159 Security Controls Success Criteria

What is involved in Security Controls

Find out what the related areas are that Security Controls connects with, associates with, correlates with or affects, and which require thought, deliberation, analysis, review and discussion. This checklist is not designed to give answers per se, but to engage the reader and lay out a Security Controls thinking frame.

How far is your company on its Security Controls journey?

Take this short survey to gauge your organization’s progress toward Security Controls leadership. Learn your strongest and weakest areas, and what you can do now to create a strategy that delivers results.

To address the criteria in this checklist for your organization, extensive selected resources are provided for sources of further research and information.

Start the Checklist

Below you will find a quick checklist designed to help you think about which Security Controls related domains to cover and 159 essential critical questions to check off in that domain.

The following domains are covered:

Security Controls, Access control, CIA Triad, Countermeasure, DoDI 8500.2, Environmental design, Health Insurance Portability and Accountability Act, ISAE 3402, ISO/IEC 27001, Information Assurance, Information security, International Standard Book Number, OSI model, Payment Card Industry Data Security Standard, Physical Security, SSAE 16, Security, Security engineering, Security management, Security risk, Security service:

Security Controls Critical Criteria:

Concentrate on Security Controls management and describe which business rules the Security Controls interface needs.

– Are there multiple physical security controls (such as badges, escorts, or mantraps) in place that would prevent unauthorized individuals from gaining access to the facility?

– Does the cloud service agreement make its responsibilities clear and require specific security controls to be applied to the application?

– Are regular reviews of the effectiveness of the ISMS (including meeting of ISMS policy and objectives and review of security controls) undertaken?

– Do the security controls encompass not only the cloud services themselves, but also the management interfaces offered to customers?

– Can the cloud service provider demonstrate appropriate security controls applied to their physical infrastructure and facilities?

– Do we have policies and methodologies in place to ensure the appropriate security controls for each application?

– Is the measuring of the effectiveness of the selected security controls or group of controls defined?

– What role does communication play in the success or failure of a Security Controls project?

– Does the cloud service provider have necessary security controls on their human resources?

– Do we have sufficient processes in place to enforce security controls and standards?

– Have vendors documented and independently verified their Cybersecurity controls?

– Can we do Security Controls without complex (expensive) analysis?

– Who needs to know about Security Controls?

– What are the known security controls?

Access control Critical Criteria:

Discuss Access control risks and budget for Access control challenges.

– Question to cloud provider: Does your platform offer fine-grained access control so that my users can have different roles that do not create conflicts or violate compliance guidelines?

– Are information security policies, including policies for access control, application and system development, operational, network and physical security, formally documented?

– Can the access control product protect individual devices (e.g., floppy disks, CD-ROM drives, serial and parallel interfaces, and the system clipboard)?

– If our security management product supports access control based on defined rules, what is the granularity of the rules supported: access control per user, group, or role?

– Access control: Are there appropriate controls over access to PII when stored in the cloud so that only individuals with a need to know will be able to access it?

– If data need to be secured through access controls (e.g. password-protected network space), how will they be applied?

– Is the process actually generating measurable improvement in the state of logical access control?

– Have the types of risks that may impact Security Controls been identified and analyzed?

– Access Control To Program Source Code: Is access to program source code restricted?

– What is the direction of flow for which access control is required?

– Should we call it role-based, rule-based access control, or RB-RBAC?

– Do the provider services offer fine grained access control?

– What type of advanced access control is supported?

– What access control exists to protect the data?

– Who sets the Security Controls standards?

– What is our role based access control?

– How to deal with Security Controls Changes?

– Who determines access controls?
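Several of the questions above ask whether a platform offers fine-grained, role-based access control and whether roles can be assigned without creating conflicts. The block below is an added example, not code from the checklist or from any product it names: a minimal RBAC policy evaluated at resource/action granularity, with static separation-of-duties (SoD) pairs that refuse conflicting role assignments and an audit that finds users already in violation. All role, permission and user names are hypothetical.

```python
"""Added example (not from the checklist page): a minimal role-based access
control (RBAC) policy with static separation-of-duties (SoD) constraints.
Roles, permissions and users below are hypothetical."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    resource: str
    action: str


@dataclass
class Policy:
    # role name -> permissions granted to that role
    roles: dict[str, set[Permission]] = field(default_factory=dict)
    # pairs of roles that a single user may never hold together
    sod: set[frozenset[str]] = field(default_factory=set)
    # user -> roles currently assigned
    assignments: dict[str, set[str]] = field(default_factory=dict)

    def grant(self, role: str, resource: str, action: str) -> None:
        self.roles.setdefault(role, set()).add(Permission(resource, action))

    def forbid_together(self, role_a: str, role_b: str) -> None:
        self.sod.add(frozenset((role_a, role_b)))

    def conflicts(self, roles: set[str]) -> list[frozenset[str]]:
        """SoD pairs that are fully contained in the given role set."""
        return [pair for pair in self.sod if pair <= roles]

    def assign(self, user: str, role: str) -> None:
        """Assign a role, refusing any assignment that would violate SoD."""
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        proposed = self.assignments.get(user, set()) | {role}
        bad = self.conflicts(proposed)
        if bad:
            other = sorted(bad[0] - {role})
            raise ValueError(f"{user} cannot hold {role}: conflicts with {other}")
        self.assignments[user] = proposed

    def allowed(self, user: str, resource: str, action: str) -> bool:
        """Access decision. Unknown users and unknown roles fail closed."""
        needed = Permission(resource, action)
        return any(needed in self.roles.get(r, set())
                   for r in self.assignments.get(user, ()))

    def audit(self) -> dict[str, list[frozenset[str]]]:
        """Users whose current roles violate an SoD pair, which happens when a
        constraint is added after the conflicting assignment was made."""
        return {u: c for u, rs in self.assignments.items()
                if (c := self.conflicts(rs))}


def build_demo_policy() -> Policy:
    """Constructed demo policy: a clerk submits payments, an approver approves
    them, and nobody may hold both roles."""
    p = Policy()
    p.grant("payment_clerk", "payment", "submit")
    p.grant("payment_approver", "payment", "approve")
    p.grant("auditor", "payment", "read")
    p.grant("auditor", "audit_log", "read")
    p.forbid_together("payment_clerk", "payment_approver")
    p.assign("alice", "payment_clerk")
    p.assign("bob", "payment_approver")
    p.assign("carol", "auditor")
    return p


if __name__ == "__main__":
    policy = build_demo_policy()
    print("alice submit:", policy.allowed("alice", "payment", "submit"))
    print("alice approve:", policy.allowed("alice", "payment", "approve"))
    try:
        policy.assign("alice", "payment_approver")
    except ValueError as exc:
        print("refused:", exc)
    print("audit:", policy.audit())
```

The design choice worth noting is that `assign` checks the proposed role set before mutating anything, so a refused assignment leaves the user's roles unchanged, and `audit` exists because constraints usually arrive after the assignments they should have prevented.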

CIA Triad Critical Criteria:

Review CIA Triad goals and explain and analyze the challenges of CIA Triad.

– How do your measurements capture actionable Security Controls information for use in exceeding your customers' expectations and securing your customers' engagement?

– How do you incorporate cycle time, productivity, cost control, and other efficiency and effectiveness factors into these Security Controls processes?

– How do we manage Security Controls Knowledge Management (KM)?

Countermeasure Critical Criteria:

Reconstruct Countermeasure leadership and assess and formulate effective operational and Countermeasure strategies.

– Why is it important to have senior management support for a Security Controls project?

– Do you monitor the effectiveness of your Security Controls activities?

DoDI 8500.2 Critical Criteria:

Categorize DoDI 8500.2 outcomes and report on the relationships and constraints involved in managing DoDI 8500.2.

– In the case of a Security Controls project, the criteria for the audit derive from the implementation objectives. An audit of a Security Controls project involves assessing whether the recommendations outlined for implementation have been met. In other words, can we track that any Security Controls project is implemented as planned, and is it working?

– Think about the functions involved in your Security Controls project. What processes flow from these functions?

– When a Security Controls manager recognizes a problem, what options are available?

Environmental design Critical Criteria:

Explore Environmental design strategies and modify and define the unique characteristics of interactive Environmental design projects.

– Consider your own Security Controls project. What types of organizational problems do you think might be causing or affecting your problem, based on the work done so far?

– Among the Security Controls product and service cost to be estimated, which is considered hardest to estimate?

Health Insurance Portability and Accountability Act Critical Criteria:

Sort Health Insurance Portability and Accountability Act governance and question it.

– Is there a Security Controls Communication plan covering who needs to get what information when?

– Who are the people involved in developing and implementing Security Controls?

– How do we go about Securing Security Controls?

ISAE 3402 Critical Criteria:

Gauge ISAE 3402 goals and oversee ISAE 3402 management by competencies.

– What management system can we use to leverage the Security Controls experience, ideas, and concerns of the people closest to the work to be done?

– What are current Security Controls Paradigms?

ISO/IEC 27001 Critical Criteria:

Infer ISO/IEC 27001 governance and clarify ways to gain access to competitive ISO/IEC 27001 services.

– Do several people in different organizational units assist with the Security Controls process?

– Is the Security Controls organization completing tasks effectively and efficiently?

– Is the scope of Security Controls defined?

Information Assurance Critical Criteria:

Deliberate over Information Assurance leadership and improve Information Assurance service perception.

– What are your current levels and trends in key measures or indicators of Security Controls product and process performance that are important to and directly serve your customers? How do these results compare with the performance of your competitors and other organizations with similar offerings?

– How do we make it meaningful in connecting Security Controls with what users do day-to-day?

– Do Security Controls rules make a reasonable demand on a user's capabilities?

Information security Critical Criteria:

Accumulate Information security risks and catalog Information security activities.

– Does the information security function actively engage with other critical functions, such as IT, Human Resources, legal, and the privacy officer, to develop and enforce compliance with information security and privacy policies and practices?

– Is the software and application development process based on an industry best practice, and is information security included throughout the software development life cycle (SDLC) process?

– Do we maintain our own threat catalogue on the corporate intranet to remind employees of the wide range of issues of concern to Information Security and the business?

– Is a risk treatment plan formulated to identify the appropriate management action, resources, responsibilities and priorities for managing information security risks?

– Do suitable policies for information security exist for all critical assets of the value added chain (indication of completeness of policies)?

– Do we have an official information security architecture, based on our Risk Management analysis and information security strategy?

– Do suitable policies for information security exist for all critical assets of the value added chain (degree of completeness)?

– Are information security roles and responsibilities coordinated and aligned with internal roles and external partners?

– Have standards for information security across all entities been established or codified into law?

– Have standards for information security across all entities been established or codified into regulations?

– Are information security policies reviewed at least once a year and updated as needed?

– Is information security ensured when using mobile computing and tele-working facilities?

– Do the information security procedures support the business requirements?

– What best describes the authorization process in information security?

– Is an organizational information security policy established?

– What is the main driver for information security expenditure?

– What is information security?

International Standard Book Number Critical Criteria:

Paraphrase International Standard Book Number outcomes and ask questions.

– How do we ensure that implementations of Security Controls products are done in a way that ensures safety?

– What are the business goals Security Controls is aiming to achieve?

– Are we Assessing Security Controls and Risk?

OSI model Critical Criteria:

Jump start OSI model engagements and work towards becoming a leading OSI model expert.

– How do we Identify specific Security Controls investment and emerging trends?

– Are there Security Controls Models?

Payment Card Industry Data Security Standard Critical Criteria:

Focus on Payment Card Industry Data Security Standard failures and test out new things.

– What are the barriers to increased Security Controls production?

– What business benefits will Security Controls goals deliver if achieved?

– Does Security Controls appropriately measure and monitor risk?

Physical Security Critical Criteria:

Substantiate Physical Security risks and budget the knowledge transfer for anyone interested in Physical Security.

– Does your Cybersecurity plan contain both cyber and physical security components, or does your physical security plan identify critical cyber assets?

– Has Cybersecurity been identified in the physical security plans for the assets, reflecting planning for a blended cyber/physical attack?

– Secured Offices, Rooms and Facilities: Is physical security for offices, rooms and facilities designed and applied?

– What prevents me from making the changes I know will make me a more effective Security Controls leader?

– Is the security product consistent with physical security and other policy requirements?

– How do we know that any Security Controls analysis is complete and comprehensive?

SSAE 16 Critical Criteria:

Guard SSAE 16 quality and reinforce and communicate particularly sensitive SSAE 16 decisions.

– How can you negotiate Security Controls successfully with a stubborn boss, an irate client, or a deceitful coworker?

– How do we go about Comparing Security Controls approaches/solutions?

Security Critical Criteria:

Align Security governance and remodel and develop an effective Security strategy.

– Specifically with regard to your customer data, what metadata does the provider have about your data, how is it secured, and what access do you, the customer, have to that metadata?

– Has specific responsibility been assigned for the execution of business continuity and disaster recovery plans (either within or outside of the information security function)?

– Are security alerts from the intrusion detection or intrusion prevention system (IDS/IPS) continuously monitored, and are the latest IDS/IPS signatures installed?

– Confidentiality and security are components of the trust that are so essential to CRM. How do you build this trust in the new ecology?

– Are system backup and recovery procedures documented and regularly tested for all mission critical systems/websites?

– For security consulting services, can we describe our services in detail, together with an estimated number of hours?

– In the next 12 months will you accept, store, process, or exchange credit/debit card transaction information?

– What best describes the operating structure of your organization's IT security function or department?

– How does the firewall quality affect the likelihood of a security breach or the expected loss?

– Do you have a baseline configuration of IT/ICS that is used and regularly maintained?

– Does the IT security services guide recommend outsourcing IT security services?

– In the managed security scenario, is there a periodic reporting procedure?

– Do we appropriately integrate Cybersecurity risk into business risk?

– Do you require customer sign-off on mid-project changes?

– What is our current (as-is) IT security architecture?

– How often are personnel trained in this procedure?

– What Are the Key Privacy Concerns in the Cloud?

– In geographically separated locations?

– How to Handle Scam Emails?

– What to Outsource?

Security engineering Critical Criteria:

Explore Security engineering issues and modify and define the unique characteristics of interactive Security engineering projects.

– What other jobs or tasks affect the performance of the steps in the Security Controls process?

– Why is Security Controls important for you now?

– Why should we adopt a Security Controls framework?

Security management Critical Criteria:

Work through Security management issues and create a map for yourself.

– Has the organization established an Identity and Access Management program that is consistent with requirements, policy, and applicable guidelines and which identifies users and network devices?

– What will be the consequences to the business (financial, reputation etc) if Security Controls does not go ahead or fails to deliver the objectives?

– Does the service agreement have metrics for measuring performance and effectiveness of security management?

– What vendors make products that address the Security Controls needs?

– So, how does security management manifest in cloud services?

– Are damage assessment and disaster recovery plans in place?

Security risk Critical Criteria:

Shape Security risk leadership and find answers.

– Do we support the certified Cybersecurity professional and cyber-informed operations and engineering professionals with advanced problem-solving tools, communities of practice, canonical knowledge bases, and other performance support tools?

– What is the framework we use for general Cybersecurity certifications that integrate both knowledge and skill while predicting constraints of innate abilities on performance, and do we need specific certifications?

– How do various engineering job roles and Cybersecurity specialty roles engage to maximize constructive overlap and differences to address security for these systems?

– Do you have a process for looking at consequences of cyber incidents that informs your risk management process?

– Are recovery activities communicated to internal stakeholders and executive and management teams?

– How do we define and assess risk generally and Cybersecurity risk specifically?

– Is our Cybersecurity strategy aligned with our business objectives?

– How do we measure the effectiveness of our Cybersecurity program?

– What performance requirements do you want from the company?

– Do you use contingency-driven consequence analysis?

– Have we had a PCI compliance assessment done?

– Are Cybersecurity responsibilities assigned?

– Are there beyond-compliance activities?

– Who will be responsible internally?

– How do you design a secure network?

– What is encryption?

Security service Critical Criteria:

Brainstorm over Security service strategies and explore and align the progress in Security service.

– Certainly the increasingly mobile work force makes compliance more difficult. With more endpoints, devices and people involved, there is that much more to watch. There are devices not owned by the organization pulling data off the organization's network. Is your organization's policy consistent with that of the contractors you work with?

– Follow-up: Follow-up should include regular status reporting, describing new controls and lessons learned to improve future performance. The most important element of the follow-up stage is performing a postmortem analysis of the response procedure itself. Exactly what happened and at what times?

– Encryption helps to secure data that may be stored on a stolen laptop but what about the sensitive data that is sent via e-mail or downloaded to a USB device?

– If a back door exit was used to circumvent an attack, do the attackers now know of such a back door, and thus should a new back door be constructed?

– For the private information collected, is there a process for deleting this information once it is complete or not needed anymore?

– There are numerous state and federal laws requiring IT security compliance. Do you know which apply to your organization?

– Have you had a PCI compliance audit performed in the last 12 months by an approved PCI Qualified Security Assessor?

– If not technically feasible, what safeguards are in place to ensure the security of private information?

– Are we protecting our data properly at rest if an attacker compromises our applications or systems?

– Do you regularly audit 3rd parties with whom you have data sharing agreements?

– What governs the performance of services in the absence of a contract?

– Do you have a process for monitoring, approving and removing content?

– Are there redundant connections to your critical business partners?

– Do you have any data sharing agreements with any 3rd parties?

– Do you have log/event monitoring solutions in place today?

– Do you require sub-contractors to carry E&O insurance?

– Do you have a dedicated security officer/manager?

– What percent of time are contracts not used?

– What is the IT security service life cycle?

– Who has authority to customize contracts?
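Two of the questions in this and the Security section ask whether IDS/IPS alerts are continuously monitored and whether a log/event monitoring solution is in place. Having the tooling is only half the answer; the other half is the detection logic it runs. The block below is an added example, not code from the checklist or from any product: a sliding-window rule that flags a source address with five or more failed SSH logins inside 60 seconds, run over log lines constructed for this example in OpenSSH's syslog format. The host name, process IDs and addresses (taken from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) are all made up.

```python
"""Added example (not from the checklist page): brute-force detection logic
that a log/event monitoring pipeline might run over authentication logs.
The sample lines below are constructed; they follow OpenSSH's syslog format."""
import re
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 5   # failed logins ...
WINDOW = 60     # ... within this many seconds from one source address

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Constructed sample: 203.0.113.5 crosses the threshold on its 5th failure,
# 198.51.100.7 fails once, 203.0.113.9 fails 5 times but spread over > 60 s.
SAMPLE_LOG = """\
Jan 10 12:00:01 bastion sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Jan 10 12:00:03 bastion sshd[4103]: Failed password for invalid user admin from 203.0.113.5 port 40114 ssh2
Jan 10 12:00:04 bastion sshd[4105]: Accepted publickey for deploy from 198.51.100.7 port 51000 ssh2
Jan 10 12:00:05 bastion sshd[4107]: Failed password for invalid user admin from 203.0.113.5 port 40116 ssh2
Jan 10 12:00:06 bastion sshd[4109]: Failed password for root from 203.0.113.5 port 40118 ssh2
Jan 10 12:00:08 bastion sshd[4111]: Failed password for invalid user test from 203.0.113.5 port 40120 ssh2
Jan 10 12:00:09 bastion sshd[4113]: Failed password for deploy from 198.51.100.7 port 51002 ssh2
Jan 10 12:00:10 bastion sshd[4115]: Failed password for root from 203.0.113.9 port 60000 ssh2
Jan 10 12:00:11 bastion sshd[4117]: Failed password for root from 203.0.113.9 port 60002 ssh2
Jan 10 12:00:12 bastion sshd[4119]: Failed password for root from 203.0.113.9 port 60004 ssh2
Jan 10 12:00:15 bastion sshd[4121]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Jan 10 12:02:30 bastion sshd[4123]: Failed password for root from 203.0.113.9 port 60006 ssh2
Jan 10 12:02:31 bastion sshd[4125]: Failed password for root from 203.0.113.9 port 60008 ssh2
"""


def parse_ts(ts: str, year: int = 2024) -> datetime:
    """Syslog timestamps carry no year; the year is assumed for this example."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(lines, threshold: int = THRESHOLD, window: int = WINDOW) -> dict:
    """Return {source_ip: time_threshold_was_crossed} for addresses with at
    least `threshold` failed logins inside any `window`-second span.
    Lines must be in time order (as a log file is); non-matching lines are
    ignored, so successful logins and other sshd messages do not count."""
    recent: dict[str, deque] = defaultdict(deque)
    alerts: dict[str, datetime] = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        ip, t = m["ip"], parse_ts(m["ts"])
        q = recent[ip]
        q.append(t)
        # Drop failures that have aged out of the window for this source.
        while (t - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = t        # first crossing only; one alert per source
    return alerts


def failure_counts(lines) -> dict:
    """Total failed logins per source address, regardless of timing."""
    counts: dict[str, int] = defaultdict(int)
    for line in lines:
        m = FAILED.match(line)
        if m:
            counts[m["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT brute force from {ip} at {when:%H:%M:%S}")
    print("failures per source:", failure_counts(SAMPLE_LOG.splitlines()))
```

The window is per source address and only the first crossing raises an alert, so a sustained attack produces one event rather than one per additional failure; raw counts are kept separately because a source with many failures spread thinly over time (203.0.113.9 here) is still worth reporting even though it never trips the rate rule.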


This quick readiness checklist is a selected resource to help you move forward. Learn more about how to achieve comprehensive insights with the Security Controls Self Assessment.


Author: Gerard Blokdijk

CEO at The Art of Service | http://theartofservice.com



Gerard is the CEO at The Art of Service. He has been providing information technology insights, talks, tools and products to organizations in a wide range of industries for over 25 years. Gerard is a widely recognized and respected information expert. Gerard founded The Art of Service consulting business in 2000. Gerard has authored numerous published books to date.

External links:

To address the criteria in this checklist, these selected resources are provided for sources of further research and information:

Security Controls External links:

Picture This: A visual guide to security controls – CertMag

Access control External links:

Multi-Factor Authentication – Access control | Microsoft Azure

What is Access Control? – Definition from Techopedia

Linear Pro Access – Professional Access Control Systems

CIA Triad External links:

CIA TRIAD – 13050 – The Cisco Learning Network

CIA Triad of Cybersecurity – InfoSec Resources

CIA Triad of Information Security – Techopedia.com

Countermeasure External links:

Countermeasure | definition of countermeasure by …

Countermeasure | Definition of Countermeasure by …

DoDI 8500.2 External links:

DoDI 8500.2 – Intelsat General Corporation

Environmental design External links:

T. Lake Environmental Design | Landscaping Macon …

Health Insurance Portability and Accountability Act External links:

Health Insurance Portability and Accountability Act …

[PDF]Health Insurance Portability and Accountability Act

ISAE 3402 External links:

[PDF]AccountChek™ Level Security SSAE 16/ISAE 3402 …

22. What are SSAE 16 and ISAE 3402? What happened to …

ISAE 3402 – Overview

ISO/IEC 27001 External links:

ISO/IEC 27001 Information Security Management Standard

ISO/IEC 27001 Information Security | BSI America

ISO/IEC 27001 certification standard

Information Assurance External links:


[PDF]Information Assurance Specialist – GC Associates USA

Information Assurance Training Center

Information security External links:

ALTA – Information Security

Information Security

Title & Settlement Information Security

International Standard Book Number External links:

International Standard Book Number – Quora

[PDF]International Standard Book Number: 0-942920-53-8

What is an ISBN (International Standard Book Number)?

OSI model External links:

OSI Model Flashcards | Quizlet

The OSI model Flashcards | Quizlet

Why is the OSI model important? – Updated 2017 – Quora

Payment Card Industry Data Security Standard External links:

Payment Card Industry Data Security Standard …

Physical Security External links:

Army COOL Summary – ASI H3 – Physical Security Operations

ADC LTD NM Leader In Personnel & Physical Security

UAB – Business and Auxiliary Services – Physical Security

SSAE 16 External links:

SSAE 16 Information Technology Services Report | Paychex

SSAE-18 – An Update to SSAE 16 (Coming 2017)

SSAE 16 Type 2 Compliant – Alliant National

Security External links:

my Social Security | Social Security Administration

Home Security

Security engineering External links:

Master of Science in Cyber Security Engineering – UW …

Blockchain Protocol Analysis and Security Engineering …

Security management External links:

Personnel Security Management Office for Industry …

Endpoint Security Management Software and Solutions – Promisec

Cisco Content Security Management Virtual Appliance …

Security risk External links:

Security Risk (1954) – IMDb

Security Risk (eBook, 2011) [WorldCat.org]

[PDF]Supersedes ADMINISTRATIVE Security Risk …

Security service External links:

myBranch Online Banking Log In | Security Service

Contact Us | Security Service
