B.3 Strategies and Actions
Use the worksheets in this section when you define and document the organizationwide protection strategy and near-term action items during process 8A. The following worksheets are contained in this section:
B.3.1 Current Security Practices Worksheets
| Process 8 |
Activity: Before the Workshop: Consolidate Information from processes 1 to 3 (Section 10.2) |
| Purpose |
To compile current security practice and organizational vulnerability information from processes 1 to 3. |
| Instructions |
Note that there are two tables for each practice area in the Current Security Practices Worksheet. The first table summarizes the results of the surveys that were completed during processes 1 to 3. The second table consolidates contextual information (protection strategy practices and organizational vulnerabilities) that was identified during the protection strategy discussion from processes 1 to 3. Compile the results of the surveys that you asked participants to complete during processes 1 to 3. Consider the following guidelines when compiling survey data:
If 75 percent or more of respondents replied "yes," mark the result as Yes. The percentage of respondents stating that a practice was used by the organization was high enough that the practice is most likely used by the organization. If 75 percent or more of respondents replied "no," mark the result as No. The percentage of respondents stating that a practice was not used by the organization was high enough that the practice is most likely not used by the organization. If 75 percent or more of respondents replied "Don't Know," mark the result as Unclear. Neither the yes nor no criteria were met. Since the percentages of "yes" and "no" responses do not meet the 75 percent threshold, indicate that it is unclear whether the practice is present or not. This result could mean that some people use the practice while others don't, or that the practice is present to some degree but is not effective enough. Compile contextual information about security practices and organizational vulnerabilities that you recorded during processes 1 to 3. Recall that you conducted a facilitated discussion about current security practices in the organization after participants completed the surveys. |
Current Security Practices Worksheet
| Staff members understand their security roles and responsibilities. This is documented and verified. |
|
|
|
|
| There is adequate in-house expertise for all supported services, mechanisms, and technologies (e.g., logging, monitoring, or encryption), including their secure operation. This is documented and verified. |
|
|
|
|
| Security awareness, training, and periodic reminders are provided for all personnel. Staff understanding is documented, and compliance is periodically verified. |
|
|
|
|
| Senior management |
|
|
| Operational area management |
|
|
| Staff |
|
|
| IT staff |
|
|
| The organization's business strategies routinely incorporate security considerations. |
|
|
|
|
| Security strategies and policies take into consideration the organization's business strategies and goals. |
|
|
|
|
| Security strategies, goals, and objectives are documented and are routinely reviewed, updated, and communicated to the organization. |
|
|
|
|
| Senior management |
|
|
| Operational area management |
|
|
| Staff |
|
|
| IT staff |
|
|
| Management allocates sufficient funds and resources to information security activities. |
|
|
|
|
| Security roles and responsibilities are defined for all staff in the organization. |
|
|
|
|
| The organization's hiring and termination practices for staff take information security issues into account. |
|
|
|
|
| The organization manages information security risks by assessing risks to information security and taking steps to mitigate information security risks. |
|
|
|
|
| Management receives and acts upon routine reports summarizing security-related information (e.g., audits, logs, risk and vulnerability assessments). |
|
|
|
|
| Senior management |
|
|
| Operational area management |
|
|
| Staff |
|
|
| IT staff |
|
|
| The organization has a comprehensive set of documented, current policies that are periodically reviewed and updated. |
|
|
|
|
|
There is a documented process for management of security policies:
Creation Administration (including periodic reviews and updates) Communication |
|
|
|
|
| The organization has a documented process for evaluating and ensuring compliance with information security policies, applicable laws and regulations, and insurance requirements. |
|
|
|
|
| The organization uniformly enforces its security policies. |
|
|
|
|
| Senior management |
|
|
| Operational area management |
|
|
| Staff |
|
|
| IT staff |
|
|
|
The organization has policies and procedures for protecting information when working with external organizations (e.g., third parties, collaborators, subcontractors, or partners):
Protecting information belonging to other organizations Understanding the security policies and procedures of external organizations Ending access to information by terminated external personnel |
|
|
|
|
| The organization has verified that outsourced security services, mechanisms, and technologies meet its needs and requirements. |
