does the provider utilize Network Access Control based enforcement for continuous monitoring of its virtual machine population and virtual machine sprawl prevention?

– Access control: Are there appropriate controls over access to PII when stored in the cloud so that only individuals with a need to know will be able to access it?

– At what point will vulnerability assessments be performed once Security Controls is put into production (e.g., ongoing Risk Management after implementation)?

– If data need to be secured through access controls (e.g. password-protected network space), how will they be applied?

– Access control: Are there appropriate access controls over PII when it is in the cloud?

– Access Control To Program Source Code: Is access to program source code restricted?

– What is the direction of flow for which access control is required?

– Should we call it role based rule based access control, or rbrbac?

– Do the provider services offer fine grained access control?

– How do we go about Comparing Security Controls approaches/solutions?

– What type of advanced access control is supported?

– Have all basic functions of Security Controls been defined?

– What access control exists to protect the data?

– What is our role based access control?

– Who determines access controls?

CIA Triad Critical Criteria:

See the value of CIA Triad goals and diversify disclosure of information – dealing with confidential CIA Triad information.

– What will be the consequences to the business (financial, reputation etc) if Security Controls does not go ahead or fails to deliver the objectives?

– What is the total cost related to deploying Security Controls, including any consulting or professional services?

– What knowledge, skills and characteristics mark a good Security Controls project manager?

Countermeasure Critical Criteria:

Concentrate on Countermeasure strategies and get going.

– Does Security Controls include applications and information with regulatory compliance significance (or other contractual conditions that must be formally complied with) in a new or unique manner for which no approved security requirements, templates or design models exist?

– Does Security Controls analysis show the relationships among important Security Controls factors?

DoDI 8500.2 Critical Criteria:

Be responsible for DoDI 8500.2 visions and use obstacles to break out of ruts.

– what is the best design framework for Security Controls organization now that, in a post industrial-age if the top-down, command and control model is no longer relevant?

– What are the barriers to increased Security Controls production?

– How is the value delivered by Security Controls being measured?

Environmental design Critical Criteria:

Pilot Environmental design outcomes and check on ways to get started with Environmental design.

– What tools and technologies are needed for a custom Security Controls project?

– Who will be responsible for documenting the Security Controls requirements in detail?

– Are we Assessing Security Controls and Risk?

Health Insurance Portability and Accountability Act Critical Criteria:

Sort Health Insurance Portability and Accountability Act governance and correct better engagement with Health Insurance Portability and Accountability Act results.

– How does the organization define, manage, and improve its Security Controls processes?

– What are the Essentials of Internal Security Controls Management?

– Why are Security Controls skills important?

ISAE 3402 Critical Criteria:

Explore ISAE 3402 outcomes and report on developing an effective ISAE 3402 strategy.

– What are the success criteria that will indicate that Security Controls objectives have been met and the benefits delivered?

– How important is Security Controls to the user organizations mission?

– Which Security Controls goals are the most important?

ISO/IEC 27001 Critical Criteria:

Concentrate on ISO/IEC 27001 failures and research ways can we become the ISO/IEC 27001 company that would put us out of business.

– How do we ensure that implementations of Security Controls products are done in a way that ensures safety?

– Does Security Controls appropriately measure and monitor risk?

Information Assurance Critical Criteria:

Generalize Information Assurance governance and intervene in Information Assurance processes and leadership.

– What are our best practices for minimizing Security Controls project risk, while demonstrating incremental value and quick wins throughout the Security Controls project lifecycle?

– Is there any existing Security Controls governance structure?

Information security Critical Criteria:

Own Information security tasks and simulate teachings and consultations on quality process improvement of Information security.

– Does the information security function actively engage with other critical functions, such as it, Human Resources, legal, and the privacy officer, to develop and enforce compliance with information security and privacy policies and practices?

– Is there an information security policy to provide mgmt direction and support for information security in accordance with business requirements, relevant laws and regulations?

– Does the ISMS policy provide a framework for setting objectives and establishes an overall sense of direction and principles for action with regard to information security?

– Is a risk treatment plan formulated to identify the appropriate mgmt action, resources, responsibilities and priorities for managing information security risks?

– Are Human Resources subject to screening, and do they have terms and conditions of employment defining their information security responsibilities?

– If a survey was done with asking organizations; Is there a line between your information technology department and your information security department?

– Do suitable policies for the information security exist for all critical assets of the value added chain (indication of completeness of policies, Ico )?

– Are we requesting exemption from or modification to established information security policies or standards?

– What information security and privacy standards or regulations apply to the cloud customers domain?

