05/08/2023 - 14:49:55 © Carlos Ormella Meyer iso 27002 metrics - 1 of 17
ISO 27002 CONTROLS VS. NIST CONTROLS AND DETERMINATION OF ISO 27002 METRICS © Carlos Ormella Meyer
Introduction
NIST SP 800-53 uses its own set of controls rather than those of ISO 27002, but NIST 800-53r1 Appendix G maps each NIST control to the corresponding controls of other standards, including ISO 27002.

Starting from that mapping we prepared a table (*) with the reverse mapping, that is, each ISO 27002 control is linked to the NIST control or controls that cover it.

We then extended the mapping table by collecting the corresponding NIST metrics, as found in NIST 800-55 Appendix A.

Keep in mind that the metrics set forth in NIST 800-55 are not defined for every control but for the whole family or group concerned. The application of a metric therefore has to be discussed against the details of each NIST 800-53r1 control (page 42 et seq.), taking into account the concepts of the corresponding ISO 27002 control.

Finally, appropriate metrics for each ISO 27002 control can be determined by reviewing the metrics of the mapped NIST controls (marking each as acceptable or not, or adding comments). Some additional metrics can also be derived from analysis of the ISO 27002 controls themselves by applying GQM (Goal Question Metric).

(*) The table that follows is an extract of the document we have used in our projects; it is in turn a practical exercise that attendees of the Workshop Seminar on "Metrics for Information Security", and of similar seminars given regularly in different Latin American countries, are invited to extend and complete.

METRICS TABLE - © Carlos Ormella Meyer

Columns of the original table: ISO Ctrl. | ISO 27002 Control Name | NIST Ctrl. | NIST Control Name | NIST Metrics/Measures | ISO 27002 Control Metrics. In the layout below each entry gives the ISO 27002 control number and name, followed by one indented line per mapped NIST control (number and name). NIST 800-55 metrics/measures are indented under the NIST control they belong to, and the author's comments on those metrics plus the additional metrics proposed for the ISO control appear on a final "ISO 27002 metrics:" line. "N/A" means no NIST control is mapped to that ISO control.

5.1.1 Information Security Policy Document
  AT-1 Security Awareness and Training Policy and Procedures
    1) % of total required policies, procedures, awareness and training that have been developed
  CP-1 Contingency Planning Policy and Procedures
    2) % of the total required Contingency Policy implementation procedures that have been developed
5.1.2 Review of Information Security Policy
  N/A
  ISO 27002 metrics: 1) Frequency of reviews by security management 2) Frequency of security policy reviews

6.1.1 Management Commitment to Information Security
  PL-1 Security Planning Policy and Procedures
    1) % of the total required security policy and security planning procedures that have been developed
  PL-2 System Security Plan
  PL-3 System Security Plan Update

6.1.2 Information Security Co-ordination
  PL-1 Security Planning Policy and Procedures
  PL-2 System Security Plan
  PL-3 System Security Plan Update

6.1.3 Allocation of Information Security Responsibilities
  PL-1 Security Planning Policy and Procedures
  PL-2 System Security Plan
  PL-3 System Security Plan Update

6.1.4 Authorization Process for Information Processing Facilities
  AC-20 Personally Owned Information Systems
  CA-1 Certification, Accreditation, and Security Assessment Policies and Procedures
  PL-1 Security Planning Policy and Procedures
  PL-2 System Security Plan
  PL-3 System Security Plan Update

6.1.5 Confidentiality Agreements
  PL-1 Security Planning Policy and Procedures
  PL-2 System Security Plan
  PL-3 System Security Plan Update
  PS-6 Access Agreements

6.1.6 Contact with Authorities
  IR-4 Incident Handling
  IR-6 Incident Reporting
6.1.6 Contact with Authorities (cont.)
  PL-1 Security Planning Policy and Procedures
  PL-2 System Security Plan
  PL-3 System Security Plan Update

6.1.7 Contact with Special Interest Groups
  AT-5 Contacts with Security Groups and Associations
  PL-1 Security Planning Policy and Procedures
  PL-2 System Security Plan
  PL-3 System Security Plan Update
  SI-5 Security Alerts and Advisories

6.1.8 Independent Review of Information Security
  CA-2 Security Assessments
  PL-1 Security Planning Policy and Procedures
  PL-2 System Security Plan
  PL-3 System Security Plan Update

6.2.1 Identification of Risks Related to External Parties
  PS-7 Third-party Personnel Security
  RA-3 Risk Assessment
  SA-9 Outsourced Information System Services

6.2.2 Addressing Security When Dealing with Customers
  AC-2 Account Management
  IR-6 Incident Reporting

6.2.3 Addressing Security in Third Party Agreements
  AC-2 Account Management
  AT-2 Security Awareness
  IR-6 Incident Reporting
  MA-5 Maintenance Personnel
  PS-7 Third-party Personnel Security
  SA-9 Outsourced Information System Services

7.1.1 Inventory of Assets
  CM-2 Baseline Configuration and System Component Inventory

7.1.2 Ownership of Assets
  N/A
7.1.3 Acceptable Use of Assets
  PL-4 Rules of Behavior

7.2.1 Classification Guidelines
  RA-2 Security Categorization

7.2.2 Information Labeling and Handling
  AC-15 Automated Marking
  AC-16 Automated Labeling
  MP-3 Media Labeling
  SC-16 Transmission of Security Parameters

8.1.1 Roles and Responsibilities
  PS-1 Personnel Security Policy and Procedures
  PS-7 Third-party Personnel Security

8.1.2 Screening
  PS-2 Position Categorization
  PS-3 Personnel Screening
  PS-7 Third-party Personnel Security

8.1.3 Terms and Conditions of Employment
  PL-4 Rules of Behavior
  PS-4 Personnel Termination
  PS-6 Access Agreements
  PS-7 Third-party Personnel Security

8.2.1 Management Responsibilities
  PS-7 Third-party Personnel Security

8.2.2 Information Security Awareness, Education and Training
  AT-1 Security Awareness and Training Policy and Procedures
    1) % of total required policies, awareness and training procedures that have been developed
  AT-2 Security Awareness
    2) % of total staff who are taught security awareness before being allowed access to systems
  AT-3 Security Training
    3) % of total staff with significant roles and responsibilities who have received security training before being allowed access to systems
  PS-7 Third-party Personnel Security
    4) % of total information system service providers for which security requirements, including roles and responsibilities, have been established
  ISO 27002 metrics: 1) No, it does not fit well with control 8.2.2 2) OK 3) OK 4) OK 5) % of total staff who are taught security awareness 6) Frequency of update of training plans
8.2.3 Disciplinary Process
  PS-8 Personnel Sanctions

8.3.1 Termination Responsibilities
  PS-4 Personnel Termination
  PS-5 Personnel Transfer

8.3.2 Return of Assets
  PS-4 Personnel Termination

8.3.3 Removal of Access Rights
  AC-2 Account Management
  PS-4 Personnel Termination
  PS-5 Personnel Transfer

9.1.1 Physical Security Perimeter
  PE-3 Physical Access Control

9.1.2 Physical Entry Controls
  PE-2 Physical Access Authorizations
  PE-3 Physical Access Control
  PE-5 Access Control for Display Medium
  PE-6 Monitoring Physical Access
  PE-7 Visitor Control
  PE-8 Access Logs

9.1.3 Securing Offices, Rooms and Facilities
  N/A

9.1.4 Protecting Against External and Environmental Threats
  PE-13 Fire Protection
  PE-15 Water Damage Protection

9.1.5 Working in Secure Areas
  PE-3 Physical Access Control

9.1.6 Public Access, Delivery and Loading Areas
  PE-2 Physical Access Authorizations
  PE-3 Physical Access Control
  PE-16 Delivery and Removal

9.2.1 Equipment Siting and Protection
  PE-13 Fire Protection
  PE-14 Temperature and Humidity Controls
  PE-15 Water Damage Protection
  PE-18 Location of Information System Components

9.2.2 Supporting Utilities
  PE-9 Power Equipment and Power Cabling
  PE-10 Emergency Shutoff
  PE-11 Emergency Power
9.2.2 Supporting Utilities (cont.)
  PE-12 Emergency Lighting

9.2.3 Cabling Security
  PE-4 Access Control for Transmission Medium
  PE-9 Power Equipment and Power Cabling

9.2.4 Equipment Maintenance
  MA-2 Periodic Maintenance
  MA-5 Maintenance Personnel

9.2.5 Security of Equipment Off-premises
  AC-20 Personally Owned Information Systems

9.2.6 Secure Disposal or Reuse of Equipment
  MP-6 Media Sanitization and Disposal

9.2.7 Removal of Property
  PE-16 Delivery and Removal

10.1.1 Documented Operating Procedures
  MA-1 System Maintenance Policy and Procedures
  MP-1 Media Protection Policy and Procedures

10.1.2 Change Management
  CM-3 Configuration Change Control
  CM-4 Monitoring Configuration Changes

10.1.3 Segregation of Duties
  AC-5 Separation of Duties

10.1.4 Separation of Development and Operational Facilities
  N/A

10.2.1 Service Delivery
  SA-9 Outsourced Information System Services

10.2.2 Monitoring and Review of Third Party Services
  SA-9 Outsourced Information System Services

10.2.3 Managing Changes to Third Party Services
  CM-3 Configuration Change Control

10.3.1 Capacity Management
  SA-2 Allocation of Resources

10.3.2 System Acceptance
  AT-3 Security Training
10.3.2 System Acceptance (cont.)
  CA-1 Certification, Accreditation, and Security Assessment Policies and Procedures
  CA-4 Security Certification
  CA-6 Security Accreditation
  CP-2 Contingency Plan

10.4.1 Controls Against Malicious Code
  AT-2 Security Awareness
    1) % of total staff who are taught security awareness before being allowed access to systems
  CP-1 Contingency Planning Policy and Procedures
    2) % of the total required Contingency Policy implementation procedures that have been developed
  CP-2 Contingency Plan
    3) % of total high- and medium-impact systems whose contingency plans have been successfully tested in the last period
  IR-1 Incident Response Policy and Procedures
    4) % of total incidents that have been reported within the time scheduled for the appropriate category in each case
  SC-18 Mobile Code
    5) Total number of restrictions on mobile code download and execution on users' computers
  SI-3 Malicious Code Protection
    6) Number of events produced by malicious code (viruses, worms, trojans, spyware, etc.)
  SI-5 Security Alerts and Advisories
    7) % of total warnings and alerts that have been circulated in time
  ISO 27002 metrics: 1) No, only limited to the prohibition of unauthorized software 2) OK 3) OK 4) Not here 5) Not here 6) OK 7) OK 8) Number of controls on data content and software used in critical processes 9) Number of violations detected in the download of files with no evidence of having been tested for malicious content 10) % of total staff who are taught awareness regarding the use, reporting and recovery from malicious code attacks

10.4.2 Controls Against Mobile Code
  SC-18 Mobile Code

10.5.1 Information Backup
  CP-4 Contingency Plan Testing
  CP-6 Alternate Storage Sites
  CP-9 Information System Backup
  PE-3 Physical Access Control
  PE-14 Temperature and Humidity Controls

10.6.1 Network Controls
  AC-5 Separation of Duties
  SC-8 Transmission Integrity
  SC-9 Transmission Confidentiality

10.6.2 Security of Network Services
  AC-4 Information Flow Enforcement
10.6.2 Security of Network Services (cont.)
  CA-3 Information System Connections
  SA-9 Outsourced Information System Services
  SI-4 Information System Monitoring Tools and Techniques

10.7.1 Management of Removable Media
  MP-1 Media Protection Policy and Procedures
  MP-4 Media Storage
  MP-6 Media Sanitization and Disposal
  PE-14 Temperature and Humidity Controls
  PE-16 Delivery and Removal

10.7.2 Disposal of Media
  MP-1 Media Protection Policy and Procedures
  MP-4 Media Storage
  MP-6 Media Sanitization and Disposal

10.7.3 Information Handling Procedures
  MP-1 Media Protection Policy and Procedures
  MP-2 Media Access
  MP-3 Media Labeling
  MP-4 Media Storage
  SI-10 Information Accuracy, Completeness, Validity and Authenticity
  SI-12 Information Output Handling and Retention

10.7.4 Security of System Documentation
  MP-1 Media Protection Policy and Procedures
  MP-4 Media Storage
  SA-5 Information System Documentation
  SC-14 Public Access Protections

10.8.1 Information Exchange Policies and Procedures
  SC-1 System and Communications Protection Policy and Procedures
10.8.1 Information Exchange Policies and Procedures (cont.)
  SC-4 Information Remnants
  SC-8 Transmission Integrity
  SC-9 Transmission Confidentiality

10.8.2 Exchange Agreements
  AU-10 Non-repudiation
  MP-3 Media Labeling
  SC-16 Transmission of Security Parameters

10.8.3 Physical Media in Transit
  MP-5 Media Transport

10.8.4 Electronic Messaging
  SC-5 Denial of Service Protection

10.8.5 Business Information Systems
  CP-2 Contingency Plan

10.9.1 Electronic Commerce
  AU-10 Non-repudiation
  CA-3 Information System Connections
  SC-8 Transmission Integrity
  SC-9 Transmission Confidentiality

10.9.2 On-line Transactions
  SC-11 Trusted Path
  SC-16 Transmission of Security Parameters

10.9.3 Publicly Available Information
  SC-14 Public Access Protections

10.10.1 Audit Logging
  AC-5 Separation of Duties
  AU-1 Audit and Accountability Policy and Procedures
  AU-2 Auditable Events
  AU-3 Content of Audit Records
  AU-11 Audit Retention
  SI-4 Information System Monitoring Tools and Techniques

10.10.2 Monitoring System Use
  AC-13 Supervision and Review - Access Control
  AU-1 Audit and Accountability Policy and Procedures
  AU-6 Audit Monitoring, Analysis and Reporting
10.10.2 Monitoring System Use (cont.)
  RA-3 Risk Assessment
  SI-4 Information System Monitoring Tools and Techniques

10.10.3 Protection of Log Information
  AU-1 Audit and Accountability Policy and Procedures
  AU-4 Audit Storage Capacity
  AU-5 Audit Processing
  AU-7 Audit Reduction and Report Generation
  AU-9 Protection of Audit Information

10.10.4 Administrator and Operator Logs
  AU-1 Audit and Accountability Policy and Procedures
  AU-3 Content of Audit Records
  AU-6 Audit Monitoring, Analysis and Reporting
  SI-4 Information System Monitoring Tools and Techniques

10.10.5 Fault Logging
  AU-1 Audit and Accountability Policy and Procedures
  RA-3 Risk Assessment
  SI-2 Flaw Remediation

10.10.6 Clock Synchronization
  AU-1 Audit and Accountability Policy and Procedures
  AU-8 Time Stamps

11.1.1 Access Control Policy
  AC-1 Access Control Policy and Procedures

11.2.1 User Registration
  AC-2 Account Management
  PS-4 Personnel Termination
  PS-5 Personnel Transfer
  PS-7 Third-party Personnel Security
  PS-8 Personnel Sanctions

11.2.2 Privilege Management
  AC-2 Account Management
    1) % of total remote access points from which logins have been made without authorized registration
  ISO 27002 metrics: 4) % of total identities with privileges that have no separate identity for non-privileged tasks 5) % of total staff members who have been assigned roles and responsibilities and implemented conforming tools such as RBAC (Based
11.2.2 Privilege Management (cont.)
  AC-6 Least Privilege
    2) Number of privileges set for the access of people, ports, protocols and services

11.2.3 User Password Management
  IA-2 User Identification and Authentication
  IA-4 Identifier Management

11.2.4 Review of User Access Rights
  AC-2 Account Management
  AC-3 Access Enforcement
  AC-13 Supervision and Review - Access Control

11.3.1 Password Use
  N/A

11.3.2 Unattended User Equipment
  AC-11 Session Lock
  AC-12 Session Termination

11.3.3 Clear Desk and Clear Screen Policy
  PE-5 Access Control for Display Medium

11.4.1 Policy on Use of Network Services
  AC-1 Access Control Policy and Procedures

11.4.2 User Authentication for External Connections
  AC-17 Remote Access
    1) Number of documents indicating the types of monitoring and controls
  AC-18 Wireless Access Restrictions
    2) Number of wireless access points that have been used to gain unauthorized access
  IA-2 User Identification and Authentication
    3) % of total users of high-impact systems who use two-factor authentication based on user information and a software or hardware token
  IA-3 Device Identification and Authentication
    4) % of all devices that have been identified and authenticated (by MAC, TCP/IP, EAP, RADIUS, TTL, etc.) before establishing a connection
  ISO 27002 metrics: 1) OK 2) OK 3) OK 4) OK 5) % of total nodes and/or remote users for which the required level of protection has been determined

11.4.3 Equipment Identification in Networks
  AC-17 Remote Access
  IA-3 Device Identification and Authentication

11.4.4 Remote Diagnostic and Configuration Port Protection
  AC-17 Remote Access
  MA-4 Remote Maintenance

11.4.5 Segregation in Networks
  AC-3 Access Enforcement
  AC-4 Information Flow Enforcement
  CA-3 Information System Connections
11.4.5 Segregation in Networks (cont.)
  SC-2 Application Partitioning
  SC-3 Security Function Isolation

11.4.6 Network Connection Control
  AC-4 Information Flow Enforcement
  CA-3 Information System Connections
  SC-7 Boundary Protection

11.4.7 Network Routing Control
  AC-4 Information Flow Enforcement
  CA-3 Information System Connections

11.5.1 Secure Log-on Procedures
  AC-7 Unsuccessful Login Attempts
  AC-8 System Use Notification
  AC-9 Previous Logon Notification
  IA-6 Authenticator Feedback

11.5.2 User Identification and Authentication
  IA-2 User Identification and Authentication
  IA-4 Identifier Management
  IA-5 Authenticator Management

11.5.3 Password Management System
  IA-5 Authenticator Management

11.5.4 Use of System Utilities
  N/A

11.5.5 Session Time-out
  AC-12 Session Termination

11.5.6 Limitation of Connection Time
  SC-10 Network Disconnect

11.6.1 Information Access Restriction
  CM-5 Access Restrictions for Change

11.6.2 Sensitive System Isolation
  N/A

11.7.1 Mobile Computing and Communications
  AC-18 Wireless Access Restrictions
  AC-19 Access Control for Portable and Mobile Systems
  AC-20 Personally Owned Information Systems
  AT-2 Security Awareness
  AT-3 Security Training
  CP-9 Information System Backup
  IA-3 Device Identification and Authentication
11.7.2 Teleworking
  AC-2 Account Management
  AC-18 Wireless Access Restrictions
  PE-17 Alternate Work Site

12.1.1 Security Requirements Analysis and Specification
  SA-1 System and Services Acquisition Policy and Procedures
  SA-4 Acquisitions
  SA-8 Security Design Principles
  SI-9 Information Input Restrictions

12.2.1 Input Data Validation
  SI-7 Software and Information Integrity
  SI-9 Information Input Restrictions
  SI-10 Information Accuracy, Completeness, Validity and Authenticity
  SI-11 Error Handling

12.2.2 Control of Internal Processing
  SI-7 Software and Information Integrity
  SI-9 Information Input Restrictions
  SI-10 Information Accuracy, Completeness, Validity and Authenticity
  SI-11 Error Handling

12.2.3 Message Integrity
  SI-11 Error Handling

12.2.4 Output Data Validation
  SI-7 Software and Information Integrity
  SI-11 Error Handling
  SI-12 Information Output Handling and Retention

12.3.1 Policy on the Use of Cryptographic Controls
  AU-10 Non-repudiation
  SC-12 Cryptographic Key Establishment and Management
  SC-17 Public Key Infrastructure Certificates

12.3.2 Key Management
  SC-12 Cryptographic Key Establishment and Management
  SC-17 Public Key Infrastructure Certificates
12.4.1 Control of Operational Software
  CM-1 Configuration Management Policy and Procedures
  CM-3 Configuration Change Control
  SI-2 Flaw Remediation

12.4.2 Protection of System Test Data
  N/A

12.4.3 Access Control to Program Source Library
  N/A

12.5.1 Change Control Procedures
  CM-1 Configuration Management Policy and Procedures
  CM-3 Configuration Change Control
  RA-3 Risk Assessment
  SA-10 Developer Configuration Management
  SA-11 Developer Security Testing
  SI-2 Flaw Remediation

12.5.2 Technical Review of Applications After Operating System Changes
  CM-3 Configuration Change Control
  SA-10 Developer Configuration Management
  SA-11 Developer Security Testing
  SI-2 Flaw Remediation

12.5.3 Restrictions on Changes to Software Packages
  CM-3 Configuration Change Control

12.5.4 Information Leakage
  N/A

12.5.5 Outsourced Software Development
  N/A

12.6.1 Control of Technical Vulnerabilities
  RA-3 Risk Assessment
    1) Number of assessments conducted
  RA-5 Vulnerability Scanning
    2) Number of scans performed
  SI-2 Flaw Remediation
    3) % of all known or scanned security holes that have been corrected
  ISO 27002 metrics: 3) OK 4) % of total assets that have been inventoried 5) % of the total required roles and responsibilities that have been assigned

13.1.1 Reporting Information Security Events
  AT-2 Security Awareness
  AT-3 Security Training
  IR-1 Incident Response Policy and Procedures
  IR-2 Incident Response Training
13.1.1 Reporting Information Security Events (cont.)
  IR-6 Incident Reporting

13.1.2 Reporting Security Weaknesses
  IR-1 Incident Response Policy and Procedures
  IR-6 Incident Reporting

13.2.1 Responsibilities and Procedures
  AU-6 Audit Monitoring, Analysis and Reporting
    1) Number of inappropriate or unusual activities found in the audit records
  IR-1 Incident Response Policy and Procedures
    2) % of total incidents that have been reported within the time scheduled for the appropriate category in each case
  IR-4 Incident Handling
    3) Number of actions taken to strengthen the incident management capability
  SC-5 Denial of Service Protection
    4) % of DoS attacks that were protected against
  ISO 27002 metrics: 1) OK, but it could be extended to the subject of evidence 2) OK 3) OK 4) OK, but it could be extended to malicious code and others according to paragraph a) of ISO 27002 control 13.2.1 5) Number of recovery controls carried out

13.2.2 Learning from Information Security Incidents
  IR-4 Incident Handling

13.2.3 Collection of Evidence
  N/A

14.1.1 Information Security in Business Continuity Management
  CP-1 Contingency Planning Policy and Procedures
  RA-3 Risk Assessment

14.1.2 Business Continuity and Risk Assessment
  RA-3 Risk Assessment

14.1.3 Developing and Implementing Continuity Plans Including Information Security
  CP-1 Contingency Planning Policy and Procedures
  CP-2 Contingency Plan
  CP-3 Contingency Training
  CP-5 Contingency Plan Update
  IR-7 Incident Response Assistance

14.1.4 Business Continuity Planning Framework
  AT-2 Security Awareness
  AT-3 Security Training
  CP-2 Contingency Plan
  CP-3 Contingency Training
  CP-5 Contingency Plan Update
  CP-7 Alternate Processing Sites
  CP-8 Telecommunication Services
  CP-10 Information System Recovery and Reconstitution
14.1.5 Testing, Maintaining and Re-assessing Business Continuity Plans
  CP-4 Contingency Plan Testing
  CP-5 Contingency Plan Update
  IR-3 Incident Response Testing

15.1.1 Identification of Applicable Legislation
  AC-1 Access Control Policy and Procedures
  AT-1 Security Awareness and Training Policy and Procedures
  AU-1 Audit and Accountability Policy and Procedures
  CA-1 Certification, Accreditation, and Security Assessment Policies and Procedures
  CM-1 Configuration Management Policy and Procedures
  CP-1 Contingency Planning Policy and Procedures
  IA-1 Identification and Authentication Policy and Procedures
  IR-1 Incident Response Policy and Procedures
  MA-1 System Maintenance Policy and Procedures
  MP-1 Media Protection Policy and Procedures
  PE-1 Physical and Environmental Protection Policy and Procedures
  PL-1 Security Planning Policy and Procedures
  PS-1 Personnel Security Policy and Procedures
  RA-1 Risk Assessment Policy and Procedures
  SA-1 System and Services Acquisition Policy and Procedures
15.1.1 Identification of Applicable Legislation (cont.)
  SC-1 System and Communications Protection Policy and Procedures
  SI-1 System and Information Integrity Policy and Procedures

15.1.2 Intellectual Property Rights (IPR)
  CM-2 Baseline Configuration and System Component Inventory
  SA-6 Software Usage Restrictions
  SA-7 User Installed Software

15.1.3 Protection of Organizational Records
  AU-9 Protection of Audit Information
  AU-11 Audit Retention
  MP-1 Media Protection Policy and Procedures
  MP-3 Media Labeling
  MP-4 Media Storage

15.1.4 Data Protection and Privacy of Personal Information
  AT-2 Security Awareness
  PL-5 Privacy Impact Assessment

15.1.5 Prevention of Misuse of Information Processing Facilities
  AC-8 System Use Notification
  PL-4 Rules of Behavior

15.1.6 Regulation of Cryptographic Controls
  N/A

15.2.1 Compliance with Security Policy
  CA-2 Security Assessments
  CA-5 Plan of Action and Milestones
  CA-7 Continuous Monitoring

15.2.2 Technical Compliance Checking
  CA-2 Security Assessments
  CA-7 Continuous Monitoring

15.3.1 Information System Audit Controls
  PL-6 Security-Related Activity Planning

15.3.2 Protection of Information System Audit Tools
  AU-9 Protection of Audit Information
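As a worked example of the procedure described in the introduction (reverse the Appendix G mapping from NIST control to ISO control, then attach the family-level NIST 800-55 metrics to each ISO control, leaving "N/A" controls without candidates), the following Python script is added here; it is not part of the original document or of the author's workshop material. The NIST_TO_ISO dictionary, the ISO_CONTROLS list and the FAMILY_METRICS wording are a constructed subset built from rows of the table above, and all function names are this example's own.

```python
"""Reverse a NIST 800-53 -> ISO 27002 mapping and attach family-level
NIST 800-55 metrics to each ISO 27002 control.

Added example for this page; data below is a constructed subset of the
table above, not NIST 800-53r1 Appendix G or NIST 800-55 Appendix A in full.
"""
from collections import defaultdict

# Appendix G direction: NIST control -> ISO 27002 controls it maps to
# (pairs taken from the table above; constructed subset).
NIST_TO_ISO = {
    "AT-1": ["5.1.1", "8.2.2", "15.1.1"],
    "AT-2": ["8.2.2", "10.4.1"],
    "CP-1": ["5.1.1", "10.4.1", "14.1.1", "15.1.1"],
    "PL-1": ["6.1.1", "6.1.2", "15.1.1"],
    "PL-2": ["6.1.1", "6.1.2"],
}

# ISO controls we want rows for; 5.1.2 has no NIST mapping (N/A in the table).
ISO_CONTROLS = ["5.1.1", "5.1.2", "6.1.1", "8.2.2", "10.4.1"]

# 800-55 metrics are defined per control family, not per control, so they are
# keyed by the family prefix ("AT", "CP", ...). Wording follows the table above.
FAMILY_METRICS = {
    "AT": [
        "% of total required policies, procedures, awareness and training that have been developed",
        "% of total staff who are taught security awareness before being allowed access to systems",
    ],
    "CP": ["% of the total required Contingency Policy implementation procedures that have been developed"],
    "PL": ["% of the total required security policy and security planning procedures that have been developed"],
}


def family(nist_control: str) -> str:
    """'AC-17' -> 'AC'. Rejects identifiers that are not FAMILY-NUMBER."""
    prefix, sep, number = nist_control.partition("-")
    if not sep or not prefix.isalpha() or not number.isdigit():
        raise ValueError(f"not a NIST 800-53 control identifier: {nist_control!r}")
    return prefix


def sort_key(nist_control: str):
    """Order controls numerically within a family: AC-2 before AC-17."""
    return (family(nist_control), int(nist_control.partition("-")[2]))


def reverse_mapping(nist_to_iso: dict) -> dict:
    """Invert NIST -> ISO into ISO -> sorted list of NIST controls."""
    iso_to_nist = defaultdict(set)
    for nist, iso_list in nist_to_iso.items():
        for iso in iso_list:
            iso_to_nist[iso].add(nist)
    return {iso: sorted(ctrls, key=sort_key) for iso, ctrls in iso_to_nist.items()}


def candidate_metrics(iso_control: str, iso_to_nist: dict, family_metrics: dict) -> list:
    """Candidate 800-55 metrics for one ISO control, as (nist_control, metric)
    pairs. Each mapped NIST control inherits its family's metrics; a metric
    reached through two controls of the same family is listed once, under the
    first control. Returns [] for an ISO control with no NIST mapping."""
    out, seen = [], set()
    for nist in iso_to_nist.get(iso_control, []):
        for metric in family_metrics.get(family(nist), []):
            if metric not in seen:
                seen.add(metric)
                out.append((nist, metric))
    return out


def build_table(iso_controls: list, nist_to_iso: dict, family_metrics: dict) -> dict:
    """ISO control -> {'nist': [...], 'metrics': [(nist, metric), ...]}.
    The 'metrics' list is the starting point the author then reviews by hand
    (acceptable / not / comment) before adding GQM-derived metrics."""
    iso_to_nist = reverse_mapping(nist_to_iso)
    return {
        iso: {
            "nist": iso_to_nist.get(iso, []),
            "metrics": candidate_metrics(iso, iso_to_nist, family_metrics),
        }
        for iso in iso_controls
    }


if __name__ == "__main__":
    for iso, row in build_table(ISO_CONTROLS, NIST_TO_ISO, FAMILY_METRICS).items():
        print(iso, "->", ", ".join(row["nist"]) or "N/A")
        for nist, metric in row["metrics"]:
            print("    ", nist, "|", metric)
```

The output lists, for each ISO control, the NIST controls the reverse mapping yields and the family metrics they carry; the dedup in candidate_metrics is what prevents a control such as 6.1.1, mapped to both PL-1 and PL-2, from showing the single PL family metric twice.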