|
|
|
|
| Senior management |
|
|
| Operational area management |
|
|
| Staff |
|
|
| IT staff |
|
|
| An analysis of operations, applications, and data criticality has been performed. |
|
|
|
|
| The organization has documented, reviewed, and tested business continuity or emergency operation plans, disaster recovery plan(s), and contingency plan(s) for responding to emergencies. |
|
|
|
|
| The contingency, disaster recovery, and business continuity plans consider physical and electronic access requirements and controls. |
|
|
|
|
| All staff are aware of the contingency, disaster recovery, and business continuity plans and understand and are able to carry out their responsibilities. |
|
|
|
|
| Senior management |
|
|
| Operational area management |
|
|
| Staff |
|
|
| IT staff |
|
|
| Facility security plans and procedures for safeguarding the premises, buildings, and any restricted areas are documented and tested. |
|
|
|
|
| There are documented policies and procedures for managing visitors. |
|
|
|
|
| There are documented policies and procedures for physical control of hardware and software. |
|
|
|
|
| Senior management |
|
|
| Operational area management |
|
|
| Staff |
|
|
| IT staff |
|
|
| There are documented policies and procedures for controlling physical access to work areas and hardware (computers, communication devices, etc.) and software media. |
|
|
|
|
| Workstations and other components that allow access to sensitive information are physically safeguarded to prevent unauthorized access. |
|
|
|
|
| Senior management |
|
|
| Operational area management |
|
|
| Staff |
|
|
| IT staff |
|
|
| Maintenance records are kept to document the repairs and modifications of a facility's physical components. |
|
|
|
|
| An individual's or group's actions can be accounted for with respect to all physically controlled media. |
|
|
|
|
| Audit and monitoring records are routinely examined for anomalies, and corrective action is taken as needed. |
|
|
|
|
| Senior management |
|
|
| Operational area management |
|
|
| Staff |
|
|
| IT staff |
|
|
| There are documented and tested security plan(s) for safeguarding the systems and networks. |
|
|
|
|
| Sensitive information is protected by secure storage (e.g., backups stored off-site, discard process for sensitive information). |
|
|
|
|
| The integrity of installed software is regularly verified. |
|
|
|
|
| All systems are up to date with respect to revisions, patches, and recommendations in security advisories. |
|
|
|
|
| There is a documented and tested data backup plan for backups of both software and data. All staff understand their responsibilities under the backup plans. |
|
|
|
|
| Changes to IT hardware and software are planned, controlled, and documented. |
|
|
|
|
|
IT staff members follow procedures when issuing, changing, and terminating users' passwords, accounts, and privileges:
Unique user identification is required for all information system users, including third-party users. Default accounts and default passwords have been removed from systems. |
|
|
|
|
| Only necessary services are running on systems; all unnecessary services have been removed. |
|
|
|
|
| Senior management |
|
|
| Operational area management |
|
|
| Staff |
|
|
| IT staff |
|
|
| Tools and mechanisms for secure system and network administration are used, and they are routinely reviewed and updated or replaced. |
|
|
|
|
| Senior management |
|
|
| Operational area management |
|
|
| Staff |
|
|
| IT staff |
|
|
| System and network monitoring and auditing tools are routinely used by the organization. Unusual activity is dealt with according to the appropriate policy or procedure. |
|
|
|
|
| Firewall and other security components are periodically audited for compliance with policy. |
|
|
|
|
| Senior management |
|
|
| Operational area management |
|
|
| Staff |
|
|
| IT staff |
|
|
| Appropriate access controls and user authentication (e.g., file permissions, network configuration) consistent with policy are used to restrict user access to information, sensitive systems, specific applications and services, and network connections. |
|
|
|
|
| There are documented policies and procedures to establish and terminate the right of access to information for both individuals and groups. |
|
|
|
|
| Methods or mechanisms are provided to ensure that sensitive information has not been accessed, altered, or destroyed in an unauthorized manner. Methods or mechanisms are periodically reviewed and verified. |
|
|
|
|
| Senior management |
|
|
| Operational area management |
|
|
| Staff |
|
|
| IT staff |
|
|
|
There is a documented set of procedures for managing vulnerabilities:
Selecting vulnerability evaluation tools, checklists, and scripts Keeping up to date with known vulnerability types and attack methods Reviewing sources of information on vulnerability announcements, security alerts, and notices Identifying infrastructure components to be evaluated Scheduling vulnerability evaluations Interpreting and responding to the results Maintaining secure storage and disposition of vulnerability data |
|
|
|
|
| Vulnerability management procedures are followed and are periodically reviewed and updated. |