– Is there a consistent and effective approach applied to the mgmt of information security events?

– what is the difference between cyber security and information security?

– Does mgmt establish roles and responsibilities for information security?

– Is information security an it function within the company?

– What is information security?

OSI model Critical Criteria:

Refer to OSI model risks and know what your objective is.

– How can the value of Security Controls be defined?

– What are current Security Controls Paradigms?

Payment Card Industry Data Security Standard Critical Criteria:

Wrangle Payment Card Industry Data Security Standard quality and find answers.

– What role does communication play in the success or failure of a Security Controls project?

– Do we monitor the Security Controls decisions made and fine tune them as they evolve?

– What new services of functionality will be implemented next with Security Controls ?

Physical Security Critical Criteria:

Start Physical Security planning and frame using storytelling to create more compelling Physical Security projects.

– Does your Cybersecurity plan contain both cyber and physical security components, or does your physical security plan identify critical cyber assets?

– Has Cybersecurity been identified in the physical security plans for the assets, reflecting planning for a blended cyber/physical attack?

– Among the Security Controls product and service cost to be estimated, which is considered hardest to estimate?

– Secured Offices, Rooms and Facilities: Are physical security for offices, rooms and facilities designed and applied?

– Is the security product consistent with physical security and other policy requirements?

– To what extent does management recognize Security Controls as a tool to increase the results?

SSAE 16 Critical Criteria:

Inquire about SSAE 16 leadership and reinforce and communicate particularly sensitive SSAE 16 decisions.

– What is our formula for success in Security Controls ?

– How can you measure Security Controls in a systematic way?

Security Critical Criteria:

Deliberate Security results and optimize Security leadership as a key to advancement.

– Is the security of organizations information and information processing facilities maintained when these are accessed, processed, communicated to or managed by external parties?

– Based on our information security Risk Management strategy, do we have official written information security and privacy policies, standards, or procedures?

– Have total life-cycle support, ease-of-use, scalability, and interoperability requirements been determined?

– Question to cloud provider: Can I integrate my current IdAM system with your cloud services?

– Have security reviews included requirements for support, plug-in components, or middleware?

– What percentage of revenues is generated from services provided by sub-contractors?

– How do you manage the new access devices using their own new application software?

– Are users knowledgeable about PKI, and how much training will they undergo?

– When do you ask for help from Information Technology (IT)?

– What issues/factors affect IT security service decisions?

– Where is this procedure or policy written and kept?

– Have you had a pci compliance assessment done?

– Is router-to-router authentication supported?

– What Information is Personally Identifiable?

– What percent of time are contracts not used?

– Prioritising waiting lists: How and why?

– Do we develop a Cyber Security Center?

– What can be done at the client side?

Security engineering Critical Criteria:

Confer over Security engineering quality and separate what are the business goals Security engineering is aiming to achieve.

– Who is responsible for ensuring appropriate resources (time, people and money) are allocated to Security Controls?

– Does our organization need more Security Controls education?

Security management Critical Criteria:

Talk about Security management tasks and report on setting up Security management without losing ground.

– Has the organization established an Identity and Access Management program that is consistent with requirements, policy, and applicable guidelines and which identifies users and network devices?

– Has the organization established an enterprise-wide business continuity/disaster recovery program that is consistent with requirements, policy, and applicable guidelines?

– Does the service agreement have metrics for measuring performance and effectiveness of security management?

– Is there a business continuity/disaster recovery plan in place?

– So, how does security management manifest in cloud services?

– Does the Security Controls task fit the clients priorities?

– What are the business goals Security Controls is aiming to achieve?

Security risk Critical Criteria:

Audit Security risk failures and prioritize challenges of Security risk.

– What is the framework we use for general Cybersecurity certifications that integrate both knowledge and skill while predicting constraints of innate abilities on performance, and do we need specific certifications?

– Are you aware of anyone attempting to gain information in person, by phone, mail, email, etc., regarding the configuration and/or cyber security posture of your website, network, software, or hardware?

– How do various engineering job roles and Cybersecurity specialty roles engage to maximize constructive overlap and differences to address security for these systems?

– How do you monitor your Cybersecurity posture on business IT systems and ICS systems and communicate status and needs to leadership?

– How can you tell if the actions you plan to take will contain the impact of a potential cyber threat?

– Is there a person at our organization who assesses vulnerabilities, consequences, and threats?

– Do your response plans include lessons learned and mechanisms for continual improvement?

– Do you have an enterprise-wide risk management program that includes Cybersecurity?