|
|
|
|
| Technology vulnerability assessments are performed on a periodic basis, and vulnerabilities are addressed when they are identified. |
|
|
|
|
| Senior management |
|
|
| Operational area management |
|
|
| Staff |
|
|
| IT staff |
|
|
| Appropriate security controls are used to protect sensitive information while in storage and during transmission (e.g., data encryption, public key infrastructure, virtual private network technology). |
|
|
|
|
| Encrypted protocols are used for remote management of systems, routers, and firewalls. |
|
|
|
|
| Senior management |
|
|
| Operational area management |
|
|
| Staff |
|
|
| IT staff |
|
|
|
System architecture and design for new and revised systems include the following considerations:
Security strategies, policies, and procedures History of security compromises Results of security risk assessments |
|
|
|
|
| The organization has up-to-date diagrams that show the enterprisewide security architecture and network topology. |
|
|
|
|
| Senior management |
|
|
| Operational area management |
|
|
| Staff |
|
|
| IT staff |
|
|
| Documented procedures exist for identifying, reporting, and responding to suspected security incidents and violations. |
|
|
|
|
| Incident management procedures are periodically tested, verified, and updated. |
|
|
|
|
| There are documented policies and procedures for working with law enforcement agencies. |
|
|
|
|
| Senior management |
|
|
| Operational area management |
|
|
| Staff |
|
|
| IT staff |
|
|
|
Staff members follow good security practice:
Securing information for which they are responsible Not divulging sensitive information to others (resistance to social engineering) Having adequate ability to use information technology hardware and software Using good password practices Understanding and following security policies and regulations Recognizing and reporting incidents |
|
|
|
|
| All staff at all levels of responsibility implement their assigned roles and responsibility for information security. |
|
|
|
|
| There are documented procedures for authorizing and overseeing all staff (includ-ing personnel from third-party organizations) who work with sensitive information or who work in locations where the information resides. |
|
|
|
|
| Senior management |
|
|
| Operational area management |
|
|
| Staff |
|
|
| IT staff |
|
|
B.3.2 Protection Strategy Worksheets
| Process 8 |
Activity: Create Protection Strategy (Section 10.3) |
| Purpose |
To create an organizationwide strategy for enabling security activities |
| Instructions |
Review the survey results and contextual security practice information from processes 1 to 3 before creating the protection strategy. |
For each security practice area, select strategies to enable security practices in your organization. When selecting strategies, consider the following: Note that the Protection Strategy Worksheet contains questions to guide your selection of strategies. |
Finally, consider what issues related to each security practice area cannot be addressed by your organization. Record any such issues that you identify. |
Protection Strategy Worksheet
What can you do to maintain or improve the level of information security training that all staff members receive (consider awareness training as well as technology-related training)? Does your organization have adequate in-house expertise for all supported technologies? What can you do to improve your staff's technology expertise? What can you do to ensure that all staff members understand their security roles and responsibilities? |
Consider the following:
|
|
Issues:
What issues related to security awareness and training cannot be addressed by your organization?
|
Are security issues incorporated into your organization's business strategy? What can you do to improve the way in which security issues are integrated with your organization's business strategy? Are business issues incorporated into your organization's security strategy? What can you do to improve the way in which business issues are integrated with your organization's security strategy? What can you do to improve the way in which security strategies, goals, and objectives are documented and communicated to the organization? |
Consider the following:
|
|
Issues:
What issues related to security strategy cannot be addressed by your organization?
|
Does management allocate sufficient funds and resources to information security activities? What level of funding for information security activities is appropriate for your organization? What can you do to ensure that security roles and responsibilities are defined for all staff in your organization? Do your organization's hiring and retention practices take information security issues into account (also applies to contractors and vendors)? What could you do to improve your organization's hiring and retention practices? What can you do to improve the way in which your organization manages its information security risk? What can you do to improve the way in which security-related information is communicated to your organization's management? |
Consider the following:
|
|
Issues:
What issues related to security management cannot be addressed by your organization?