– Do we appropriately integrate Cybersecurity risk into business risk?

– What needs to happen for improvement actions to take place?

– Why Cybersecurity?

Security service Critical Criteria:

Pilot Security service projects and find answers.

– During the last 3 years, have you experienced a disruption to your computer system that lasted longer than 4 hours for any reason (other than planned downtime)?

– Do you monitor your network in real time to detect possible intrusions or abnormalities in the performance of your system?

– Organizations must be especially diligent about regularly measuring their compliance performance: Is the policy effective?

– Are user accounts audited regularly to determine their security levels are appropriately set?

– Does our security program adequately protected against opportunistic and targeted attackers?

– Documentation Logs What records should be kept from before, during, and after an incident?

– Is your organizations policy consistent with that of contractors you work with?

– Are network and system backups performed at least once per week?

– Is your privacy policy reviewed and updated at least annually?

– What is the range of the limitation of liability in contracts?

– Do you have log/event monitoring solutions in place today?

– Have you had a security audit performed in the past?

– When does the IT security services life cycle end?

– Is there a patch management process in place?

– What is the estimated value of the project?

– Do you allow remote access to your system?

– Who has authority to customize contracts?

– Are contingencies and disasters covered?

– Who should be notified about incidents?

– Indemnification Clause to your benefit?


This quick readiness checklist is a selected resource to help you move forward. Learn more about how to achieve comprehensive insights with the Security Controls Self Assessment:


Author: Gerard Blokdijk

CEO at The Art of Service | http://theartofservice.com



Gerard is the CEO at The Art of Service. He has been providing information technology insights, talks, tools and products to organizations in a wide range of industries for over 25 years. Gerard is a widely recognized and respected information expert. Gerard founded The Art of Service consulting business in 2000. Gerard has authored numerous published books to date.

External links:

To address the criteria in this checklist, these selected resources are provided for sources of further research and information:

Access control External links:

Multi-Factor Authentication – Access control | Microsoft Azure

What is Access Control? – Definition from Techopedia

Linear Pro Access – Professional Access Control Systems

CIA Triad External links:

The CIA Triad – TechRepublic

CIA Triad of Cybersecurity – InfoSec Resources

CIA Triad of Information Security – Techopedia.com

DoDI 8500.2 External links:

DoDI 8500.2 – Intelsat General Corporation

Environmental design External links:

Jessica Ross Design – Interior and Environmental Design

LEED | Leadership in Energy & Environmental Design

Health Insurance Portability and Accountability Act External links:

Health Insurance Portability and Accountability Act

Health Insurance Portability and Accountability Act (HIPAA)

ISAE 3402 External links:

22. What are SSAE 16 and ISAE 3402? What happened to …

Differences Between ISAE 3402 SSAE 16 – A-LIGN

ISAE 3402 – Overview

ISO/IEC 27001 External links:

ISO/IEC 27001
http://ISO/IEC 27001:2013 is an information security standard that was published on the 25th September 2013. It supersedes ISO/IEC 27001:2005, and is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27.

Information Assurance External links:

Information Assurance Training Center

Title Information Assurance Jobs, Employment | Indeed.com

[PDF]Information Assurance Workforce Improvement Program

Information security External links:

Information Security

Title & Settlement Information Security


OSI model External links:

Seven Layer OSI model Flashcards | Quizlet

The OSI Model Demystified – YouTube

The OSI Model Layers from Physical to Application – Lifewire

Payment Card Industry Data Security Standard External links:

[PDF]Payment Card Industry Data Security Standard (PCI DSS)

Physical Security External links:

ADC LTD NM Leader In Personnel & Physical Security

Army COOL Summary – ASI H3 – Physical Security Operations

System and Data Verification Solution for Physical Security

SSAE 16 External links:

What is SSAE 16? – Definition from WhatIs.com

SSAE 16 – Overview

SSAE 16 – Official Site

Security External links:

my Social Security | Social Security Administration

What You Can Do Online | Social Security Administration

Security engineering External links:

Master of Science in Cyber Security Engineering – UW Bothell

Master of Science Cyber Security Engineering – USC Online

Security management External links:

Security Management System

Bitdefender Central – Remote Security Management Hub

Security Management and Intelligence | Microsoft

Security risk External links:

Security Risk (eBook, 2011) [WorldCat.org]

Security Risk (1954) – IMDb

Security service External links:

Contact Us | Security Service

Defense Security Service – Official Site

myBranch Online Banking Log In | Security Service

Leave a Reply

Your email address will not be published. Required fields are marked *