|
What can you do to ensure that your organization has a comprehensive set of documented, current security policies? What can you do to improve the way in which your organization creates, updates, and communicates security policies? Does your organization have procedures to ensure compliance with laws and regulations affecting security? What can you do to improve how well your organization complies with laws and regulations affecting security? What can you do to ensure that your organization uniformly enforces its security policies? |
Consider the following:
|
|
Issues:
What issues related to security policies and regulations cannot be addressed by your organization?
|
Does your organization have policies and procedures for protecting information when working with external organizations (e.g., third parties, collaborators, subcontractors, or partners)? What can your organization do to improve the way in which it protects information when working with external organizations? What can your organization do to improve the way in which it verifies that external organizations are taking proper steps to protect critical information and systems? What can your organization do to improve the way in which it verifies that outsourced security services, mechanisms, and technologies meet its needs and requirements? |
Consider the following:
|
|
Issues:
What issues related to collaborative security management cannot be addressed by your organization?
|
Does your organization have a defined business continuity plan? Has the business continuity plan been tested? What can you do to ensure that your organization has a defined and tested business continuity plan? Does your organization have a defined disaster recovery plan? Has the disaster recovery plan been tested? What can you do to ensure that your organization has a defined and tested disaster recovery plan? What can you do to ensure that staff members are aware of and understand your organization's business continuity and disaster recovery plans? |
Consider the following:
|
|
Issues:
What issues related to contingency planning and disaster recovery cannot be addressed by your organization?
|
What training and education initiatives could help your organization maintain or improve its physical security practices? What funding level is appropriate to support your organization's physical security needs? Are your policies and procedures sufficient for your organization's physical security needs? How could they be improved? Who has responsibility for physical security? Should anyone else be involved? What other departments in your organization should be involved with physical security? What external experts could help you with physical security? How will you communicate your requirements? How will you verify that your requirements were met? |
|
|
Issues:
What issues related to physical security cannot be addressed by your organization?
|
What training and education initiatives could help your organization maintain or improve its information technology security practices? What funding level is appropriate to support your organization's information technology security needs? Are your policies and procedures sufficient for your organization's information technology security needs? How could they be improved? Who has responsibility for information technology security? Should anyone else be involved? What other departments in your organization should be involved with information technology security? What external experts could help you with information technology security? How will you communicate your requirements? How will you verify that your requirements were met? |
|
|
Issues:
What issues related to information technology security cannot be addressed by your organization?
|
What training and education initiatives could help your organization maintain or improve its staff security practices? What funding level is appropriate to support your staff security needs? Are your policies and procedures sufficient for your staff security needs? How could they be improved? Who has responsibility for staff security? Should anyone else be involved? What other departments in your organization should be involved with staff security? What external experts could help you with staff security? How will you communicate your requirements? How will you verify that your requirements were met? |
|
|
Issues:
What issues related to staff security cannot be addressed by your organization?
|
B.3.3 Action List Worksheet
| Process 8 |
Activity: Create Action List (Section 10.6) |
| Purpose |
To define action items that people in your organization can take in the near term without the need for specialized training, policy changes, etc. |
| Instructions |
As you created the protection strategy and risk mitigation plans, you should have recorded any near-term actions that could help you implement the strategy and plans. Review your list of actions and decide if any are appropriate for the action list. Record the action items on the Action List Worksheet. |
Think about any additional near-term actions that could help you implement your protection strategy and risk mitigation plans. Answer the following question: What near-term actions need to be taken? Remember to review the actions and recommendations that you recorded in Section B.2.8. Record the action items on the Action List Worksheet. |
Now that you have identified specific action items for the action list, you need to assign responsibility for completing them as well as a completion date. Answer the following question for each action item on your list and record the results on the Action List Worksheet:
Who will be responsible for each action item? By when does the action item need to be addressed? What can management do to facilitate the completion of this action item? |
| |
Responsibility: |
| Completion date: |
| Required management actions: |
| |
Responsibility: |
| Completion date: |
| Required management actions: |
|
