
Req.#: Example
Family: ACCESS CONTROL
Control Name: ACCESS CONTROL POLICY AND PROCEDURES
NIST 800-53 Control #: AC-1
Low Security Program [Control and Control Enhancement]: Required
MODERATE [Control and Control Enhancement]: Required
Area (Function Area -> Functional Sub-Area): Protect -> Access Control

DIR CONTROL CROSSWALK REFERENCE | 10/26/2021 06:24:58 1 of 881


NIST 800-53 Rev. 4 Control [Control and Control Enhancement] (Detailed breakdown of required controls)

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the access control policy and associated access controls; and
b. Reviews and updates the current:
1. Access control policy [Assignment: organization-defined frequency]; and
2. Access control procedures [Assignment: organization-defined frequency].

Vendor's Response (Please address all the controls and control enhancements, then describe if the controls are Implemented, Partially Implemented or Not Implemented):
1. Access Control Policy - Partially Implemented
2. Access Control Procedure - Implemented
b. Reviews and Updates
1. Company A reviews and updates the Access Control Policy Annually - Implemented
2. Company A reviews and updates the Access Control Procedure Annually or when a change in system or process occurs - Partially Implemented



Overall Implementation Status (Reference on Comments Page):
  Implemented ✘
  Partially Implemented
  Planned
  Alternative Implementation
  Not Applicable

Control(s) (Where does the Control(s) originate from?):
  Service Provider Corporate
  ✘ Service Provider System Specific
  Service Provider Hybrid (Corporate and System Specific)
  Configured by Customer (Customer System Specific)
  Provided by Customer (Customer System Specific)
  Shared (Service Provider and Customer Responsibility)
  Controls inherited by IaaS

Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.):
  Enterprise Policy, Section, Date
  8120 6.2 7/15
  8270 6.2 7/15
  8280 6.1 - 6.7.1 7/15
  8310 6.1 - 6.10 7/15
  8320 6.1 - 6.18 7/15

Vendor's Compensating Controls (if Control or Control enhancement Can't Be Met - What is the alternative security controls or remediation plan employed by organization):
  1. Access Control Policy - Partially Implemented - Our organization currently follows a strict set of procedures in the event of an incident. This policy is in draft form, and is in the process of being written and approved. The policy will be completed by mm/dd/yyyy.
  2. Company A reviews and updates the Access Control Procedure Annually or when a change in system or process occurs - Partially Implemented - Our organization reviews and updates the Access Control Procedure every two years if needed or when a change in system or process occurs



Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why) (Please see Risk Statement for examples of Non-Compliance language, Column O):
Access provided is not consistent with job function as Access Control Policy is not documented, communicated, and understood.

General Assessment Questions:
1) Is there a documented access control policy or standard that provides guidance regarding criteria for granting access and is communicated to administrators and data / application owners for controlling access to information systems?
2) Is the policy or standard reviewed and if needed, updated on a scheduled basis?

Detailed Control Testing Procedure(s):
Obtain access control policy and procedures; other relevant documents or records and ascertain if
(i) the organization develops and documents access control policy and procedures;
(ii) the organization disseminates access control policy and procedures to appropriate elements within the organization;
(iii) responsible parties within the organization periodically review access control policy and procedures; and
(iv) the organization updates access control policy and procedures when organizational review indicates updates are required.



Risk Statement Examples: Access provided is not consistent with job function as Access Control Policy is not documented, communicated, and understood.
SOA Policy Number / SOA SubSection: 8120 / 6.2; 8270 / 6.2; 8280 / 6.1 - 6.7.1; 8310 / 6.1 - 6.10; 8320 / 6.1 - 6.18



COBIT Reference (Control Objective): [CobiT v5 - High Level Control Objective APO13; DSS02; DSS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and monitoring, detecting, reporting security vulnerabilities and incidents.
Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316



Consolidated Control Activities (See Column AE through AO)

An access control policy is established, documented, and reviewed based on business and security requirements for access.

[Critical Control #15] The processes and tools used to track/control/prevent/correct secure access to information according to the formal determination of which persons, computers, and applications have a need and right to access information based on an approved classification.

[CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy] 5.5 Policy Area 5: Access Control. Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing and transmission of CJIS information and the modification of informa[...]vices and communication configurations allowing access to CJIS information.

[IRS Publication 1075] 9.3.1.1 Access Control Policy and Procedures (AC-1)
The agency must:
a. Develop, document, and disseminate to designated agency officials:
1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the access control policy and associated access controls; and
b. Review and update the current:
1. Access control policy every three years (or if there is a significant change); and
2. Access control procedures at least annually.



Associated Requirement Sections

HIPAA Security Section - 45 CFR 164.308(a)(3)(ii)(B)
HIPAA Security Section - 45 CFR 164.312(a)(1)
HIPAA Security Section - 45 CFR 164.312(c)(2)
NIST 800-53 Rev.4 - AC-1
Critical Control 15: Controlled Access Based on the Need to Know
[CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy] 5.5 Policy Area 5: Access Control


Req.#: R0001
Family: ACCESS CONTROL
Control Name: ACCESS CONTROL POLICY AND PROCEDURES
NIST 800-53 Control #: AC-1
Low Security Program [Control and Control Enhancement]: Required
MODERATE [Control and Control Enhancement]: Required
Area (Function Area -> Functional Sub-Area): Protect -> Access Control


NIST 800-53 Rev. 4 Control [Control and Control Enhancement] (Detailed breakdown of required controls)

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the access control policy and associated access controls; and
b. Reviews and updates the current:
1. Access control policy [Assignment: organization-defined frequency]; and
2. Access control procedures [Assignment: organization-defined frequency].

Vendor's Response (Please address all the controls and control enhancements, then describe if the controls are Implemented, Partially Implemented or Not Implemented):


Overall Implementation Status (Reference on Comments Page):
  Implemented
  Partially Implemented
  Planned
  Alternative Implementation
  Not Applicable

Control(s) (Where does the Control(s) originate from?):
  Service Provider Corporate
  Service Provider System Specific
  Service Provider Hybrid (Corporate and System Specific)
  Configured by Customer (Customer System Specific)
  Provided by Customer (Customer System Specific)
  Shared (Service Provider and Customer Responsibility)
  Controls inherited by IaaS

Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.):

Vendor's Compensating Controls (if Control or Control enhancement Can't Be Met - What is the alternative security controls or remediation plan employed by organization):


Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why) (Please see Risk Statement for examples of Non-Compliance language, Column O):

General Assessment Questions:
1) Is there a documented access control policy or standard that provides guidance regarding criteria for granting access and is communicated to administrators and data / application owners for controlling access to information systems?
2) Is the policy or standard reviewed and if needed, updated on a scheduled basis?

Detailed Control Testing Procedure(s):
Obtain access control policy and procedures; other relevant documents or records and ascertain if
(i) the organization develops and documents access control policy and procedures;
(ii) the organization disseminates access control policy and procedures to appropriate elements within the organization;
(iii) responsible parties within the organization periodically review access control policy and procedures; and
(iv) the organization updates access control policy and procedures when organizational review indicates updates are required.


Risk Statement Examples: Access provided is not consistent with job function as Access Control Policy is not documented, communicated, and understood.
SOA Policy Number / SOA SubSection: 8120 / 6.2; 8270 / 6.2; 8280 / 6.1 - 6.7.1; 8310 / 6.1 - 6.10; 8320 / 6.1 - 6.18


COBIT Reference (Control Objective): [CobiT v5 - High Level Control Objective APO13; DSS02; DSS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and monitoring, detecting, reporting security vulnerabilities and incidents.
Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316


Consolidated Control Activities (See Column AE through AO)

An access control policy is established, documented, and reviewed based on business and security requirements for access.

[Critical Control #15] The processes and tools used to track/control/prevent/correct secure access to information according to the formal determination of which persons, computers, and applications have a need and right to access information based on an approved classification.

[CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy] 5.5 Policy Area 5: Access Control. Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing and transmission of CJIS information and the modification of informa[...]vices and communication configurations allowing access to CJIS information.

[IRS Publication 1075] 9.3.1.1 Access Control Policy and Procedures (AC-1)
The agency must:
a. Develop, document, and disseminate to designated agency officials:
1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the access control policy and associated access controls; and
b. Review and update the current:
1. Access control policy every three years (or if there is a significant change); and
2. Access control procedures at least annually.


Associated Requirement Sections

HIPAA Security Section - 45 CFR 164.308(a)(3)(ii)(B)
HIPAA Security Section - 45 CFR 164.312(a)(1)
HIPAA Security Section - 45 CFR 164.312(c)(2)
NIST 800-53 Rev.4 - AC-1
Critical Control 15: Controlled Access Based on the Need to Know
[CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy] 5.5 Policy Area 5: Access Control


Req.#: R0002
Family: ACCESS CONTROL
Control Name: ACCOUNT MANAGEMENT
NIST 800-53 Control #: AC-2
Low Security Program [Control and Control Enhancement]: Required
MODERATE [Control and Control Enhancement]: Required (1,2,3,4,5,7,9,10,12)
Area (Function Area -> Functional Sub-Area): Protect -> Access Control


NIST 800-53 Rev. 4 Control [Control and Control Enhancement] (Detailed breakdown of required controls)

The organization:
a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];
b. Assigns account managers for information system accounts;
c. Establishes conditions for group and role membership;
d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];
g. Monitors the use of information system accounts;
h. Notifies account managers:
1. When accounts are no longer required;
2. When users are terminated or transferred; and
3. When individual information system usage or need-to-know changes;
i. Authorizes access to the information system based on:
1. A valid access authorization;
2. Intended system usage; and
3. Other attributes as required by the organization or associated missions/business functions;
j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and
k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

Control Enhancements:
(1) ACCOUNT MANAGEMENT | AUTOMATED SYSTEM ACCOUNT MANAGEMENT
The organization employs automated mechanisms to support the management of information system accounts.
(2) ACCOUNT MANAGEMENT | REMOVAL OF TEMPORARY / EMERGENCY ACCOUNTS
The information system automatically [Selection: removes; disables] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].
(3) ACCOUNT MANAGEMENT | DISABLE INACTIVE ACCOUNTS
The information system automatically disables inactive accounts after [Assignment: organization-defined time period].
(4) ACCOUNT MANAGEMENT | AUTOMATED AUDIT ACTIONS
The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles].
(5) ACCOUNT MANAGEMENT | INACTIVITY LOGOUT
The organization requires that users log out when [Assignment: organization-defined time period of expected inactivity or description of when to log out].

Vendor's Response (Please address all the controls and control enhancements, then describe if the controls are Implemented, Partially Implemented or Not Implemented):



Overall Implementation Status (Reference on Comments Page):
  Implemented
  Partially Implemented
  Planned
  Alternative Implementation
  Not Applicable

Control(s) (Where does the Control(s) originate from?):
  Service Provider Corporate
  Service Provider System Specific
  Service Provider Hybrid (Corporate and System Specific)
  Configured by Customer (Customer System Specific)
  Provided by Customer (Customer System Specific)
  Shared (Service Provider and Customer Responsibility)
  Controls inherited by IaaS

Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.):

Vendor's Compensating Controls (if Control or Control enhancement Can't Be Met - What is the alternative security controls or remediation plan employed by organization):


Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why) (Please see Risk Statement for examples of Non-Compliance language, Column O):

General Assessment Questions:
Are there processes in place to ensure access provided to users (e.g., the role provided to a user for an application, or privileged access provided to an IT administrator, etc.) aligns with business requirements and/or access control policy? [Note: an example could be documented approval from asset/business owner, timely removal of access from transferred or terminated employees, etc.]

Detailed Control Testing Procedure(s):
Obtain access control policy; procedures addressing account management; security plan; list of active system accounts along with the name of the individual associated with each account; lists of recently transferred, separated, or terminated employees; list of recently disabled information system accounts along with the name of the individual associated with each account; system-generated records with user IDs and last login date; other relevant documents or records and ascertain if
(i) the organization manages information system accounts, including authorizing, establishing, activating, modifying, reviewing, disabling, and removing accounts;
(ii) the organization defines in the security plan, explicitly or by reference, the frequency of information system account reviews and the frequency is at least annually;
(iii) the organization reviews information system accounts in accordance with organization-defined frequency; and
(iv) the organization initiates required actions on information system accounts based on the review;
(v) the organization employs automated mechanisms to support information system account management functions;
(vi) the organization defines in the security plan, explicitly or by reference, a time period for each type of account after which the information system terminates temporary and emergency accounts; and
(vii) the information system automatically terminates temporary and emergency accounts after the organization-defined time period for each type of account;
(viii) the organization defines in the security plan, explicitly or by reference, a time period after which the information system disables inactive accounts; and
(ix) the information system automatically disables inactive accounts after the organization-defined time period;
(x) the organization employs automated mechanisms to audit account creation, modification, disabling, and termination actions; and
(xi) the organization employs automated mechanisms to notify, as required, appropriate individuals.
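AC-2 enhancements (2), (3) and (4) above, and testing steps (vi) through (xi), describe one automated review over the "system-generated records with user IDs and last login date" an assessor asks for: expire temporary and emergency accounts after their own time periods, disable accounts idle past the inactivity limit, and audit and notify every action. The following Python is an added example for this crosswalk entry, not part of the DIR reference or of any vendor's response. The account records, account-type names, account managers and time periods are constructed placeholders for the organization-defined values the control leaves open.

```python
"""Automated account review illustrating NIST 800-53 AC-2 (2), (3) and (4).

Added example for this crosswalk entry; it is not part of the DIR reference
or of any vendor's response. The account records, account-type names, account
managers and time periods below are constructed placeholders standing in for
the organization-defined values the control leaves open.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Organization-defined time periods (placeholders): AC-2 (2) lifetime per
# temporary/emergency account type, AC-2 (3) inactivity limit.
ACCOUNT_LIFETIME: Dict[str, timedelta] = {
    "temporary": timedelta(days=30),
    "emergency": timedelta(days=1),
}
INACTIVITY_LIMIT = timedelta(days=90)
REVIEW_DATE = date(2021, 10, 26)   # fixed review date for the sample run


@dataclass
class Account:
    user_id: str
    account_type: str            # standard, privileged, temporary, emergency
    account_manager: str         # AC-2 b: the manager notified about this account
    created: date
    last_login: Optional[date]   # None if the account has never been used
    enabled: bool = True


@dataclass
class ReviewResult:
    actions: List[Dict[str, str]] = field(default_factory=list)  # AC-2 (4) audit trail
    notifications: List[str] = field(default_factory=list)       # AC-2 (4) notices


def _disable(result: ReviewResult, today: date, acct: Account, reason: str) -> None:
    """Disable the account, write an audit entry and queue a manager notification."""
    acct.enabled = False
    result.actions.append({"date": today.isoformat(), "user_id": acct.user_id,
                           "action": "disable", "reason": reason})
    result.notifications.append(
        f"{acct.account_manager}: account {acct.user_id} disabled ({reason})")


def review_accounts(accounts: List[Account], today: date) -> ReviewResult:
    """One review pass. Temporary/emergency accounts past their lifetime are
    disabled first (AC-2 (2)); any other enabled account idle for at least
    INACTIVITY_LIMIT is disabled (AC-2 (3)). Every action is audited (AC-2 (4))."""
    result = ReviewResult()
    for acct in accounts:
        if not acct.enabled:          # already actioned on an earlier pass
            continue
        lifetime = ACCOUNT_LIFETIME.get(acct.account_type)
        if lifetime is not None and today - acct.created >= lifetime:
            _disable(result, today, acct, f"{acct.account_type} account expired")
            continue
        # A never-used account is measured from creation so it cannot stay
        # enabled indefinitely just because it has no last-login record.
        last_seen = acct.last_login or acct.created
        if today - last_seen >= INACTIVITY_LIMIT:
            _disable(result, today, acct, "inactive")
    return result


def enabled_user_ids(accounts: List[Account]) -> List[str]:
    """The active-account list an assessor compares against HR records."""
    return [a.user_id for a in accounts if a.enabled]


def sample_accounts() -> List[Account]:
    """Constructed 'system-generated records with user IDs and last login date'."""
    return [
        Account("alice", "standard", "mgr-ops", date(2021, 1, 4), date(2021, 10, 20)),
        Account("bob", "standard", "mgr-ops", date(2020, 6, 1), date(2021, 5, 2)),
        Account("svc-backup", "privileged", "mgr-infra", date(2019, 3, 1), None),
        Account("tmp-auditor", "temporary", "mgr-sec", date(2021, 9, 1), date(2021, 10, 25)),
        Account("break-glass", "emergency", "mgr-sec", date(2021, 10, 25), date(2021, 10, 25)),
    ]


def run_sample_review():
    """Run one pass over the sample as of REVIEW_DATE; returns (accounts, result)."""
    accounts = sample_accounts()
    return accounts, review_accounts(accounts, REVIEW_DATE)


if __name__ == "__main__":
    accounts, review = run_sample_review()
    for entry in review.actions:
        print(entry)
    for note in review.notifications:
        print(note)
    print("still enabled:", enabled_user_ids(accounts))
```

Two choices matter for an assessor reading the output: a never-used account is measured from its creation date rather than skipped, so a service account with no login record still trips the inactivity limit, and the review is idempotent, so a second pass on the same day produces no new audit entries. The audit trail and the notifications list are what the organization would hand over as evidence for steps (x) and (xi).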



Risk Statement Examples: Unauthorized access is gained to information systems.
SOA Policy Number / SOA SubSection: 8310 / 6.1; 8310 / 6.3-6.10


COBIT Reference (Control Objective): [CobiT v5 - High Level Control Objective APO13; DSS02, DSS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and monitoring, detecting, reporting security vulnerabilities and incidents.
Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316; A.R.S. 13-2316 (A)


Consolidated Control Activities (See Column AE through AO)

[Computer Fraud and Abuse Act of 1986 (US) 18 USC 1031] Control user access to information in accordance with a defined access control policy. Provide protection from unauthorized access.

[CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy] The agency shall manage information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. The agency shall validate information system accounts at least annu[...]lidation process. The validation and documentation of accounts can be delegated to local agencies.
Account management includes the identification of account types (i.e., individual, group, and system), establishment of conditions for group membership, and assignment of associated authorizations. The agency shall identify authorized users of the information system and specify access rights/privileges [...]
[...] access to the information system based on:
[...] need-to-know/need-to-share that is determined by assigned official duties.
[...] all personnel security criteria.
[...] responsible for account creation shall be notified when:
[...] information system usage or need-to-know or need-to-share changes.
[...] terminated or transferred or associated accounts are removed, disabled, or otherwise secured.

[Critical Control #15] The processes and tools used to track/control/prevent/correct secure access to information according to the formal determination of which persons, computers, and applications have a need and right to access information based on an approved classification.

[Critical Control #16] The processes and tools used to track/control/prevent/correct the use of system and application accounts.

[IRS Publication 1075] The agency must:
a. Identify and select the accounts with access to FTI to support agency missions/business functions;
b. Assign account managers for information system accounts;
c. Establish conditions for group and role membership;
d. Specify authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
e. Require approval for requests to create information system accounts;
f. Create, enable, modify, disable, and remove information system accounts in accordance with documented agency account management procedures;
g. Monitor the use of information system accounts;
h. Notify account managers when accounts are no longer required, when users are terminated or transferred, or when individual information system usage or need-to-know permission changes;
i. Authorize access to information systems that receive, process, store, or transmit FTI based on a valid access authorization, need-to-know permission, and under the authority to re-disclose FTI under the provisions of IRC 6103;
j. Review accounts for compliance with account management requirements at a minimum of annually for user accounts and semi-annually for privileged accounts; and
k. Establish a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
The information system must automatically disable inactive accounts after 120 days of [...]


Associated Requirement Sections

Computer Fraud and Abuse Act of 1986 (US) 18 USC 1031 - Section 1030. a) 1
NIST 800-53 Rev.4 - AC-2 (1) (2) (3) (4)
Critical Control 15: Controlled Access Based on the Need to Know
Critical Control 16: Account Monitoring and Control
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy


Req.#: R0003
Family: ACCESS CONTROL
Control Name: ACCESS ENFORCEMENT
NIST 800-53 Control #: AC-3
Low Security Program [Control and Control Enhancement]: Required
MODERATE [Control and Control Enhancement]: Required
Area (Function Area -> Functional Sub-Area): Protect -> Access Control


NIST 800-53 Rev. 4 Control [Control and Control Enhancement] (Detailed breakdown of required controls)

The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

Vendor's Response (Please address all the controls and control enhancements, then describe if the controls are Implemented, Partially Implemented or Not Implemented):


Overall Implementation Status (Reference on Comments Page):
  Implemented
  Partially Implemented
  Planned
  Alternative Implementation
  Not Applicable

Control(s) (Where does the Control(s) originate from?):
  Service Provider Corporate
  Service Provider System Specific
  Service Provider Hybrid (Corporate and System Specific)
  Configured by Customer (Customer System Specific)
  Provided by Customer (Customer System Specific)
  Shared (Service Provider and Customer Responsibility)
  Controls inherited by IaaS

Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.):

Vendor's Compensating Controls (if Control or Control enhancement Can't Be Met - What is the alternative security controls or remediation plan employed by organization):


Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why) (Please see Risk Statement for examples of Non-Compliance language, Column O):

General Assessment Questions:
Are information systems (applications, operating systems, network devices, databases, etc.) configured and access enforcement mechanisms employed per approved policy to provide protection from unauthorized access by malicious users, software or systems?

Detailed Control Testing Procedure(s):
Obtain access control policy; procedures addressing access enforcement; information system configuration settings and associated documentation; list of assigned authorizations (user privileges); information system audit records; other relevant documents or records and ascertain if
(i) the information system enforces assigned authorizations for controlling access to the system in accordance with applicable policy; and
(ii) user privileges on the information system are consistent with the documented user authorizations.
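Testing step (ii) above asks whether the privileges actually granted on the system match the documented user authorizations. The following Python is an added example, not part of the DIR crosswalk or of any vendor's response: it parses a constructed privilege export, reconciles it against a constructed authorization register, and reports excess grants (present on the system but not documented), missing grants (documented but not present), and users known to only one of the two sources. The export line format, the user, resource and privilege names are all placeholders.

```python
"""Reconcile documented authorizations against effective privileges (AC-3 step ii).

Added example; not part of the DIR crosswalk or of any vendor's response.
The authorization register, the privilege export and all names in them are
constructed samples, and the export's key=value line format is a placeholder
for whatever the real system produces.
"""
from typing import Dict, List, Set, Tuple

Grant = Tuple[str, str]              # (resource, privilege)
GrantMap = Dict[str, Set[Grant]]     # user -> set of grants

# Documented authorizations (constructed): what the access control policy says
# each user is allowed to hold.
DOCUMENTED: GrantMap = {
    "alice": {("hr-db", "read"), ("hr-db", "write")},
    "bob": {("hr-db", "read")},
    "carol": {("payroll-app", "read")},
}

# Constructed export of effective privileges, one grant per line. Note that
# bob holds a write he is not authorized for, dave has no documented
# authorization at all, and carol's documented grant is absent.
PRIVILEGE_EXPORT = """\
# constructed export, not from a real system
user=alice resource=hr-db priv=read
user=alice resource=hr-db priv=write
user=bob resource=hr-db priv=read
user=bob resource=hr-db priv=write
user=dave resource=payroll-app priv=admin
"""


def parse_privilege_export(text: str) -> GrantMap:
    """Parse key=value lines into a user -> {(resource, privilege)} map.
    Blank lines and '#' comments are skipped; a line missing one of the three
    keys raises, since silently dropping a grant would hide a finding."""
    grants: GrantMap = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = dict(item.split("=", 1) for item in line.split())
        user, resource, priv = fields["user"], fields["resource"], fields["priv"]
        grants.setdefault(user, set()).add((resource, priv))
    return grants


def reconcile(documented: GrantMap, effective: GrantMap) -> Dict[str, List[Tuple[str, str, str]]]:
    """Findings keyed by user. Each finding is (kind, resource, privilege):
    'excess'  = granted on the system but not documented (privilege creep);
    'missing' = documented but not granted (stale register or broken provisioning).
    Users present in only one source fall out naturally from the set difference."""
    findings: Dict[str, List[Tuple[str, str, str]]] = {}
    for user in sorted(set(documented) | set(effective)):
        doc = documented.get(user, set())
        eff = effective.get(user, set())
        items = [("excess", r, p) for r, p in sorted(eff - doc)]
        items += [("missing", r, p) for r, p in sorted(doc - eff)]
        if items:
            findings[user] = items
    return findings


def is_consistent(documented: GrantMap, effective: GrantMap) -> bool:
    """True when every effective grant is documented and vice versa."""
    return not reconcile(documented, effective)


def run_sample_reconciliation() -> Dict[str, List[Tuple[str, str, str]]]:
    """Reconcile the constructed register against the constructed export."""
    return reconcile(DOCUMENTED, parse_privilege_export(PRIVILEGE_EXPORT))


if __name__ == "__main__":
    for user, items in run_sample_reconciliation().items():
        for kind, resource, priv in items:
            print(f"{user}: {kind} {priv} on {resource}")
```

Excess findings are the ones that map directly to the risk statement for this control (misconfigured access controls granting unauthorized access); missing findings usually point at a stale authorization register, which matters because the register is the evidence an assessor compares the system against.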



Risk Statement Examples: Misconfigured access controls provide unauthorized access to information held in application systems.
SOA Policy Number / SOA SubSection: 8320 / 6.1; 8410 / 6.3


COBIT Reference (Control Objective): [CobiT v5 - High Level Control Objective APO13; DSS02, DSS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and monitoring, detecting, reporting security vulnerabilities and incidents.
Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316


Consolidated Control Activities (See Column AE through AO)

[CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy] The information system shall enforce assigned authorizations for controlling access to the system and contained information. The information system controls shall restrict access to privileged functions (deployed in [...]mware) and security-relevant information to explicitly authorized personnel.
[...]zed personnel include, for example, security administrators, system and network administrators, and other privileged users with access to system control, monitoring, or administration functions (e.g., system administrators, information system security officers, maintainers, system pr[...]
[...]olicies (e.g., identity-based policies, role-based policies, rule-based policies) and associated access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) shall be employed by agencies to control access between users (or processes acting on behalf [...]ices, files, records, processes, programs, domains) in the information system.

[Critical Control #15] The processes and tools used to track/control/prevent/correct secure access to information according to the formal determination of which persons, computers, and applications have a need and right to access information based on an approved classification.

[Critical Control #16] The processes and tools used to track/control/prevent/correct the use of system and application accounts.

[IRS Publication 1075] 9.3.1.3 Access Enforcement (AC-3) The information system must enforce:
a. Approved authorizations for logical access to information and system resources in accordance with applicable access control policies; and
b. [...] access control policy over defined subjects and objects and controls access to FTI based upon a valid access authorization, intended system usage, and the authority to be disclosed FTI under the provisions of IRC 6103.


Associated Requirement Sections

NIST 800-53 Rev.4 - AC-3
Critical Control 15: Controlled Access Based on the Need to Know
Critical Control 16: Account Monitoring and Control
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy



R0004 | Family: ACCESS CONTROL | Control Name: INFORMATION FLOW ENFORCEMENT | 800-53 Control #: AC-4 | NIST Low / MODERATE [Control and Control Enhancement]: Required (21) | Security Program Area (Function Area -> Functional Sub-Area): Protect -> Access Control



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls
Vendor's Response (Please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented)

The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected
systems based on [Assignment: organization-defined information flow control policies].
Control Enhancements
(21) INFORMATION FLOW ENFORCEMENT |
PHYSICAL / LOGICAL SEPARATION OF INFORMATION FLOWS
The information system separates information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information].



Overall Control(s) Implementation Status (Reference on Comments Page): Implemented | Partially Implemented | Planned | Alternative Implementation | Not Applicable
Where does the Control(s) originate from?: Service Provider Corporate | Service Provider System Specific | Service Provider Hybrid (Corporate and System Specific) | Configured by Customer (Customer System Specific) | Provided by Customer (Customer System Specific) | Shared (Service Provider and Customer Responsibility) | Controls inherited by IaaS
Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.)
Vendor's Compensating Controls (if Control or Control enhancement Can't Be Met - What is the alternative security controls or remediation plan employed by organization)



Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why; please see Risk Statement for examples of Non-Compliance language, Column O)

General Assessment Questions: Does the institution or department have policies and supporting processes in place: 1) to "authorize" and regulate connections to and from applicable information systems, and [Note: supporting processes can include security considerations when interfaces are created to and from the information system; controlling administrative type access that can enable interface accounts, etc.]; 2) to restrict and control the allocation and use of administrative access to information systems? [Note: examples may include approvals needed to grant administrative type access; monitoring for administrative access need and usage; etc.]

Detailed Control Testing Procedure(s): Obtain access control policy; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; information system baseline configuration; list of information flow authorizations; information system audit records; other relevant documents or records and ascertain if the information system enforces assigned authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy.



Risk Statement Examples: Users gain access to information that is beyond their appropriate level of privilege.
SOA Policy Number 1 / SOA SubSection 1: 8320 / 6.3



COBIT Reference (Control Objective): [CobiT v5 - High Level Control Objective AP013; DSS02, DSS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and monitoring, detecting, reporting security vulnerabilities and incidents.
Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316



Consolidated Control Activities
(See Column AE through AO)

For HIPAA Security covered data, special considerations for access privileges have been documented.

[CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy] The network infrastructure shall control the flow of information between interconnected systems. Information flow control regulates where information is allowed to travel within an information system and betwee[n ...]sed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. In other words, controlling how data moves from one place to the next in a secure manner. Examples of controls that are better expressed as flow control than ac[cess control] are:
[... fro]m being transmitted unencrypted across the public network.
[... t]raffic that claims to be from within the agency.
[... an]y web requests to the public network that are not from the internal web proxy.
[... example]s of flow control enforcement can be found in boundary protection devices (e.g. proxies, gateways, guards, encrypted tunnels, firewalls, and routers) that employ rule sets or establish configuration settings that restrict information system services or provide a packet filtering capabilit[y ...]
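The three CJIS flow-control examples above, as an added illustration that is not code from the crosswalk or from the CJIS policy: constructed flow records are checked against an anti-spoofing rule, a proxy-only web egress rule and a no-plaintext-egress rule, which is what distinguishes flow control (where data may travel) from access control (who may read it). The agency address range, proxy address, CJI-handling host list and plaintext-port set are assumptions.

```python
"""Flow-control checks for the three CJIS examples (added example, not from the crosswalk)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Assumed environment, not taken from the page: agency address space, the internal
# web proxy, hosts that handle CJI, and ports treated as unencrypted protocols.
AGENCY_NETS = [ip_network("10.0.0.0/8")]
WEB_PROXY = ip_address("10.0.1.20")
CJI_HOSTS = {ip_address("10.0.5.10")}
PLAINTEXT_PORTS = {21, 23, 80}
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Flow:
    """One flow as a boundary device sees it; iface 'external' faces the public network."""
    iface: str
    src: str
    dst: str
    dport: int


def _is_agency(addr) -> bool:
    """True when the address belongs to the agency's own address space."""
    return any(addr in net for net in AGENCY_NETS)


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return ('accept' | 'drop', reason). The rules constrain where data travels, not who reads it."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    inbound = flow.iface == "external"
    # CJIS example 2: outside traffic that claims an agency source address is spoofed.
    if inbound and _is_agency(src):
        return "drop", "inbound traffic claims to be from within the agency"
    leaving_agency = not inbound and _is_agency(src) and not _is_agency(dst)
    # CJIS example 1: CJI-handling hosts may not send unencrypted protocols to the public network.
    if leaving_agency and src in CJI_HOSTS and flow.dport in PLAINTEXT_PORTS:
        return "drop", "CJI transmitted unencrypted across the public network"
    # CJIS example 3: web requests to the public network must come from the internal web proxy.
    if leaving_agency and flow.dport in WEB_PORTS and src != WEB_PROXY:
        return "drop", "web request to public network not from the internal web proxy"
    return "accept", "permitted by flow-control policy"


def audit(flows: List[Flow]) -> List[str]:
    """One record per flow: the kind of audit evidence the testing procedure asks for."""
    records = []
    for f in flows:
        verdict, why = evaluate(f)
        records.append(f"{f.iface} {f.src}->{f.dst}:{f.dport} {verdict} ({why})")
    return records


if __name__ == "__main__":
    # Constructed sample flows covering each rule plus two permitted cases.
    sample = [
        Flow("external", "10.0.3.4", "10.0.1.5", 445),        # spoofed agency source
        Flow("internal", "10.0.5.10", "203.0.113.7", 80),     # CJI host, plaintext egress
        Flow("internal", "10.0.7.7", "203.0.113.7", 443),     # web egress bypassing proxy
        Flow("internal", "10.0.1.20", "203.0.113.7", 443),    # proxy egress, permitted
        Flow("external", "198.51.100.9", "10.0.1.5", 443),    # ordinary inbound, permitted
    ]
    for line in audit(sample):
        print(line)
```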

[Critical Control #10] The processes and tools used to track/control/prevent/correct security weaknesses in the configurations in network devices such as firewalls, routers, and switches based on formal configuration management and change control processes.

[Critical Control #15] The processes and tools used to track/control/prevent/correct secure access to information according to the formal determination of which persons, computers, and applications have a need and right to access information based on an approved classification.

[Critical Control #17] The processes and tools used to track/control/prevent/correct data transmission and storage, based on the data's content and associated classification.

[... 1075] The information system must enforce approved authorizations for controlling the flow of FTI within the system and between interconnected systems based on the technical safeguards in place to protect the FTI.
[Requir]ements for protecting the flow of FTI can be found in:
[E]mail Communications
[F]ax Equipment
Multi-Functional Devices

[... 1075] 9.3.1.3 Access Enforcement (AC-3) The information system must:
[Enforce approved auth]orizations for logical access to information and system resources in accordance with applicable access control policies; and
[... a]ccess control policy over defined subjects and objects and controls access to FTI based upon a valid access authorization, intended system usage, and the authority to be disclosed FTI under the provisions of IRC 6103.



Associated Requirement Sections

HIPAA Security Section - 45 CFR 164.308(a)(3)(ii)(B)
HIPAA Security Section - 45 CFR 164.308(a)(4)(ii)(B)
HIPAA Security Section - 45 CFR 164.308(a)(4)(ii)(C)
HIPAA Security Section - 45 CFR 164.312(c)(2)
NIST 800-53 Rev.4 - AC-4
Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
Critical Control 15: Controlled Access Based on the Need to Know
Critical Control 17: Data Loss Prevention
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy



R0005 | Family: ACCESS CONTROL | Control Name: SEPARATION OF DUTIES | 800-53 Control #: AC-5 | NIST Low / MODERATE [Control and Control Enhancement]: Required | Security Program Area (Function Area -> Functional Sub-Area): Protect -> Account Management



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls
Vendor's Response (Please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented)

The organization:
a. Separates [Assignment: organization-defined duties of individuals];
b. Documents separation of duties of individuals; and
c. Defines information system access authorizations to support separation of duties.






Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why; please see Risk Statement for examples of Non-Compliance language, Column O)

General Assessment Questions: Has the institution or department identified, documented, and separated duties of individuals (or roles) as necessary to prevent collusion or fraud? If so, has such separation of duties been implemented through assigned information system access authorizations? (Note: Fraud could occur when: an administrator has the ability to clear system logs; developers have update access to production systems; application roles where an individual with access to accounts payable has access to cash accounts, etc.)

Detailed Control Testing Procedure(s): Obtain access control policy; procedures addressing divisions of responsibility and separation of duties; information system configuration settings and associated documentation; list of divisions of responsibility and separation of duties; information system audit records; other relevant documents or records and ascertain if (i) the organization establishes appropriate divisions of responsibility and separates duties as needed to eliminate conflicts of interest in the responsibilities and duties of individuals; and (ii) the information system enforces separation of duties through assigned access authorizations.



Risk Statement Examples: The lack of user segregation of duties may result in unauthorized or unintentional modification or misuse of the organization's information assets.
SOA Policy Number 1 / SOA SubSection 1: 8310 / 6.3.4



COBIT Reference (Control Objective): [CobiT v5 - High Level Control Objective AP001; AP007; AP011] Controls have been established for defining the IT processes, organization and relationships to be responsive to business strategy and comply with governance requirements.
Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316



Consolidated Control Activities
(See Column AE through AO)

[...]Control Guidance
[CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy] The information system shall enforce assigned authorizations for controlling access to the system and contained information. The information system controls shall restrict access to privileged functions (deployed in [hardware, software, and fir]mware) and security-relevant information to explicitly authorized personnel. [Authori]zed personnel include, for example, security administrators, system and network administrators, and other privileged users with access to system control, monitoring, or administration functions (e.g., system administrators, information system security officers, maintainers, system pr[...]olicies (e.g., identity-based policies, role-based policies, rule-based policies) and associated access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) shall be employed by agencies to control access between users (or processes acting on behalf [of users ...]ices, files, records, processes, programs, domains) in the information system.

[... 1075] The agency must:
[Separate dutie]s of individuals to prevent harmful activity without collusion;
[Document sep]aration of duties of individuals; and
[Define informa]tion system access authorizations to support separation of duties.



Associated Requirement Sections

NIST 800-53 Rev.4 - AC-5
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy



R0006 | Family: ACCESS CONTROL | Control Name: LEAST PRIVILEGE | 800-53 Control #: AC-6 | NIST Low / MODERATE [Control and Control Enhancement]: Required (1,2,5,9,10) | Security Program Area (Function Area -> Functional Sub-Area): Protect -> Account Management



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls
Vendor's Response (Please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented)

The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users)
which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

Control Enhancement:
(1) LEAST PRIVILEGE | AUTHORIZE ACCESS TO SECURITY FUNCTIONS
The organization explicitly authorizes access to [Assignment: organization-defined security functions (deployed in hardware, software, and
firmware) and security-relevant information].
(2) LEAST PRIVILEGE | NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS
The organization requires that users of information system accounts, or roles, with access to [Assignment: organization-defined security functions
or security-relevant information], use non-privileged accounts or roles, when accessing non-security functions.
(5) LEAST PRIVILEGE | PRIVILEGED ACCOUNTS
The organization restricts privileged accounts on the information system to [Assignment: organization-defined personnel or roles].
(9) LEAST PRIVILEGE | AUDITING USE OF PRIVILEGED FUNCTIONS
The information system audits the execution of privileged functions.
(10) LEAST PRIVILEGE | PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS
The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering
implemented security safeguards/countermeasures.






Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why; please see Risk Statement for examples of Non-Compliance language, Column O)

General Assessment Questions: Has the institution or department established and implemented procedures to restrict system access to only authorized personnel based on need to know and to other information systems based on business function requirements? [Note: the organization may need to control access to facilities, information inside applications, software programs for testing and revision.]

Detailed Control Testing Procedure(s): Obtain access control policy; procedures addressing least privilege; list of assigned access authorizations (user privileges); information system configuration settings and associated documentation; information system audit records; other relevant documents or records and ascertain if (i) the organization assigns the most restrictive set of rights/privileges or accesses needed by users for the performance of specified tasks; and (ii) the information system enforces the most restrictive set of rights/privileges or accesses needed by users.



Risk Statement Examples: Information in applications is accessed by users and support personnel outside of defined business requirements.
SOA Policy Number 1 / SOA SubSection 1: 8310 / 6.3.3, 6.4-6.8
SOA Policy Number 2 / SOA SubSection 2: 8320 / 6.4-6.8
SOA Policy Number 3 / SOA SubSection 3: 8410 / 6.4



COBIT Reference (Control Objective): [CobiT v5 - High Level Control Objective AP013; DSS02, DSS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and monitoring, detecting, reporting security vulnerabilities and incidents.
Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316
A.R.S 13-2316 (A)



Consolidated Control Activities
(See Column AE through AO)

[Computer Fraud and Abuse Act of 1986 (US) 18 USC 1032] Information inside applications is restricted to authorized personnel based on a need to know or least privilege basis. This is accomplished through authorization controls that limit information that is displayed in applications bas[...]rements.
[PCI DSS v2.0] Assignment of privileges is based on individual personnel's job classification and function. Requirement for an authorization form signed by management that specifies required privileges. Implementation of an automated access control system. For shared hosti[...] runs and has access to processes and privileges that have access to that entity's cardholder data environment.

[...] establishes and implements procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.

[CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy] The agency shall approve individual access privileges and shall enforce physical and logical access restrictions associated with changes to the information system; and generate, retain, and review records reflecting a[...]enforce the most restrictive set of rights/privileges or access needed by users for the performance of specified tasks. The agency shall implement least privilege based on specific duties, operations, or information systems as necessary to mitigate risk to CJI. This limits access to CJI to o[...]he need and the right to know. [... pri]vilege changes shall be maintained for a minimum of one year or at least equal to the agency's record retention policy, whichever is greater.

[Critical Control #12] The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.

[Critical Control #15] The processes and tools used to track/control/prevent/correct secure access to information according to the formal determination of which persons, computers, and applications have a need and right to access information based on an approved classification.

[... 1075] The agency must:
[Employ the pri]nciple of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned tasks in accordance with agency missions and business functions;
[Explicitly auth]orize access to FTI; (CE1)
[Require that u]sers of information system accounts, or roles, with access to FTI, use non-privileged accounts or roles when accessing non-security functions; and (CE2)
[Restrict privile]ged accounts on the information system to a limited number of individuals with a need to perform administrative duties; (CE5)
[The information] system must:
[Audit the exec]ution of privileged functions; and (CE9)
[Prevent non-p]rivileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures. (CE10)



Associated Requirement Sections

Computer Fraud and Abuse Act of 1986 (US) 18 USC 1032 - Section 1030. a) 2
PCI DSS v2.0 - Sec 7.1
PCI DSS v2.0 - Sec 7.2
PCI DSS v2.0 - Sec 7.1.1
PCI DSS v2.0 - Sec 7.1.2
PCI DSS v2.0 - Sec 7.1.3
PCI DSS v2.0 - Sec 7.1.4
PCI DSS v2.0 - Sec 7.2.1
PCI DSS v2.0 - Sec 7.2.2
PCI DSS v2.0 - Sec 7.2.3
PCI DSS v2.0 - Sec A.1.2
PCI DSS v2.0 - Sec A.1.3
HIPAA Security Section - 45 CFR 164.308(a)(3)(i)
HIPAA Security Section - 45 CFR 164.308(a)(3)(ii)(B)
HIPAA Security Section - 45 CFR 164.308(a)(4)(i)
NIST 800-53 Rev.4 - AC-6 (1) (2) (5) (9) (10)
Critical Control 12: Controlled Use of Administrative Privileges
Critical Control 15: Controlled Access Based on the Need to Know
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy



R0007 | Family: ACCESS CONTROL | Control Name: UNSUCCESSFUL LOGON ATTEMPTS | 800-53 Control #: AC-7 | NIST Low [Control and Control Enhancement]: Required | MODERATE [Control and Control Enhancement]: Required | Security Program Area (Function Area -> Functional Sub-Area): Protect -> System Configuration Hardening & Patch Management



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls
Vendor's Response (Please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented)

The information system:
a. Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and
b. Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.






Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why; please see Risk Statement for examples of Non-Compliance language, Column O)

General Assessment Questions: Has the institution or department implemented procedures and controls to lock user access to information resources after a defined number of unsuccessful login attempts?

Detailed Control Testing Procedure(s): Obtain access control policy; procedures addressing unsuccessful logon attempts; security plan; information system configuration settings and associated documentation; information system audit records; other relevant documents or records and ascertain if
(i) the organization defines in the security plan, explicitly or by reference, the maximum number of consecutive invalid access attempts to the information system by a user and the time period in which the consecutive invalid access attempts occur;
(ii) the information system enforces the organization-defined limit of consecutive invalid access attempts by a user during the organization-defined time period;
(iii) the organization defines in the security plan, explicitly or by reference, the time period for lock out mode or delay period;
(iv) the organization selects either a lock out mode for the organization-defined time period or delays next login prompt for the organization-defined delay period for information system responses to consecutive invalid access attempts;
(v) the information system enforces the organization-selected lock out mode or delayed login prompt.



Risk Statement Examples: Unauthorized access is gained to operating systems.
SOA Policy Number 1 / SOA SubSection 1: 8320 / 6.9



COBIT Reference (Control Objective): [CobiT v5 - High Level Control Objective AP013; DS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and monitoring, detecting, reporting security vulnerabilities and incidents.
Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316
A.R.S 13-2316 (A)



Consolidated Control Activities
(See Column AE through AO)

[Computer Fraud and Abuse Act of 1986 (US) 18 USC 1033] Security facilities are used to restrict access to operating systems to authorized users.

[... PCI DSS v2.0] [On] systems containing PCI covered data, passwords are changed at least every 90 days, require a minimum password length of seven characters, contain both numeric and alphabetic characters. Users are not allowed to submit a new password that is the same as any of the last four pass[words ...] will be locked out if they have entered six incorrect passwords in a row. The lock-out duration for the attempts will be at least 30 minutes or until an administrator enables the ID.

[CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy] Where technically feasible, the system shall enforce a limit of no more than 5 consecutive invalid access attempts by a user (attempting to access CJI or systems with access to CJI). The system shall automatically lock [the account/node fo]r a 10 minute time period unless released by an administrator.

[... 1075] 9.3.1.7 Unsuccessful Logon Attempts (AC-7) The information system must:
[Enforce a limit] of three consecutive invalid logon attempts by a user during a 120-minute period; and
[Automatically] lock the account until released by an administrator. Specific to mobile device requirements, the logon is to the mobile device, not to any one account on the device.
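An added example, not code from the crosswalk or from any of the cited standards, that models AC-7(a)/(b) as a lockout state machine and encodes the three profiles quoted above: PCI DSS (six incorrect in a row, 30-minute lock), CJIS (five consecutive, 10-minute lock) and the 1075 text (three in 120 minutes, locked until an administrator releases). The profile names, the reading that the Nth failure applies the lock, and timestamps as integer seconds are assumptions.

```python
"""Lockout state machine for NIST 800-53 AC-7 (added example, not from the crosswalk)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class LockoutPolicy:
    """AC-7 parameters for one profile.

    max_attempts:   AC-7(a) number of consecutive invalid attempts; the Nth failure locks
                    (assumption: this is how "limit of N" / "N in a row" is read here).
    window_seconds: AC-7(a) time period in which failures are counted; None = no time bound.
    lock_seconds:   AC-7(b) lock duration; None = locked until released by an administrator.
    """
    max_attempts: int
    window_seconds: Optional[int]
    lock_seconds: Optional[int]


# Profiles constructed from the numbers quoted in the text above (names are assumed).
PCI_DSS_V2 = LockoutPolicy(max_attempts=6, window_seconds=None, lock_seconds=30 * 60)
CJIS_5_1 = LockoutPolicy(max_attempts=5, window_seconds=None, lock_seconds=10 * 60)
PUB_1075 = LockoutPolicy(max_attempts=3, window_seconds=120 * 60, lock_seconds=None)


@dataclass
class AccountState:
    failures: List[int] = field(default_factory=list)  # timestamps of counted failures
    locked_at: Optional[int] = None                    # when the lock was applied
    audit: List[str] = field(default_factory=list)     # audit trail the assessor asks for


def _still_locked(state: AccountState, policy: LockoutPolicy, now: int) -> bool:
    """AC-7(b): a timed lock expires on its own; an admin-release lock does not."""
    if state.locked_at is None:
        return False
    if policy.lock_seconds is None or now - state.locked_at < policy.lock_seconds:
        return True
    state.locked_at = None  # timed lock has expired
    state.failures.clear()
    return False


def attempt(state: AccountState, policy: LockoutPolicy, now: int, credential_ok: bool) -> str:
    """Process one logon attempt at time `now` (seconds); returns 'allowed', 'denied' or 'locked'."""
    if _still_locked(state, policy, now):
        state.audit.append(f"{now}: attempt rejected, account locked")
        return "locked"  # the credential is not evaluated while locked
    if credential_ok:
        state.failures.clear()  # a success ends the consecutive run
        return "allowed"
    if policy.window_seconds is not None:
        # only failures inside the AC-7(a) time period count
        state.failures = [t for t in state.failures if now - t < policy.window_seconds]
    state.failures.append(now)
    if len(state.failures) >= policy.max_attempts:
        state.locked_at = now
        state.failures.clear()
        state.audit.append(f"{now}: lockout after {policy.max_attempts} invalid attempts")
        return "locked"
    return "denied"


def release(state: AccountState, now: int, admin: str) -> None:
    """Administrator release: the only way out of a lock when lock_seconds is None."""
    state.locked_at = None
    state.failures.clear()
    state.audit.append(f"{now}: lock released by {admin}")


def simulate(policy: LockoutPolicy, attempts: List[Tuple[int, bool]]) -> Tuple[List[str], AccountState]:
    """Run a sequence of (timestamp, credential_ok) attempts against a fresh account."""
    state = AccountState()
    return [attempt(state, policy, t, ok) for t, ok in attempts], state


if __name__ == "__main__":
    six_wrong = [(t, False) for t in range(6)]
    outcomes, _ = simulate(PCI_DSS_V2, six_wrong + [(6, True), (6 + 30 * 60, True)])
    print(outcomes)  # ['denied', 'denied', 'denied', 'denied', 'denied', 'locked', 'locked', 'allowed']
```

Note that the correct password at t=6 is still rejected because the lock is checked before the credential is evaluated, which is what keeps a guess from succeeding during the lock period.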

[... 1075] 9.3.1.14 Access Control for Mobile Devices (AC-19) A mobile device is a computing device that (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive informatio[n ...] non-removable, or removable data [...] [i]ncludes a self-contained power source.
[...]:
[...] restrictions, configuration requirements, connection requirements, and implementation guidance for agency-controlled mobile devices;
[...] connection of mobile devices to agency information systems;
[...]tion to protect the confidentiality and integrity of information on mobile devices (e.g., smartphones and laptop computers) (CE5); and
[...] information from mobile devices based on 10 consecutive, unsuccessful device logon attempts (e.g., personal digital assistants, [...] and tablets). Laptop computers are excluded from this requirement (AC-7, CE2).



Associated Requirement Sections

Computer Fraud and Abuse Act of 1986 (US) 18 USC 1033 - Section 1030. a) 3
PCI DSS v2.0 - Sec 8.5.10
PCI DSS v2.0 - Sec 8.5.11
PCI DSS v2.0 - Sec 8.5.12
PCI DSS v2.0 - Sec 8.5.13
PCI DSS v2.0 - Sec 8.5.14
PCI DSS v2.0 - Sec 8.5.9
NIST 800-53 Rev.4 - AC-7
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy



R0008 | Family: ACCESS CONTROL | Control Name: SYSTEM USE NOTIFICATION | 800-53 Control #: AC-8 | NIST Low [Control and Control Enhancement]: Required | MODERATE [Control and Control Enhancement]: Required | Security Program Area (Function Area -> Functional Sub-Area): Protect -> Identification & Authentication

R0009 | Family: ACCESS CONTROL | Control Name: CONCURRENT SESSION LOCK | 800-53 Control #: AC-10 | NIST Low / MODERATE [Control and Control Enhancement]: Required | Security Program Area (Function Area -> Functional Sub-Area): Protect -> Information & Authentication



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls
Vendor's Response (Please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented)

The information system:


a. Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that
provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and
guidance and states that:
1. Users are accessing a U.S. Government information system;
2. Information system usage may be monitored, recorded, and subject to audit;
3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and
4. Use of the information system indicates consent to monitoring and recording;
b. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or
further access the information system; and
c. For publicly accessible systems:
1. Displays system use information [Assignment: organization-defined conditions], before granting further access;
2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that
generally prohibit those activities; and
3. Includes a description of the authorized uses of the system.

R0009 (AC-10) Control: The information system:


a. Prevents further access to the system by initiating a session lock after [Assignment:
organization-defined time period] of inactivity or upon receiving a request from a user; and
b. Retains the session lock until the user reestablishes access using established identification and
authentication procedures.



Supporting Documentation (applies to R0008 and R0009)
Overall Implementation Status (Reference on Comments Page): Implemented / Partially Implemented / Planned / Alternative Implementation / Not Applicable
Where does the Control(s) originate from?: Service Provider Corporate / Service Provider System Specific / Service Provider Hybrid (Corporate and System Specific) / Configured by Customer (Customer System Specific) / Provided by Customer (Customer System Specific) / Shared (Service Provider and Customer Responsibility) / Controls inherited by IaaS
Control(s): Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.
Vendor's Compensating Controls: If the Control or Control Enhancement can't be met, what is the alternative security control or remediation plan employed by the organization?



Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why. Please see Risk Statement for examples of Non-Compliance language, Column O)

General Assessment Questions (R0008 / AC-8): Do institutional or departmental information systems display an approved system use notification message or banner before granting access to the information system?

Detailed Control Testing Procedure(s) (R0008 / AC-8): Obtain access control policy; privacy and security policies; procedures addressing system use notification; information system notification messages; information system configuration settings and associated documentation; other relevant documents or records and ascertain if
(i) the information system displays a system use notification message before granting system access informing potential users:
- that the user is accessing a U.S. Government information system;
- that system usage may be monitored, recorded, and subject to audit;
- that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and
- that use of the system indicates consent to monitoring and recording;
(ii) the system use notification message provides appropriate privacy and security notices (based on associated privacy and security policies or summaries);
(iii) the organization approves the information system use notification message before its use; and
(iv) the system use notification message remains on the screen until the user takes explicit actions to log on to the information system.

General Assessment Questions (R0009 / AC-10):
1. Does the information system enforce a session lock after a determined amount of time?
2. Does the information system retain the session lock until the user reestablishes access using established credentials?

Detailed Control Testing Procedure(s) (R0009 / AC-10): Obtain access control policy; procedures addressing session lock; information system design documentation; information system configuration settings and associated documentation; security plan; other relevant documents or records and ascertain if
(i) the organization defines in the security plan, explicitly or by reference, the time period of user inactivity after which the information system initiates a session lock;
(ii) the information system initiates a session lock after the organization-defined time period of inactivity;
(iii) the information system provides the capability for users to directly initiate session lock mechanisms; and
(iv) the information system maintains the session lock until the user reestablishes access using appropriate identification and authentication procedures.



Risk Statement Examples (SOA Policy Number 1-4 / SOA SubSection 1-4)
- Unauthorized users log on to information systems. (SOA Policy Number 8320, SOA SubSection 6.1)
- Does not enforce a session lock.



Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316
COBIT Reference (Control Objective): [CobiT v5 - High Level Control Objective AP013; DSS02, DSS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and monitoring, detecting, reporting security vulnerabilities and incidents.



Consolidated Control Activities
(See Column AE through AO)

8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] The information system shall display an approved system use notification message, before granting access, informing potential users of various usages and monitoring rules. The system use notification message shal
wing information:
essing a restricted information system.
may be monitored, recorded, and subject to audit.
use of the system is prohibited and may be subject to criminal and/or civil penalties.
em indicates consent to monitoring and recording.
rity policies shall be consistent with applicable laws, executive orders, directives, policies, regulations, standards, and guidance. System use notification messages can be implemented in the form of warning banners displayed when individuals log in to the information system. For pub

e information is available and when appropriate, is displayed before granting access;


s to monitoring, recording, or auditing are in keeping with privacy accommodations for such systems that generally prohibit those activities; and
en to public users of the information system includes a description of the authorized uses of the system.

1075] The information system must:


g access to the system, display to users an IRS-approved warning banner that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:
ntains U.S. Government information;
are monitored and audited;
use of the system is prohibited; and
use of the system is subject to criminal and civil sanctions. The warning banner must be applied at the application, database, operating system, and network device levels for all systems that receive, process, store, or transmit FTI.
ning banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system.
ssible systems, the information system must:
-approved warning banner granting further access;
nces, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
iption of the authorized uses of the system. For sample warning banners approved by the Office of Safeguards



Associated Requirement Sections

NIST 800-53 Rev.4 - AC-8


CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services
(CJIS) Security Policy



Req.#: R0010
Security Control Family: ACCESS CONTROL
Control Name: SESSION LOCK
NIST 800-53 Control #: AC-11
Low / Moderate [Control and Control Enhancement]: Required (1)
Security Program Area (Function Area -> Functional Sub-Area): Protect -> Account Management

Req.#: R0011
Security Control Family: ACCESS CONTROL
Control Name: SESSION TERMINATION
NIST 800-53 Control #: AC-12
Low / Moderate [Control and Control Enhancement]: Required
Security Program Area (Function Area -> Functional Sub-Area): Protect -> Account Management



NIST 800-53 Rev. 4 Control [Control and Control Enhancement]: detailed breakdown of required controls
Vendor's Response: please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented.

R0010 (AC-11). The information system:


a. Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon
receiving a request from a user; and
b. Retains the session lock until the user reestablishes access using established identification and authentication procedures.

Control Enhancement:
(1) SESSION LOCK | PATTERN-HIDING DISPLAYS
The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image.

R0011 (AC-12). The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect].



Supporting Documentation (applies to R0010 and R0011)
Overall Implementation Status (Reference on Comments Page): Implemented / Partially Implemented / Planned / Alternative Implementation / Not Applicable
Where does the Control(s) originate from?: Service Provider Corporate / Service Provider System Specific / Service Provider Hybrid (Corporate and System Specific) / Configured by Customer (Customer System Specific) / Provided by Customer (Customer System Specific) / Shared (Service Provider and Customer Responsibility) / Controls inherited by IaaS
Control(s): Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.
Vendor's Compensating Controls: If the Control or Control Enhancement can't be met, what is the alternative security control or remediation plan employed by the organization?



Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why. Please see Risk Statement for examples of Non-Compliance language, Column O)

General Assessment Questions (R0010 / AC-11):
1) Does the information system enforce automatic session time-out after a pre-determined / reasonable period of inactivity (e.g., 10 minutes)?
2) Upon log-off or system time-out, does the system kill the session in such a manner that an unauthorized user cannot logon (e.g., in case of a web application, using an old session id for instance)?

Detailed Control Testing Procedure(s) (R0010 / AC-11): Obtain access control policy; procedures addressing session lock; information system design documentation; information system configuration settings and associated documentation; security plan; other relevant documents or records and ascertain if
(i) the organization defines in the security plan, explicitly or by reference, the time period of user inactivity after which the information system initiates a session lock;
(ii) the information system initiates a session lock after the organization-defined time period of inactivity;
(iii) the information system provides the capability for users to directly initiate session lock mechanisms; and
(iv) the information system maintains the session lock until the user reestablishes access using appropriate identification and authentication procedures.

General Assessment Questions (R0011 / AC-12): Does the institution or department have documented processes and operational controls for terminating a user session after a specific period of inactivity?

Detailed Control Testing Procedure(s) (R0011 / AC-12): Obtain documents relating to security safeguards and ascertain if the information system automatically terminates a user session when trigger events or conditions are met (such as organization-defined periods of user inactivity, targeted responses to certain types of incidents, time-of-day restrictions on information system use).



Risk Statement Examples (SOA Policy Number 1-4 / SOA SubSection 1-4)
- Unauthorized users access operating systems by physically or logically accessing valid inactive and/or unattended sessions. (SOA Policy Number 8320, SOA SubSection 6.11)
- Inadequate session limit mechanisms may expose sensitive information or operating systems to unauthorized access.



Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316
COBIT Reference (Control Objective):
[CobiT v5 - High Level Control Objective AP013; DSS02, DSS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and monitoring, detecting, reporting security vulnerabilities and incidents.
[CobiT v5 - High Level Control Objective AP013; DS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and monitoring, detecting, reporting security vulnerabilities and incidents.



Consolidated Control Activities
(See Column AE through AO)

Inactive sessions are shut down after a defined period of inactivity.

8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] The information system shall prevent further access to the system by initiating a session lock after a maximum of 30 minutes of inactivity, and the session lock remains in effect until the user reestablishes access usin
d authentication procedures. Users shall directly initiate session lock mechanisms to prevent inadvertent viewing when a device is unattended. A session lock is not a substitute for logging out of the information system. In the interest of officer safety, devices that are: (1) part of a poli
dispatch functions and located within a physically secure location, are exempt from this requirement. Note: an example of a session lock is a screen saver with password.

1075] The information system must:


r access to the system by initiating a session lock after 15 minutes
pon receiving a request from a user; and
sion lock until the user reestablishes access using established
d authentication procedures.

ntrol Guidance

1075] The information system must automatically terminate a user session after 15 minutes of inactivity.



Associated Requirement Sections

HIPAA Security Section - 45 CFR 164.312(a)(2)(iii)


NIST 800-53 Rev.4 - AC-11 (1)
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services
(CJIS) Security Policy

NIST 800-53 Rev.4 - AC-12



Req.#: R0012
Security Control Family: ACCESS CONTROL
Control Name: PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION
NIST 800-53 Control #: AC-14
Low [Control and Control Enhancement]: Required
Moderate [Control and Control Enhancement]: Required
Security Program Area (Function Area -> Functional Sub-Area): Protect -> Identification & Authentication



NIST 800-53 Rev. 4 Control [Control and Control Enhancement]: detailed breakdown of required controls
Vendor's Response: please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented.

R0012 (AC-14). The organization:
a. Identifies [Assignment: organization-defined user actions] that can be performed on the information system without identification or
authentication consistent with organizational missions/business functions; and
b. Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or
authentication.



Supporting Documentation (applies to R0012)
Overall Implementation Status (Reference on Comments Page): Implemented / Partially Implemented / Planned / Alternative Implementation / Not Applicable
Where does the Control(s) originate from?: Service Provider Corporate / Service Provider System Specific / Service Provider Hybrid (Corporate and System Specific) / Configured by Customer (Customer System Specific) / Provided by Customer (Customer System Specific) / Shared (Service Provider and Customer Responsibility) / Controls inherited by IaaS
Control(s): Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.
Vendor's Compensating Controls: If the Control or Control Enhancement can't be met, what is the alternative security control or remediation plan employed by the organization?



Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why. Please see Risk Statement for examples of Non-Compliance language, Column O)

General Assessment Questions (R0012 / AC-14): Are procedures in place for obtaining necessary electronic information during an emergency without identification and authentication, only to the extent necessary to accomplish mission/business objectives?

Detailed Control Testing Procedure(s) (R0012 / AC-14): Obtain access control policy; procedures addressing permitted actions without identification and authentication; information system configuration settings and associated documentation; security plan; other relevant documents or records and ascertain if the organization identifies and documents specific user actions that can be performed on the information system without identification or authentication.



Risk Statement Examples (SOA Policy Number 1-4 / SOA SubSection 1-4)
- During an emergency, access to information will not be available or will be disclosed to unauthorized parties. (SOA Policy Number 8320, SOA SubSection 6.12)



Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316
COBIT Reference (Control Objective): [CobiT v5 - High Level Control Objective AP013; DSS02, DSS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and monitoring, detecting, reporting security vulnerabilities and incidents.



Consolidated Control Activities
(See Column AE through AO)

Established (and implemented as needed) procedures are in place for obtaining necessary electronic information during an emergency.

1075] The agency must:


c user actions that can be performed on the information system without identification or authentication consistent with agency missions/business functions. FTI may not be disclosed to individuals on the information system without identification and authentication; and
provide supporting rationale in the SSR for the information system the user actions not requiring identification or authentication.
ss without identification and authentication would be instances in which the agency maintains a publicly accessible website for
tication is required.



Associated Requirement Sections

HIPAA Security Section - 45 CFR 164.312(a)(2)(ii)


NIST 800-53 Rev.4 - AC-14



Req.#: R0013
Security Control Family: ACCESS CONTROL
Control Name: REMOTE ACCESS
NIST 800-53 Control #: AC-17
Low [Control and Control Enhancement]: Required
Moderate [Control and Control Enhancement]: Required (1,2,3,4,9)
Security Program Area (Function Area -> Functional Sub-Area): Protect -> Portable & Remote Computing



NIST 800-53 Rev. 4 Control [Control and Control Enhancement]: detailed breakdown of required controls
Vendor's Response: please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented.

R0013 (AC-17). The organization:
a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote
access allowed; and
b. Authorizes remote access to the information system prior to allowing such connections.

Control Enhancement:
(1) REMOTE ACCESS | AUTOMATED MONITORING / CONTROL
The information system monitors and controls remote access methods.
(2) REMOTE ACCESS | PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION
The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
(3) REMOTE ACCESS | MANAGED ACCESS CONTROL POINTS
The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points.
(4) REMOTE ACCESS | PRIVILEGED COMMANDS / ACCESS
The organization:
(a) Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment:
organization-defined needs]; and
(b) Documents the rationale for such access in the security plan for the information system.
(9) REMOTE ACCESS | DISCONNECT / DISABLE ACCESS
The organization provides the capability to expeditiously disconnect or disable remote access to
the information system within [Assignment: organization-defined time period].



Supporting Documentation (applies to R0013)
Overall Implementation Status (Reference on Comments Page): Implemented / Partially Implemented / Planned / Alternative Implementation / Not Applicable
Where does the Control(s) originate from?: Service Provider Corporate / Service Provider System Specific / Service Provider Hybrid (Corporate and System Specific) / Configured by Customer (Customer System Specific) / Provided by Customer (Customer System Specific) / Shared (Service Provider and Customer Responsibility) / Controls inherited by IaaS
Control(s): Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.
Vendor's Compensating Controls: If the Control or Control Enhancement can't be met, what is the alternative security control or remediation plan employed by the organization?



Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why. Please see Risk Statement for examples of Non-Compliance language, Column O)

General Assessment Questions (R0013 / AC-17): Does the institution or department have policies and processes in place for:
(i) providing secure remote access to information systems, including rules on when privileged access is provided,
(ii) monitoring and authorizing remote access to information systems, and
(iii) enforcing requirements for remote access connections to the information system in place?
[Note: Documentation on methods should also include usage restrictions and implementation guidance for each allowed remote access method; secure remote connections include proper configuration and use of encryption; examples of privileged remote access include approval(s) required based on business need, and use of stronger authentication such as two-factor].

Detailed Control Testing Procedure(s) (R0013 / AC-17): Obtain access control policy; procedures addressing remote access to the information system; information system configuration settings and associated documentation; information system audit records; other relevant documents or records and ascertain if
(i) the organization authorizes, monitors, and controls remote access to the information system for all allowed methods of remote access to include both establishment of the remote connection and subsequent user actions across that connection.
(ii) the information system employs automated mechanisms to facilitate the monitoring and control of remote access methods.
(iii) the information system employs cryptography to protect the confidentiality and integrity of remote access sessions.



Risk Statement Examples (SOA Policy Number 1-4 / SOA SubSection 1-4)
- Users of corporate information systems expose business information to exploitable vulnerabilities when using teleworking solutions. (SOA Policy Number 8320, SOA SubSection 6.13)



Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316
COBIT Reference (Control Objective): [CobiT v5 - High Level Control Objective AP013; DS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and monitoring, detecting, reporting security vulnerabilities and incidents.



Consolidated Control Activities
(See Column AE through AO)

ntrol Guidance

8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] The agency shall authorize, monitor, and control all methods of remote access to the information system. Remote access is any temporary access to an agency’s information system by a user (or an information syste
emporarily through an external, non-agency-controlled network (e.g., the Internet).
employ automated mechanisms to facilitate the monitoring and control of remote access methods. The agency shall control all remote accesses through managed access control points. The agency may permit remote access for privileged functions only for compelling operational ne
tionale for such access in the security plan for the information system.

ntrol #7] The processes and tools used to track/control/prevent/correct the security use of wireless local area networks (LANS), access points, and wireless client systems.

ntrol #12] The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.

ntrol #13] The processes and tools used to detect/prevent/correct the flow of information transferring networks of different trust levels with a focus on security-damaging data.

ntrol #14] The processes and tools used to detect/prevent/correct the use of systems and information based on audit logs of events that are considered significant or could impact the security of an organization.

1075] The agency must:


document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed;
ote access to the information system prior to allowing such connections; and
document the execution of privileged commands and access to security-relevant information via remote access for compelling operational needs only. (CE4)
system must:
ontrol remote access methods; (CE1)
ptographic mechanisms to protect the confidentiality and integrity of remote access sessions where FTI is transmitted over the remote connection; and (CE2)
te accesses through a limited number of managed network access control points. (CE3)
defined as any access to an agency information system by a user communicating through an external network, for example, the Internet. Any remote access where FTI is accessed over the remote connection must be performed using multi-factor authentication. FTI cannot be access
es, agents, representatives, or contractors located offshore—outside of the United States territories, embassies, or military installations. Further, FTI may not be received, processed, stored, transmitted, or disposed of by IT systems located offshore.



Associated Requirement Sections

NIST 800-53 Rev.4 - AC-17 (1) (2) (3) (4)


Critical Control 7: Wireless Device Control.
Critical Control 12: Controlled Use of Administrative Privileges.
Critical Control 13: Boundary Defense.
Critical Control 14: Maintenance, Monitoring, and Analysis of
Security Audit Logs
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services
(CJIS) Security Policy



Req.#: R0014
Security Control Family: ACCESS CONTROL
Control Name: WIRELESS ACCESS
NIST 800-53 Control #: AC-18
Low [Control and Control Enhancement]: Required
Moderate [Control and Control Enhancement]: Required (1)
Security Program Area (Function Area -> Functional Sub-Area): Protect -> Security Systems Management



NIST 800-53 Rev. 4 Control [Control and Control Enhancement]: detailed breakdown of required controls
Vendor's Response: please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented.

R0014 (AC-18). The organization:
a. Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and
b. Authorizes wireless access to the information system prior to allowing such connections.

Control Enhancement:
(1) WIRELESS ACCESS | AUTHENTICATION AND ENCRYPTION
The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption.



Supporting Documentation (applies to R0014)
Overall Implementation Status (Reference on Comments Page): Implemented / Partially Implemented / Planned / Alternative Implementation / Not Applicable
Where does the Control(s) originate from?: Service Provider Corporate / Service Provider System Specific / Service Provider Hybrid (Corporate and System Specific) / Configured by Customer (Customer System Specific) / Provided by Customer (Customer System Specific) / Shared (Service Provider and Customer Responsibility) / Controls inherited by IaaS
Control(s): Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.
Vendor's Compensating Controls: If the Control or Control Enhancement can't be met, what is the alternative security control or remediation plan employed by the organization?



Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why. Please see Risk Statement for examples of Non-Compliance language, Column O)

General Assessment Questions (R0014 / AC-18): Are wireless device(s) and access point(s) securely managed through:
(i) a defined and effective process for authorizing the setting up of wireless access points;
(ii) a defined and documented standard for configuring wireless access points for security;
(iii) having in place a process to regularly review wireless access points for proper configuration and rogue wireless access points; and
(iv) having a defined architecture where wireless access points are properly segregated from the wired network (e.g., use of Firewalls)?

Detailed Control Testing Procedure(s) (R0014 / AC-18): Obtain access control policy; procedures addressing wireless implementation and usage (including restrictions); NIST Special Publications 800-48 and 800-97; activities related to wireless authorization, monitoring, and control; information system audit records; other relevant documents or records and ascertain if
(i) the organization establishes usage restrictions and implementation guidance for wireless technologies;
(ii) the organization authorizes, monitors, and controls wireless access to the information system; and
(iii) the wireless access restrictions are consistent with NIST Special Publications 800-48 and 800-97.
(iv) the organization uses authentication and encryption to protect wireless access to the information system.



Risk Statement Examples: Unauthorized parties gain access to resources by exploiting vulnerabilities in unsecured wireless networks.
SOA Policy Number 1: 8320; SOA SubSection 1: 6.14 (SOA Policy Number / SubSection 2 through 4: not populated)



COBIT Reference (Control Objective): [CobiT v5 - High Level Control Objective AP013; DSS02, DSS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and monitoring, detecting, reporting security vulnerabilities and incidents.
Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316



Consolidated Control Activities
(See Column AE through AO)

Wireless network technology is designed to specifically address security considerations as required by access control policies and/or business requirements. For wireless environments connected to the cardholder data environment or transmitting cardholder data, change wireless vend
limited to default wireless encryption keys, passwords, and SNMP community strings. Ensure wireless device security settings are enabled for strong encryption technology for authentication and transmission.

8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] The agency shall: (i) establish usage restrictions and implementation guidance for wireless technologies; and (ii) authorize, monitor, control wireless access to the information system. Wireless technologies, in the sim
ore devices to communicate without physical connections—without requiring network or peripheral cabling.
Wireless technologies include, but are not limited to: 802.11x, cellular networks, Bluetooth, satellite and microwave. Wireless technologies require at least the minimum security applied to wired technology and, based upon the specific technology, may require some additional security co

1x Wireless Protocols

tion testing to ensure rogue APs (Access Points) do not exist in the 802.11 Wireless Local Area Network (WLAN) and to fully understand the wireless network security posture.
mplete inventory of all Access Points (APs) and 802.11 wireless devices.
cured areas to prevent unauthorized physical access and user manipulation.
boundaries to determine the precise extent of the wireless coverage and design the AP wireless coverage to limit the coverage area to only what is needed for operational purposes.
thentication and encryption mechanisms for the management interface of the AP.
APs have strong administrative passwords and ensure that all passwords are changed in accordance with section 5.6.2.1.
et function on APs is used only when needed and is only invoked by authorized personnel. Restore the APs to the latest security settings, when the reset functions are used, to ensure the factory default settings are not utilized.
fault service set identifier (SSID) in the APs. Disable the broadcast SSID feature so that the client SSID must match that of the AP. Validate that the SSID character string does not contain any agency identifiable information (division, department, street, etc.) or services.
rity features of the wireless product, including the cryptographic authentication, firewall, and other privacy features.
ncryption key sizes are at least 128-bits and the default shared keys are replaced by unique keys.
he ad hoc mode has been disabled unless the environment is such that the risk has been assessed and is tolerable. Note: some products do not allow disabling this feature; use with caution or use different vendor.
nessential management protocols on the APs and disable hypertext transfer protocol (HTTP) when not needed or protect HTTP access with authentication and encryption.
g (if supported) and review the logs on a recurring basis per local policy. At a minimum logs shall be reviewed monthly.
rtually (e.g. virtual local area network (VLAN) and ACLs) or physically (e.g. firewalls), the wireless network from the operational wired infrastructure. Limit access between wireless networks and the wired network to only operational needs.
ng of access points that will no longer be used by the agency, clear access point configuration to prevent disclosure of network configuration, keys, passwords, etc.
2.11 Protocols
Privacy (WEP) and Wi-Fi Protected Access (WPA) cryptographic algorithms, used by all pre-802.11i protocols, do not meet the requirements for FIPS 140-2 and are to be used only if additional security controls are employed.
low the guidelines below regarding wireless implementation and cases where the WEP and WPA security features are used to provide wireless security in conjunction with the CJIS required minimum encryption specifications.
access control (MAC) access control lists (ACL); however, MAC ACLs do not represent a strong defense mechanism by themselves because they are transmitted in the clear from WLAN clients to APs so they can be captured easily.
WPA.
ault shared keys are replaced by more secure unique keys.
on of key-mapping keys rather than default keys so that sessions are unique when using WEP.
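The CJIS 802.11 hardening items above read as a checklist, so the following added example (not part of the crosswalk or of the CJIS policy) turns them into an automated configuration audit, plus an inventory comparison for the rogue-AP item. The configuration field names, the default-value lists, the agency-term list and both sample configurations are constructed assumptions, not any vendor's export format.

```python
"""Audit an 802.11 access point configuration against the CJIS hardening items
listed above and compare a site survey against the AP inventory to find rogue APs.
Added example: field names, default-value lists and sample configurations are
constructed assumptions, not a vendor export format or CJIS-supplied data."""
from dataclasses import dataclass
from typing import Any, Dict, List, Set

# Constructed reference lists (assumptions for the example).
DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink", "tp-link", "wireless"}
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}
DEFAULT_ADMIN_PASSWORDS = {"", "admin", "password", "1234"}
AGENCY_TERMS = ("police", "sheriff", "courthouse", "records")
# WEP and WPA are pre-802.11i and, per the policy text above, not FIPS 140-2.
NON_FIPS_MODES = {"open", "wep", "wpa"}
# Management protocols that are nonessential or carry credentials in the clear.
CLEARTEXT_MGMT = {"http", "telnet", "tftp", "snmpv1", "snmpv2c"}


@dataclass(frozen=True)
class Finding:
    item: str    # hardening item that failed
    detail: str  # what was observed


def audit_ap(cfg: Dict[str, Any]) -> List[Finding]:
    """Return one Finding per hardening item the configuration fails (empty list = pass)."""
    found: List[Finding] = []
    ssid = str(cfg.get("ssid", "")).lower()
    if ssid in DEFAULT_SSIDS:
        found.append(Finding("default SSID", f"ssid={ssid!r}"))
    if cfg.get("ssid_broadcast", True):
        found.append(Finding("SSID broadcast enabled", "clients should have to supply the SSID"))
    if any(term in ssid for term in AGENCY_TERMS):
        found.append(Finding("SSID reveals agency information", f"ssid={ssid!r}"))
    mode = str(cfg.get("security_mode", "open")).lower()
    if mode in NON_FIPS_MODES:
        found.append(Finding("pre-802.11i cipher (not FIPS 140-2)", f"security_mode={mode}"))
    key_bits = int(cfg.get("key_bits", 0))
    if key_bits < 128:
        found.append(Finding("encryption key shorter than 128 bits", f"key_bits={key_bits}"))
    if cfg.get("default_shared_key", False):
        found.append(Finding("default shared key still in use", "replace with unique keys"))
    if cfg.get("ad_hoc_enabled", False):
        found.append(Finding("ad hoc mode enabled", "disable unless the risk is assessed and accepted"))
    enabled = {str(p).lower() for p in cfg.get("mgmt_protocols", [])}
    for proto in sorted(enabled & CLEARTEXT_MGMT):
        found.append(Finding("nonessential or cleartext management protocol", proto))
    if str(cfg.get("snmp_community", "")).lower() in DEFAULT_SNMP_COMMUNITIES:
        found.append(Finding("default SNMP community string", str(cfg["snmp_community"])))
    if str(cfg.get("admin_password", "")) in DEFAULT_ADMIN_PASSWORDS:
        found.append(Finding("default or weak administrative password", "set a strong password and rotate it"))
    if not cfg.get("logging_enabled", False):
        found.append(Finding("logging disabled", "enable logging and review at least monthly"))
    if not cfg.get("segregated_from_wired", False):
        found.append(Finding("wireless not segregated from wired network", "use VLAN/ACLs or a firewall"))
    return found


def _norm_bssid(bssid: str) -> str:
    # Surveys and inventories often differ in case and separator; normalise both.
    return bssid.strip().lower().replace("-", ":")


def rogue_aps(inventory: Set[str], observed: Set[str]) -> Set[str]:
    """BSSIDs seen in a site survey that are absent from the agency's AP inventory."""
    return {_norm_bssid(b) for b in observed} - {_norm_bssid(b) for b in inventory}


# Constructed sample: an AP left at factory settings.
FACTORY_DEFAULT_AP: Dict[str, Any] = {
    "ssid": "linksys", "ssid_broadcast": True, "security_mode": "wep", "key_bits": 64,
    "default_shared_key": True, "ad_hoc_enabled": True,
    "mgmt_protocols": ["http", "telnet", "snmpv2c"], "snmp_community": "public",
    "admin_password": "admin", "logging_enabled": False, "segregated_from_wired": False,
}

# Constructed sample: an AP configured to satisfy every item checked above.
HARDENED_AP: Dict[str, Any] = {
    "ssid": "bldg3-ap07", "ssid_broadcast": False, "security_mode": "wpa2-enterprise",
    "key_bits": 256, "default_shared_key": False, "ad_hoc_enabled": False,
    "mgmt_protocols": ["https", "ssh", "snmpv3"], "snmp_community": "",
    "admin_password": "example-long-unique-passphrase", "logging_enabled": True,
    "segregated_from_wired": True,
}

if __name__ == "__main__":
    for name, cfg in (("factory default", FACTORY_DEFAULT_AP), ("hardened", HARDENED_AP)):
        findings = audit_ap(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for fnd in findings:
            print(f"  - {fnd.item}: {fnd.detail}")
    # Constructed inventory and survey results for the rogue-AP comparison.
    print("rogue:", rogue_aps({"AA:BB:CC:00:00:01"}, {"aa-bb-cc-00-00-01", "DE:AD:BE:EF:00:01"}))
```

Run against an exported configuration, the audit produces one finding per CJIS item rather than a single pass/fail, which maps directly onto the "Partially Implemented" column of this crosswalk; the rogue-AP comparison only works as well as the inventory it is given, which is why the CJIS list places the complete AP inventory item before the survey.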

ntrol #7] The processes and tools used to track/control/prevent/correct the security use of wireless local area networks (LANS), access points, and wireless client systems.

:
e restrictions, configuration/connection requirements, and implementation guidance for wireless access;
less access to the information system prior to allowing such connections; and



Associated Requirement Sections

PCI DSS v2.0 - Sec 2.1.1


NIST 800-53 Rev.4 - AC-18 (1)
Critical Control 7: Wireless Device Control
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services
(CJIS) Security Policy



Req.#: R0015
Security Control Family: ACCESS CONTROL
Control Name: ACCESS CONTROL FOR MOBILE DEVICES
800-53 Control #: AC-19
NIST Low [Control and Control Enhancement]: Required
MODERATE [Control and Control Enhancement]: Required (5)
Security Program Area (Function Area -> Functional Sub-Area): Protect -> Access Control & Media



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] (Detailed breakdown of required controls)
Vendor's Response (Please address all the controls and control enhancements, then describe if the controls are Implemented, Partially Implemented or Not Implemented)

The organization:
a. Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled
mobile devices; and
b. Authorizes the connection of mobile devices to organizational information systems.

Control Enhancement:
(5) ACCESS CONTROL FOR MOBILE DEVICES | FULL DEVICE / CONTAINER-BASED ENCRYPTION
The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on
[Assignment: organization-defined mobile devices].



Overall Control(s) Implementation Status (Reference on Comments Page)
Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.)
Where does the Control(s) originate from?
Vendor's Compensating Controls (if Control or Control enhancement Can't Be Met - What is the alternative security controls or remediation plan employed by organization)

Overall Control(s) Implementation Status (options): Implemented; Partially Implemented; Planned; Alternative Implementation; Not Applicable
Where does the Control(s) originate from? (options): Service Provider Corporate; Service Provider System Specific; Service Provider Hybrid (Corporate and System Specific); Configured by Customer (Customer System Specific); Provided by Customer (Customer System Specific); Shared (Service Provider and Customer Responsibility); Controls inherited by IaaS



Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why. Please see Risk Statement for examples of Non-Compliance language, Column O)

General Assessment Questions: Are there documented policies, standards, and procedures in place for addressing and enforcing security related to usage of mobile devices (e.g., USB drives, PDAs, Smart Phones, tablets, etc.), including Bring Your Own Device (BYOD)? [Note: Example controls include: policies that define how such devices are used in context of business; and technical controls such as password requirements to access the device, use of "containers" to segregate confidential information, use of encryption on containers, remote wipe-out capabilities for PDAs/Smartphones, etc.]

Detailed Control Testing Procedure(s): Obtain access control policy; procedures addressing access control for portable and mobile devices; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records and ascertain if (i) the organization establishes usage restrictions and implementation guidance for organization-controlled portable and mobile devices; and (ii) the organization authorizes, monitors, and controls device access to organizational information systems.



Risk Statement Examples: Mobile computing and teleworking expose systems and information to exploitable vulnerabilities.
SOA Policy Number 1: 8320; SOA SubSection 1: 6.15 (SOA Policy Number / SubSection 2 through 4: not populated)



COBIT Reference (Control Objective): [CobiT v5 - High Level Control Objective AP013; DS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and monitoring, detecting, reporting security vulnerabilities and incidents.
Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316



Consolidated Control Activities
(See Column AE through AO)

ntrol Guidance
8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] 5.5.7.3 Cellular Cellular telephones, smartphones (i.e. Blackberry, iPhones, etc.), personal digital assistants (PDA), and “aircards” are examples of cellular handheld devices or devices that employ cellular technology.
devices typically include Bluetooth, infrared, and other wireless protocols capable of joining infrastructure networks or creating dynamic ad hoc networks. Cellular devices are at risk due to a multitude of threats and consequently pose a risk to the enterprise.
r handheld devices stem mainly from their size, portability, and available wireless interfaces and associated services. Examples of threats to cellular handheld devices include:
disposal.
access.

esdropping.
king (threat to security of data and safety of law enforcement officer).
prevalent with later generation cellular technologies).
t data.
Risk Mitigations
all, at a minimum, ensure that cellular devices:
e critical patches and upgrades to the operating system.
for local device authentication.
authentication.
resident on the device.
nformation when session is terminated.
al firewalls.
us software.

ntrol #12] The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.

ntrol #14] The processes and tools used to detect/prevent/correct the use of systems and information based on audit logs of events that are considered significant or could impact the security of an organization.

1075] A mobile device is a computing device that (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non-removable, or removab
a self-contained power source.
:
e restrictions, configuration requirements, connection requirements, and implementation guidance for agency-controlled mobile devices;
connection of mobile devices to agency information systems;
tion to protect the confidentiality and integrity of information on mobile devices (e.g., smartphones and laptop computers) (CE5); and
ormation from mobile devices based on 10 consecutive, unsuccessful device logon attempts (e.g., personal digital assistants, smartphones and tablets). Laptop computers are excluded from this requirement (AC-7, CE2). Additional requirements on protecting FTI accessed by mobile d

obile Devices.



Associated Requirement Sections

NIST 800-53 Rev.4 - AC-19 (5)


Critical Control 12: Controlled Use of Administrative Privileges.
Critical Control 14: Maintenance, Monitoring, and Analysis of
Security Audit Logs
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services
(CJIS) Security Policy



Req.#: R0016
Security Control Family: ACCESS CONTROL
Control Name: USE OF EXTERNAL INFORMATION SYSTEMS
800-53 Control #: AC-20
NIST Low [Control and Control Enhancement]: Required
MODERATE [Control and Control Enhancement]: Required (1,2)
Security Program Area (Function Area -> Functional Sub-Area): Identify -> External Vendors and Third Party Providers; Identify -> Cloud Usage and Security

Req.#: R0017
Security Control Family: ACCESS CONTROL
Control Name: INFORMATION SHARING
800-53 Control #: AC-21
NIST Low / MODERATE [Control and Control Enhancement]: Required
Security Program Area (Function Area -> Functional Sub-Area): Protect -> Security Systems Management



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] (Detailed breakdown of required controls)
Vendor's Response (Please address all the controls and control enhancements, then describe if the controls are Implemented, Partially Implemented or Not Implemented)

The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating,
and/or maintaining external information systems, allowing authorized individuals to:
a. Access the information system from external information systems; and
b. Process, store, or transmit organization-controlled information using external information systems.

Control Enhancement:
(1) USE OF EXTERNAL INFORMATION SYSTEMS | LIMITS ON AUTHORIZED USE
The organization permits authorized individuals to use an external information system to access the information system or to process, store, or
transmit organization-controlled information only when the organization:
(a) Verifies the implementation of required security controls on the external system as specified in the organization’s information security policy
and security plan; or
(b) Retains approved information system connection or processing agreements with the organizational entity hosting the external information
system.
(2) USE OF EXTERNAL INFORMATION SYSTEMS | PORTABLE STORAGE DEVICES
The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external
information systems.

The organization:
a. Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match
the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is
required]; and
b. Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information
sharing/collaboration decisions.



Overall Control(s) Implementation Status (Reference on Comments Page)
Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.)
Where does the Control(s) originate from?
Vendor's Compensating Controls (if Control or Control enhancement Can't Be Met - What is the alternative security controls or remediation plan employed by organization)

(To be completed separately for AC-20 and AC-21.)
Overall Control(s) Implementation Status (options): Implemented; Partially Implemented; Planned; Alternative Implementation; Not Applicable
Where does the Control(s) originate from? (options): Service Provider Corporate; Service Provider System Specific; Service Provider Hybrid (Corporate and System Specific); Configured by Customer (Customer System Specific); Provided by Customer (Customer System Specific); Shared (Service Provider and Customer Responsibility); Controls inherited by IaaS



Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why. Please see Risk Statement for examples of Non-Compliance language, Column O)

General Assessment Questions (AC-20): Is there an institutional or departmental policy and supporting processes that require information security be considered as part of due diligence, contracting, and risk monitoring for third-parties that manage, store, or process confidential information on behalf of the institution or department (e.g., SaaS, outsourced data center, ASP, cloud services, etc.)?

Detailed Control Testing Procedure(s) (AC-20): Obtain access control policy; procedures addressing the use of external information systems; external information systems terms and conditions; list of types of applications accessible from external information systems; maximum FIPS 199 impact level for information processed, stored, or transmitted on external information systems; information system configuration settings and associated documentation; other relevant documents or records and ascertain if the organization establishes terms and conditions for authorized individuals to access the information system from an external information system that include the types of applications that can be accessed on the organizational information system from the external information system and the maximum FIPS 199 security category of information that can be processed, stored, and transmitted on the external information system.
(i) Determine if the organization prohibits authorized individuals from using an external information system to access the information system or to process, store, or transmit organization-controlled information except in situations where the organization:
- verifies, for authorized exceptions, the employment of required security controls on the external system as specified in the organization's information security policy and system security plan when allowing connections to the external information system; or
- approves, for authorized exceptions, information system connection or processing agreements with the organizational entity hosting the external information system.

General Assessment Questions (AC-21): Does the institution or department have documented policies and supporting processes and mechanisms to control how information is shared by authorized users? [Note: common types of risks include users who may download an entire database that has sensitive information versus providing only the fields that are needed for business purposes only, whether sharing it with a third-party or other department within an institution]

Detailed Control Testing Procedure(s) (AC-21): Obtain documentation relating to access authorizations and information sharing mechanisms and ascertain if (i) information sharing is enabled after ensuring that access authorization matches the information's access restrictions; and (ii) the information sharing mechanisms are enabled to assist personnel in making sharing / collaboration decisions.



Risk Statement Examples (AC-20): The security of the organization's information processing facilities is compromised by external parties.
SOA Policy Number 1: 8320; SOA SubSection 1: 6.16 (SOA Policy Number / SubSection 2 through 4: not populated)

Risk Statement Examples (AC-21): Processes which do not restrict access to information, information processing systems or applications and sensitive business processes based on a need to know basis may result in accidental or deliberate misuse of access privileges.
SOA Policy Number 1: 8320; SOA SubSection 1: 6.17 (SOA Policy Number / SubSection 2 through 4: not populated)



COBIT Reference (Control Objective): [CobiT v5 - High Level Control Objective AP010] Controls have been defined for managing third-party services by establishing relationships and bilateral responsibilities with qualified third-party service providers and monitoring the service delivery to verify and ensure adherence to agreements.
COBIT Reference (Control Objective): [CobiT v5 - High Level Control Objective AP013; DS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and monitoring, detecting, reporting security vulnerabilities and incidents.
Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316



Consolidated Control Activities
(See Column AE through AO)

ere is an established process for engaging service providers including proper due diligence prior to engagement.
8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] A personally owned information system shall not be authorized to access, process, store or transmit CJI unless the agency has established and documented the specific terms and conditions for personally owned info

not apply to the use of personally owned information systems to access agency’s information systems and information that are intended for public access (e.g., an agency’s public website that contains purely public information).
ccessible Computers
e computers shall not be used to access, process, store or transmit CJI. Publicly accessible computers include but are not limited to: hotel business center computers, convention center computers, public library computers, public kiosk computers, etc.

ntrol #13] The processes and tools used to detect/prevent/correct the flow of information transferring networks of different trust levels with a focus on security-damaging data.

1075] Unless approved by the Office of Safeguards, the agency must prohibit:
rom external information systems;
controlled portable storage devices (e.g., flash drives, external hard drives) containing FTI on external information systems; and (CE2)
ency-owned information systems; system components; or devices to process, store, or transmit FTI; any non-agency-owned information system usage requires the agency to notify the Office of Safeguards 45 days prior to implementation (see Section 7.4, 45-Day Notification Reportin
CE3) External information systems include any technology used to receive, process, transmit, or store FTI that is not owned and managed by the agency.

ntrol Guidance

1075] The agency must restrict the sharing/re-disclosure of FTI to only those authorized in IRC 6103 and as approved by the Office of Safeguards.



Associated Requirement Sections

PCI DSS v2.0 - Sec 12.8.3


NIST 800-53 Rev.4 - AC-20 (1) (2)
Critical Control 13: Boundary Defense
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services
(CJIS) Security Policy

NIST 800-53 Rev.4 - AC-21



Req.#: R0018
Security Control Family: ACCESS CONTROL
Control Name: PUBLICLY ACCESSIBLE CONTENT
800-53 Control #: AC-22
NIST Low [Control and Control Enhancement]: Required
MODERATE [Control and Control Enhancement]: Required
Security Program Area (Function Area -> Functional Sub-Area): Identify -> Privacy & Confidentiality



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] (Detailed breakdown of required controls)
Vendor's Response (Please address all the controls and control enhancements, then describe if the controls are Implemented, Partially Implemented or Not Implemented)

The organization:
a. Designates individuals authorized to post information onto a publicly accessible information system;
b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
c. Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic
information is not included; and
d. Reviews the content on the publicly accessible information system for nonpublic information [Assignment: organization-defined frequency]
and removes such information, if discovered.



Overall Control(s) Implementation Status (Reference on Comments Page)
Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.)
Where does the Control(s) originate from?
Vendor's Compensating Controls (if Control or Control enhancement Can't Be Met - What is the alternative security controls or remediation plan employed by organization)

Overall Control(s) Implementation Status (options): Implemented; Partially Implemented; Planned; Alternative Implementation; Not Applicable
Where does the Control(s) originate from? (options): Service Provider Corporate; Service Provider System Specific; Service Provider Hybrid (Corporate and System Specific); Configured by Customer (Customer System Specific); Provided by Customer (Customer System Specific); Shared (Service Provider and Customer Responsibility); Controls inherited by IaaS



Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why. Please see Risk Statement for examples of Non-Compliance language, Column O)

General Assessment Questions:
1) Is there a defined policy and supporting process for sharing / posting institutional information in the public domain (e.g., website, externally accessible systems)?
2) Is there a policy and supporting process to monitor whether confidential information exists on publicly accessible servers or websites?

Detailed Control Testing Procedure(s): Obtain access control policy; procedures addressing publicly accessible content; list of users authorized to post publicly accessible content on organizational information systems; training materials and/or records; records of publicly accessible information reviews; records of response to nonpublic information on public Web sites; system audit logs; security awareness training records; other relevant documents or records and ascertain if:
(i) the organization designates individuals authorized to post information onto an organizational information system that is publicly accessible;
(ii) the organization trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
(iii) the organization reviews the proposed content of publicly accessible information for nonpublic information prior to posting onto the organizational information system;
(iv) the organization defines the frequency of reviews of the content on the publicly accessible organizational information system for nonpublic information;
(v) the organization reviews the content on the publicly accessible organizational information system for nonpublic information in accordance with the organization-defined frequency; and
(vi) the organization removes nonpublic information from the publicly accessible organizational information system, if discovered.



Risk Statement Examples: Laws and regulations are violated due to inappropriate disclosure of personal information.
SOA Policy Number 1: 8320; SOA SubSection 1: 6.18 (SOA Policy Number / SubSection 2 through 4: not populated)



COBIT Reference (Control Objective): [CobiT v5 - High Level Control Objective MEA03] Controls have been defined to ensure regulatory compliance by identifying all applicable laws and regulations and the corresponding level of IT compliance and optimizing IT processes to reduce the risk of non-compliance.
Arizona Breach Notification: A.R.S. § 44-7500; A.R.S. 44-7501 (A)
Arizona Computer tampering: A.R.S. § 13-2316



Consolidated Control Activities
(See Column AE through AO)

ss and Security] All commercial web sites holding personal information adopt security procedures (including managerial procedures) that are appropriate under the circumstances.

97] Records which are contained in a system of records are protected from unauthorized disclosed by any means of communication.
97, Public Law 93-579] Procedures are in place to collect information directly from the subject individual, when the information may result in adverse determinations about an individual's rights, benefits, and privileges under Federal programs.
79] An agency that maintains a system of records has established procedures whereby an individual can be notified in response to his request if any system of records named by the individual contains a record pertaining to the individual.

nal Rights and Privacy Act Regulations] Procedures are in place to give full access rights of students information to either parent, unless it has been provided with evidence that there is a court order, State statute, or legally binding document that specifically revokes these rights

nal Rights and Privacy Act Regulations] Process are in place to transfer rights from the parents to the student, when a student becomes an eligible student.

nal Rights and Privacy Act Regulations] Procedures are established to disclose student's education records, only after the parent or eligible student provides a signed and dated written consent and only after the removal of all personally identifiable information.

nal Rights and Privacy Act Regulations] Procedures are established to disclose personally identifiable information from an education record, only on the condition that the party to whom the information is disclosed, will not disclose the information to any other party, without the prio
student.

nal Rights and Privacy Act Regulations] Procedures are established to disclose education records to another educational agency or institution, only after notifying the parent or eligible student.

nal Rights and Privacy Act Regulations] Procedures are established to disclose education records to authorized representatives, in connection with an audit or evaluation of Federal or State supported education programs, or for the enforcement of or compliance with Federal legal req

nal Rights and Privacy Act Regulations] Procedures are established to disclose personally identifiable information from an education record to appropriate parties, in connection with an emergency, only if knowledge of the information is necessary to protect the health or safety of the

nal Rights and Privacy Act Regulations] Procedures are established to disclose directory information, only after giving a public notice to parents of students in attendance and eligible students in attendance at the agency or institution.

nal Rights and Privacy Act Regulations] Procedures are established to disclose education records, only if reporting or disclosure is allowed by State statute concerns the juvenile justice system.

1075] The agency must:


viduals authorized to post information onto a publicly accessible information system;
ed individuals to ensure that publicly accessible information does not contain FTI;
oposed content of information prior to posting onto the publicly accessible information system to ensure that FTI is not included; and
ntent on the publicly accessible information system for FTI, at a minimum, quarterly and remove such information, if discovered.



Associated Requirement Sections

Gramm-Leach-Bliley Act of 1999 (GLBA) – 15 U.S.C., Subchapter I, Sec. 6802
Public Law 93-579 - Section 552a.(b)
Public Law 93-579 - Sec. 552a.(e)(1)
Public Law 93-579 - Sec. 552a.(e)(2)
Public Law 93-579 - Sec. 552a.(f)
Public Law 93-579 - Sec. 552a.(n)
Public Law 93-579 - Sec. 552a.(o)(1)
Public Law 93-579 - Sec. 552a.(p)
Public Law 93-579 - Sec. 552a.(q)

NIST 800-53 Rev.4 - AC-22

Req.# | Family | Control Name | 800-53 Control # | NIST Low | MODERATE | Security Program Area (Function Area -> Functional Sub-Area)
R0019 | AWARENESS AND TRAINING | SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES | AT-1 | Required | Required | Protect -> Security Awareness and Training & Identify -> Enterprise Security Policy, Standards and Guidelines
R0020 | AWARENESS AND TRAINING | SECURITY AWARENESS TRAINING | AT-2 | Required | Required (2) | Protect -> Security Awareness and Training

NIST 800-53 Rev. 4 Control [Control and Control Enhancement] (detailed breakdown of required controls)
Vendor's Response (please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented)

AT-1:
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among
organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training
controls; and
b. Reviews and updates the current:
1. Security awareness and training policy [Assignment: organization-defined frequency]; and
2. Security awareness and training procedures [Assignment: organization-defined frequency].

AT-2:
The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):
a. As part of initial training for new users;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter.

Control Enhancement:
(2) SECURITY AWARENESS | INSIDER THREAT
The organization includes security awareness training on recognizing and reporting potential indicators of insider threat.

Supporting Documentation (vendor response form; the same fields apply to every control)
Overall Control(s) Implementation Status (reference on Comments Page): Implemented | Partially Implemented | Planned | Alternative Implementation | Not Applicable
Where does the Control(s) originate from?: Service Provider Corporate | Service Provider System Specific | Service Provider Hybrid (Corporate and System Specific) | Configured by Customer (Customer System Specific) | Provided by Customer (Customer System Specific) | Shared (Service Provider and Customer Responsibility) | Controls inherited by IaaS
Supporting Documentation: policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.
Vendor's Compensating Controls: if a control or control enhancement can't be met, what alternative security controls or remediation plan does the organization employ?

Vendor Non-Compliance Risk Statement (if you can't meet this control at all, please explain why; see Risk Statement Examples, Column O, for non-compliance language) | General Assessment Questions | Detailed Control Testing Procedure(s)

AT-1
General Assessment Question: Is there an approved policy in place that requires training programs on security responsibilities for current employees, contractors, and third party users and appropriate technical training for information system custodians?
Detailed Control Testing Procedure: Obtain security awareness and training policy and procedures; other relevant documents or records and ascertain if:
(i) the organization develops and documents security awareness and training policy and procedures;
(ii) the organization disseminates security awareness and training policy and procedures to appropriate elements within the organization;
(iii) responsible parties within the organization periodically review security awareness and training policy and procedures;
(iv) the organization updates security awareness and training policy and procedures when organizational review indicates updates are required;
(v) the security awareness and training policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance;
(vi) the security awareness and training policy is consistent with the organization's mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance; and
(vii) the security awareness and training procedures address all areas identified in the security awareness and training policy and address achieving policy-compliant implementations of all associated security awareness and training controls.

AT-2
General Assessment Questions:
1. Does the institution or department provide on-going basic security awareness training to all information system users (including department heads, senior executives, and contractors)? Are awareness and training materials updated periodically for addressing relevant security behaviors of the current time based on industry trends, past incidents, etc., as well as indicators of insider threat?
2. Does the organization have targeted training in place for positions with higher risk profile (e.g., system administrators, personnel with access to student records, etc.)?
Detailed Control Testing Procedure: Obtain security awareness and training policy; procedures addressing security awareness training implementation; NIST Special Publication 800-50; appropriate codes of federal regulations; security awareness training curriculum; security awareness training materials; security plan; other relevant documents or records and ascertain if:
(i) the organization provides basic security awareness training to all information system users (including managers and senior executives) before authorizing access to the system and when required by system changes;
(ii) the security awareness training is consistent with applicable regulations and NIST Special Publication 800-50;
(iii) the security awareness and training materials address the specific requirements of the organization and the information systems to which personnel have authorized access;
(iv) the organization defines in the security plan, explicitly or by reference, the frequency of refresher security awareness training and the frequency is at least annually; and
(v) the organization provides refresher security awareness training in accordance with organization-defined frequency.

Risk Statement Examples | SOA Policy Number / SOA SubSection

AT-1: Applications and technology solutions are not effectively and efficiently used since a training curriculum for employees has not been established or regularly updated. SOA: 8120 / 6.2; 8210 / 6 - 6.3
AT-2: Employees, contractors or third party users breach security because they are not aware or trained on information security requirements. SOA: 8210 / 6.2.1

Arizona Breach Notification (A.R.S. § 44-7500) | Arizona Computer tampering (A.R.S. § 13-2316) | COBIT Reference (Control Objective)

AT-1 COBIT Reference: [CobiT v5 - High Level Control Objective APO07] Controls have been defined to educate and train users.
AT-2 COBIT Reference: [CobiT v5 - High Level Control Objective APO07] Controls have been defined to educate and train users.

DIR CONTROL CROSSWALK REFERENCE | 10/26/2021 06:25:09 134 of 881


Consolidated Control Activities
(See Column AE through AO)

ntrol #9] The process and tools to make sure an organization understands the technical skill gaps within its workforce, including an integrated plan to fill the gaps through policy, training, and awareness.

1075] The agency must:


ment, and disseminate to designated agency officials:
reness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among agency entities, and compliance; and
facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and
date the current:
ness and training policy every three years (or if there is a significant change); and
ness and training procedures at least annually.

1075] Data Warehouse Security Requirements Exhibit 10


raining
have a disclosure awareness training program in place that includes how FTI security requirements are communicated to end users. Training shall be user specific to ensure that all personnel receive appropriate training for a particular job, such as training required for administrators

implements a security awareness and training program for all members of its workforce, including management.

8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] Basic security awareness training shall be required within six months of initial assignment, and biennially thereafter, for all personnel who have access to CJI. The CSO/SIB may accept the documentation of the comp
ss training from another agency. Accepting such documentation from another agency means that the accepting agency assumes the risk that the training may not meet a particular requirement or process required by federal, state, or local laws.

ntrol #9] The process and tools to make sure an organization understands the technical skill gaps within its workforce, including an integrated plan to fill the gaps through policy, training, and awareness.

1075]
:
ecurity awareness training to information system users (including managers, senior executives, and contractors):
al training for new users;
d by information system changes; and
lly thereafter.
y awareness training on recognizing and reporting potential indicators of insider threat. (CE2) This section is closely coupled with Section 6.3, Disclosure Awareness Training, which provides the requirement for general FTI disclosure awareness training; however, this control is focused
rational security awareness. Insider threat training should bring awareness of the potential for individuals (e.g., employees, contractors, former employees) to use insider knowledge of sensitive agency information (e.g., security practices, systems that hold sensitive data) to perform m
uld include the unauthorized access or re-disclosure of FTI.



Associated Requirement Sections

AT-1:
NIST 800-53 Rev.4 - AT-1
Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps
PCI DSS v2.0 - Sec 12.6
PCI DSS v2.0 - Sec 12.6.1
PCI DSS v2.0 - Sec 12.6.2
Computer Security Act of 1987 – Public Law 100-235 (H.R. 145) - Sec. 5
Computer Security Act of 1987 – Public Law 100-235 (H.R. 145) - V. Section 5
HIPAA Security Section - 45 CFR 164.308(a)(5)(i)

AT-2:
NIST 800-53 Rev.4 - AT-2 (2)
Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy

Req.# | Family | Control Name | 800-53 Control # | NIST Low | MODERATE | Security Program Area (Function Area -> Functional Sub-Area)
R0021 | AWARENESS AND TRAINING | ROLE-BASED SECURITY TRAINING | AT-3 | Required | Required | Protect -> Security Awareness and Training

NIST 800-53 Rev. 4 Control [Control and Control Enhancement] (detailed breakdown of required controls)
Vendor's Response (please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented)

AT-3:
The organization provides role-based security training to personnel with assigned security roles and responsibilities:
a. Before authorizing access to the information system or performing assigned duties;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter.


Vendor Non-Compliance Risk Statement (if you can't meet this control at all, please explain why; see Risk Statement Examples, Column O, for non-compliance language) | General Assessment Questions | Detailed Control Testing Procedure(s)

AT-3
General Assessment Question: Does the institution or department implement security awareness, education, and training activities suitable and relevant to each person's role, responsibilities, and skills?
Detailed Control Testing Procedure: Obtain security awareness and training policy; procedures addressing security training implementation; NIST Special Publication 800-50; codes of federal regulations; security training curriculum; security training materials; security plan; other relevant documents or records and ascertain if:
(i) the organization identifies personnel with significant information system security responsibilities and roles and documents those roles and responsibilities;
(ii) the organization provides security training to personnel with identified information system security roles and responsibilities before authorizing access to the system or performing assigned duties and when required by system changes;
(iii) the security training materials address the procedures and activities necessary to fulfill the organization-defined roles and responsibilities for information system security;
(iv) the security training is consistent with applicable regulations and NIST Special Publication 800-50;
(v) the organization defines in the security plan, explicitly or by reference, the frequency of refresher security training; and
(vi) the organization provides refresher security training in accordance with organization-defined frequency, at least annually.

Risk Statement Examples | SOA Policy Number / SOA SubSection

AT-3: Failure to conduct suitable and relevant security training, and to publish notifications to enhance awareness of organizational policies and procedures, may expose the operational environment to potential security breach by employees, contractors and third parties. SOA: 8210 / 6.1.1

Arizona Breach Notification (A.R.S. § 44-7500) | Arizona Computer tampering (A.R.S. § 13-2316) | COBIT Reference (Control Objective)

AT-3 COBIT Reference: [CobiT v5 - High Level Control Objective APO07; APO01] Controls have been defined for the management of IT human resources.



Consolidated Control Activities
(See Column AE through AO)

ntrol Guidance

ntrol #9] The process and tools to make sure an organization understands the technical skill gaps within its workforce, including an integrated plan to fill the gaps through policy, training, and awareness.

8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] 5.2.1 Awareness Topics
ber of topics can be mentioned and briefly discussed in any awareness session or campaign. To help further the development and implementation of individual agency security awareness training programs the following baseline guidance is provided.
nnel
he following topics shall be addressed as baseline security awareness training for all authorized personnel with access to CJI:
cribe responsibilities and expected behavior with regard to CJI usage.
noncompliance.
nse (Points of contact; Individual actions).
on.
and physical access to spaces—discuss applicable physical security policy and procedures, e.g., challenge strangers, report unusual activity.
ation subject to confidentiality concerns — hardcopy through destruction.
g and marking of CJI.
rabilities, and risks associated with handling of CJI.
and destruction.
l with Physical and Logical Access
.1.1 above, the following topics, at a minimum, shall be addressed as baseline security awareness training for all authorized personnel with both physical and logical access to CJI:
cribe responsibilities and expected behavior with regard to information system usage.
e and management—including creation, frequency of changes, and protection.
m viruses, worms, Trojan horses, and other malicious code.
ail/attachments.
llowed versus prohibited; monitoring of user activity.

ring.
ty—increases in risks to systems and data.
on.
vice security issues—address both physical and wireless security issues.
ption and the transmission of sensitive/confidential information over the Internet—address agency policy, procedures, and technical contact for assistance.
ty—address both physical and information security issues.
wned equipment and software—state whether allowed or not (e.g., copyrights).
ol issues—address least privilege and separation of duties.
ountability—explain what this means in the agency.
wledgement statements—passwords, access to systems and data, personal use and gain.
rity—discuss use of screensavers, restricting visitors’ view of information on screen (mitigating “shoulder surfing”), battery backup devices, allowed access to systems.
mation subject to confidentiality concerns—in systems, archived, on backup media, and until destroyed.

Associated Requirement Sections

AT-3:
NIST 800-53 Rev.4 - AT-3
Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy

Req.# | Family | Control Name | 800-53 Control # | NIST Low | MODERATE | Security Program Area (Function Area -> Functional Sub-Area)
R0022 | AWARENESS AND TRAINING | SECURITY TRAINING RECORDS | AT-4 | Required | Required | Identify -> Control Oversight and Safeguard Assurance & Protect -> Security Awareness and Training
R0023 | AUDIT AND ACCOUNTABILITY | AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES | AU-1 | Required | Required | Identify -> Control Oversight and Safeguard Assurance & Detect -> Security Monitoring and Event Analysis

NIST 800-53 Rev. 4 Control [Control and Control Enhancement] (detailed breakdown of required controls)
Vendor's Response (please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented)

AT-4:
The organization:
a. Documents and monitors individual information system security training activities including basic security awareness training and specific
information system security training; and
b. Retains individual training records for [Assignment: organization-defined time period].

AU-1:
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among
organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and
b. Reviews and updates the current:
1. Audit and accountability policy [Assignment: organization-defined frequency]; and
2. Audit and accountability procedures [Assignment: organization-defined frequency].


Vendor Non-Compliance Risk Statement (if you can't meet this control at all, please explain why; see Risk Statement Examples, Column O, for non-compliance language) | General Assessment Questions | Detailed Control Testing Procedure(s)

AT-4
General Assessment Question: Does the security awareness program require employees to acknowledge in writing or electronically at least annually that they have read and must abide by the institution's information security policy?
Detailed Control Testing Procedure: Obtain security awareness and training policy; procedures addressing security training records; security awareness and training records; other relevant documents or records and ascertain if the organization monitors and documents basic security awareness training and specific information system security training.

AU-1
General Assessment Question: Is there a process in place to monitor compliance to security policies and requirements on a scheduled basis (e.g., audits and assessments of controls, vulnerability assessments, etc.)?
Detailed Control Testing Procedure: Obtain audit and accountability policy and procedures; other relevant documents or records and ascertain if:
(i) the organization develops and documents audit and accountability policy and procedures;
(ii) the organization disseminates audit and accountability policy and procedures to appropriate elements within the organization;
(iii) responsible parties within the organization periodically review audit and accountability policy and procedures;
(iv) the organization updates audit and accountability policy and procedures when organizational review indicates updates are required;
(v) the audit and accountability policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance;
(vi) the audit and accountability policy is consistent with the organization's mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance; and
(vii) the audit and accountability procedures address all areas identified in the audit and accountability policy and address achieving policy-compliant implementations of all associated audit and accountability controls.

Risk Statement Examples | SOA Policy Number / SOA SubSection

AT-4: Service Management objectives are not achieved since personnel performing work within service management have inappropriate education, training, skills, and experience. SOA: 8210 / 6.3.1
AU-1: Critical business processes and sensitive data are compromised due to a flawed audit process. SOA: 8120 / 6.2; 8330 / 6.1 - 6.7

Arizona Breach Notification (A.R.S. § 44-7500) | Arizona Computer tampering (A.R.S. § 13-2316) | COBIT Reference (Control Objective)

AT-4 COBIT Reference: [CobiT v5 - High Level Control Objective APO09] Controls have been established for defining and managing service levels.
AU-1 COBIT Reference: [CobiT v5 - High Level Control Objective MEA02.01-02] Controls have been defined for monitoring and evaluating internal controls.



Consolidated Control Activities
(See Column AE through AO)

ming work within service management are competent on the basis of appropriate education, training, skills, and experience. [ISO 20000]

8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] Records of individual basic security awareness training and specific information system security training shall be documented, kept current, and maintained by the CSO/SIB/Compact Officer. Maintenance of training
local level.

1075] The agency must:


monitor individual information system security training activities, including basic security awareness training and specific information system security training; and
ual training records for a period of five years.

ntrol Guidance

1075] The agency must:


ment, and disseminate to designated agency officials:
ccountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among agency entities, and compliance; and
facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and
date the current:
untability policy every three years; and
untability procedures at least annually.

Associated Requirement Sections

AT-4:
NIST 800-53 Rev.4 - AT-4
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy

AU-1:
NIST 800-53 Rev.4 - AU-1

Req.# | Family | Control Name | 800-53 Control # | NIST Low | MODERATE | Security Program Area (Function Area -> Functional Sub-Area)
R0024 | AUDIT AND ACCOUNTABILITY | AUDIT EVENTS | AU-2 | Required | Required (3) | Identify -> Control Oversight and Safeguard Assurance & Detect -> Security Monitoring and Event Analysis

NIST 800-53 Rev. 4 Control [Control and Control Enhancement] (detailed breakdown of required controls)
Vendor's Response (please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented)

AU-2:
The organization:
a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events];
b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to
help guide the selection of auditable events;
c. Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and
d. Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the
subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event].

Control Enhancement:
(3) AUDIT EVENTS | REVIEWS AND UPDATES
The organization reviews and updates the audited events [Assignment: organization-defined frequency].
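AU-2 asks the organization to decide which events are auditable, and its testing procedure asks the assessor to confirm that the system can generate, and does generate, audit records for each of them. The Python below is an added example written for this page; it is not part of the DIR crosswalk or of any vendor's response. It checks a constructed auditd-style rule set and a handful of constructed audit records against a hypothetical organization-defined event list and reports which events lack either a loaded rule or any record in the trail. The event names, audit keys, rules and log lines are all assumptions made for the example.

```python
"""Audit-event coverage check: an added example, not part of the DIR crosswalk.

For each organization-defined auditable event (AU-2 a./d.) it verifies that
(1) an audit rule exists that can produce records for it, and (2) the audit
trail actually contains such records, which is what the AU-2 testing
procedure asks an assessor to ascertain. Rule syntax and record format are
modelled on Linux auditd; the event list, rules and log lines below are
constructed for this example and are hypothetical.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AuditableEvent:
    name: str                # organization-defined event name (hypothetical)
    rule_key: Optional[str]  # auditd '-k' key a rule must carry; None when the
                             # kernel/PAM emits the record without a rule
    record_re: str           # regex an audit record for this event satisfies


# Hypothetical organization-defined auditable events (the AU-2 a. list).
ORG_AUDITABLE_EVENTS: List[AuditableEvent] = [
    AuditableEvent("privileged command use", "priv_cmd",
                   r'type=SYSCALL .* key="priv_cmd"'),
    AuditableEvent("changes to user/group database", "identity",
                   r'type=SYSCALL .* key="identity"'),
    AuditableEvent("access to FTI data store", "fti_access",
                   r'type=SYSCALL .* key="fti_access"'),
    AuditableEvent("changes to audit configuration", None,
                   r"type=CONFIG_CHANGE "),
    AuditableEvent("failed logon", None,
                   r"type=USER_LOGIN .* res=failed"),
]

# Constructed auditctl-style rule set (what `auditctl -l` might list).
# Deliberately missing: any rule carrying the key "fti_access".
SAMPLE_RULES = """
# constructed rules for this example
-a always,exit -F arch=b64 -S execve -F euid=0 -k priv_cmd
-w /etc/passwd -p wa -k identity
-w /etc/group -p wa -k identity
"""

# Constructed audit records. No SYSCALL record carries key="identity", so the
# identity rule is loaded but has produced nothing in this sample trail.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1635264000.101:201): arch=c000003e syscall=59 '
    'success=yes exit=0 uid=1000 euid=0 comm="sudo" exe="/usr/bin/sudo" key="priv_cmd"',
    'type=USER_LOGIN msg=audit(1635264001.202:202): pid=1201 uid=0 auid=1000 '
    'msg=\'op=login acct="alice" exe="/usr/sbin/sshd" addr=10.0.0.5 terminal=ssh res=failed\'',
    'type=CONFIG_CHANGE msg=audit(1635264002.303:203): auid=1000 ses=3 '
    'op=add_rule key="identity" list=4 res=1',
]


def loaded_rule_keys(rules_text: str) -> Set[str]:
    """Collect the -k/--key values from auditctl-style rules, one rule per line."""
    keys: Set[str] = set()
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = re.search(r"(?:-k|--key)\s+(\S+)", line)
        if match:
            keys.add(match.group(1))
    return keys


def coverage_report(events: List[AuditableEvent], rules_text: str,
                    log_lines: List[str]) -> Dict[str, Tuple[bool, int]]:
    """Map each event name to (rule_loaded, number_of_matching_records)."""
    keys = loaded_rule_keys(rules_text)
    report: Dict[str, Tuple[bool, int]] = {}
    for event in events:
        pattern = re.compile(event.record_re)
        rule_loaded = event.rule_key is None or event.rule_key in keys
        seen = sum(1 for line in log_lines if pattern.search(line))
        report[event.name] = (rule_loaded, seen)
    return report


def gaps(report: Dict[str, Tuple[bool, int]]) -> List[str]:
    """Events that fail either check: candidates for an assessor finding."""
    return sorted(name for name, (loaded, seen) in report.items()
                  if not loaded or seen == 0)


if __name__ == "__main__":
    result = coverage_report(ORG_AUDITABLE_EVENTS, SAMPLE_RULES, SAMPLE_LOG)
    for name, (loaded, seen) in result.items():
        print(f"{name:35} rule_loaded={loaded!s:5} records={seen}")
    print("gaps:", gaps(result))
```

The two failure modes the report separates matter to an assessor for different reasons: a missing rule means the system is not capable of auditing the event at all (AU-2 a.), while a loaded rule with no records may mean the event simply has not occurred in the sampled window, so the second kind of gap is a prompt to test the event deliberately rather than a finding on its own.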




Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why; see Risk Statement for examples of Non-Compliance language, Column O) | General Assessment Questions | Detailed Control Testing Procedure(s)

AU-2 General Assessment Question: Does the institution or department monitor the use of information systems, maintain security-related system logs, and retain logs in accordance with the institution's records retention schedules?

AU-2 Detailed Control Testing Procedure: Obtain audit and accountability policy; procedures addressing auditable events; security plan; information system configuration settings and associated documentation; information system audit records; list of organization-defined auditable events; list of privileged security functions; other relevant documents or records and ascertain if:
(i) the organization defines in the security plan, explicitly or by reference, information system auditable events;
(ii) the organization-defined auditable events include those deemed by the organization to be adequate to support after-the-fact investigations of security incidents;
(iii) the information system generates audit records for the organization-defined auditable events;
(v) the organization decides, based upon a risk assessment, which events require auditing on a continuous basis and which events require auditing in response to specific situations;
(vi) the organization periodically reviews and updates the list of organization-defined auditable events;
(vii) the organization includes execution of privileged functions in the list of events to be audited by the information system.



Risk Statement Examples (with SOA Policy Number / SOA SubSection 1 through 4 where given)

Unauthorized access and activity is undetected due to incomplete log information. (SOA Policy Number 1: 8330, SOA SubSection 1: 6.1)



Arizona Breach Notification: A.R.S. § 44-7500 | Arizona Computer Tampering: A.R.S. § 13-2316

COBIT Reference (Control Objective): [CobiT v5 - High Level Control Objective APO13; DSS02, DSS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and monitoring, detecting and reporting security vulnerabilities and incidents.



Consolidated Control Activities
(See Column AE through AO)

r PCI covered data, access to all audit trails is logged and monitored. Logging and monitoring is performed for invalid logical access attempts, the use of identification and authentication mechanisms, initialization of the audit logs, creation and deletion of system level objects, user ide
d time, success or failure indication for event, origination of event, and the identity or name of affected data or system or component or resource. Logs for external-facing technologies are written onto a log server on the internal LAN. Audit trail viewing is specifically limited to only th
dit trails are protected from unauthorized modification through access control mechanisms, physical segregation, and/or network segregation. Logs for all system components are reviewed at least daily. Log reviews must include those servers that perform security functions like intru
tication, authorization, and accounting protocol (AAA) servers (for example, RADIUS). Note Log harvesting, parsing, and alerting tools may be used to meet compliance with this PCI requirement. Audit logs for PCI covered systems are available for at least one (1) year and processes ar
ore at least the last three months logs for immediate analysis (for example, online, archived, or restorable from back-up).

implements hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] The agency’s information system shall produce, at the application and/or operating system level, audit records containing sufficient information to establish what events occurred, the sources of the events, and the
cy shall periodically review and update the list of agency-defined auditable events. In the event an agency does not use an automated system, manual recording of activities shall still take place.

ntrol #12] The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.

ntrol #14] The processes and tools used to detect/prevent/correct the use of systems and information based on audit logs of events that are considered significant or could impact the security of an organization.

1075] Security-relevant events must enable the detection of unauthorized access to


g must be enabled to the greatest extent necessary to capture
tion, deletion, and movement of FTI by each unique user.
:
t the information system is capable, at a minimum, of auditing the following event types:
m;
em;
sword;
ministrator commands, while logged on as system administrator;
unts or running privileged actions from another account, (e.g., Linux/Unix SU or Windows RUNAS);
odification of super-user groups;
rity administrator commands, while logged on in the security administrator role;
em administrator commands, while logged on in the user role;
audit log file;
hutdown of audit functions;
fication and authentication mechanisms (e.g., user ID and password);
e or user permissions or privileges (e.g., use of SU-id/guid, shown, su);
ss outside of the corporate network communication channels (e.g., modems, dedicated VPN) and all dial-in access to the system;
e to an application or database by a batch file;
ritical record changes;



Associated Requirement Sections

PCI DSS v2.0 - Sec 10.2.3
PCI DSS v2.0 - Sec 10.2.4
PCI DSS v2.0 - Sec 10.2.5
PCI DSS v2.0 - Sec 10.2.6
PCI DSS v2.0 - Sec 10.3
PCI DSS v2.0 - Sec 10.3.1
PCI DSS v2.0 - Sec 10.3.2
PCI DSS v2.0 - Sec 10.3.3
PCI DSS v2.0 - Sec 10.3.4
PCI DSS v2.0 - Sec 10.3.5
PCI DSS v2.0 - Sec 10.3.6
PCI DSS v2.0 - Sec 10.5
PCI DSS v2.0 - Sec 10.5.1
PCI DSS v2.0 - Sec 10.5.2
PCI DSS v2.0 - Sec 10.5.4
PCI DSS v2.0 - Sec 10.6
PCI DSS v2.0 - Sec 10.7
HIPAA Security Section - 45 CFR 164.308(a)(5)(ii)(c)
HIPAA Security Section - 45 CFR 164.312(b)
NIST 800-53 Rev.4 - AU-2 (3)
Critical Control 12: Controlled Use of Administrative Privileges
Critical Control 14: Maintenance, Monitoring, and Analysis of Security Audit Logs
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy



Req.# | Security Control Family | Control Name | NIST 800-53 Control # | Low [Control and Control Enhancement] | MODERATE [Control and Control Enhancement] | Security Program Area (Function Area -> Functional Sub-Area)

R0025 | AUDIT AND ACCOUNTABILITY | CONTENT OF AUDIT RECORDS | AU-3 | Low: Required | MODERATE: Required (1) | Protect -> Audit Logging and Security Event Management & Media

R0026 | AUDIT AND ACCOUNTABILITY | AUDIT STORAGE CAPACITY | AU-4 | Low: Required | MODERATE: Required | Protect -> Audit Logging and Security Event Management & Media




The information system generates audit records containing information that establishes what type of event occurred, when the event occurred,
where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the
event.

Control Enhancement:
(1) CONTENT OF AUDIT RECORDS | ADDITIONAL AUDIT INFORMATION
The information system generates audit records containing the following additional information: [Assignment: organization-defined additional,
more detailed information].

The organization allocates audit record storage capacity in accordance with [Assignment: organization-defined audit record storage requirements].






AU-3 General Assessment Question: Does the information system produce audit records that contain sufficient information and, at a minimum, establish: a. the type of event that occurred, b. the date and time the event occurred, c. where the event occurred (specific system, etc.), d. the source of the event, e. outcome (success or failure) of the event, and f. the identity of any user or subject associated with the event?

AU-3 Detailed Control Testing Procedure: Obtain audit and accountability policy; procedures addressing content of audit records; information system design documentation; security plan; information system configuration settings and associated documentation; other relevant documents or records and ascertain if:
(i) the information system audit records capture sufficient information to establish what events occurred;
(ii) the information system audit records capture sufficient information to establish the sources of the events; and
(iii) the information system audit records capture sufficient information to establish the outcomes of the events;
(iv) the information system provides the capability to include additional, more detailed information in the audit records for audit events identified by type, location, or subject.

AU-4 General Assessment Question: Does the institution or department monitor the storage capacity of its logging servers to prevent data over-writing?

AU-4 Detailed Control Testing Procedure: Obtain audit and accountability policy; procedures addressing audit storage capacity; information system design documentation; organization-defined audit record storage capacity for information system components that store audit records; list of organization-defined auditable events; information system configuration settings and associated documentation; information system audit records; other relevant documents or records and ascertain if:
(i) the organization allocates sufficient audit record storage capacity; and
(ii) the organization configures auditing to reduce the likelihood of audit record storage capacity being exceeded.



Risk Statement Examples

The lack of logging mechanisms to record and store user activities, exceptions, and information security events may result in unauthorized access or activity going undetected. (SOA Policy Number 1: 8330, SOA SubSection 1: 6.2, 6.2.1)

Logging facilities and log information are compromised and tampered with due to inadequate data protection mechanisms.



Arizona Breach Notification: A.R.S. § 44-7500 | Arizona Computer Tampering: A.R.S. § 13-2316

COBIT Reference (Control Objective), AU-3: [CobiT v5 - High Level Control Objective APO13; DS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and monitoring, detecting and reporting security vulnerabilities and incidents.

COBIT Reference (Control Objective), AU-4: [CobiT v5 - High Level Control Objective APO13; DSS02, DSS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and monitoring, detecting and reporting security vulnerabilities and incidents.



Consolidated Control Activities
(See Column AE through AO)

ntrol Guidance

8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] The following events shall be logged:
unsuccessful system log-on attempts.
unsuccessful attempts to access, create, write, delete or change permission on a user account, file, directory or other system resource.
unsuccessful attempts to change account passwords.
unsuccessful actions by privileged accounts.
unsuccessful attempts for users to access, modify, or destroy the audit log file.
ntent shall be included with every audited event:
of the event.
nt of the information system (e.g., software component, hardware component) where the event occurred.

dentity.
cess or failure) of the event.

ntrol #14] The processes and tools used to detect/prevent/correct the use of systems and information based on audit logs of events that are considered significant or could impact the security of an organization.

1075] The information system must:


t records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event; and
t records containing details to facilitate the reconstruction of events if unauthorized activity or a malfunction occurs or is suspected in the audit records for audit events identified by type, location, or subject. (CE1)

perational procedures to back up audit trail files to a centralized log server or media that is difficult to alter, have been established

8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] The agency’s information system shall provide alerts to appropriate agency officials in the event of an audit processing failure. Audit processing failures include, for example: software/hardware errors, failures in the
d audit storage capacity being reached or exceeded.

ntrol #14] The processes and tools used to detect/prevent/correct the use of systems and information based on audit logs of events that are considered significant or could impact the security of an organization.

1075] The agency must allocate audit record storage capacity to retain audit records for the required audit retention period of seven years.



Associated Requirement Sections

AU-3:
NIST 800-53 Rev.4 - AU-3(1)
Critical Control 14: Maintenance, Monitoring, and Analysis of Security Audit Logs
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy

AU-4:
PCI DSS v2.0 - Sec 10.5.3
NIST 800-53 Rev.4 - AU-4
Critical Control 14: Maintenance, Monitoring, and Analysis of Security Audit Logs
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy



Req.# | Security Control Family | Control Name | NIST 800-53 Control # | Low [Control and Control Enhancement] | MODERATE [Control and Control Enhancement] | Security Program Area (Function Area -> Functional Sub-Area)

R0027 | AUDIT AND ACCOUNTABILITY | RESPONSE TO AUDIT PROCESSING FAILURES | AU-5 | Low: Required | MODERATE: Required | Protect -> Audit Logging and Security Event Management & Media

R0028 | AUDIT AND ACCOUNTABILITY | AUDIT REVIEW, ANALYSIS, AND REPORTING | AU-6 | Low: Required | MODERATE: Required (1,3) | Protect -> Audit Logging and Security Event Management & Media




The information system:
a. Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and
b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite
oldest audit records, stop generating audit records)].
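AU-4 (allocating audit record storage capacity) and AU-5 (alerting and taking an organization-defined action when audit processing fails) state the requirement in policy terms. The Python below is an added example, not part of the crosswalk and not any vendor's implementation, of a log store that honours both: it counts bytes against an allocated capacity, alerts a notification hook once a warning level is crossed, and when the allocation is reached alerts again and applies one of the three actions AU-5 b. gives as examples. The 400-byte allocation, the 80 % warning level, the class and hook names, and the constructed logon events are all assumptions chosen so the failure is reproducible.

```python
"""Audit storage allocation (AU-4) and response to an audit processing
failure (AU-5).  Added example, not from the crosswalk or any vendor; the
400-byte allocation, the 80 % warning level and the constructed events are
assumptions."""
from __future__ import annotations

import json
from collections import deque
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Deque, List


class FailureAction(Enum):
    """The additional actions AU-5 b. gives as examples."""
    STOP_GENERATING = "stop generating audit records"
    OVERWRITE_OLDEST = "overwrite oldest audit records"
    SHUT_DOWN = "shut down information system"


@dataclass
class AuditStore:
    capacity_bytes: int                                    # AU-4: allocated capacity
    action: FailureAction = FailureAction.STOP_GENERATING  # AU-5 b.: chosen action
    warn_fraction: float = 0.80                            # early-warning level (assumed)
    notify: Callable[[str], None] = print                  # AU-5 a.: alert defined roles
    records: Deque[bytes] = field(default_factory=deque, init=False)
    used_bytes: int = field(default=0, init=False)
    halted: bool = field(default=False, init=False)        # no further records accepted
    shutdown_requested: bool = field(default=False, init=False)
    dropped: int = field(default=0, init=False)            # records lost after the failure
    alerts: List[str] = field(default_factory=list, init=False)
    warned: bool = field(default=False, init=False)
    exhausted: bool = field(default=False, init=False)

    def _alert(self, message: str) -> None:
        self.alerts.append(message)
        self.notify(message)

    def write(self, record: dict) -> bool:
        """Store one record; True if it was retained, False if it was lost."""
        if self.halted:
            self.dropped += 1
            return False
        line = json.dumps(record, sort_keys=True).encode() + b"\n"
        if self.used_bytes + len(line) > self.capacity_bytes:
            return self._on_failure(line)
        self.records.append(line)
        self.used_bytes += len(line)
        if not self.warned and self.used_bytes >= self.warn_fraction * self.capacity_bytes:
            self.warned = True  # warn once, while there is still room to act
            self._alert(f"AU-4 warning: {self.used_bytes} of {self.capacity_bytes} bytes used")
        return True

    def _on_failure(self, line: bytes) -> bool:
        """AU-5: capacity reached or exceeded is an audit processing failure."""
        if not self.exhausted:
            self.exhausted = True
            self._alert(f"AU-5 failure: audit storage capacity reached; action: {self.action.value}")
        if self.action is FailureAction.OVERWRITE_OLDEST and len(line) <= self.capacity_bytes:
            while self.used_bytes + len(line) > self.capacity_bytes:
                self.used_bytes -= len(self.records.popleft())
            self.records.append(line)
            self.used_bytes += len(line)
            return True
        # STOP_GENERATING, SHUT_DOWN, or a record that can never fit: fail closed
        self.halted = True
        self.shutdown_requested = self.action is FailureAction.SHUT_DOWN
        self.dropped += 1
        return False


def simulate(action: FailureAction, capacity_bytes: int = 400, events: int = 20) -> AuditStore:
    """Feed constructed logon events (sample data) into a store with a small allocation."""
    store = AuditStore(capacity_bytes=capacity_bytes, action=action, notify=lambda _m: None)
    for seq in range(events):
        store.write({"seq": seq, "type": "LOGON", "outcome": "success"})
    return store


if __name__ == "__main__":
    for act in FailureAction:
        s = simulate(act)
        print(f"{act.name:16} retained={len(s.records):2} dropped={s.dropped:2} "
              f"halted={s.halted} shutdown={s.shutdown_requested} alerts={len(s.alerts)}")
```

In STOP_GENERATING and SHUT_DOWN mode the store fails closed: nothing is lost silently, because the dropped counter and the alert record the loss, which is the evidence an assessor looks for under test item (iii) above. OVERWRITE_OLDEST keeps the system running at the price of the earliest records, so it only makes sense together with the AU-4 warning, which gives the operator a chance to raise the allocation before the first overwrite.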

The organization:
a. Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment:
organization-defined inappropriate or unusual activity]; and
b. Reports findings to [Assignment: organization-defined personnel or roles].

Control Enhancement:
(1) AUDIT REVIEW, ANALYSIS, AND REPORTING | PROCESS INTEGRATION
The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational
processes for investigation and response to suspicious activities.
(3) AUDIT REVIEW, ANALYSIS, AND REPORTING | CORRELATE AUDIT REPOSITORIES
The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.
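AU-6 a. asks for review and analysis of audit records, AU-6 b. for reporting of findings, and AU-6(3) for correlation across repositories. The Python below is an added example, not part of the crosswalk and not any vendor's tooling, that shows why (3) matters: failed logons for one account are spread over an sshd syslog and a Windows Security export, and only the time-ordered merge of both reaches the organization-defined threshold. The log lines, host names, addresses, the five-minute window, the threshold of three and the year supplied to the syslog parser (syslog lines carry no year) are all constructed assumptions.

```python
"""Cross-repository audit correlation (AU-6(3)) with findings for reporting
(AU-6 a./b.).  Added example, not from the crosswalk or any vendor; the log
lines, host names, addresses, window and threshold are all constructed."""
from __future__ import annotations

import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, Iterable, Iterator, List, NamedTuple


class Event(NamedTuple):
    ts: datetime   # normalised to UTC
    repo: str      # which repository the record came from
    user: str
    src: str
    outcome: str   # "success" or "failure"


class Finding(NamedTuple):
    user: str
    failures: int
    repos: tuple
    first: datetime
    last: datetime


# Repository 1: constructed syslog-style sshd lines (syslog omits the year,
# so parse_sshd takes it as a parameter).
SSHD_LOG = """\
Oct 26 06:20:01 bastion sshd[4101]: Failed password for alice from 203.0.113.7 port 50122 ssh2
Oct 26 06:20:40 bastion sshd[4102]: Failed password for alice from 203.0.113.7 port 50130 ssh2
Oct 26 06:21:05 bastion sshd[4103]: Accepted publickey for bob from 198.51.100.4 port 41000 ssh2
"""

# Repository 2: constructed JSON-lines export of Windows Security events
# (Event ID 4625 = failed logon, 4624 = successful logon).
WIN_LOG = """\
{"time": "2021-10-26T06:21:30Z", "EventID": 4625, "TargetUserName": "Alice", "IpAddress": "203.0.113.7", "Computer": "FS01"}
{"time": "2021-10-26T06:22:10Z", "EventID": 4624, "TargetUserName": "bob", "IpAddress": "198.51.100.4", "Computer": "FS01"}
{"time": "2021-10-26T06:40:00Z", "EventID": 4625, "TargetUserName": "carol", "IpAddress": "192.0.2.9", "Computer": "FS01"}
"""

SSHD_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<verdict>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_sshd(text: str, year: int) -> Iterator[Event]:
    """Normalise sshd logon lines into Event records; other lines are skipped."""
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['stamp']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        outcome = "failure" if m["verdict"] == "Failed" else "success"
        yield Event(ts, "sshd", m["user"].lower(), m["src"], outcome)


def parse_windows(text: str) -> Iterator[Event]:
    """Normalise logon events (4624/4625) from the JSON-lines export."""
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("EventID") not in (4624, 4625):
            continue
        ts = datetime.fromisoformat(rec["time"].replace("Z", "+00:00")).astimezone(timezone.utc)
        outcome = "failure" if rec["EventID"] == 4625 else "success"
        yield Event(ts, "windows", rec["TargetUserName"].lower(), rec.get("IpAddress", "-"), outcome)


def correlate(events: Iterable[Event], window: timedelta = timedelta(minutes=5),
              threshold: int = 3) -> List[Finding]:
    """Flag users whose failed logons across every repository reach `threshold`
    within `window`.  A per-user sliding window over the time-ordered merge is
    what the cross-repository view adds over reviewing each repository alone."""
    recent: Dict[str, Deque[Event]] = defaultdict(deque)
    findings: List[Finding] = []
    reported = set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.outcome != "failure":
            continue
        q = recent[ev.user]
        q.append(ev)
        while ev.ts - q[0].ts > window:
            q.popleft()
        if len(q) >= threshold and ev.user not in reported:
            reported.add(ev.user)
            findings.append(Finding(ev.user, len(q), tuple(sorted({e.repo for e in q})), q[0].ts, ev.ts))
    return findings


def report(findings: List[Finding]) -> List[str]:
    """One line per finding, the form in which AU-6 b. findings are reported."""
    return [f"{f.user}: {f.failures} failed logons across {', '.join(f.repos)} "
            f"between {f.first.isoformat()} and {f.last.isoformat()}" for f in findings]


if __name__ == "__main__":
    merged = list(parse_sshd(SSHD_LOG, year=2021)) + list(parse_windows(WIN_LOG))
    for line in report(correlate(merged)):
        print(line)
```

Both parsers normalise user names to lower case and time stamps to UTC before merging; without that normalisation "Alice" in one repository and "alice" in the other would never be joined, and a local-time syslog beside a UTC export would order the events wrongly, which is the AU-8 dependency behind AU-6(3).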






AU-5 General Assessment Question: Does the institution or department log all user access to confidential data (e.g., card holder data, ePHI, PII) and enable audit trails to uniquely log each user's activities?

AU-5 Detailed Control Testing Procedure: Obtain audit and accountability policy; procedures addressing response to audit processing failures; information system design documentation; security plan; information system configuration settings and associated documentation; list of personnel to be notified in case of an audit processing failure; information system audit records; other relevant documents or records, and ascertain if:
(i) the organization defines in the security plan, explicitly or by reference, actions to be taken in the event of an audit processing failure;
(ii) the organization defines in the security plan, explicitly or by reference, personnel to be notified in case of an audit processing failure; and
(iii) the information system alerts appropriate organizational officials and takes any additional organization-defined actions in the event of an audit failure, to include audit storage capacity being reached or exceeded.

AU-6 General Assessment Question: Are information system audit records reviewed and analyzed on a daily basis for indications of inappropriate or unusual activity, findings reported to designated organizational officials, and corrective action plans implemented for identified issues? [e.g., logs from different systems are correlated in order to effectively detect potential security issues; specific use cases for alerts have been defined in order to identify critical security events; knowledgeable resources exist and are responsible for responding to alerts; the process is tied to the incident response process]

AU-6 Detailed Control Testing Procedure: Obtain audit and accountability policy; procedures addressing audit monitoring, analysis, and reporting; threat information documentation from law enforcement, intelligence community, or other sources; information system configuration settings and associated documentation; information system audit records; reports of audit findings; records of actions taken in response to reviews/analyses of audit records; other relevant documents or records and ascertain if:
(i) the organization regularly reviews/analyzes audit records for indications of inappropriate or unusual activity;
(ii) the organization investigates suspicious activity or suspected violations;
(iii) the organization reports findings of inappropriate/unusual activities, suspicious behavior, or suspected violations to appropriate officials; and
(iv) the organization takes necessary actions in response to the reviews/analyses of audit records.



Risk Statement Examples

Unauthorized system activities are undetected because of inconsistent audit log monitoring. (SOA Policy Number 1: 8330, SOA SubSection 1: 6.2.3)

Audit findings are not effectively communicated or resolved by management. (SOA Policy Number 1: 8330, SOA SubSection 1: 6.5)



Arizona Breach Notification: A.R.S. § 44-7500 | Arizona Computer Tampering: A.R.S. § 13-2316

COBIT Reference (Control Objective), AU-5: [CobiT v5 - High Level Control Objective APO13; DS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and monitoring, detecting and reporting security vulnerabilities and incidents.

COBIT Reference (Control Objective), AU-6: [CobiT v5 - High Level Control Objective MEA02.01-02] Controls have been defined to monitor and evaluate internal controls.



Consolidated Control Activities
(See Column AE through AO)

dividual accesses are logged to track and monitor access to information resources. A process exists for linking all access to system components (especially access made with administrative privileges such as root) to each individual user. Automated audit trails are implemented on syste
dividual user access events (such as individual and administrator user access attempts, creation and deletion of system-level objects).

8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] The agency’s information system shall provide alerts to appropriate agency officials in the event of an audit processing failure. Audit processing failures include, for example: software/hardware errors, failures in the
d audit storage capacity being reached or exceeded.

ntrol #14] The processes and tools used to detect/prevent/correct the use of systems and information based on audit logs of events that are considered significant or could impact the security of an organization.

1075] The information system must:


ed agency officials in the event of an audit processing failure;
m operational status using operating system or system audit logs and verify functions and performance of the system. Logs shall be able to identify where system process failures have taken place and provide information relative to corrective actions to be taken by the system admini
ing when allocated audit record storage volume reaches a maximum audit record storage capacity. (CE1)

ntrol Guidance

8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] 5.4.3 Audit Monitoring, Analysis, and Reporting
management official shall designate an individual or position to review/analyze information system audit records for indications of inappropriate or unusual activity, investigate suspicious activity or suspected violations, to report findings to appropriate officials, and to take necessary
hall be conducted at a minimum once a week. The frequency of review/analysis should be increased when the volume of an agency’s processing indicates an elevated need for audit review. The agency shall increase the level of audit monitoring and analysis activity within the inform
s an indication of increased risk to agency operations, agency assets, or individuals based on law enforcement information, intelligence information, or other credible sources of information.

ntrol #14] The processes and tools used to detect/prevent/correct the use of systems and information based on audit logs of events that are considered significant or could impact the security of an organization.

1075] The agency must:


alyze information system audit records at least weekly or more frequently at the discretion of the information system owner for indications of unusual activity related to potential unauthorized FTI access; and
s according to the agency incident response policy. If the finding involves a potential unauthorized disclosure of FTI, the appropriate special agent-in-charge, Treasury Inspector General for Tax Administration (TIGTA), and the IRS Office of Safeguards must be contacted, as described in
per Inspections or Disclosures. The Office of Safeguards recommends agencies identify events that may indicate a potential unauthorized access to FTI.



Associated Requirement Sections

AU-5:
PCI DSS v2.0 - Sec 10
PCI DSS v2.0 - Sec 10.1
PCI DSS v2.0 - Sec 10.2.1
PCI DSS v2.0 - Sec 10.2.7
PCI DSS v2.0 - Sec A.1.4
NIST 800-53 Rev.4 - AU-5
Critical Control 14: Maintenance, Monitoring, and Analysis of Security Audit Logs
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy

AU-6:
NIST 800-53 Rev.4 - AU-6 (1) (3)
Critical Control 14: Maintenance, Monitoring, and Analysis of Security Audit Logs
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy



Req.# | Security Control Family | Control Name | NIST 800-53 Control # | Low [Control and Control Enhancement] | MODERATE [Control and Control Enhancement] | Security Program Area (Function Area -> Functional Sub-Area)

R0029 | AUDIT AND ACCOUNTABILITY | AUDIT REDUCTION AND REPORT GENERATION | AU-7 | Low: not listed | MODERATE: Required (1) | Respond -> Cyber-Security Incident Response

R0030 | AUDIT AND ACCOUNTABILITY | TIME STAMPS | AU-8 | Low: Required | MODERATE: Required (1) | Protect -> Audit Logging and Security Event Management & Media




The information system provides an audit reduction and report generation capability that:
a. Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and
b. Does not alter the original content or time ordering of audit records.

Control Enhancement:
(1) AUDIT REDUCTION AND REPORT GENERATION | AUTOMATIC PROCESSING
The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit
fields within audit records].

The information system:
a. Uses internal system clocks to generate time stamps for audit records; and
b. Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets
[Assignment: organization-defined granularity of time measurement].

Control Enhancement:
(1) TIME STAMPS | SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE
The information system:
(a) Compares the internal information system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined
authoritative time source]; and
(b) Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than [Assignment: organization-
defined time period].
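AU-3 (what, when, where, source, outcome and who must appear in every audit record), AU-3(1) (additional detail), AU-8 (time stamps from the system clock that map to UTC at a defined granularity) and AU-8(1) (compare the clock with an authoritative source and resynchronise past a defined drift) together fix the shape of a usable audit record. The Python below is an added example, not part of the crosswalk and not any vendor's format, that builds such a record, validates one against the AU-3 and AU-8 conditions, and applies the AU-8(1) comparison. The field names, the millisecond granularity, the one-second resync threshold and the sample values are assumptions; a real deployment would take `when` from the system clock rather than a parameter.

```python
"""Audit record content (AU-3), optional detail (AU-3(1)), UTC time stamps at
a defined granularity (AU-8) and the clock comparison of AU-8(1).  Added
example, not from the crosswalk or any vendor; the field names, the
millisecond granularity and the one-second resync threshold are assumptions."""
from __future__ import annotations

import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# AU-3: type of event, when, where, source, outcome, identity of the subject.
REQUIRED_FIELDS = ("event_type", "timestamp", "location", "source", "outcome", "subject")
OUTCOMES = ("success", "failure")


def to_utc_stamp(when: datetime) -> str:
    """AU-8 b.: a stamp that maps to UTC, at millisecond granularity (assumed)."""
    if when.tzinfo is None or when.utcoffset() is None:
        raise ValueError("naive time stamp cannot be mapped to UTC")
    return when.astimezone(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")


def validate(record: Dict[str, object]) -> List[str]:
    """Return the AU-3/AU-8 problems with a record; an empty list means acceptable."""
    problems = [f"missing {name}" for name in REQUIRED_FIELDS if not record.get(name)]
    if record.get("outcome") and record["outcome"] not in OUTCOMES:
        problems.append("outcome must be success or failure")
    stamp = record.get("timestamp")
    if stamp:
        try:
            parsed = datetime.fromisoformat(str(stamp).replace("Z", "+00:00"))
        except ValueError:
            problems.append("timestamp is not ISO 8601")
        else:
            if parsed.utcoffset() is None:
                problems.append("timestamp has no UTC offset")
    return problems


def make_record(event_type: str, location: str, source: str, outcome: str, subject: str,
                when: datetime, detail: Optional[Dict[str, str]] = None) -> Dict[str, object]:
    """Build one audit record.  `when` is taken from the system clock in a real
    deployment (AU-8 a.); it is a parameter here so the example is deterministic."""
    record: Dict[str, object] = {
        "event_type": event_type,       # what
        "timestamp": to_utc_stamp(when),  # when
        "location": location,           # where (system or component)
        "source": source,               # where it came from
        "outcome": outcome,             # success / failure
        "subject": subject,             # who
    }
    if detail:
        record["detail"] = dict(detail)  # AU-3(1): additional, more detailed information
    problems = validate(record)
    if problems:
        raise ValueError("; ".join(problems))
    return record


def needs_resync(local_clock: datetime, authoritative: datetime,
                 max_drift: timedelta = timedelta(seconds=1)) -> bool:
    """AU-8(1) b.: resynchronise when the clock differs from the authoritative
    source by more than the organization-defined period (one second assumed)."""
    return abs(local_clock - authoritative) > max_drift


if __name__ == "__main__":
    rec = make_record("LOGON", "host01", "203.0.113.7", "failure", "alice",
                      when=datetime(2021, 10, 26, 6, 25, 11, 123456, tzinfo=timezone.utc),
                      detail={"method": "password", "port": "50122"})
    print(json.dumps(rec, indent=2))
    print(validate({"event_type": "LOGON", "timestamp": "2021-10-26 06:25:11"}))
```

The validator is what an assessor's test items (i) through (iii) for AU-3 reduce to in code: a record that is missing the subject, carries an outcome other than success or failure, or has a time stamp without an offset fails before it is written, rather than being discovered during an investigation. The naive-time check in `to_utc_stamp` is the part most often skipped; a local-time stamp with no offset cannot be ordered against records from a host in another zone, which is exactly the AU-8 b. requirement.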






AU-7 General Assessment Question: Does the department have security incident management policies and supporting procedures in place that include: i) requirements for proper tuning of logs and alerts so as to focus on higher risk events / exceptions (i.e., minimize the "noise"); ii) proper handling and access controls to maintain integrity of logs and other data that support forensics and investigations; iii) documented use cases that guide the responders on how to manage incidents reported or identified (e.g., classification and next steps); iv) a clear indication of who needs to be notified, by when, and in what manner?

AU-7 Detailed Control Testing Procedure: Obtain audit and accountability policy; procedures addressing audit reduction and report generation; information system design documentation; audit reduction, review, and reporting tools and associated documentation; other relevant documents or records and ascertain if:
(i) the information system provides audit reduction and report generation tools that support after-the-fact investigations of security incidents without altering original audit records;
(ii) the information system provides the capability to automatically process audit records for events of interest based upon selectable event criteria.

AU-8 General Assessment Question: Is the information system configured to use internal system clocks to generate time stamps for audit records? [Note: The ability to accurately monitor time stamps from logs could affect the incident response process.]

AU-8 Detailed Control Testing Procedure: Obtain audit and accountability policy; procedures addressing time stamp generation; information system design documentation; information system configuration settings and associated documentation; information system audit records; security plan; other relevant documents or records and ascertain if:
(i) the information system provides time stamps in audit records;
(ii) the organization defines in the security plan, explicitly or by reference, the frequency of internal clock synchronization for the information system; and
(iii)the organization synchronizes internal information system clocks periodically in accordance with organization-
defined frequency.

DIR CONTROL CROSSWALK REFERENCE | 10/26/2021 06:25:13 180 of 881


Risk Statement Examples (with SOA Policy Number / SOA SubSection)

Information security events are not reported. (SOA Policy Number 8330, SOA SubSection 6.6)

The lack of operational control to synchronize system clocks with an authoritative time source may hinder the ability to accurately monitor timestamps from logs, which could affect the incident response process. (SOA Policy Number 8330, SOA SubSection 6.7)


Arizona Breach Notification (A.R.S. § 44-7500); Arizona Computer tampering (A.R.S. § 13-2316)

COBIT Reference (Control Objective):
[CobiT v5 - High Level Control Objective DS8 is deleted from COBIT as it does not cover Service Desk Process] Controls have been defined for management of the service desk and incidents.
[CobiT v5 - High Level Control Objective APO13; DS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and monitoring, detecting, and reporting security vulnerabilities and incidents.


Consolidated Control Activities
(See Column AE through AO)

Information security events are reported through appropriate management channels as quickly as possible.[PCI DSS v2.0] Alerts from intrusion detection, intrusion-prevention, and file-integrity monitoring systems are monitored.

8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] 5.4.6 Audit Record Retention
retain audit records for at least 365 days. Once the minimum retention time period has passed, the agency shall continue to retain audit records until it is determined they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example,
dit records relative to Freedom of Information Act (FOIA) requests, subpoena, and law enforcement actions.

1075] The information system must provide an audit reduction and report generation capability that:
emand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and
the original content or time ordering of audit records.

ntrol Guidance

8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] The agency’s information system shall provide time stamps for use in audit record generation. The time stamps shall include the date and time values generated by the internal system clocks in the audit records. The
nal information system clocks on an annual basis.

ntrol #14] The processes and tools used to detect/prevent/correct the use of systems and information based on audit logs of events that are considered significant or could impact the security of an organization.

1075] The information system must:


stem clocks to generate time stamps for audit records;
amps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT); and
ynchronize the internal information system clocks to approved authoritative time sources (e.g., NIST, Naval Observatory). (CE1)



Associated Requirement Sections

HIPAA Security Section - 45 CFR 164.308(a)(6)(ii)


PCI DSS v2.0 - Sec 12.9.5
NIST 800-53 Rev.4 - AU-7(1)
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services
(CJIS) Security Policy

NIST 800-53 Rev.4 - AU-8(1)


Critical Control 14: Maintenance, Monitoring, and Analysis of
Security Audit Logs
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services
(CJIS) Security Policy



Req.# | Security Control Family | Control Name | NIST 800-53 Control # | Low [Control and Control Enhancement] | MODERATE [Control and Control Enhancement] | Security Program Area (Function Area -> Functional Sub-Area)

R0031 | AUDIT AND ACCOUNTABILITY | PROTECTION OF AUDIT INFORMATION | AU-9 | Required | Required (2,4) | Protect -> Audit Logging and Security Event Management & Media

R0032 | AUDIT AND ACCOUNTABILITY | AUDIT RECORD RETENTION | AU-11 | Required | Required | Protect -> Data Loss Prevention


NIST 800-53 Rev. 4 Control [Control and Control Enhancement] (Detailed breakdown of required controls) | Vendor's Response (Please address all the controls and control enhancements, then describe if the controls are Implemented, Partially Implemented or Not Implemented)

AU-9 (R0031): The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

Control Enhancements:
(2) PROTECTION OF AUDIT INFORMATION | AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS
The information system backs up audit records [Assignment: organization-defined frequency] onto a physically different system or system component than the system or component being audited.
(4) PROTECTION OF AUDIT INFORMATION | ACCESS BY SUBSET OF PRIVILEGED USERS
The organization authorizes access to management of audit functionality to only [Assignment: organization-defined subset of users].

AU-11 (R0032): The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.




Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why; see the Risk Statement examples of Non-Compliance language, Column O) | General Assessment Questions | Detailed Control Testing Procedure(s)

General Assessment Question: Is access to log data directories adequately controlled?
Detailed Control Testing Procedure: Obtain audit and accountability policy; procedures addressing protection of audit information; access control policy and procedures; information system design documentation; information system configuration settings and associated documentation; information system audit records; audit tools; other relevant documents or records and ascertain if the information system protects audit information and audit tools from unauthorized access, modification, and deletion.

General Assessment Question: Are audit records retained to provide support for after-the-fact investigations of security incidents in accordance with regulatory requirements and institutional records retention requirements?
Detailed Control Testing Procedure: Obtain audit and accountability policy; procedures addressing audit record retention; organization-defined retention period for audit records; information system audit records; other relevant documents or records and ascertain if: (i) the organization defines the retention period for audit records generated by the information system; and (ii) the organization retains information system audit records for the organization-defined time period to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.


Risk Statement Examples (with SOA Policy Number / SOA SubSection)

Failure to restrict access to logging facilities and log information may result in unauthorized access, log information tampering and loss of user activity evidence. (SOA Policy Number 8330, SOA SubSection 6.8)

Laws and regulations are violated due to data not being retained for the required duration of time or inappropriate data being stored. (SOA Policy Number 8330, SOA SubSection 6.9)


Arizona Breach Notification (A.R.S. § 44-7500); Arizona Computer tampering (A.R.S. § 13-2316)

COBIT Reference (Control Objective):
[CobiT v5 - High Level Control Objective APO13; DS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and monitoring, detecting, and reporting security vulnerabilities and incidents.
[CobiT v5 - High Level Control Objective MEA03] Controls have been defined to ensure regulatory compliance by identifying all applicable laws and regulations and the corresponding level of IT compliance and optimizing IT processes to reduce the risk of non-compliance.


Consolidated Control Activities
(See Column AE through AO)

ntrol Guidance

8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] The agency’s information system shall protect audit information and audit tools from modification, deletion and unauthorized access.

ntrol #14] The processes and tools used to detect/prevent/correct the use of systems and information based on audit logs of events that are considered significant or could impact the security of an organization.

1075] The information system must protect audit information and audit tools from unauthorized access, modification, and deletion. The agency must authorize access to manage audit functionality only to designated security administrator(s) or staff other than the system and networ
ork administrators must not have the ability to modify or delete audit log entries. (CE4)

erally Accepted Privacy Principles, Public Law 93-579] Procedures are in place to address records management requirements.
velop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy. Mask PAN when displayed (the first six and last four digits are the maximum num
otes: This requirement does not apply to employees and other parties with a legitimate business need to see the full PAN. This requirement does not supersede stricter requirements in place for displays of cardholder data-for example, for point-of sale (POS) receipts. [MA.201.CMR.17
tained to that which is reasonably necessary.

The organization will implement reasonable and appropriate policies and procedures to comply with the standards and implementation specifications for records management, and maintain a written (it may be electronic) record of the action, activity or assessment.

8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] 5.4.6 Audit Record Retention
retain audit records for at least 365 days. Once the minimum retention time period has passed, the agency shall continue to retain audit records until it is determined they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example,
dit records relative to Freedom of Information Act (FOIA) requests, subpoena, and law enforcement actions.
C and III Transactions
intained for a minimum of one (1) year on all NCIC and III transactions. The III portion of the log shall clearly identify both the operator and the authorized receiving agency. III logs shall also clearly identify the requester and the secondary recipient. The identification on the log shall ta
er that shall remain unique to the individual requester and to the secondary recipient throughout the minimum one year retention period.

1075] The agency must retain audit records for seven years to provide support for after-the fact investigations of security incidents and to meet regulatory and agency information retention requirements.



Associated Requirement Sections

NIST 800-53 Rev.4 - AU-9 (4)


Critical Control 14: Maintenance, Monitoring, and Analysis of
Security Audit Logs
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services
(CJIS) Security Policy

HIPAA Security Section - 45 CFR 164.316(b)(1)


HIPAA Security Section - 45 CFR 164.316(b)(2)(i)
Public Law 93-579 - Sec 552a.(c)
Public Law 93-579 - Sec 552a.(e)(5)
PCI DSS v2.0 - Sec 3.1
PCI DSS v2.0 - Sec 3.3
NIST 800-53 Rev.4 - AU-11
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services
(CJIS) Security Policy



Req.# | Security Control Family | Control Name | NIST 800-53 Control # | Low [Control and Control Enhancement] | MODERATE [Control and Control Enhancement] | Security Program Area (Function Area -> Functional Sub-Area)

R0033 | AUDIT AND ACCOUNTABILITY | AUDIT GENERATION | AU-12 | Required | Required | Protect -> Audit Logging and Security Event Management & Media


NIST 800-53 Rev. 4 Control [Control and Control Enhancement] (Detailed breakdown of required controls) | Vendor's Response (Please address all the controls and control enhancements, then describe if the controls are Implemented, Partially Implemented or Not Implemented)

The information system:
a. Provides audit record generation capability for the auditable events defined in AU-2 a. at [Assignment: organization-defined information system components];
b. Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and
c. Generates audit records for the events defined in AU-2 d. with the content defined in AU-3.




Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why; see the Risk Statement examples of Non-Compliance language, Column O) | General Assessment Questions | Detailed Control Testing Procedure(s)

General Assessment Question: Does the institution or department have a documented logging standard that defines the minimum requirements for logging (e.g., fields to log, type of events, log protection requirements, retention requirements, etc.)?
Detailed Control Testing Procedure: Obtain audit and accountability policy; procedures addressing audit record generation; security plan; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records and ascertain if: (i) the organization defines the information system components that provide audit record generation capability for the list of auditable events defined in AU-2; (ii) the information system provides audit record generation capability, at organization-defined information system components, for the list of auditable events defined in AU-2; (iii) the information system allows designated organizational personnel to select which auditable events are to be audited by specific components of the system; and (iv) the information system generates audit records for the list of audited events defined in AU-2 with the content as defined in AU-3.


Risk Statement Examples (with SOA Policy Number / SOA SubSection)

Failure to plan and execute IT audit activities may allow a compromise of critical business processes and sensitive data to go undetected. (SOA Policy Number 8330, SOA SubSection 6.1)


Arizona Breach Notification (A.R.S. § 44-7500); Arizona Computer tampering (A.R.S. § 13-2316)

COBIT Reference (Control Objective):
[CobiT v5 - High Level Control Objective MEA02.01-02] Controls have been defined to monitor and evaluate internal controls.


Consolidated Control Activities
(See Column AE through AO)

ntrol Guidance

8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] 5.4.1 Auditable Events and Content (Information Systems)
rmation system shall generate audit records for defined events. These defined events include identifying significant events which need to be audited as relevant to the security of the information system. The agency shall specify which information system components carry out auditi
can affect information system performance and this issue must be considered as a separate factor during the acquisition of information systems.
rmation system shall produce, at the application and/or operating system level, audit records containing sufficient information to establish what events occurred, the sources of the events, and the outcomes of the events. The agency shall periodically review and update the list of ag
In the event an agency does not use an automated system, manual recording of activities shall still take place.

ents shall be logged:


unsuccessful system log-on attempts.
unsuccessful attempts to access, create, write, delete or change permission on a user account, file, directory or other system resource.
unsuccessful attempts to change account passwords.
unsuccessful actions by privileged accounts.
unsuccessful attempts for users to access, modify, or destroy the audit log file.
t
ntent shall be included with every audited event:
of the event.
nt of the information system (e.g., software component, hardware component) where the event occurred.

dentity.
cess or failure) of the event.

ntrol #14] The processes and tools used to detect/prevent/correct the use of systems and information based on audit logs of events that are considered significant or could impact the security of an organization.

1075]The information system must:


ecord generation capability for the auditable events defined in Section 9.3.3.2, Audit Events (AU-2);
ed agency officials to select which auditable events are to be audited by specific components of the information system; and
t records for the events with the content defined in Section 9.3.3.4, Content of Audit Records (AU-3).



Associated Requirement Sections

NIST 800-53 Rev.4 - AU-12


Critical Control 14: Maintenance, Monitoring, and Analysis of
Security Audit Logs
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services
(CJIS) Security Policy



Req.# | Security Control Family | Control Name | NIST 800-53 Control # | Low [Control and Control Enhancement] | MODERATE [Control and Control Enhancement] | Security Program Area (Function Area -> Functional Sub-Area)

R0034 | SECURITY ASSESSMENT AND AUTHORIZATION | SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES | CA-1 | Required | Required | Identify -> Security Assessment and Authorization / Technology Risk Assessments


NIST 800-53 Rev. 4 Control [Control and Control Enhancement] (Detailed breakdown of required controls) | Vendor's Response (Please address all the controls and control enhancements, then describe if the controls are Implemented, Partially Implemented or Not Implemented)

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and
b. Reviews and updates the current:
1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and
2. Security assessment and authorization procedures [Assignment: organization-defined frequency].




Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why; see the Risk Statement examples of Non-Compliance language, Column O) | General Assessment Questions | Detailed Control Testing Procedure(s)

General Assessment Question: Has the institution or department published a policy or other directives related to information security expectations for communicating to faculty, staff, business, IT, and other users about expectations and their role concerning information security?
Detailed Control Testing Procedure: Obtain security assessment and certification and accreditation policies and procedures; other relevant documents or records and ascertain if: (i) the organization develops and documents security assessment and certification and accreditation policies and procedures; (ii) the organization disseminates security assessment and certification and accreditation policies and procedures to appropriate elements within the organization; (iii) responsible parties within the organization periodically review policy and procedures; (iv) the organization updates security assessment and certification and accreditation policies and procedures when organizational review indicates updates are required; (v) the security assessment and certification and accreditation policies address purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance; (vi) the security assessment and certification and accreditation policies are consistent with the organization’s mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance; and (vii) the security assessment and certification and accreditation procedures address all areas identified in the security assessment and certification and accreditation policies and address achieving policy-compliant implementations of all associated security assessment and certification and accreditation controls.


Risk Statement Examples (with SOA Policy Number / SOA SubSection)

Management does not set a clear policy direction in line with business objectives and demonstrate support for, and commitment to, information security. (SOA Policy Number 8120, SOA SubSection 6.2)


Arizona Breach Notification (A.R.S. § 44-7500); Arizona Computer tampering (A.R.S. § 13-2316)

COBIT Reference (Control Objective):
[CobiT v5 - High Level Control Objective EDM03; APO01] Controls have been defined to communicate management aims and direction through providing accurate, understandable and approved policies, procedures, guidelines and other documentation to stakeholders, embedded in an IT control framework.


Consolidated Control Activities
(See Column AE through AO)

e security policy includes an annual process that identifies threats, and vulnerabilities, and results in a formal risk assessment. Ensure that the security policy and procedures clearly define information security responsibilities for all personnel and includes a review at least annually and
changes. The policy is published and disseminated to all relevant personnel (including vendors, contractors, and business partners).

1075] The agency must:


ment, and disseminate to designated agency officials:
ssment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among agency entities, and compliance; and
facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and
date the current:
ment and authorization policy every three years; and
ment and authorization procedures at least annually.



Associated Requirement Sections

PCI DSS v2.0 - Sec 12.1


PCI DSS v2.0 - Sec 12.1.1
PCI DSS v2.0 - Sec 12.1.2
NIST 800-53 Rev.4 - CA-1



Req.# | Security Control Family | Control Name | NIST 800-53 Control # | Low [Control and Control Enhancement] | MODERATE [Control and Control Enhancement] | Security Program Area (Function Area -> Functional Sub-Area)

R0035 | SECURITY ASSESSMENT AND AUTHORIZATION | SECURITY ASSESSMENTS | CA-2 | Required (1) | Required (1,2,3) | Identify -> Security Assessment and Authorization / Technology Risk Assessments


NIST 800-53 Rev. 4 Control Vendor's Response
[Control and Control Enhancement] (Please Address all the controls and control enhancements, then describe if the the
Detailed breakdown of required controls controls are implemented, Partially Implemented or Not Implemented)

The organization:
a. Develops a security assessment plan that describes the scope of the assessment including:
1. Security controls and control enhancements under assessment;
2. Assessment procedures to be used to determine security control effectiveness; and
3. Assessment environment, assessment team, and assessment roles and responsibilities;
b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to
determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect
to meeting established security requirements;
c. Produces a security assessment report that documents the results of the assessment; and
d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].

Control Enhancement:
(1) SECURITY ASSESSMENTS | INDEPENDENT ASSESSORS
The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to conduct security control assessments.
(2) SECURITY ASSESSMENTS | SPECIALIZED ASSESSMENTS
The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]].
(3) SECURITY ASSESSMENTS | EXTERNAL ORGANIZATIONS
The organization accepts the results of an assessment of [Assignment: organization-defined information system] performed by [Assignment: organization-defined external organization] when the assessment meets [Assignment: organization-defined requirements].



Overall Control(s) Implementation Status (Reference on Comments Page) | Where does the Control(s) originate from? | Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.) | Vendor's Compensating Controls (if Control or Control enhancement can't be met, what is the alternative security controls or remediation plan employed by organization)

Implementation Status options: Implemented; Partially Implemented; Planned; Alternative Implementation; Not Applicable
Control origination options: Service Provider Corporate; Service Provider System Specific; Service Provider Hybrid (Corporate and System Specific); Configured by Customer (Customer System Specific); Provided by Customer (Customer System Specific); Shared (Service Provider and Customer Responsibility); Controls inherited by IaaS



Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why; please see Risk Statement for examples of Non-Compliance language, Column O) | General Assessment Questions | Detailed Control Testing Procedure(s)

General Assessment Questions:
Does the institution or department have a defined information security program that includes:
i) developing a plan and executing periodic assessments of security control effectiveness;
ii) identifying objective and qualified assessors; and
iii) reporting results of such assessment(s) to the appropriate stakeholders?

Detailed Control Testing Procedure(s):
Obtain security assessment policy; procedures addressing security assessments; security plan; security assessment plan; security assessment report; assessment evidence; security authorization package (including security plan, security assessment report, plan of action and milestones, authorization statement); other relevant documents or records and ascertain if:
(i) the organization defines in the security plan, explicitly or by reference, the frequency of security control assessments and the frequency is at least annually;
(ii) the organization conducts an assessment of the security controls in the information system at an organization-defined frequency;
(iii) the organization employs an independent assessor or assessment team to conduct an assessment of the security controls in the information system.



Risk Statement Examples | SOA Policy Number 1 | SOA SubSection 1 | SOA Policy Number 2 | SOA SubSection 2 | SOA Policy Number 3 | SOA SubSection 3 | SOA Policy Number 4 | SOA SubSection 4

Independent reviews of information security are not regularly performed to ensure the continuing suitability, adequacy, and effectiveness of the organization's information security program. | 8120 | 6.5.1



Arizona Breach Notification (A.R.S. § 44-7500) | Arizona Computer Tampering (A.R.S. § 13-2316) | COBIT Reference (Control Objective)

[CobiT v5 - High Level Control Objective MEA02.01-02] Controls have been defined to monitor and evaluate internal controls.



Consolidated Control Activities
(See Column AE through AO)

1075] The agency must:
a. Develop a security assessment plan that describes the scope of the assessment, including:
1. Security controls and control enhancements under assessment;
2. Assessment procedures to be used to determine security control effectiveness; and
3. Assessment environment, assessment team, and assessment roles and responsibilities;
b. Assess the security controls in the information system and its environment at a minimum on an annual basis to determine the extent to which the controls are



Associated Requirement Sections

NIST 800-53 Rev.4 - CA-2(1)


Critical Control 20: Penetration Tests and Red Team Exercises



Req.# | Security Control Family | Control Name | NIST 800-53 Control # | Low [Control and Control Enhancement] | MODERATE [Control and Control Enhancement] | Security Program Area (Function Area -> Functional Sub-Area)

R0036 | SECURITY ASSESSMENT AND AUTHORIZATION | SYSTEM INTERCONNECTIONS | CA-3 | Low: Required | MODERATE: Required (3,5) | Identify -> Security Assessment and Authorization / Technology Risk Assessments & Identify -> External Vendors and Third Party Providers & Identify -> Privacy & Confidentiality

R0037 | SECURITY ASSESSMENT AND AUTHORIZATION | PLAN OF ACTION AND MILESTONES | CA-5 | Low: Required | MODERATE: Required | Detect -> Vulnerability Assessment



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] (detailed breakdown of required controls)
Vendor's Response (Please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented)

The organization:
a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;
b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated;
and
c. Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency].

Control Enhancement:
(3) SYSTEM INTERCONNECTIONS | UNCLASSIFIED NON-NATIONAL SECURITY SYSTEM CONNECTIONS
The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, non-national security system] to an external network without the use of [Assignment: organization-defined boundary protection device].
(5) SYSTEM INTERCONNECTIONS | RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS
The organization employs [Selection: allow-all, deny-by-exception; deny-all, permit-by-exception] policy for allowing [Assignment: organization-defined information systems] to connect to external information systems.

The organization:
a. Develops a plan of action and milestones for the information system to document the organization’s planned remedial actions to correct
weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system;
and
b. Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls
assessments, security impact analyses, and continuous monitoring activities.



Overall Control(s) Implementation Status (Reference on Comments Page) | Where does the Control(s) originate from? | Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.) | Vendor's Compensating Controls (if Control or Control enhancement can't be met, what is the alternative security controls or remediation plan employed by organization)

Implementation Status options (one selection per control): Implemented; Partially Implemented; Planned; Alternative Implementation; Not Applicable
Control origination options (one selection per control): Service Provider Corporate; Service Provider System Specific; Service Provider Hybrid (Corporate and System Specific); Configured by Customer (Customer System Specific); Provided by Customer (Customer System Specific); Shared (Service Provider and Customer Responsibility); Controls inherited by IaaS



Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why; please see Risk Statement for examples of Non-Compliance language, Column O) | General Assessment Questions | Detailed Control Testing Procedure(s)

General Assessment Questions (CA-3):
Does the institution or department have requirements defined and perform monitoring of those requirements for systems that connect to other systems outside of its immediate control?

Detailed Control Testing Procedure(s) (CA-3):
Obtain access control policy; procedures addressing information system connections; NIST Special Publication 800-47; system and communications protection policy; personnel security policy; information system connection agreements; security plan; information system design documentation; information system configuration management and control documentation; security assessment report; plan of action and milestones; other relevant documents or records and ascertain if:
(i) the organization identifies all connections to external information systems (i.e., information systems outside of the accreditation boundary).
(ii) the organization authorizes all connections from the information system to external information systems through the use of system connection agreements.
(iii) the organization monitors/controls the system interconnections on an ongoing basis.

General Assessment Questions (CA-5):
1) Is there a defined process for recording, assigning ownership, and remediating issues identified in security assessment(s) such as audits, vulnerability assessments, risk assessments, and/or security incidents?
2) Is there a defined and documented risk acceptance process which includes sign-off from an appropriate level of management?

Detailed Control Testing Procedure(s) (CA-5):
Obtain certification and accreditation policy; procedures addressing plan of action and milestones; security plan; security assessment plan; security assessment report; assessment evidence; plan of action and milestones; other relevant documents or records and ascertain if:
(i) the organization develops a plan of action and milestones for the information system.
(ii) the plan of action and milestones documents the planned, implemented, and evaluated remedial actions by the organization to correct deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system.
(iii) the organization defines in the security plan, explicitly or by reference, the frequency of plan of action and milestone updates.
(iv) the organization updates the plan of action and milestones at an organization-defined frequency.



Risk Statement Examples | SOA Policy Number 1 | SOA SubSection 1 | SOA Policy Number 2 | SOA SubSection 2 | SOA Policy Number 3 | SOA SubSection 3 | SOA Policy Number 4 | SOA SubSection 4

Security breaches occur due to risks related to external parties not being identified and controlled. | 8120 | 6.5.4

Identified risks are not accepted, mitigated or responded to with actionable plans and decisions. | 8120 | 6.5.5



Arizona Breach Notification (A.R.S. § 44-7500) | Arizona Computer Tampering (A.R.S. § 13-2316) | COBIT Reference (Control Objective)

[CobiT v5 - High Level Control Objective AP010] Controls have been defined for managing third-party services by establishing relationships and bilateral responsibilities with qualified third-party service providers and monitoring the service delivery to verify and ensure adherence to agreements.

[CobiT v5 - High Level Control Objective EDM03; AP001; AP012] Controls have been defined to assess and manage IT risks.



Consolidated Control Activities
(See Column AE through AO)

Control Guidance

[Critical Control #13] The processes and tools used to detect/prevent/correct the flow of information transferring networks of different trust levels with a focus on security-damaging data.

1075] The agency must:
a. Authorize connections from the information system to other information systems through the use of Interconnection Security Agreements;
b. Document, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated;
c. Review and update the system interconnection on an annual basis; and
d. Employ a deny-all and allow-by-exception policy for allowing systems that receive, process, store, or transmit FTI to connect to external information systems. (CE5)

implements policies and procedures to prevent, detect, contain, and correct security violations.

conducts an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information.

1075] The agency must:
a. Develop a POA&M for the information system to document the agency's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and
b. Update the existing POA&M on a quarterly basis, at a minimum, based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.
t comprise of an all-inclusive tool or document for the vulnerabilities identified by the self-assessments, internal and external audits and any other vulnerabilities identified for systems that receive, process, store, or transmit FTI.



Associated Requirement Sections

NIST 800-53 Rev.4 - CA-3 (5)


Critical Control 13: Boundary Defense

HIPAA Security Section - 45 CFR 164.308(a)(1)(ii)(B)


HIPAA Security Section - 45 CFR 164.308(a)(1)(ii)(C)
NIST 800-53 Rev.4 - CA-5



Req.# | Security Control Family | Control Name | NIST 800-53 Control # | Low [Control and Control Enhancement] | MODERATE [Control and Control Enhancement] | Security Program Area (Function Area -> Functional Sub-Area)

R0038 | SECURITY ASSESSMENT AND AUTHORIZATION | SECURITY AUTHORIZATION | CA-6 | Low: Required | MODERATE: Required | Identify -> Control Oversight and Safeguard Assurance & Protect -> Change Management

R0039 | SECURITY ASSESSMENT AND AUTHORIZATION | CONTINUOUS MONITORING | CA-7 | Low: Required | MODERATE: Required (1) | Identify -> Control Oversight and Safeguard Assurance & Security Compliance and Regulatory Requirements Management



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] (detailed breakdown of required controls)
Vendor's Response (Please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented)

The organization:
a. Assigns a senior-level executive or manager as the authorizing official for the information system;
b. Ensures that the authorizing official authorizes the information system for processing before commencing operations; and
c. Updates the security authorization [Assignment: organization-defined frequency].

The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:
a. Establishment of [Assignment: organization-defined metrics] to be monitored;
b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for
assessments supporting such monitoring;
c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
e. Correlation and analysis of security-related information generated by assessments and monitoring;
f. Response actions to address results of the analysis of security-related information; and
g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment:
organization-defined frequency].

Control Enhancement:
(1) CONTINUOUS MONITORING | INDEPENDENT ASSESSMENT
The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to monitor the security
controls in the information system on an ongoing basis.



Overall Control(s) Implementation Status (Reference on Comments Page) | Where does the Control(s) originate from? | Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.) | Vendor's Compensating Controls (if Control or Control enhancement can't be met, what is the alternative security controls or remediation plan employed by organization)

Implementation Status options (one selection per control): Implemented; Partially Implemented; Planned; Alternative Implementation; Not Applicable
Control origination options (one selection per control): Service Provider Corporate; Service Provider System Specific; Service Provider Hybrid (Corporate and System Specific); Configured by Customer (Customer System Specific); Provided by Customer (Customer System Specific); Shared (Service Provider and Customer Responsibility); Controls inherited by IaaS



Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why; please see Risk Statement for examples of Non-Compliance language, Column O) | General Assessment Questions | Detailed Control Testing Procedure(s)

General Assessment Questions (CA-6):
1) Does the institution or department follow a defined process for approving new information systems for production use based upon approval from appropriate stakeholders, including information security (e.g., approval from ISO)?
2) For existing systems, does the department require appropriate approvals from relevant stakeholders, including information security (e.g., approval from ISO) when major changes are made to information systems and/or related processes?

Detailed Control Testing Procedure(s) (CA-6):
Obtain certification and accreditation policy; procedures addressing security accreditation; NIST Special Publication 800-37; security accreditation package (including security plan; security assessment report; plan of action and milestones; authorization statement); other relevant documents or records and ascertain if:
(i) the organization defines in the security plan, explicitly or by reference, the frequency of authorization updates, not to exceed three years;
(ii) the organization authorizes (i.e., accredits) the information system for processing before operations and updates the authorization at an organization-defined frequency or when there is a significant change to the information system;
(iii) a senior organizational official signs and approves the security accreditation; and
(iv) the security accreditation process employed by the organization is consistent with NIST Special Publication 800-37.

General Assessment Questions (CA-7):
Has the institution or department implemented a continuous monitoring program that includes configuration management, ongoing security control assessments, and reporting on the information system and its constituent components?

Detailed Control Testing Procedure(s) (CA-7):
Obtain certification and accreditation policy; procedures addressing continuous monitoring of information system security controls; NIST Special Publications 800-37 and 800-53A; security plan; security assessment report; plan of action and milestones; information system monitoring records; security impact analyses; status reports; security plan; other relevant documents or records and ascertain if:
(i) the organization monitors the security controls in the information system on an ongoing basis.
(ii) the organization employs a security control monitoring process consistent with NIST Special Publications 800-37 and 800-53A.
(iii) the organization conducts security impact analyses on changes to the information system.
(iv) the organization documents and reports changes to or deficiencies in the security controls employed in the information system.



Risk Statement Examples | SOA Policy Number 1 | SOA SubSection 1 | SOA Policy Number 2 | SOA SubSection 2 | SOA Policy Number 3 | SOA SubSection 3 | SOA Policy Number 4 | SOA SubSection 4

Responsibility for the IT program has not been defined. | 8120 | 6.5.6

Known violations of security policy are not properly mitigated due to ineffective compliance and/or self-assessment activities. | 8120 | 6.5.7



Arizona Breach Notification (A.R.S. § 44-7500) | Arizona Computer Tampering (A.R.S. § 13-2316) | COBIT Reference (Control Objective)

[CobiT v5 - High Level Control Objective AP013; DS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and monitoring, detecting, reporting security vulnerabilities and incidents.

[CobiT v5 - High Level Control Objective MEA02.01-02] Controls have been defined to monitor and evaluate internal controls.



Consolidated Control Activities
(See Column AE through AO)

Control Guidance

1075] The agency must:
a. Assign a senior-level executive or manager as the authorizing official for the information system;
b. Ensure that the authorizing official authorizes the information system for processing before commencing operations; and
c. Update the security authorization whenever there is a significant change to the system, or every three years, whichever occurs first.

Manual or automated technical compliance reviews are performed on information systems on a recurring basis.

For environments with PCI covered data, a test for the presence of wireless access points by using a wireless analyzer is performed at least quarterly or a wireless IDS/IPS is deployed to identify all wireless devices in use.

[Critical Control #20] The process and tools used to simulate attacks against a network to validate the overall security of an organization.

1075] The agency must develop a continuous monitoring strategy and implement a continuous monitoring program that includes:
a. Establishment of agency-defined metrics to be monitored annually, at a minimum;
b. Ongoing security control assessments in accordance with the agency continuous monitoring strategy; and
c. Ongoing security status monitoring of agency-defined metrics in accordance with the agency continuous monitoring strategy.



Associated Requirement Sections

NIST 800-53 Rev.4 - CA-6

HIPAA Security Section - 45 CFR 164.308(a)(1)(ii)(D)


HIPAA Security Section - 45 CFR 164.308(a)(8)
PCI DSS v2.0 - Sec 11.1
NIST 800-53 Rev.4 - CA-7 (1)
Critical Control 20: Penetration Tests and Red Team Exercises



Req.# | Security Control Family | Control Name | NIST 800-53 Control # | Low [Control and Control Enhancement] | MODERATE [Control and Control Enhancement] | Security Program Area (Function Area -> Functional Sub-Area)

R0040 | SECURITY ASSESSMENT AND AUTHORIZATION | PENETRATION TESTING | CA-8 | Low: (blank) | MODERATE: Required (1) | Identify -> Control Oversight and Safeguard Assurance & Security Compliance and Regulatory Requirements Management

R0041 | SECURITY ASSESSMENT AND AUTHORIZATION | INTERNAL SYSTEM CONNECTIONS | CA-9 | Low: Required | MODERATE: Required | Information Security Operations -> Media & Identify -> Security Assessment and Authorization / Technology Risk Assessments



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] (detailed breakdown of required controls)
Vendor's Response (Please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented)

The organization conducts penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined information systems or system components].

Control Enhancement:
(1) PENETRATION TESTING | INDEPENDENT PENETRATION AGENT OR TEAM
The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components.

The organization:
a. Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the
information system; and
b. Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information
communicated.



Overall Control(s) Implementation Status (Reference on Comments Page) | Where does the Control(s) originate from? | Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.) | Vendor's Compensating Controls (if Control or Control enhancement can't be met, what is the alternative security controls or remediation plan employed by organization)

Implementation Status options (one selection per control): Implemented; Partially Implemented; Planned; Alternative Implementation; Not Applicable
Control origination options (one selection per control): Service Provider Corporate; Service Provider System Specific; Service Provider Hybrid (Corporate and System Specific); Configured by Customer (Customer System Specific); Provided by Customer (Customer System Specific); Shared (Service Provider and Customer Responsibility); Controls inherited by IaaS



Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why; please see Risk Statement for examples of Non-Compliance language, Column O) | General Assessment Questions | Detailed Control Testing Procedure(s)

General Assessment Questions (CA-8):
1. Does the institution or department conduct penetration testing on defined information systems or system components?
2. Does your institution or department employ an independent penetration agent or penetration team to perform penetration testing on the information system or system components?

Detailed Control Testing Procedure(s) (CA-8):
Obtain certification and accreditation policy; procedures addressing Information Security Testing and Assessment; NIST Special Publication 800-115.

General Assessment Questions (CA-9):
Does the institution or department have processes to authorize internal connections between organization-defined information system components?
[Note: examples of internal system connections include system connections with mobile devices, notebook/desktop computers, printers, copiers, facsimile machines, scanners, sensors, and servers]

Detailed Control Testing Procedure(s) (CA-9):
Obtain procedures addressing internal connections between organization-defined information system components (such as system connections with mobile devices, notebook/desktop computers, printers, copiers, facsimile machines, scanners, sensors, and servers) and ascertain if:
(i) the internal connections are authorized;
(ii) the documentation contains interface characteristics, security requirements and the nature of information communicated.



Risk Statement Examples | SOA Policy Number 1 | SOA SubSection 1 | SOA Policy Number 2 | SOA SubSection 2 | SOA Policy Number 3 | SOA SubSection 3 | SOA Policy Number 4 | SOA SubSection 4

Do not conduct penetration testing or employ independent penetration testing. | 8120 | 6.5.8

Failure to establish formal authorization processes for restricting user access to internal system connections may result in unauthorized or unsecure connections to the network exposing sensitive or critical business applications. | 8120 | 6.5.9



Arizona Breach Notification (A.R.S. § 44-7500) | Arizona Computer Tampering (A.R.S. § 13-2316) | COBIT Reference (Control Objective)

[CobiT v5 - High Level Control Objective AP013; DS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and monitoring, detecting, reporting security vulnerabilities and incidents.



Consolidated Control Activities
(See Column AE through AO)

Control Guidance



Associated Requirement Sections

NIST 800-53 Rev.4 - CA-9



Req.# | Security Control Family | Control Name | NIST 800-53 Control # | Low [Control and Control Enhancement] | MODERATE [Control and Control Enhancement] | Security Program Area (Function Area -> Functional Sub-Area)

R0042 | CONFIGURATION MANAGEMENT | CONFIGURATION MANAGEMENT POLICY AND PROCEDURES | CM-1 | Low: Required | MODERATE: Required | Protect -> Secure Configuration Management & Change Management



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] (detailed breakdown of required controls)
Vendor's Response (Please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented)

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among
organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and
b. Reviews and updates the current:
1. Configuration management policy [Assignment: organization-defined frequency]; and
2. Configuration management procedures [Assignment: organization-defined frequency].



Overall Control(s) Implementation Status (Reference on Comments Page) | Where does the Control(s) originate from? | Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.) | Vendor's Compensating Controls (if Control or Control enhancement can't be met, what is the alternative security controls or remediation plan employed by organization)

Implementation Status options: Implemented; Partially Implemented; Planned; Alternative Implementation; Not Applicable
Control origination options: Service Provider Corporate; Service Provider System Specific; Service Provider Hybrid (Corporate and System Specific); Configured by Customer (Customer System Specific); Provided by Customer (Customer System Specific); Shared (Service Provider and Customer Responsibility); Controls inherited by IaaS



Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why; please see Risk Statement for examples of Non-Compliance language, Column O) | General Assessment Questions | Detailed Control Testing Procedure(s)

General Assessment Questions:
Does the institution or department have documented policies, standards, and procedures in place to establish, communicate, and monitor minimum information security configurations for all information system types accessing institutional networks?

Detailed Control Testing Procedure(s):
Obtain configuration management policy and procedures; other relevant documents or records and ascertain if:
(i) the organization develops and documents configuration management policy and procedures.
(ii) the organization disseminates configuration management policy and procedures to appropriate elements within the organization.
(iii) responsible parties within the organization periodically review configuration management policy and procedures.
(iv) the organization updates configuration management policy and procedures when organizational review indicates updates are required.
(v) the configuration management policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance;
(vi) the configuration management policy is consistent with the organization’s mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance; and
(vii) the configuration management procedures address all areas identified in the configuration management policy and address achieving policy-compliant implementations of all associated configuration management controls.

Risk Statement Examples
The change management process in place does not adequately protect the environment from disruptive changes in production.

SOA Policy Number 1: 8120, SOA SubSection 1: 6.2
SOA Policy Number 2: 8220, SOA SubSection 2: 6.1 - 6.1.8

Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer Tampering: A.R.S. § 13-2316

COBIT Reference (Control Objective)
[CobiT v5 - High Level Control Objective BAI06] Controls have been defined to manage changes to information systems in order to minimize the likelihood of disruption, unauthorized alterations and errors.

Consolidated Control Activities
(See Column AE through AO)

[PCI DSS v2.0 1.1.2] A network diagram with all connections to cardholder data, including any wireless networks, is established.

[Critical Control #2] The processes and tools organizations use to track/control/prevent/correct installation and execution of software on computers based on an asset inventory of approved software.

[Critical Control #3] The processes and tools organizations use to track/control/prevent/correct security weaknesses in the configurations of the hardware and software of mobile devices, laptops, workstations, and servers based on a formal configuration management and change control process.

[Critical Control #10] The processes and tools used to track/control/prevent/correct security weaknesses in the configurations in network devices such as firewalls, routers, and switches based on formal configuration management and change control processes.

[1075] The agency must:
a. Develop, document, and disseminate to designated agency officials:
   1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among agency entities, and compliance; and
   2. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and
b. Review and update the current:
   1. Configuration management policy every three years; and
   2. Configuration management procedures at least annually.

Associated Requirement Sections
PCI DSS v2.0 - Sec 1.1.2
NIST 800-53 Rev.4 - CM-1
Critical Control 2: Inventory of Authorized and Unauthorized Software.
Critical Control 3: Secure Configurations for Hardware and Software.
Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches.

Req.#: R0043
Security Control Family: CONFIGURATION MANAGEMENT
Control Name: BASELINE CONFIGURATION
800-53 Control #: CM-2
NIST Low [Control and Control Enhancement]: Required
MODERATE [Control and Control Enhancement]: Required (1,2,3,7) (the Associated Requirement Sections entry for this row lists CM-2 (1) (3) (7); the enhancement shown as (2) in the control text below carries the title and text of CM-7 (2), Least Functionality | Prevent Program Execution, not of CM-2 (2))
Security Program Area (Function Area -> Functional Sub-Area): Protect -> Secure Configuration Management & Change Management; Identify -> Critical Information Asset Inventory

NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - detailed breakdown of required controls
Vendor's Response: please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented.

CM-2 BASELINE CONFIGURATION
The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.

Control Enhancements:
(1) BASELINE CONFIGURATION | REVIEWS AND UPDATES
The organization reviews and updates the baseline configuration of the information system:
(a) [Assignment: organization-defined frequency];
(b) When required due to [Assignment: organization-defined circumstances]; and
(c) As an integral part of information system component installations and upgrades.
(2) LEAST FUNCTIONALITY | PREVENT PROGRAM EXECUTION (as titled, this is CM-7 (2); CM-2 (2) in Rev. 4 is Automation Support for Accuracy / Currency)
The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage].
(3) BASELINE CONFIGURATION | RETENTION OF PREVIOUS CONFIGURATIONS
The organization retains [Assignment: organization-defined previous versions of baseline configurations of the information system] to support rollback.
(7) BASELINE CONFIGURATION | CONFIGURE SYSTEMS, COMPONENTS, OR DEVICES FOR HIGH-RISK AREAS
The organization:
(a) Issues [Assignment: organization-defined information systems, system components, or devices] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and
(b) Applies [Assignment: organization-defined security safeguards] to the devices when the individuals return.

Supporting Documentation (vendor response fields)

Overall Control(s) Implementation Status (reference on Comments Page): Implemented / Partially Implemented / Planned / Alternative Implementation / Not Applicable

Where does the Control(s) originate from?: Service Provider Corporate / Service Provider System Specific / Service Provider Hybrid (Corporate and System Specific) / Configured by Customer (Customer System Specific) / Provided by Customer (Customer System Specific) / Shared (Service Provider and Customer Responsibility) / Controls inherited by IaaS

Supporting Documentation: policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.

Vendor's Compensating Controls: if a control or control enhancement can't be met, state the alternative security controls or remediation plan employed by the organization.

Vendor Non-Compliance Risk Statement: if you can't meet this control at all, please explain why (see the Risk Statement Examples below for examples of non-compliance language, Column O).

General Assessment Question
Has the institution or department established and communicated minimum baseline security configuration standards for information systems accessing institutional networks? If yes, are the baseline security standards based on some recognized or industry guidance (e.g., vendor documentation, CIS (Center for Internet Security), NIST, etc.)?

Detailed Control Testing Procedure(s)
Obtain configuration management policy; procedures addressing the baseline configuration of the information system; configuration management plan; Federal Enterprise Architecture documentation; information system design documentation; information system architecture and configuration documentation; historical copies of baseline configurations; list of software programs not authorized to execute on the information system; other relevant documents or records and ascertain if:
(i) the organization develops and documents a baseline configuration of the information system that is consistent with the Federal Enterprise Architecture, shows relationships among information system components, and provides a well-defined and documented specification to which the information system is built;
(ii) the organization maintains the baseline configuration;
(iii) the organization documents deviations from the baseline configuration, in support of mission needs/objectives; and
(iv) the organization develops and maintains a list of software programs not authorized to execute on the information system.

Risk Statement Examples
Changes to systems and applications are executed inconsistently in the production environment due to ill-defined procedures.

SOA Policy Number 1: 8220, SOA SubSection 1: 6.1.2

Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer Tampering: A.R.S. § 13-2316

COBIT Reference (Control Objective)
[CobiT v5 - High Level Control Objective BAI06] Controls have been defined to manage changes to information systems in order to minimize the likelihood of disruption, unauthorized alterations and errors.

Consolidated Control Activities
(See Column AE through AO)

Control Guidance

[Critical Control #2] The processes and tools organizations use to track/control/prevent/correct installation and execution of software on computers based on an asset inventory of approved software.

[Critical Control #3] The processes and tools organizations use to track/control/prevent/correct security weaknesses in the configurations of the hardware and software of mobile devices, laptops, workstations, and servers based on a formal configuration management and change control process.

[Critical Control #10] The processes and tools used to track/control/prevent/correct security weaknesses in the configurations in network devices such as firewalls, routers, and switches based on formal configuration management and change control processes.

[1075] The agency must develop, document, and maintain under configuration control, a current baseline configuration of the information system. The agency must review and update the baseline configuration of the information system: (CE1)
a. annually;
b. when required due to system upgrades, patches, or other significant changes; and
c. as an integral part of information system component installations and upgrades.
The Office of Safeguards recommends using SCSEMs provided on the Safeguards website for developing an information system baseline configuration.

Associated Requirement Sections
PCI DSS v2.0 - 1.1.2
NIST 800-53 Rev.4 - CM-2 (1) (3) (7)
Critical Control 2: Inventory of Authorized and Unauthorized Software.
Critical Control 3: Secure Configurations for Hardware and Software.
Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches.

Req.#: R0044
Security Control Family: CONFIGURATION MANAGEMENT
Control Name: CONFIGURATION CHANGE CONTROL
800-53 Control #: CM-3
NIST Low [Control and Control Enhancement]: (blank; CM-3 is not in the NIST Rev. 4 Low baseline)
MODERATE [Control and Control Enhancement]: Required
Security Program Area (Function Area -> Functional Sub-Area): Protect -> Secure Configuration Management & Change Management

Req.#: R0045
Security Control Family: CONFIGURATION MANAGEMENT
Control Name: SECURITY IMPACT ANALYSIS
800-53 Control #: CM-4
NIST Low [Control and Control Enhancement]: Required
MODERATE [Control and Control Enhancement]: Required
Security Program Area (Function Area -> Functional Sub-Area): Protect -> Secure Configuration Management & Change Management

NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - detailed breakdown of required controls
Vendor's Response: please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented.

CM-3 CONFIGURATION CHANGE CONTROL
The organization:
a. Determines the types of changes to the information system that are configuration-controlled;
b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;
c. Documents configuration change decisions associated with the information system;
d. Implements approved configuration-controlled changes to the information system;
e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];
f. Audits and reviews activities associated with configuration-controlled changes to the information system; and
g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].

Control Enhancement:
(2) CONFIGURATION CHANGE CONTROL | TEST / VALIDATE / DOCUMENT CHANGES
The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.

CM-4 SECURITY IMPACT ANALYSIS
The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.

Supporting Documentation (vendor response fields; one set each for CM-3 and CM-4)

Overall Control(s) Implementation Status (reference on Comments Page): Implemented / Partially Implemented / Planned / Alternative Implementation / Not Applicable

Where does the Control(s) originate from?: Service Provider Corporate / Service Provider System Specific / Service Provider Hybrid (Corporate and System Specific) / Configured by Customer (Customer System Specific) / Provided by Customer (Customer System Specific) / Shared (Service Provider and Customer Responsibility) / Controls inherited by IaaS

Supporting Documentation: policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.

Vendor's Compensating Controls: if a control or control enhancement can't be met, state the alternative security controls or remediation plan employed by the organization.

Vendor Non-Compliance Risk Statement: if you can't meet this control at all, please explain why (see the Risk Statement Examples below for examples of non-compliance language, Column O).

General Assessment Question (CM-3)
Are changes to baseline security configuration standards managed, tested, and approved by a formally defined change management function that includes representation from appropriate stakeholders?

Detailed Control Testing Procedure(s) (CM-3)
Obtain configuration management policy; procedures addressing information system configuration change control; configuration management plan; information system design documentation; information system architecture and configuration documentation; change control records; information system audit records; other relevant documents or records and ascertain if:
(i) the organization employs automated mechanisms to document proposed changes to the information system;
(ii) the organization employs automated mechanisms to notify appropriate approval authorities;
(iii) the organization employs automated mechanisms to highlight approvals that have not been received in a timely manner;
(iv) the organization employs automated mechanisms to inhibit change until necessary approvals are received;
(v) the organization employs automated mechanisms to document completed changes to the information system; and
(vi) the organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.
(Items (i) to (v) test the automated mechanisms of enhancement CM-3 (1), which this row does not list as required; item (vi) tests CM-3 (2), which it does.)

General Assessment Question (CM-4)
Are changes to information systems (including those related to procedures, processes, system and service parameters) logged, assessed and authorized prior to implementation and reviewed against planned outcomes following implementation (including impact from an information security perspective)?

Detailed Control Testing Procedure(s) (CM-4)
Obtain configuration management policy; procedures addressing the monitoring of configuration changes to the information system; information system architecture and configuration documentation; change control records; information system audit records; other relevant documents or records and ascertain if:
(i) the organization monitors changes to the information system by verifying that the organization:
- prior to change implementation and as part of the change approval process, conducts security impact analyses to assess the effects of the system changes;
- after the system is changed (including upgrades and modifications), checks the security features to confirm that the features are still functioning properly; and
- audits activities associated with configuration changes to the information system.

Risk Statement Examples
CM-3: Changes to the production environment that are inadequately tested disrupt the production environment. Management does not approve changes to the operating environment prior to implementation into production.
SOA Policy Number 1: 8220, SOA SubSection 1: 6.1.3

CM-4: Effects from changes to systems or applications are undetected in the production environment.
SOA Policy Number 1: 8220, SOA SubSection 1: 6.1.4

Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer Tampering: A.R.S. § 13-2316

COBIT Reference (Control Objective) (listed for both CM-3 and CM-4)
[CobiT v5 - High Level Control Objective BAI06] Controls have been defined to manage changes to information systems in order to minimize the likelihood of disruption, unauthorized alterations and errors.

Consolidated Control Activities
(See Column AE through AO)

Control Guidance (CM-3)

[Critical Control #2] The processes and tools organizations use to track/control/prevent/correct installation and execution of software on computers based on an asset inventory of approved software.

[Critical Control #3] The processes and tools organizations use to track/control/prevent/correct security weaknesses in the configurations of the hardware and software of mobile devices, laptops, workstations, and servers based on a formal configuration management and change control process.

[Critical Control #10] The processes and tools used to track/control/prevent/correct security weaknesses in the configurations in network devices such as firewalls, routers, and switches based on formal configuration management and change control processes.

[1075] The agency must:
a. Determine the types of changes to the information system that are configuration controlled;
b. Review proposed configuration-controlled changes to the information system and approve or disapprove such changes with explicit consideration for security impact analyses;
c. Document configuration change decisions associated with the information system;
d. Implement approved configuration-controlled changes to the information system;
e. Retain records of configuration-controlled changes to the information system for the life of the system;
f. Audit and review activities associated with configuration-controlled changes to the information system;
g. Coordinate and provide oversight for configuration change control activities through a Configuration Control Board that convenes when configuration changes occur; and
h. Test, validate, and document changes to the information system before implementing the changes on the operational system. (CE2)

Control Guidance (CM-4)

[1075] The agency must analyze changes to the information system to determine potential security impacts prior to change implementation.

Associated Requirement Sections

CM-3:
NIST 800-53 Rev.4 - CM-3 (2)
Critical Control 2: Inventory of Authorized and Unauthorized Software.
Critical Control 3: Secure Configurations for Hardware and Software.
Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches.

CM-4:
NIST 800-53 Rev.4 - CM-4

Req.#: R0046
Security Control Family: CONFIGURATION MANAGEMENT
Control Name: ACCESS RESTRICTIONS FOR CHANGE
800-53 Control #: CM-5
NIST Low [Control and Control Enhancement]: (blank; CM-5 is not in the NIST Rev. 4 Low baseline)
MODERATE [Control and Control Enhancement]: Required (1,3,5)
Security Program Area (Function Area -> Functional Sub-Area): Protect -> Secure Configuration Management & Change Management; Identify -> Critical Information Asset Inventory

Req.#: R0047
Security Control Family: CONFIGURATION MANAGEMENT
Control Name: CONFIGURATION SETTINGS
800-53 Control #: CM-6
NIST Low [Control and Control Enhancement]: Required
MODERATE [Control and Control Enhancement]: Required (1)
Security Program Area (Function Area -> Functional Sub-Area): Protect -> Secure Configuration Management & Change Management; Identify -> Critical Information Asset Inventory

NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - detailed breakdown of required controls
Vendor's Response: please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented.

CM-5 ACCESS RESTRICTIONS FOR CHANGE
The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.

Control Enhancements:
(1) ACCESS RESTRICTIONS FOR CHANGE | AUTOMATED ACCESS ENFORCEMENT / AUDITING
The information system enforces access restrictions and supports auditing of the enforcement actions.
Supplemental Guidance: Related controls: AU-2, AU-12, AU-6, CM-3, CM-6.
(3) ACCESS RESTRICTIONS FOR CHANGE | SIGNED COMPONENTS
The information system prevents the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.
(5) ACCESS RESTRICTIONS FOR CHANGE | LIMIT PRODUCTION / OPERATIONAL PRIVILEGES
The organization:
(a) Limits privileges to change information system components and system-related information within a production or operational environment; and
(b) Reviews and reevaluates privileges [Assignment: organization-defined frequency].

CM-6 CONFIGURATION SETTINGS
The organization:
a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;
b. Implements the configuration settings;
c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and
d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.

Control Enhancement:
(1) CONFIGURATION SETTINGS | AUTOMATED CENTRAL MANAGEMENT / APPLICATION / VERIFICATION
The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components].
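Added example, not part of the DIR crosswalk, the NIST control text, or any vendor's response: a small Python model of what CM-2 (baseline under configuration control, retention of previous versions for rollback) and CM-6 (settings at the most restrictive mode, approved deviations, automated verification) look like when they are actually run against hosts. The setting names, required values, host names, observed values and the deviation justification are all constructed sample data, not a published checklist; the hypothetical `BaselineStore`, `Deviation` and `verify` names are this example's own.

```python
"""Baseline-configuration drift check (added example, constructed data).

CM-2: a versioned baseline kept under configuration control with previous
versions retained so a rollback is possible (CM-2 (3)).
CM-6: settings required at the most restrictive mode, approved deviations
recorded per host (CM-6 c), and a verification pass (CM-6 (1)) that labels
each required setting COMPLIANT, APPROVED_DEVIATION, UNAPPROVED_DEVIATION
or MISSING.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Baseline:
    version: int
    settings: Dict[str, str]  # setting name -> required (most restrictive) value


class BaselineStore:
    """Current baseline plus a bounded history of previous versions (CM-2 (3))."""

    def __init__(self, initial: Dict[str, str], retain: int = 3):
        self._history: List[Baseline] = [Baseline(1, dict(initial))]
        self._retain = retain  # organization-defined number of previous versions

    @property
    def current(self) -> Baseline:
        return self._history[-1]

    def update(self, changes: Dict[str, str]) -> Baseline:
        """Record a reviewed change as a new baseline version (CM-2 (1))."""
        merged = {**self.current.settings, **changes}
        self._history.append(Baseline(self.current.version + 1, merged))
        if len(self._history) > self._retain + 1:  # keep retain previous + current
            del self._history[0]
        return self.current

    def rollback(self) -> Baseline:
        """Drop the current version and reinstate the previous retained one."""
        if len(self._history) < 2:
            raise ValueError("no previous baseline retained")
        self._history.pop()
        return self.current


@dataclass(frozen=True)
class Deviation:
    host: str
    setting: str
    value: str
    justification: str  # the documented operational requirement (CM-6 c)


def verify(baseline: Baseline, host: str, observed: Dict[str, str],
           approved: List[Deviation]) -> Dict[str, str]:
    """Compare one host's observed settings against the baseline (CM-6 (1))."""
    approved_for_host = {(d.setting, d.value) for d in approved if d.host == host}
    report: Dict[str, str] = {}
    for name, required in baseline.settings.items():
        actual = observed.get(name)
        if actual is None:
            report[name] = "MISSING"            # not reported: cannot be assumed compliant
        elif actual == required:
            report[name] = "COMPLIANT"
        elif (name, actual) in approved_for_host:
            report[name] = "APPROVED_DEVIATION"  # documented and approved per CM-6 c
        else:
            report[name] = "UNAPPROVED_DEVIATION"
    return report


def unapproved(report: Dict[str, str]) -> List[str]:
    """Settings that need a change ticket or a correction."""
    return sorted(k for k, v in report.items() if v in ("UNAPPROVED_DEVIATION", "MISSING"))


# Constructed sample checklist and two hosts' observed settings (not real systems).
SAMPLE_BASELINE = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "sshd.X11Forwarding": "no",
    "os.core_dumps": "disabled",
}
SAMPLE_APPROVED = [
    Deviation("jump01", "sshd.PasswordAuthentication", "yes",
              "break-glass console access (constructed example justification)"),
]
SAMPLE_OBSERVED = {
    "web01": {"sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "no",
              "sshd.X11Forwarding": "yes", "os.core_dumps": "disabled"},
    "jump01": {"sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "yes",
               "sshd.X11Forwarding": "no"},  # os.core_dumps not reported at all
}


def run_sample() -> Dict[str, Dict[str, str]]:
    store = BaselineStore(SAMPLE_BASELINE)
    return {h: verify(store.current, h, obs, SAMPLE_APPROVED)
            for h, obs in SAMPLE_OBSERVED.items()}


if __name__ == "__main__":
    for host, rep in run_sample().items():
        print(host, unapproved(rep) or "compliant")
```

Two design points carry the control intent: a setting that the host did not report is a finding, not a pass, because verification that silently skips unknown state defeats CM-6 (1); and an approved deviation matches on host, setting and value, so a deviation approved for one jump host does not excuse the same setting elsewhere.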

Supporting Documentation (vendor response fields; one set each for CM-5 and CM-6)

Overall Control(s) Implementation Status (reference on Comments Page): Implemented / Partially Implemented / Planned / Alternative Implementation / Not Applicable

Where does the Control(s) originate from?: Service Provider Corporate / Service Provider System Specific / Service Provider Hybrid (Corporate and System Specific) / Configured by Customer (Customer System Specific) / Provided by Customer (Customer System Specific) / Shared (Service Provider and Customer Responsibility) / Controls inherited by IaaS

Supporting Documentation: policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.

Vendor's Compensating Controls: if a control or control enhancement can't be met, state the alternative security controls or remediation plan employed by the organization.

Vendor Non-Compliance Risk Statement: if you can't meet this control at all, please explain why (see the Risk Statement Examples below for examples of non-compliance language, Column O).

General Assessment Question (CM-5)
Do the institution or department's configuration management procedures include tracking, documenting, and controlling access to creating, editing, and deleting configuration changes? [For example, in application and database changes, access is restricted from developers; access to administrative-type privileges (and/or accounts that can apply changes and updates to systems) is restricted to appropriate individuals.]

Detailed Control Testing Procedure(s) (CM-5)
Obtain configuration management policy; procedures addressing access restrictions for changes to the information system; information system architecture and configuration documentation; change control records; information system audit records; other relevant documents or records and ascertain if:
(i) the organization approves individual access privileges and enforces physical and logical access restrictions associated with changes to the information system, including upgrades and modifications; and
(ii) the organization generates, retains, and reviews records reflecting all such changes to the information system.

General Assessment Question (CM-6)
Does the institution or department have processes in place to monitor and control changes to the baseline configuration settings of information systems in accordance with organizational policies and procedures?

Detailed Control Testing Procedure(s) (CM-6)
Obtain configuration management policy; procedures addressing configuration settings for the information system; information system configuration settings and associated documentation; NIST Special Publication 800-70; other relevant documents or records and ascertain if:
(i) the organization establishes mandatory configuration settings for information technology products employed within the information system;
(ii) the organization configures the security settings of information technology products to the most restrictive mode consistent with operational requirements;
(iii) the organization documents the configuration settings; and
(iv) the organization enforces the configuration settings in all components of the information system.

Risk Statement Examples
CM-5: Operations do not handle emergency situations that require a change to the production environment consistently.
SOA Policy Number 1: 8220, SOA SubSection 1: 6.1.5

CM-6: Changes to the production environment that are not operating as expected disrupt the production environment.
SOA Policy Number 1: 8220, SOA SubSection 1: 6.1.6

Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer Tampering: A.R.S. § 13-2316

COBIT Reference (Control Objective) (listed for both CM-5 and CM-6)
[CobiT v5 - High Level Control Objective BAI06] Controls have been defined to manage changes to information systems in order to minimize the likelihood of disruption, unauthorized alterations and errors.

Consolidated Control Activities
(See Column AE through AO)

Control Guidance (CM-5)

[Critical Control #2] The processes and tools organizations use to track/control/prevent/correct installation and execution of software on computers based on an asset inventory of approved software.

[Critical Control #3] The processes and tools organizations use to track/control/prevent/correct security weaknesses in the configurations of the hardware and software of mobile devices, laptops, workstations, and servers based on a formal configuration management and change control process.

[Critical Control #10] The processes and tools used to track/control/prevent/correct security weaknesses in the configurations in network devices such as firewalls, routers, and switches based on formal configuration management and change control processes.

[CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy] Planned or unplanned changes to the hardware, software, and/or firmware components of the information system can have significant effects on the overall security of the system. The goal is to allow only qualified and authorized individuals access to information system components for purposes of initiating changes, including upgrades, and modifications. Section 5.5, Access Control, describes agency requirements for control of privileges and restrictions.

[1075] The agency must define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system.

Control Guidance (CM-6)

[PCI DSS v2.0 1.1.1] A formal process for approving and testing all network connections and changes to the firewall and router configurations exists.

[Critical Control #2] The processes and tools organizations use to track/control/prevent/correct installation and execution of software on computers based on an asset inventory of approved software.

[Critical Control #3] The processes and tools organizations use to track/control/prevent/correct security weaknesses in the configurations of the hardware and software of mobile devices, laptops, workstations, and servers based on a formal configuration management and change control process.

[Critical Control #10] The processes and tools used to track/control/prevent/correct security weaknesses in the configurations in network devices such as firewalls, routers, and switches based on formal configuration management and change control processes.

[1075] The agency must:
a. Establish and document configuration settings for IT products that receive, process, store, or transmit FTI using Office of Safeguards–approved compliance requirements (e.g., SCSEMs, assessment tools) that reflect the most restrictive mode consistent with operational requirements;
b. Implement the configuration settings;
c. Identify, document, and approve any deviations from established configuration settings for information systems that receive, process, store, or transmit FTI; and
d. Monitor and control changes to the configuration settings in accordance with agency policies and procedures.

Associated Requirement Sections

CM-5:
NIST 800-53 Rev.4 - CM-5
Critical Control 2: Inventory of Authorized and Unauthorized Software
Critical Control 3: Secure Configurations for Hardware and Software
Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy

CM-6:
PCI DSS v2.0 - Sec 1.1.1
NIST 800-53 Rev.4 - CM-6 (1) (the enhancement this row requires in its header and control text; CM-6 (3) is withdrawn in Rev. 4 and incorporated into SI-7)
Critical Control 3: Secure Configurations for Hardware and Software.
Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches.
Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services



Req.#: R0048
Security Control Family: CONFIGURATION MANAGEMENT
Control Name: LEAST FUNCTIONALITY
800-53 Control #: CM-7
NIST Low [Control and Control Enhancement]: Required
MODERATE [Control and Control Enhancement]: Required (1,2,5)
Security Program Area (Function Area -> Functional Sub-Area):
Protect -> Secure Configuration Management & Change Management
Protect -> Network Access and Perimeter Controls



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls
Vendor's Response (Please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented)

The organization:
a. Configures the information system to provide only essential capabilities; and
b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or
restricted functions, ports, protocols, and/or services].

Control Enhancement:
(1) LEAST FUNCTIONALITY | PERIODIC REVIEW
The organization:
(a) Reviews the information system [Assignment: organization-defined frequency] to identify unnecessary and/or non-secure functions, ports,
protocols, and services; and
(b) Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary
and/or non-secure].
(2) LEAST FUNCTIONALITY | PREVENT PROGRAM EXECUTION
The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies
regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage].
(5) LEAST FUNCTIONALITY | AUTHORIZED SOFTWARE / WHITELISTING
The organization:
(a) Identifies [Assignment: organization-defined software programs authorized to execute on the
information system];
(b) Employs a deny-all, permit-by-exception policy to allow the execution of authorized software
programs on the information system; and
(c) Reviews and updates the list of authorized software programs [Assignment: organization-defined
frequency].



Overall Control(s) Implementation Status (Reference on Comments Page): Implemented | Partially Implemented | Planned | Alternative Implementation | Not Applicable
Where does the Control(s) originate from?: Service Provider Corporate | Service Provider System Specific | Service Provider Hybrid (Corporate and System Specific) | Configured by Customer (Customer System Specific) | Provided by Customer (Customer System Specific) | Shared (Service Provider and Customer Responsibility) | Controls inherited by IaaS
Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.)
Vendor's Compensating Controls (if Control or Control enhancement Can't Be Met - What is the alternative security controls or remediation plan employed by organization)



Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why) (Please See Risk Statement for examples of Non-Compliance language Column O)

General Assessment Questions:
Do the institution or department's configuration management procedures include processes for providing only essential functionality and restricting the use of functionality, ports, protocols, and/or services based on risk?

Detailed Control Testing Procedure(s):
Obtain configuration management policy; procedures addressing least functionality in the information system; security plan; information system configuration settings and associated documentation and ascertain if:
(i) the organization defines in the security plan, explicitly or by reference, prohibited or restricted functions, ports, protocols, and services for the information system.
(ii) the organization configures the information system to provide only essential capabilities.
(iii) the organization configures the information system to specifically prohibit and/or restrict the use of organization-defined functions, ports, protocols, and/or services.
(iv) the organization defines in the security plan, explicitly or by reference, the frequency of the information system reviews to identify and eliminate unnecessary functions, ports, protocols, and services; and
(v) the organization reviews the information system to identify and eliminate unnecessary functions, ports, protocols, and/or services in accordance with organization-defined frequency.



Risk Statement Examples: Configuration standards do not exist for systems being implemented.
SOA Policy Number / SOA SubSection 1-4: (none listed)



Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316
COBIT Reference (Control Objective): [CobiT v5 - High Level Control Objective BAI10; BAI10; DSS02] Controls have been defined to manage the configuration of IT hardware and software.



Consolidated Control Activities
(See Column AE through AO)

scription of groups, roles, and responsibilities for logical management of network components are defined. [PCI DSS v2.0] Guidelines are documented which provide recommended standards for the configuration of computing platforms.[PCI DSS v2.0] For systems subject to PCI requi
red within configuration standards: standards for routers, periodic review of firewall/router rule sets, a list of company-approved products, system security parameters to prevent misuse, removal of all unnecessary functionality, such as scripts, drivers, features, subsystems, file syste
servers), and addressing all known security vulnerabilities and industry best practices.[PCI DSS v2.0] For systems subject to PCI requirements, always change vendor-supplied defaults before installing the system on the network-for example, include passwords, simple network manag
ity strings, and elimination of unnecessary accounts. [PCI DSS v2.0] Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.[PCI DSS v2.0
quirements, implement only one primary function per server.[PCI DSS v2.0] For systems subject to PCI requirements, disable all unnecessary and insecure services and protocols (services and protocols not directly needed to perform the devices specified function).[PCI DSS v2.0].For sy
nts, Configure system security parameters to prevent misuse.[PCI DSS v2.0] Guidelines are documented which provide recommended standards for the configuration of computing platforms [PCI DSS v2.0] For systems subject to PCI requirements, the following is required within confi
ards for routers, periodic review of firewall/router rule sets, a list of company-approved products, system security parameters to prevent misuse, removal of all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems (e.g., unnecessary web servers), and a
ulnerabilities and industry best practices [PCI DSS v2.0] For systems subject to PCI requirements, encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS for web based management and other non-console administrative access.

[Critical Control #2] The processes and tools organizations use to track/control/prevent/correct installation and execution of software on computers based on an asset inventory of approved software.

[Critical Control #3] The processes and tools organizations use to track/control/prevent/correct security weaknesses in the configurations of the hardware and software of mobile devices, laptops, workstations, and servers based on a formal configuration management and change control proce

[Critical Control #6] The processes and tools organizations use to detect/prevent/correct security weaknesses in the development and acquisition of software applications.

[Critical Control #10] The processes and tools used to track/control/prevent/correct security weaknesses in the configurations in network devices such as firewalls, routers, and switches based on formal configuration management and change control processes.

[Critical Control #11] The processes and tools used to track/control/prevent/correct use of ports, protocols, and services on networked devices.

[CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy] 5.7.1.1 Least Functionality
configure the application, service, or information system to provide only essential capabilities and shall specifically prohibit and/or restrict the use of specified functions, ports, protocols, and/or services.

1075] The agency must:


nformation system to provide only essential capabilities; and
trict the use of the functions, ports, protocols, or services as
of Safeguards–approved compliance requirements (e.g.,
ent tools).
ormation system as part of vulnerability assessments to identify
on-secure functions, ports, protocols, and services (see Section
bility Scanning (RA-5)); and
d functions, ports, protocols, and services within the information
o be unnecessary or non-secure.



Associated Requirement Sections

PCI DSS v2.0 - Sec 2.1
PCI DSS v2.0 - Sec 2.2
PCI DSS v2.0 - Sec 2.3
PCI DSS v2.0 - Sec 1.1.4
PCI DSS v2.0 - Sec 2.2.1
PCI DSS v2.0 - Sec 2.2.2
PCI DSS v2.0 - Sec 2.2.3
PCI DSS v2.0 - Sec 2.2.4
NIST 800-53 Rev.4 - CM-7 (1) (2) (4)
Critical Control 2: Inventory of Authorized and Unauthorized Software.
Critical Control 3: Secure Configurations for Hardware and Software.
Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
Critical Control 6: Application Software Security.
Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy



Req.#: R0049
Security Control Family: CONFIGURATION MANAGEMENT
Control Name: INFORMATION SYSTEM COMPONENT INVENTORY
800-53 Control #: CM-8
NIST Low [Control and Control Enhancement]: Required
MODERATE [Control and Control Enhancement]: Required (1,3,5)
Security Program Area (Function Area -> Functional Sub-Area):
Identify -> Data Classification
Identify -> Critical Information Asset Inventory



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls
Vendor's Response (Please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented)

The organization:
a. Develops and documents an inventory of information system components that:
1. Accurately reflects the current information system;
2. Includes all components within the authorization boundary of the information system;
3. Is at the level of granularity deemed necessary for tracking and reporting; and
4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability];
and
b. Reviews and updates the information system component inventory [Assignment: organization-defined frequency].

Control Enhancement:
(1) INFORMATION SYSTEM COMPONENT INVENTORY | UPDATES DURING INSTALLATIONS / REMOVALS
The organization updates the inventory of information system components as an integral part of component installations, removals, and
information system updates.
(3) INFORMATION SYSTEM COMPONENT INVENTORY | AUTOMATED UNAUTHORIZED COMPONENT DETECTION
The organization:
(a) Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software,
and firmware components within the information system; and
(b) Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such
components; isolates the components; notifies [Assignment: organization-defined personnel or roles]].
(5) INFORMATION SYSTEM COMPONENT INVENTORY | NO DUPLICATE ACCOUNTING OF COMPONENTS
The organization verifies that all components within the authorization boundary of the information system are not duplicated in other
information system inventories.
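The CM-7 (1) periodic review and the CM-8 (3)/(5) inventory enhancements above all reduce to the same mechanical check: compare what a scan or discovery tool observes against an organization-approved baseline, and treat every difference as a finding that needs a decision. The following Python is an added illustration of that reconciliation, not code from the crosswalk or from any of the referenced frameworks. The approved-service baseline, the authorized inventory and the scan records are constructed inline; the host names, MAC addresses and role names are assumptions, and the response actions are simply the three options CM-8 (3)(b) lets an organization select from.

```python
"""Baseline reconciliation for CM-7 (1) and CM-8 (3)/(5). Added example;
all data below is constructed for illustration, not taken from a real system."""
from dataclasses import dataclass, field

# Constructed approved baseline (the CM-7 "organization-defined functions,
# ports, protocols, and services" assignment): allowed listeners per host role.
APPROVED_SERVICES = {
    "web": {("tcp", 443), ("tcp", 22)},
    "db": {("tcp", 5432), ("tcp", 22)},
}

# Constructed authorized component inventory (CM-8 a.): asset id -> attributes.
AUTHORIZED_INVENTORY = {
    "web-01": {"role": "web", "mac": "00:11:22:33:44:01"},
    "db-01": {"role": "db", "mac": "00:11:22:33:44:02"},
}

# Constructed discovery output, in the shape a network monitoring tool or
# port scan would report: one record per host seen on the network.
OBSERVED = [
    {"host": "web-01", "mac": "00:11:22:33:44:01",
     "listening": [("tcp", 443), ("tcp", 22), ("tcp", 23)]},
    {"host": "db-01", "mac": "00:11:22:33:44:02",
     "listening": [("tcp", 5432), ("tcp", 22)]},
    {"host": "unknown-7", "mac": "00:11:22:33:44:99",
     "listening": [("tcp", 8080)]},
]


@dataclass
class Findings:
    unauthorized_components: list = field(default_factory=list)  # CM-8 (3)(a)
    unnecessary_services: list = field(default_factory=list)     # CM-7 (1)(a)


def reconcile(observed, inventory, approved_services):
    """Compare observed hosts and listeners against the approved baselines."""
    findings = Findings()
    for rec in observed:
        entry = inventory.get(rec["host"])
        # A host that is not in the inventory, or a known name whose hardware
        # address differs from the inventory record, is an unauthorized component.
        if entry is None or entry["mac"] != rec["mac"]:
            findings.unauthorized_components.append((rec["host"], rec["mac"]))
            continue
        allowed = approved_services.get(entry["role"], set())
        for proto, port in rec["listening"]:
            # Anything listening outside the role's allowlist is a candidate
            # for the CM-7 (1)(b) disable decision.
            if (proto, port) not in allowed:
                findings.unnecessary_services.append((rec["host"], proto, port))
    return findings


def find_duplicates(*inventories):
    """CM-8 (5): report asset ids that appear in more than one system inventory.
    Each argument is a (system_name, inventory_dict) pair."""
    seen = {}
    duplicates = []
    for system_name, inv in inventories:
        for asset in inv:
            if asset in seen:
                duplicates.append((asset, seen[asset], system_name))
            else:
                seen[asset] = system_name
    return duplicates


def plan_response(findings, notify_role="ISSO"):
    """Map findings to the CM-8 (3)(b) selection: isolate, disable network access,
    or notify the organization-defined role. Returns intended actions only; it
    does not change anything on the network."""
    actions = []
    for host, mac in findings.unauthorized_components:
        actions.append(("isolate", host))
        actions.append(("notify", notify_role, f"unauthorized component {host} ({mac})"))
    for host, proto, port in findings.unnecessary_services:
        actions.append(("notify", notify_role, f"{host} listening on {proto}/{port} outside baseline"))
    return actions


if __name__ == "__main__":
    result = reconcile(OBSERVED, AUTHORIZED_INVENTORY, APPROVED_SERVICES)
    for action in plan_response(result):
        print(action)
    print(find_duplicates(("system-a", AUTHORIZED_INVENTORY), ("system-b", {"db-01": {}})))
```

The MAC comparison is what turns a plain name lookup into a detection: a host that presents a known name with unexpected hardware is reported the same way as a completely unknown one. In an assessment, the approved-service and inventory dictionaries are exactly the artifacts the testing procedure asks for (security plan, inventory records), so the review evidence for CM-7 (1) and CM-8 (3) can be produced by the same run.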





Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why) (Please See Risk Statement for examples of Non-Compliance language Column O)

General Assessment Questions:
1) Does the institution or department assign owner and custodian to all information and IT assets, and is there an approved document which describes and distinguishes the roles and responsibilities of an owner, custodian, and user?
2) Is there a current and accurate inventory of systems, that provides details such as associated owners, location, security requirements, data classification, etc., for the department?

Detailed Control Testing Procedure(s):
Obtain configuration management policy; procedures addressing information system component inventory; information system inventory records; security plan; component installation records; other relevant documents or records and ascertain if:
(i) the organization develops and documents an inventory of the components of the information system:
- that is at the level of granularity deemed appropriate by the organization for the components included in the inventory that are subject to tracking and reporting.
- that includes any information determined to be necessary by the organization to achieve effective property accountability.
- that is consistent with the accreditation boundary of the system.
(ii) the organization maintains the inventory of the components of the information system to reflect the current state of the system.
(iii) the organization updates the inventory of information system components as an integral part of component installations.



Risk Statement Examples: Information and assets associated with information processing facilities are not owned by a designated part of the organization.
SOA Policy Number 1: 8220; SOA SubSection 1: 6.1.7
SOA Policy Number / SOA SubSection 2-4: (none listed)



Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316
COBIT Reference (Control Objective): [CobiT v5 - High Level Control Objective DSS01;DSS04;DSS05;DSS06] Controls have been defined to manage data by maintaining the completeness, accuracy, availability and protection of data.



Consolidated Control Activities
(See Column AE through AO)

Information and assets associated with information processing facilities should be owned by a designated part of the organization. Clear distinctions among owner, custodian, and user responsibilities guide determination of these roles.

establishes procedures to maintain a record of the movements of hardware and electronic media and any person responsible therefore.

[Critical Control #1] The processes and tools used to track/control/prevent/correct network access by devices (computers, network components, printers, anything with IP addresses) based on an asset inventory of which devices are allowed to connect to the network.

[Critical Control #2] The processes and tools organizations use to track/control/prevent/correct installation and execution of software on computers based on an asset inventory of approved software.

1075] The agency must:


ocument an inventory of information system components that:
ects the current information system;
mponents that store, process, or transmit FTI;
of granularity deemed necessary for tracking and reporting; and
mation deemed necessary to achieve effective information
nt accountability; and
date the information system component inventory through periodic
y checks or a network monitoring tool that automatically maintains the inventory; and
entory of information system components as an integral part of
llations, removals, and information system updates. (CE1)



Associated Requirement Sections

HIPAA Security Section - 45 CFR 164.310(d)(2)(iii)
NIST 800-53 Rev.4 - CM-8 (1) (3) (5)
Critical Control 1: Inventory of Authorized and Unauthorized Devices
Critical Control 2: Inventory of Authorized and Unauthorized Software



Req.#: R0050
Security Control Family: CONFIGURATION MANAGEMENT
Control Name: CONFIGURATION MANAGEMENT PLAN
800-53 Control #: CM-9
NIST Low [Control and Control Enhancement]: -
MODERATE [Control and Control Enhancement]: Required
Security Program Area (Function Area -> Functional Sub-Area):
Protect -> Secure Configuration Management
Identify -> Critical Information Asset Inventory



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls
Vendor's Response (Please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented)

The organization develops, documents, and implements a configuration management plan for the information system that:
a. Addresses roles, responsibilities, and configuration management processes and procedures;
b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of
the configuration items;
c. Defines the configuration items for the information system and places the configuration items under configuration management; and
d. Protects the configuration management plan from unauthorized disclosure and modification.





Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why) (Please See Risk Statement for examples of Non-Compliance language Column O)

General Assessment Questions:
Does the institution or department have procedures in place to implement and manage proper security configuration of information systems, including:
i) review and update of configuration management standards, and procedures at defined intervals or when significant changes occur to the institution's security posture (e.g., new information system type, or changes required due to a new risk or incident, etc.)?
ii) properly restricting configuration standards for information systems to authorized administrators?

Detailed Control Testing Procedure(s):
Obtain configuration management policy; configuration management plan; procedures addressing configuration management planning; security plan; other relevant documents or records and ascertain if:
(i) the organization develops, documents, and implements a configuration management plan for the information system that:
- addresses roles, responsibilities, and configuration management processes and procedures;
- defines the configuration items for the information system and when in the system development life cycle the configuration items are placed under configuration management; and
- establishes the means for identifying configuration items throughout the system development life cycle and a process for managing the configuration of the configuration items.



Risk Statement Examples: IT assets and configurations are managed ineffectively due to the lack of a configuration management process.
SOA Policy Number 1: 8220; SOA SubSection 1: 6.1.1
SOA Policy Number / SOA SubSection 2-4: (none listed)



Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316
COBIT Reference (Control Objective): [CobiT v5 - High Level Control Objective BAI10; BAI10; DSS02] Controls have been defined to manage the configuration of IT hardware and software.



Consolidated Control Activities
(See Column AE through AO)

trol guidance

[Critical Control #2] The processes and tools organizations use to track/control/prevent/correct installation and execution of software on computers based on an asset inventory of approved software.

1075]
develop, document, and implement a configuration management plan
on system that:
s, responsibilities, and configuration management processes and

rocess for identifying configuration items throughout the system


cycle (SDLC) and for managing the configuration of the
ms;
nfiguration items for the information system and places the
ms under configuration management; and
onfiguration management plan from unauthorized disclosure and



Associated Requirement Sections

NIST 800-53 Rev.4 - CM-9
Critical Control 2: Inventory of Authorized and Unauthorized Software



Req.#: R0051
Security Control Family: CONFIGURATION MANAGEMENT
Control Name: SOFTWARE USAGE RESTRICTIONS
800-53 Control #: CM-10
NIST Low [Control and Control Enhancement]: Required
MODERATE [Control and Control Enhancement]: Required (1)
Security Program Area (Function Area -> Functional Sub-Area):
Protect -> Secure Configuration Management
Identify -> Data Classification



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls
Vendor's Response (Please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented)

The organization:
a. Uses software and associated documentation in accordance with contract agreements and copyright laws;
b. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized
distribution, display, performance, or reproduction of copyrighted work.

Control Enhancements:
(1) SOFTWARE USAGE RESTRICTIONS | OPEN SOURCE SOFTWARE
The organization establishes the following restrict





Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why) (Please See Risk Statement for examples of Non-Compliance language Column O)

General Assessment Questions:
Does the institution or department have processes in place to monitor software usage in accordance with contractual agreements (e.g., abiding by copyright laws, license agreements, etc.)?

Detailed Control Testing Procedure(s):
Obtain procedures relating to use of software and peer-to-peer file sharing technology and ascertain if:
(i) the software is used in accordance with contract agreements and copyright laws;
(ii) the use of software is tracked and protected by quantity licenses to control copying and distribution; and
(iii) the use of peer to peer software is controlled and protected against unauthorized distribution, display, performance, or reproduction of copyrighted work.



Risk Statement Examples: Improper use of information or assets occurs inside an information processing facility.
SOA Policy Number 1: 8220; SOA SubSection 1: 6.1.8
SOA Policy Number / SOA SubSection 2-4: (none listed)



Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316
COBIT Reference (Control Objective): [CobiT v5 - High Level Control Objective DSS01;DSS04;DSS05;DSS06] Controls have been defined to manage data by maintaining the completeness, accuracy, availability and protection of data.



Consolidated Control Activities
(See Column AE through AO)

For PCI covered data, proper usage policies for critical technologies are defined for employees and contractors.

[Children's Internet Protection Act] Procedures are established for schools with internet safety policies and technology protection measures to attain certification of compliance during each annual program application cycle.

[Children's Internet Protection Act] Procedures are established for schools without internet safety policies to take measures to attain certification of compliance.

[Children's Internet Protection Act] An Internet safety policy that enforces the operation of a technology protection measure is established.

[Children's Internet Protection Act] Procedures are established for schools with internet safety policies and technology protection measures to attain certification of compliance during each annual program application cycle.

[Children's Internet Protection Act] Procedures are established for schools and libraries without internet safety policies to take measures to attain certification of compliance.

[Children's Internet Protection Act] Procedures are established for a school or library to adopt and implement an Internet safety policy and determine the matter that is inappropriate for minors.

1075] The agency must:


nd associated documentation in accordance with contract agreements and copyright laws;
of software and associated documentation protected by quantity licenses to control copying and distribution; and
cument the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
establish restrictions on the use of open source software. Open source software must: (CE1)
sed;
he agency IT department; and
cure configuration baseline checklist from the U.S. Government or industry.



Associated Requirement Sections

PCI DSS v2.0 - Sec 12.3


PCI DSS v2.0 - Sec 12.3.1
PCI DSS v2.0 - Sec 12.3.10
PCI DSS v2.0 - Sec 12.3.2
PCI DSS v2.0 - Sec 12.3.3
PCI DSS v2.0 - Sec 12.3.4
PCI DSS v2.0 - Sec 12.3.5
PCI DSS v2.0 - Sec 12.3.6
PCI DSS v2.0 - Sec 12.3.7
PCI DSS v2.0 - Sec 12.3.8
PCI DSS v2.0 - Sec 12.3.9
Children's Internet Protection Act - SEC. 3601(a)(1)
Children's Internet Protection Act - SEC. 3601(a)(2) -b
Children's Internet Protection Act - SEC. 3601(a)(2) -c
Children's Internet Protection Act - SEC. 1712 (b)(1)
Children's Internet Protection Act - SEC. 1712 (b)(4) -b
Children's Internet Protection Act - SEC. 1712 (b)(4) -c
Children's Internet Protection Act - SEC. 1721(a)(1) -a (1)
Children's Internet Protection Act - SEC. 1721(a)(1) -e (2)
Children's Internet Protection Act - SEC. 1721(a)(1) -e (3)
Children's Internet Protection Act - SEC. 1721(b)(1) -a (1)
Children's Internet Protection Act - SEC. 1721(b)(1) -e (2)
Children's Internet Protection Act - SEC. 1721(b)(1) -e (3)
Children's Internet Protection Act - SEC. 1732
NIST 800-53 Rev.4 - CM-10



Req.#: R0052
Security Control Family: CONFIGURATION MANAGEMENT
Control Name: USER-INSTALLED SOFTWARE
800-53 Control #: CM-11
NIST Low [Control and Control Enhancement]: Required
MODERATE [Control and Control Enhancement]: Required
Security Program Area (Function Area -> Functional Sub-Area): Protect -> Secure Configuration Management

Req.#: R0053
Security Control Family: CONTINGENCY PLANNING
Control Name: CONTINGENCY PLANNING POLICY AND PROCEDURES
800-53 Control #: CP-1
NIST Low [Control and Control Enhancement]: Required
MODERATE [Control and Control Enhancement]: Required
Security Program Area (Function Area -> Functional Sub-Area): Protect -> Contingency Planning



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] (Detailed breakdown of required controls) | Vendor's Response (Please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented)

The organization:
a. Establishes [Assignment: organization-defined policies] governing the installation of software by users;
b. Enforces software installation policies through [Assignment: organization-defined methods]; and
c. Monitors policy compliance at [Assignment: organization-defined frequency].

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among
organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and
b. Reviews and updates the current:
1. Contingency planning policy [Assignment: organization-defined frequency]; and
2. Contingency planning procedures [Assignment: organization-defined frequency].



Overall Control(s) Implementation Status (Reference on Comments Page) | Where does the Control(s) originate from? | Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.) | Vendor's Compensating Controls (if Control or Control enhancement Can't Be Met - What is the alternative security controls or remediation plan employed by organization)

Overall Control(s) Implementation Status options: Implemented; Partially Implemented; Planned; Alternative Implementation; Not Applicable

Where does the Control(s) originate from? options: Service Provider Corporate; Service Provider System Specific; Service Provider Hybrid (Corporate and System Specific); Configured by Customer (Customer System Specific); Provided by Customer (Customer System Specific); Shared (Service Provider and Customer Responsibility); Controls inherited by IaaS




Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why) (Please See Risk Statement for examples of Non-Compliance language Column O) | General Assessment Questions | Detailed Control Testing Procedure(s)

General Assessment Questions: Does the institution or department have documented policies and supporting processes to minimize risk of users installing software on institution owned information systems (e.g., desktops and laptops) and to reduce security exposure from malware and unapproved software? [Note: supporting process examples could include restrictions of admin access on endpoints from general users, and/or monitoring for unauthorized software installed on systems].

Detailed Control Testing Procedure(s): Obtain procedures addressing software installation requirements and ascertain if:
(i) the policies are enforced through relevant methods; and
(ii) policy compliance is monitored at an appropriate frequency.

General Assessment Questions: 1) Has the institution or department defined contingency plan(s) for the information systems that take into account the businesses' Recovery Time Objectives (RTO), Recovery Point Objectives (RPO), dependencies, roles and responsibilities, and description of key tasks, checklists, and/or procedures for recovery that are current? Have such contingency plan(s) been tested for effectiveness? 2) Does the institution or department have appropriate processes to: i) keep Contingency Plans current; ii) assign clear accountability on keeping plans pertinent; and iii) align with other related processes (e.g., business continuity, crisis management, and incident management)?

Detailed Control Testing Procedure(s): Obtain contingency planning policy and procedures; other relevant documents or records and ascertain if:
(i) the organization develops and documents contingency planning policy and procedures.
(ii) the organization disseminates contingency planning policy and procedures to appropriate elements within the organization.
(iii) responsible parties within the organization periodically review contingency planning policy and procedures.
(iv) the organization updates contingency planning policy and procedures when organizational review indicates updates are required.
(v) the contingency planning policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
(vi) the contingency planning policy is consistent with the organization's mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance.
(vii) the contingency planning procedures address all areas identified in the contingency planning policy and address achieving policy-compliant implementations of all associated contingency planning controls.



Risk Statement Examples | SOA Policy Number 1 | SOA SubSection 1 | SOA Policy Number 2 | SOA SubSection 2 | SOA Policy Number 3 | SOA SubSection 3 | SOA Policy Number 4 | SOA SubSection 4

Users expose information systems by not correctly executing their access control responsibilities. (SOA Policy Number 1: 8120; SOA SubSection 1: 6.2)

The BCM Program is ineffective since the Business Continuity documentation has not been created and maintained. (SOA Policy Number 1: 8230; SOA SubSection 1: 6.1 - 6.10.1)



COBIT Reference (Control Objective) | Arizona Breach Notification A.R.S. § 44-7500 | Arizona Computer tampering A.R.S. § 13-2316

[CobiT v5 - High Level Control Objective AP013; DS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and monitoring, detecting, reporting security vulnerabilities and incidents.

[CobiT v5 - High Level Control Objective DSS04] Controls have been defined to ensure continuous service by building resilience into automated solutions and developing, maintaining and testing IT continuity plans.



Consolidated Control Activities
(See Column AE through AO)

ntrol Guidance

1075] The agency must:
a. Establish policies governing the installation of software by users;
b. Enforce software installation policies through automated methods; and
c. Monitor policy compliance on a continual basis.

A managed process is developed and maintained for business continuity throughout the organization that addresses the information security requirements needed for the organization's business continuity

1075] The agency must:
a. Develop, document, and disseminate to designated agency officials:
1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among agency entities, and compliance; and
2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and
b. Review and update the current:
1. Contingency planning policy every three years; and
2. Contingency planning procedures at least annually.



Associated Requirement Sections

NIST 800-53 Rev.4 - CM-11

HIPAA Security Section - 45 CFR 164.310(a)(2)(i)


NIST 800-53 Rev.4 - CP-1




R0054 | CONTINGENCY PLANNING | CONTINGENCY PLAN | CP-2 | Required | Required (1,2,3,8) | Protect -> Contingency Planning




The organization:
a. Develops a contingency plan for the information system that:
1. Identifies essential missions and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented;
and
6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role)
and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency];
e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems
encountered during contingency plan implementation, execution, or testing;
f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role)
and organizational elements]; and
g. Protects the contingency plan from unauthorized disclosure and modification.

Control Enhancement:
(1) CONTINGENCY PLAN | COORDINATE WITH RELATED PLANS
The organization coordinates contingency plan development with organizational elements responsible for related plans.
(2) CONTINGENCY PLAN | CAPACITY PLANNING
The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.
(3) CONTINGENCY PLAN | RESUME ESSENTIAL MISSIONS / BUSINESS FUNCTIONS
The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of
contingency plan activation.
(8) CONTINGENCY PLAN | IDENTIFY CRITICAL ASSETS
The organization identifies critical information system assets supporting essential missions and business functions.







General Assessment Questions: Does the institution or department have proper contingency plans that provide enough information for effective recovery?
[Please note that recovery plans should typically include, but not limited to:
i) description of mission and essential business function
ii) Scope
iii) Plan Activation / Invocation process and authorities
iv) Contingency Team structure and responsibilities
v) Strategies for each business process/information system(s)
vi) Recovery Profile
vii) Communications Plan
viii) Response Actions – Immediate, maintaining critical processes, actions by roles, actions in response to specific threat scenarios
ix) Return to Normal]

Detailed Control Testing Procedure(s): Obtain contingency planning policy; procedures addressing contingency operations for the information system; NIST Special Publication 800-34; contingency plan; other related plans; other relevant documents or records and ascertain if:
(i) the organization develops and documents a contingency plan for the information system.
(ii) the contingency plan is consistent with NIST Special Publication 800-34.
(iii) the contingency plan addresses contingency roles, responsibilities, assigned individuals with contact information, and activities associated with restoring the information system after a disruption or failure.
(iv) the contingency plan is reviewed and approved by designated organizational officials.
(v) the organization disseminates the contingency plan to key contingency personnel.
(vi) the organization coordinates the contingency plan with other related plans (e.g., Business Continuity Plan, Disaster Recovery Plan, Continuity of Operations Plan, Business Recovery Plan, Incident Response Plan, Emergency Action Plan).




Critical activities are not recovered rapidly at the time of a disruption since the organization has not categorized its activities according to their priority for recovery. (SOA Policy Number 1: 8230; SOA SubSection 1: 6.1, 6.2, 6.3)




[CobiT v5 - High Level Control Objective DSS04] Controls have been defined to ensure continuous service by building resilience into automated solutions and developing, maintaining and testing IT continuity plans.



Consolidated Control Activities
(See Column AE through AO)

U. T. System Information Security Program Elements] A disaster recovery management process has been established to ensure disaster recovery plans are documented, kept up to date, and address all applicable areas of the IT to reduce disruption caused by disasters and/or security

Disaster recovery plans are documented. The DR Plan must identify the required actions to undertake following interruption to, or failure of, critical IT systems.

The organization has conducted a risk assessment using an approach suitable and appropriate to address all of the organization's requirements, specifically in respect of the organization's business continuity requirements. Events that can cause interruptions to business processes sho
with the probability and impact of such interruptions and their consequences for information security.

1075] The agency must:
a. Develop a contingency plan for the information system that:
1. Identifies essential missions and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, and assigned individuals with contact information;
4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
6. Is reviewed and approved by designated agency officials;
b. Distribute copies of the contingency plan to key contingency personnel;
c. Coordinate contingency planning activities with incident handling activities;
d. Review the contingency plan for the information system at least annually;
e. Update the contingency plan to address changes to the agency, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
f. Communicate contingency plan changes to key contingency personnel; and
g. Protect the contingency plan from unauthorized disclosure and modification.



Associated Requirement Sections

HIPAA Security Section - 45 CFR 164.308(a)(7)(ii)(C)


HIPAA Security Section - 45 CFR 164.310(a)(2)(i)
HIPAA Security Section - 45 CFR 164.312(a)(2)(ii)
NIST 800-53 Rev.4 - CP-2 (1) (3) (8)




R0055 | CONTINGENCY PLANNING | CONTINGENCY TRAINING | CP-3 | Required | Protect -> Contingency Planning

R0056 | CONTINGENCY PLANNING | CONTINGENCY PLAN TESTING | CP-4 | Required | Required (1) | Protect -> Contingency Planning

R0057 | CONTINGENCY PLANNING | ALTERNATE STORAGE SITE | CP-6 | Required (1,3) | Protect -> Contingency Planning




The organization provides contingency training to information system users consistent with assigned roles and responsibilities:
a. Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter.

The organization:
a. Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined
tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan;
b. Reviews the contingency plan test results; and
c. Initiates corrective actions, if needed.

Control Enhancement:
(1) CONTINGENCY PLAN TESTING | COORDINATE WITH RELATED PLANS
The organization coordinates contingency plan testing with organizational elements responsible for related plans.

The organization:
a. Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup
information; and
b. Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.

Control Enhancement:
(1) ALTERNATE STORAGE SITE | SEPARATION FROM PRIMARY SITE
The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.
(3) ALTERNATE STORAGE SITE | ACCESSIBILITY
The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and
outlines explicit mitigation actions.







General Assessment Questions: Does the institution or department train personnel in their contingency roles and responsibilities with respect to the information system and provide refresher training?

Detailed Control Testing Procedure(s): Obtain contingency planning policy; contingency plan; procedures addressing contingency training; contingency training curriculum; contingency training material; security plan; contingency training records; other relevant documents or records and ascertain if:
(i) the organization provides contingency training to personnel with contingency roles and responsibilities.
(ii) the organization defines in the security plan, explicitly or by reference, the frequency of refresher contingency training and the frequency is at least annually.
(iii) the organization provides initial training and refresher training in accordance with organization-defined frequency.
(iv) the contingency training material addresses the procedures and activities necessary to fulfill identified organizational contingency roles and responsibilities.

General Assessment Questions: Are Disaster Recovery Plans tested, reassessed and maintained regularly to ensure that they are up to date and effective?

Detailed Control Testing Procedure(s): Obtain contingency planning policy; contingency plan, procedures addressing contingency plan testing and exercises; security plan; contingency plan testing and/or exercise documentation; contingency plan test results; other relevant documents or records and ascertain if:
(i) the organization defines in the security plan, explicitly or by reference, the contingency plan tests and/or exercises to be conducted.
(ii) the organization defines in the security plan, explicitly or by reference, the frequency of contingency plan tests and/or exercises and the frequency is at least annually.
(iii) the organization tests/exercises the contingency plan using organization-defined tests/exercises in accordance with organization-defined frequency.
(iv) the organization reviews the contingency plan test/exercise results and takes corrective actions.
(v) the contingency plan tests/exercises confirm the plan's effectiveness.

General Assessment Questions: 1) Has the institution or department established procedures to perform and maintain backup copies of information in accordance with institution's business continuity and disaster recovery requirements? 2) Does the institution or department store media back-ups in a secure location, preferably at an off-site facility, such as an alternate or back-up site, or a commercial storage facility?

Detailed Control Testing Procedure(s): Obtain contingency planning policy; contingency plan; procedures addressing alternate storage sites; alternate storage site agreements; alternate storage site; other relevant documents or records and ascertain if:
(i) the organization identifies an alternate storage site.
(ii) the organization initiates necessary alternate storage site agreements to permit storage of information system backup information.
(iii) the organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster.
(iv) the organization defines explicit mitigation actions for potential accessibility problems.




An organization is unable to resume its activities following a disruption since it has not considered strategic options for its critical activities and the resources that each activity will require on its resumption. (SOA Policy Number 1: 8230; SOA SubSection 1: 6.4)

Disaster recovery plans fail because they were not tested, maintained or re-assessed. (SOA Policy Number 1: 8230; SOA SubSection 1: 6.5)

The organization has not devised information strategies which ensure that information vital to the organization's operation is adequately protected and recoverable at the time needed. (SOA Policy Number 1: 8230; SOA SubSection 1: 6.6)




[CobiT v5 - High Level Control Objective DSS04] Controls have been defined to ensure continuous service by building resilience into automated solutions and developing, maintaining and testing IT continuity plans.

[CobiT v5 - High Level Control Objective DSS04] Controls have been defined to ensure continuous service by building resilience into automated solutions and developing, maintaining and testing IT continuity plans.

[CobiT v5 - High Level Control Objective DSS04] Controls have been defined to ensure continuous service by building resilience into automated solutions and developing, maintaining and testing IT continuity plans.



Consolidated Control Activities
(See Column AE through AO)

ntrol Guidance

1075] The agency must provide contingency training to information system users consistent
es and responsibilities:
ing a contingency role or responsibility;
d by information system changes; and
after.

Disaster recovery plans are tested, reassessed and maintained regularly to ensure that they are up to date and effective.

1075] The agency must:
a. Test the contingency plan for the information system, at a minimum annually, to determine the effectiveness of the plan and the agency's readiness to execute the plan;
b. Review the contingency plan test results; and
c. Initiate corrective actions, if needed.

systems that contain PCI covered data, store media back-ups in a secure location, preferably an off-site facility, such as an alternate or back-up site, or a commercial storage facility. Review the location's security at least annually.

Plans are developed and implemented to maintain or restore operations and ensure availability of information at the required level and in the required time scales following interruption to, or failure of critical business processes.

1075] The agency must:
a. Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of information system backup information; and
b. Ensure that the alternate storage site provides information security safeguards that meet the minimum protection standards and the disclosure provisions of IRC 6103.



Associated Requirement Sections

NIST 800-53 Rev.4 - CP-3

HIPAA Security Section - 45 CFR 164.308(a)(7)(ii)(D)


NIST 800-53 Rev.4 - CP-4(1)

HIPAA Security Section - 45 CFR 164.308(a)(7)


HIPAA Security Section - 45 CFR 164.308(a)(7)(ii)(C)
HIPAA Security Section - 45 CFR 164.308(a)(7)(ii)(A)
HIPAA Security Section - 45 CFR 164.310(d)(2)(iv)
PCI DSS v2.0 - Sec 9.5
NIST 800-53 Rev.4 - CP-6 (1) (3)




R0058 | CONTINGENCY PLANNING | ALTERNATE PROCESSING SITE | CP-7 | Required (1,2,3) | Protect -> Contingency Planning

R0059 | CONTINGENCY PLANNING | TELECOMMUNICATIONS SERVICES | CP-8 | Required (1,2) | Protect -> Contingency Planning




The organization:
a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-
defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent
with recovery time and recovery point objectives] when the primary processing capabilities are unavailable;
b. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are
in place to support delivery to the site within the organization-defined time period for transfer/resumption; and
c. Ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site.

Control Enhancement:
(1) ALTERNATE PROCESSING SITE | SEPARATION FROM PRIMARY SITE
The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same
threats.
(2) ALTERNATE PROCESSING SITE | ACCESSIBILITY
The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and
outlines explicit mitigation actions.
(3) ALTERNATE PROCESSING SITE | PRIORITY OF SERVICE
The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational
availability requirements (including recovery time objectives).

The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment:
organization-defined information system operations] for essential missions and business functions within [Assignment: organization-defined time
period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.

Control Enhancement:
(1) TELECOMMUNICATIONS SERVICES | PRIORITY OF SERVICE PROVISIONS
The organization:
(a) Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with
organizational availability requirements (including recovery time objectives); and
(b) Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the
event that the primary and/or alternate telecommunications services are provided by a common carrier.
(2) TELECOMMUNICATIONS SERVICES | SINGLE POINTS OF FAILURE
The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary
telecommunications services.






Vendor Non-Compliance Risk Statement
(If you can't meet this control at all please explain why. Please see Risk Statement for examples of Non-Compliance language, Column O.)

General Assessment Questions (CP-7):
1) Has the institution or department established an alternate processing site and necessary agreements to permit the resumption of information system operations for essential missions and business functions within defined time periods consistent with recovery time objectives when the primary processing capabilities are unavailable?
2) Are contracts in place to support delivery of equipment and supplies required to resume operations?

Detailed Control Testing Procedure(s) (CP-7):
Obtain contingency planning policy; contingency plan; procedures addressing alternate processing sites; alternate processing site agreements; security plan; other relevant documents or records and ascertain if:
(i) the organization identifies an alternate processing site.
(ii) the organization defines in the security plan, explicitly or by reference, the time period within which processing must be resumed at the alternate processing site.
(iii) the organization initiates necessary alternate processing site agreements to permit the resumption of information system operations for critical mission/business functions within the organization-defined time period.
(iv) the contingency plan identifies the primary processing site hazards; and
(v) the alternate processing site is sufficiently separated from the primary processing site so as not to be susceptible to the same hazards identified at the primary site.
(vi) the contingency plan identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster.
(vii) the contingency plan defines explicit mitigation actions for potential accessibility problems.

General Assessment Questions (CP-8):
Has the institution or department established alternate telecommunications services and necessary agreements to permit the resumption of information system operations for essential missions and business functions within a defined time period when the primary telecommunications capabilities are unavailable?

Detailed Control Testing Procedure(s) (CP-8):
Obtain contingency planning policy; contingency plan; procedures addressing alternate telecommunications services; security plan; primary and alternate telecommunications service agreements; other relevant documents or records and ascertain if:
(i) the organization identifies primary and alternate telecommunications services to support the information system.
(ii) the organization defines in the security plan, explicitly or by reference, the time period within which resumption of information system operations must take place.
(iii) the organization initiates necessary alternate telecommunications service agreements to permit the resumption of telecommunications services for critical mission/business functions within the organization-defined time period when the primary telecommunications capabilities are unavailable.
(iv) the organization develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements.



Risk Statement Examples (with SOA Policy Number and SOA SubSection):

An organization is unable to recover its technology services since it has not devised a technology strategy according to its size, nature and complexity of business.
SOA Policy Number 1: 8230, SOA SubSection 1: 6.7

The agreed service continuity and availability commitments to customers are not met in all circumstances.
SOA Policy Number 1: 8230, SOA SubSection 1: 6.8



COBIT Reference (Control Objective) | Arizona Breach Notification: A.R.S. § 44-7500 | Arizona Computer Tampering: A.R.S. § 13-2316

[CobiT v5 - High Level Control Objective DSS04] (CP-7 and CP-8) Controls have been defined to ensure continuous service by building resilience into automated solutions and developing, maintaining and testing IT continuity plans.



Consolidated Control Activities
(See Column AE through AO)

Control Guidance

[IRS Publication 1075] The agency must:


ternate processing site, including necessary agreements to permit the transfer and resumption of information system operations, in accordance with the agency’s contingency plan when the primary processing capabilities are unavailable;
uipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the agency-defined time period for transfer/resumption; and
e alternate storage site provides information security safeguards that meet the minimum protection standards and the disclosure provisions of IRC 6103.

der ensures that agreed service continuity and availability commitments to customers are met in all circumstances. [ISO 20000]



Associated Requirement Sections

NIST 800-53 Rev.4 - CP-7 (1) (2) (3)

NIST 800-53 Rev.4 - CP-8 (1) (2)



Security Control (Req.#; Control Family; Control Name; 800-53 Control #; NIST Low and MODERATE [Control and Control Enhancement]; Security Program Area (Function Area -> Functional Sub-Area))

Req.#: R0060
Control Family: CONTINGENCY PLANNING
Control Name: INFORMATION SYSTEM BACKUP
800-53 Control #: CP-9
NIST Low [Control and Control Enhancement]: Required
MODERATE [Control and Control Enhancement]: Required (1,3)
Security Program Area: Protect -> Contingency Planning

Req.#: R0061
Control Family: CONTINGENCY PLANNING
Control Name: INFORMATION SYSTEM RECOVERY AND RECONSTITUTION
800-53 Control #: CP-10
NIST Low [Control and Control Enhancement]: Required
MODERATE [Control and Control Enhancement]: Required (2)
Security Program Area: Protect -> Enterprise Architecture, Roadmap & Emerging Technology; Recover -> Disaster Recovery Procedures



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls
Vendor's Response: Please address all the controls and control enhancements, then describe if the controls are Implemented, Partially Implemented or Not Implemented.

The organization:
a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with
recovery time and recovery point objectives];
b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent
with recovery time and recovery point objectives];
c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined
frequency consistent with recovery time and recovery point objectives]; and
d. Protects the confidentiality, integrity, and availability of backup information at storage locations.

Control Enhancement:
(1) INFORMATION SYSTEM BACKUP | TESTING FOR RELIABILITY / INTEGRITY
The organization tests backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity.
(3) INFORMATION SYSTEM BACKUP | SEPARATE STORAGE FOR CRITICAL INFORMATION
The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system.

The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or
failure.

Control Enhancement:
(2) INFORMATION SYSTEM RECOVERY AND RECONSTITUTION | TRANSACTION RECOVERY
The information system implements transaction recovery for systems that are transaction-based.



Vendor Non-Compliance Risk Statement
(If you can't meet this control at all please explain why. Please see Risk Statement for examples of Non-Compliance language, Column O.)

General Assessment Questions (CP-9):
Does the institution or department back up user-level and system-level information, system documentation, and security-related documentation consistent with recovery objectives and protect the confidentiality and integrity of backups?

Detailed Control Testing Procedure(s) (CP-9):
Obtain contingency planning policy; contingency plan; procedures addressing information system backup; security plan; backup storage location(s); information system backup test results; other relevant documents or records and ascertain if:
(i) the organization defines the frequency of information system backups.
(ii) the organization backs up user-level and system-level information (including system state information) in accordance with the organization-defined frequency.
(iii) the organization backs up information to alternate storage sites (if so designated) at a frequency and transfer rate consistent with the organization's recovery time objectives and recovery point objectives.
(iv) the organization protects backup information at the designated storage locations.
(v) the organization defines in the security plan, explicitly or by reference, the frequency of information system backup testing.
(vi) the organization conducts information system backup testing in accordance with the organization-defined frequency.
(vii) testing results verify backup media reliability and information integrity.

General Assessment Questions (CP-10):
Does the recovery strategy and its implementation include considerations for fault tolerance and redundant architecture for minimizing risk of information system downtime [taking into account risk tolerance and importance of the system based on business requirements]?

Detailed Control Testing Procedure(s) (CP-10):
Obtain contingency planning policy; contingency plan; procedures addressing information system recovery and reconstitution; information system configuration settings and associated documentation; contingency plan test procedures; security plan; information system design documentation; other relevant documents or records and ascertain if:
(i) the organization provides and applies mechanisms and procedures for recovery and reconstitution of the information system to a known secure state after disruption or failure.
(ii) the organization defines in the security plan, explicitly or by reference, the circumstances that can inhibit recovery and reconstitution of the information system to a known state; and



Risk Statement Examples (with SOA Policy Number and SOA SubSection):

Data is not recoverable due to inadequate or undefined backup and restoration procedures.
SOA Policy Number 1: 8230, SOA SubSection 1: 6.9

Information systems fail due to improper fault tolerant or redundant architectures.
SOA Policy Number 1: 8230, SOA SubSection 1: 6.1



COBIT Reference (Control Objective) | Arizona Breach Notification: A.R.S. § 44-7500 | Arizona Computer Tampering: A.R.S. § 13-2316

[CobiT v5 - High Level Control Objective DSS01; DSS04; DSS05; DSS06] (CP-9) Controls have been defined to manage data by maintaining the completeness, accuracy, availability and protection of data.

[CobiT v5 - High Level Control Objective BAI03; DSS02] (CP-10) Controls have been defined for the acquisition and maintenance of technology infrastructure to ensure that the platforms that support the business applications are aligned with defined IT architecture and technology standards.



Consolidated Control Activities
(See Column AE through AO)

Control Guidance

[Critical Control #8] The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it.

[IRS Publication 1075] The agency must:


ps of user-level information, system-level information, and
documentation consistent with the defined frequency in the
ency plan; and
nfidentiality of backup information at storage locations pursuant to
ments.

Control Guidance

[Critical Control #8] The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it.

[IRS Publication 1075] The agency must provide for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.



Associated Requirement Sections

NIST 800-53 Rev.4 - CP-9 (1)


Critical Control 8: Data Recovery Capability

NIST 800-53 Rev.4 - CP-10 (2)


Critical Control 8: Data Recovery Capability



Security Control (Req.#; Control Family; Control Name; 800-53 Control #; NIST Low and MODERATE [Control and Control Enhancement]; Security Program Area (Function Area -> Functional Sub-Area))

Req.#: R0062
Control Family: IDENTIFICATION AND AUTHENTICATION
Control Name: IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
800-53 Control #: IA-1
NIST Low [Control and Control Enhancement]: Required
MODERATE [Control and Control Enhancement]: Required
Security Program Area: Protect -> Identification & Authentication



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls
Vendor's Response: Please address all the controls and control enhancements, then describe if the controls are Implemented, Partially Implemented or Not Implemented.

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination
among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication
controls; and
b. Reviews and updates the current:
1. Identification and authentication policy [Assignment: organization-defined frequency]; and
2. Identification and authentication procedures [Assignment: organization-defined frequency].



Vendor Non-Compliance Risk Statement
(If you can't meet this control at all please explain why. Please see Risk Statement for examples of Non-Compliance language, Column O.)

General Assessment Questions (IA-1):
Does the institution or the department have documented policies, standards and procedures that address:
i) process and requirements for user and system identification (e.g., use of unique identifiers, validating user identity prior to providing system credentials, etc.), and
ii) minimum level of authentication requirements (e.g. password composition, encryption, certificates, etc.) for users and systems?

Detailed Control Testing Procedure(s) (IA-1):
Obtain identification and authentication policy and procedures; other relevant documents or records and ascertain if:
(i) the organization develops and documents identification and authentication policy and procedures.
(ii) the organization disseminates identification and authentication policy and procedures to appropriate elements within the organization.
(iii) responsible parties within the organization periodically review identification and authentication policy and procedures.
(iv) the organization updates identification and authentication policy and procedures when organizational review indicates updates are required.
(v) the identification and authentication policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
(vi) the identification and authentication policy is consistent with the organization's mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance.
(vii) the identification and authentication procedures address all areas identified in the identification and authentication policy and address achieving policy-compliant implementations of all associated identification and authentication controls.



Risk Statement Examples (with SOA Policy Number and SOA SubSection):

The lack of adequate policies and procedures to control access to information resources may expose the information to unauthorized access.
SOA Policy Number 1: 8120, SOA SubSection 1: 6.2; SOA Policy Number 2: 8340, SOA SubSection 2: 6.1 - 6.7



COBIT Reference (Control Objective) | Arizona Breach Notification: A.R.S. § 44-7500 | Arizona Computer Tampering: A.R.S. § 13-2316

[CobiT v5 - High Level Control Objective APO13; DS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and monitoring, detecting, and reporting security vulnerabilities and incidents.



Consolidated Control Activities
(See Column AE through AO)

Control Guidance

[IRS Publication 1075] The agency must:


ment, and disseminate to designated agency officials:
on and authentication policy that addresses purpose, scope,
ities, management commitment, coordination among
and compliance; and
facilitate the implementation of the identification and
olicy and associated identification and authentication

date the current:


and authentication policy every three years; and
and authentication procedures at least annually.



Associated Requirement Sections

NIST 800-53 Rev.4 - IA-1



Security Control (Req.#; Control Family; Control Name; 800-53 Control #; NIST Low and MODERATE [Control and Control Enhancement]; Security Program Area (Function Area -> Functional Sub-Area))

Req.#: R0063
Control Family: IDENTIFICATION AND AUTHENTICATION
Control Name: IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
800-53 Control #: IA-2
NIST Low [Control and Control Enhancement]: Required (1,12)
MODERATE [Control and Control Enhancement]: Required (1,2,3,5,8,11,12)
Security Program Area: Protect -> Identification & Authentication



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls
Vendor's Response: Please address all the controls and control enhancements, then describe if the controls are Implemented, Partially Implemented or Not Implemented.

The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

Control Enhancement:
(1) IDENTIFICATION AND AUTHENTICATION | NETWORK ACCESS TO PRIVILEGED ACCOUNTS
The information system implements multifactor authentication for network access to privileged accounts.
(2) IDENTIFICATION AND AUTHENTICATION | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS
The information system implements multifactor authentication for network access to non-privileged accounts.
(3) IDENTIFICATION AND AUTHENTICATION | LOCAL ACCESS TO PRIVILEGED ACCOUNTS
The information system implements multifactor authentication for local access to privileged accounts.
(5) IDENTIFICATION AND AUTHENTICATION | GROUP AUTHENTICATION
The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed.
(8) IDENTIFICATION AND AUTHENTICATION | NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT
The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.
(11) IDENTIFICATION AND AUTHENTICATION | REMOTE ACCESS - SEPARATE DEVICE
The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the
factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of
mechanism requirements].
(12) IDENTIFICATION AND AUTHENTICATION | ACCEPTANCE OF PIV CREDENTIALS
The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials.



Vendor Non-Compliance Risk Statement
(If you can't meet this control at all please explain why. Please see Risk Statement for examples of Non-Compliance language, Column O.)

General Assessment Questions (IA-2):
1) Is the information system configured to uniquely identify and authenticate information system users (or processes acting on behalf of users - e.g., service and system accounts)?
2) Are strong authentication controls (e.g., two-factor authentication and proper encryption of credentials) in place for administrative access to information system(s)?

Detailed Control Testing Procedure(s) (IA-2):
Obtain identification and authentication policy; NIST Special Publication 800-63; procedures addressing user identification and authentication; information system design documentation; e-authentication risk assessment results; information system configuration settings and associated documentation; information system audit records; security plan; other relevant documents or records and ascertain if:
(i) the information system uniquely identifies and authenticates users (or processes acting on behalf of users).
(ii) the information system employs multifactor authentication for remote system access that is NIST Special Publication 800-63 compliant in accordance with the organizational selection of level 3, level 3 using a hardware authentication device, or level 4.
(iii) the organization defines in the security plan, explicitly or by reference, the NIST Special Publication 800-63 authentication levels for the information system.



Risk Statement Examples (with SOA Policy Number and SOA SubSection):

Failure to assign unique user identification and relevant authentication mechanisms to confirm the claimed identity of a user may result in potential fraud and/or falsification of user identities.
SOA Policy Number 1: 8340, SOA SubSection 1: 6.1



COBIT Reference (Control Objective) | Arizona Breach Notification: A.R.S. § 44-7500 | Arizona Computer Tampering: A.R.S. § 13-2316

[CobiT v5 - High Level Control Objective APO13; DS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and monitoring, detecting, and reporting security vulnerabilities and incidents.



Consolidated Control Activities
(See Column AE through AO)

Control Guidance

[Critical Control #10] The processes and tools used to track/control/prevent/correct security weaknesses in the configurations in network devices such as firewalls, routers, and switches based on formal configuration management and change control processes.

[Critical Control #13] The processes and tools used to detect/prevent/correct the flow of information transferring networks of different trust levels with a focus on security-damaging data.

[CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy] 5.6.1 Identification Policy and Procedures
is authorized to store, process, and/or transmit CJI shall be uniquely identified. A unique identification shall also be required for all persons who administer and maintain the system(s) that access CJI or networks leveraged for CJI transit. The unique identification can take the form of
erial number, or other unique alphanumeric identifier. Agencies shall require users to identify themselves uniquely before the user is allowed to perform any actions on the system. Agencies shall ensure that all user IDs belong to currently authorized users. Identification data shall be
s and disabling and/or deleting former users.
iginating Agency Identifiers in Transactions and Information Exchanges
d originating agency identifier (ORI) shall be used in each transaction on CJIS systems in order to identify the sending agency and to ensure the proper level of access for each transaction. The original identifier between the requesting agency and the CSA/SIB/Channeler shall be the OR
s, such as user identification or personal identifier, an access device mnemonic, or the Internet Protocol (IP) address.
as a servicing agency and perform transactions on behalf of authorized agencies requesting the service. Servicing agencies performing inquiry transactions on behalf of another agency may do so using the requesting agency’s ORI. Servicing agencies may also use their own ORI to per
ehalf of a requesting agency if the means and procedures are in place to provide an audit trail for the current specified retention period. Because the agency performing the transaction may not necessarily be the same as the agency requesting the transaction, the CSA/SIB/Channeler
each transaction can be traced, via audit trail, to the specific agency which is requesting the transaction.
e used to identify the requesting agency if there is a reason to inquire into the details surrounding why an agency ran an inquiry on a subject. Agencies assigned a P (limited access) ORI shall not use the full access ORI of another agency to conduct an inquiry transaction.

[IRS Publication 1075] The information system must:
tify and authenticate agency users (or processes acting on
users).
lti-factor authentication for all remote network access to
n-privileged accounts for information systems that
store, or transmit FTI. (CE1, CE2)
lti-factor authentication for remote access to privileged and
counts such that one of the factors is provided by a
rom the system gaining access. NIST SP 800-63 allows
re tokens. (CE11)



Associated Requirement Sections

NIST 800-53 Rev.4 - IA-2 (1) (2) (3) (8) (11) (12)
Critical Control 10: Secure Configurations for Network Devices
such as Firewalls, Routers, and Switches.
Critical Control 13: Boundary Defense.
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services
(CJIS) Security Policy



Security Control (Req.#; Control Family; Control Name; 800-53 Control #; NIST Low and MODERATE [Control and Control Enhancement]; Security Program Area (Function Area -> Functional Sub-Area))

Req.#: R0064
Control Family: IDENTIFICATION AND AUTHENTICATION
Control Name: DEVICE IDENTIFICATION AND AUTHENTICATION
800-53 Control #: IA-3
MODERATE [Control and Control Enhancement]: Required
Security Program Area: Protect -> Identification & Authentication

Req.#: R0065
Control Family: IDENTIFICATION AND AUTHENTICATION
Control Name: IDENTIFIER MANAGEMENT
800-53 Control #: IA-4
NIST Low [Control and Control Enhancement]: Required
MODERATE [Control and Control Enhancement]: Required (4)
Security Program Area: Protect -> Identification & Authentication



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls
Vendor's Response: Please address all the controls and control enhancements, then describe if the controls are Implemented, Partially Implemented or Not Implemented.

The information system uniquely identifies and authenticates [Assignment: organization-defined specific and/or types of devices] before
establishing a [Selection (one or more): local; remote; network] connection.

The organization manages information system identifiers by:


a. Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, or device identifier;
b. Selecting an identifier that identifies an individual, group, role, or device;
c. Assigning the identifier to the intended individual, group, role, or device;
d. Preventing reuse of identifiers for [Assignment: organization-defined time period]; and
e. Disabling the identifier after [Assignment: organization-defined time period of inactivity].

Control Enhancements:

(4) IDENTIFIER MANAGEMENT | IDENTIFY USER STATUS


The organization manages individual identifiers by uniquely identifying each individual as
[Assignment: organization-defined characteristic identifying individual status].



Overall Control(s) Implementation Status (Reference on Comments Page) | Where does the Control(s) originate from? | Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.) | Vendor's Compensating Controls (if Control or Control Enhancement can't be met - what is the alternative security controls or remediation plan employed by organization)

Implementation Status options (one set each for IA-3 and IA-4): Implemented; Partially Implemented; Planned; Alternative Implementation; Not Applicable
Control origination options (one set each for IA-3 and IA-4): Service Provider Corporate; Service Provider System Specific; Service Provider Hybrid (Corporate and System Specific); Configured by Customer (Customer System Specific); Provided by Customer (Customer System Specific); Shared (Service Provider and Customer Responsibility); Controls inherited by IaaS



Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why; see Risk Statement Examples, Column O, for examples of non-compliance language) | General Assessment Questions | Detailed Control Testing Procedure(s)

General Assessment Question (IA-3): Does the institution or department require device authentication before establishing a connection to any production network segments? [Note: Examples include NAC, Certificates (PKI), etc.]

Detailed Control Testing Procedure (IA-3): Obtain identification and authentication policy; procedures addressing device identification and authentication; information system design documentation; device connection reports; information system configuration settings and associated documentation; other relevant documents or records and ascertain if:
(i) the organization defines the devices for which identification and authentication is required before establishing connections to the information system.
(ii) the information system uniquely identifies and authenticates the devices defined by the organization before establishing connections to the information system.

General Assessment Question (IA-4): Does the institution or department manage information system identifiers for users and devices by receiving authorization from a designated official to assign a unique user identifier (user-id), preventing reuse of user-ids, and disabling user-ids to information resources and data under their authority?

Detailed Control Testing Procedure (IA-4): Obtain identification and authentication policy; procedures addressing identifier management; security plan; information system design documentation; information system configuration settings and associated documentation; list of information system accounts; other relevant documents or records and ascertain if:
(i) the organization manages user identifiers by uniquely identifying each user.
(ii) the organization manages user identifiers by verifying the identity of each user.
(iii) the organization manages user identifiers by receiving authorization to issue a user identifier from an appropriate organization official.
(iv) the organization manages user identifiers by issuing the identifier to the intended party.
(v) the organization defines in the security plan, explicitly or by reference, the time period of inactivity after which a user identifier is to be disabled.



Risk Statement Examples | SOA Policy Number 1 | SOA SubSection 1 | SOA Policy Number 2 | SOA SubSection 2 | SOA Policy Number 3 | SOA SubSection 3 | SOA Policy Number 4 | SOA SubSection 4
IA-3: Unidentified equipment is allowed to gain access to the network. | 8340 | 6.2
IA-4: Unauthorized users are able to gain access to information systems by claiming to be an authorized user. | 8340 | 6.3



COBIT Reference (Control Objective) | Arizona Breach Notification A.R.S. § 44-7500 | Arizona Computer Tampering A.R.S. § 13-2316
IA-3: [CobiT v5 - High Level Control Objective AP013; DS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and monitoring, detecting, reporting security vulnerabilities and incidents.
IA-4: [CobiT v5 - High Level Control Objective AP013; DSS02, DSS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and monitoring, detecting, reporting security vulnerabilities and incidents.
Arizona Computer Tampering: A.R.S. 13-2316 (A)



Consolidated Control Activities
(See Column AE through AO)

ntrol Guidance

8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] Access controls shall be in place and operational for all IT systems to: Ensure that only authorized personnel can add, change, or remove component devices, dial-up connections, and remove or alter programs.

1075]
system must uniquely identify and authenticate devices before
nnection.

and Abuse Act of 1986 (US) 18 USC 1034. All users are assigned a unique identifier (user ID) for their personal use only, and a suitable authentication technique is chosen to substantiate the claimed identity of a user.
PCI covered data, in addition to unique identifier, users are authenticated using password or passphrase, two factor authentication, token devices, biometrics or public keys. Authenticate all access to any database containing cardholder data. This includes access by applications, ad
rs.

implements procedures to assign a unique name and/or number for identifying and tracking user identity.

8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] 5.6.3.1 Identifier Management
ge user identifiers, agencies shall:
tify each user.
tity of each user.
rization to issue a user identifier from an appropriate agency official.
identifier to the intended party.
er identifier after a specified period of inactivity.
entifiers.

1075] The agency must manage information system identifiers by:


orization from designated agency officials to assign an individual, group, role, or device identifier;
entifier that identifies an individual, group, role, or device;
dentifier to the intended individual, group, role, or device;
se of identifiers; and
dentifier after 120 days.



Associated Requirement Sections

NIST 800-53 Rev.4 - IA-3
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy
Computer Fraud and Abuse Act of 1986 (US) 18 USC 1034 - Section 1030. a) 4
PCI DSS v2.0 - Sec 8.1
PCI DSS v2.0 - Sec 8.2
PCI DSS v2.0 - Sec 8.5.16
HIPAA Security Section - 45 CFR 164.312(a)(2)(i)
HIPAA Security Section - 45 CFR 164.312(d)
NIST 800-53 Rev.4 - IA-4
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy



Req.# | Security Control Family | Control Name | NIST 800-53 Control # | Low Security Program [Control and Control Enhancement] | MODERATE Security Program [Control and Control Enhancement] | Area (Function Area -> Functional Sub-Area)
R0066 | IDENTIFICATION AND AUTHENTICATION | AUTHENTICATOR MANAGEMENT | IA-5 | Required (1,11) | Required (1,2,3,4,6,7,11) | Protect -> Identification & Authentication



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls
Vendor's Response (Please address all the controls and control enhancements, then describe if the controls are Implemented, Partially Implemented or Not Implemented)

The organization manages information system authenticators by:


a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged
authenticators, and for revoking authenticators;
e. Changing default content of authenticators prior to information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification;
i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
j. Changing authenticators for group/role accounts when membership to those accounts changes.

Control Enhancement:
(1) AUTHENTICATOR MANAGEMENT | PASSWORD-BASED AUTHENTICATION
The information system, for password-based authentication:
(a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix
of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
(b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined
number];
(c) Stores and transmits only encrypted representations of passwords;
(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum,
lifetime maximum];
(e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
(f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.
(2) AUTHENTICATOR MANAGEMENT | PKI-BASED AUTHENTICATION
The information system, for PKI-based authentication:
(a) Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status
information;
(b) Enforces authorized access to the corresponding private key;
(c) Maps the authenticated identity to the account of the individual or group; and
(d) Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via
the network.
(3) AUTHENTICATOR MANAGEMENT | IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION
The organization requires that the registration process to receive [Assignment: organization-defined types of and/or specific authenticators] be
conducted [Selection: in person; by a trusted third party] before [Assignment: organization-defined registration authority] with authorization by
[Assignment: organization-defined personnel or roles].
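The six IA-5(1) items (a) through (f) above, as an added example that is not part of the crosswalk or of any vendor's response: a small Python enforcement model for the password-change and logon path. The policy values (14 characters, 4 changed characters, 1-day and 90-day lifetimes, 24 generations) are constructed placeholders standing in for the organization-defined assignments, and an integer day counter stands in for the clock.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PasswordPolicy:
    """Organization-defined assignments for IA-5(1); every value is a placeholder."""
    min_length: int = 14          # (a) complexity: minimum number of characters
    min_upper: int = 1            # (a) minimum upper-case letters
    min_lower: int = 1            # (a) minimum lower-case letters
    min_digits: int = 1           # (a) minimum numbers
    min_special: int = 1          # (a) minimum special characters
    min_changed_chars: int = 4    # (b) characters that must change on a new password
    min_lifetime_days: int = 1    # (d) lifetime minimum before another change is allowed
    max_lifetime_days: int = 90   # (d) lifetime maximum before a change is forced
    reuse_generations: int = 24   # (e) generations for which reuse is prohibited


def _digest(password: str, salt: bytes) -> bytes:
    # (c) only this salted PBKDF2 representation is stored or compared, never the password
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


@dataclass
class StoredCredential:
    salt: bytes
    digest: bytes
    set_on_day: int                 # day number on which the current password was set
    temporary: bool = False         # (f) temporary password: change required at next logon
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # prior (salt, digest)


def complexity_violations(policy: PasswordPolicy, password: str) -> list[str]:
    """(a) Return every complexity rule the candidate fails (empty list = compliant)."""
    checks = [
        ("length", len(password), policy.min_length),
        ("upper-case", sum(c in string.ascii_uppercase for c in password), policy.min_upper),
        ("lower-case", sum(c in string.ascii_lowercase for c in password), policy.min_lower),
        ("digit", sum(c in string.digits for c in password), policy.min_digits),
        ("special", sum(c in string.punctuation for c in password), policy.min_special),
    ]
    return [f"{name}: {have} < {need}" for name, have, need in checks if have < need]


def changed_char_count(old: str, new: str) -> int:
    """(b) Positions that differ when aligned from the start, plus any length difference."""
    common = min(len(old), len(new))
    return sum(a != b for a, b in zip(old[:common], new[:common])) + abs(len(old) - len(new))


def previously_used(policy: PasswordPolicy, cred: StoredCredential, candidate: str) -> bool:
    """(e) True if the candidate equals the current password or one of the N-1 before it."""
    generations = [(cred.salt, cred.digest)] + cred.history[: policy.reuse_generations - 1]
    return any(hmac.compare_digest(_digest(candidate, salt), digest) for salt, digest in generations)


def issue_temporary(password: str, today: int) -> StoredCredential:
    """(f) Help-desk style issuance: the first logon must replace this password."""
    salt = os.urandom(16)
    return StoredCredential(salt=salt, digest=_digest(password, salt), set_on_day=today, temporary=True)


def logon_requires_change(policy: PasswordPolicy, cred: StoredCredential, today: int) -> bool:
    """(d)/(f) A temporary or expired password may authenticate once, then must be replaced."""
    return cred.temporary or today - cred.set_on_day >= policy.max_lifetime_days


def change_violations(policy: PasswordPolicy, cred: StoredCredential,
                      old: str, new: str, today: int) -> list[str]:
    """Every reason a password change must be rejected; an empty list means it may proceed."""
    problems: list[str] = []
    if not hmac.compare_digest(_digest(old, cred.salt), cred.digest):
        return ["current password does not verify"]
    if not cred.temporary and today - cred.set_on_day < policy.min_lifetime_days:
        problems.append("minimum lifetime not reached")                      # (d)
    problems += complexity_violations(policy, new)                           # (a)
    changed = changed_char_count(old, new)
    if changed < policy.min_changed_chars:
        problems.append(f"only {changed} characters changed")                # (b)
    if previously_used(policy, cred, new):
        problems.append("password reused within prohibited generations")     # (e)
    return problems


def apply_change(policy: PasswordPolicy, cred: StoredCredential, new: str, today: int) -> StoredCredential:
    """Rotate the credential; the old digest moves into the bounded reuse history."""
    salt = os.urandom(16)
    history = [(cred.salt, cred.digest)] + cred.history
    return StoredCredential(salt=salt, digest=_digest(new, salt), set_on_day=today,
                            temporary=False, history=history[: policy.reuse_generations - 1])
```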



Overall Control(s) Implementation Status (Reference on Comments Page) | Where does the Control(s) originate from? | Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.) | Vendor's Compensating Controls (if Control or Control Enhancement can't be met - what is the alternative security controls or remediation plan employed by organization)

Implementation Status options: Implemented; Partially Implemented; Planned; Alternative Implementation; Not Applicable
Control origination options: Service Provider Corporate; Service Provider System Specific; Service Provider Hybrid (Corporate and System Specific); Configured by Customer (Customer System Specific); Provided by Customer (Customer System Specific); Shared (Service Provider and Customer Responsibility); Controls inherited by IaaS



Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why; see Risk Statement Examples, Column O, for examples of non-compliance language) | General Assessment Questions | Detailed Control Testing Procedure(s)

General Assessment Questions (IA-5):
1) Has the institution or department established, documented, and implemented administrative procedures to manage information system authenticators such as passwords, key fobs, certificates, etc., for users and information systems, and ensure user identity when issuing or resetting them? [e.g., establishing and implementing administrative procedures for initial authenticator distribution; changing default content of authenticators upon information system installation, etc., as per institution requirement].
2) Are information system authenticators configured in a manner to reduce risk of "bad actors" from guessing passwords, brute forcing, and/or replaying authenticated sessions? [e.g., if passwords are used, are passwords configured with a reasonable minimum password length with complexity requirements, periodic expiration, encrypted, etc.]

Detailed Control Testing Procedure (IA-5): Obtain identification and authentication policy; password policy; list of authenticators that require in-person registration; authenticator registration documentation; security plan; procedures addressing authenticator management; information system design documentation; information system configuration settings and associated documentation; list of information system accounts; other relevant documents or records and ascertain if:
(i) the organization manages information system authenticators by defining initial authenticator content.
(ii) the organization manages information system authenticators by establishing administrative procedures for initial authenticator distribution, for lost/compromised, or damaged authenticators, and for revoking authenticators.
(iii) the organization manages information system authenticators by changing default authenticators upon information system installation.
(iv) the organization manages information system authenticators by changing/refreshing authenticators periodically.
(v) the organization defines the minimum password complexity requirements to be enforced for case sensitivity, the number of characters, and the mix of upper-case letters, lower-case letters, numbers, and special characters including minimum requirements for each type;
(vi) the organization defines the minimum number of characters that must be changed when new passwords are created;
(vii) the organization defines the restrictions to be enforced for password minimum lifetime and password maximum lifetime parameters;
(viii) the organization defines the number of generations for which password reuse is prohibited; and
(ix) the information system, for password-based authentication:
- enforces the minimum password complexity standards that meet the organization-defined requirements;
- enforces the organization-defined minimum number of characters that must be changed when new passwords are created;
- encrypts passwords in storage and in transmission;
- enforces the organization-defined restrictions for password minimum lifetime and password maximum lifetime parameters;
- prohibits password reuse for the organization-defined number of generations.



Risk Statement Examples | SOA Policy Number 1 | SOA SubSection 1 | SOA Policy Number 2 | SOA SubSection 2 | SOA Policy Number 3 | SOA SubSection 3 | SOA Policy Number 4 | SOA SubSection 4
IA-5: Unauthorized users gain access through user accounts based on a password that was disclosed during communication to the authorized users. | 8340 | 6.4



COBIT Reference (Control Objective) | Arizona Breach Notification A.R.S. § 44-7500 | Arizona Computer Tampering A.R.S. § 13-2316
IA-5: [CobiT v5 - High Level Control Objective AP013; DSS02, DSS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and monitoring, detecting, reporting security vulnerabilities and incidents.



Consolidated Control Activities
(See Column AE through AO)

AA Security] A formal management process for allocation of passwords and other means of validating a user's identity to access an information system or service must be established. A user's identity must be validated when performing password resets. First-time passwords are set to
d changed immediately after the first use.

ntrol #10] The processes and tools used to track/control/prevent/correct security weaknesses in the configurations in network devices such as firewalls, routers, and switches based on formal configuration management and change control processes.

8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] 5.6.3.2 Authenticator Management
ge information system authenticators, agencies shall:
uthenticator content.
nistrative procedures for initial authenticator distribution, for lost/compromised, or damaged authenticators, and for revoking authenticators.
t authenticators upon information system installation.
h authenticators periodically.
em authenticators include, for example, tokens, user-based PKI certificates, biometrics, passwords, and key cards. Users shall take reasonable measures to safeguard authenticators including maintaining possession of their individual authenticators, not loaning or sharing authenticato
reporting lost or compromised authenticators.

1075] 9.3.7.5 Authenticator Management (IA-5) The agency must manage information system authenticators by:
art of the initial authenticator distribution, the identity of the
, role, or device receiving the authenticator;
tial authenticator content for authenticators defined by the agency;
uthenticators have sufficient strength of mechanism for their

nd implementing administrative procedures for initial authenticator


ost/compromised or damaged authenticators, and for revoking

ult content of authenticators prior to information system

nimum and maximum lifetime restrictions and reuse conditions for

eshing authenticators;
henticator content from unauthorized disclosure and modification;
duals to take, and having devices implement, specific security
otect authenticators; and
enticators for group/role accounts when membership to those
s.
system must, for password-based authentication:
um password complexity of:
rs;
umeric and at least one special character;



Associated Requirement Sections

HIPAA Security Section - 45 CFR 164.308(a)(5)(ii)(D)
PCI DSS v2.0 - Sec 8.5.2
PCI DSS v2.0 - Sec 8.5.3
NIST 800-53 Rev.4 - IA-5 (1) (2) (3) (11)
Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy



Req.# | Security Control Family | Control Name | NIST 800-53 Control # | Low Security Program [Control and Control Enhancement] | MODERATE Security Program [Control and Control Enhancement] | Area (Function Area -> Functional Sub-Area)
R0067 | IDENTIFICATION AND AUTHENTICATION | AUTHENTICATOR FEEDBACK | IA-6 | Required | Required | Protect -> Identification & Authentication
R0068 | IDENTIFICATION AND AUTHENTICATION | CRYPTOGRAPHIC MODULE AUTHENTICATION | IA-7 | Required | Required | Information Security Operations -> Advanced Authentication; Identify -> Security Compliance and Regulatory Requirements Management



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls
Vendor's Response (Please address all the controls and control enhancements, then describe if the controls are Implemented, Partially Implemented or Not Implemented)

The information system obscures feedback of authentication information during the authentication process to protect the information from
possible exploitation/use by unauthorized individuals.

The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal
laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.



Overall Control(s) Implementation Status (Reference on Comments Page) | Where does the Control(s) originate from? | Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.) | Vendor's Compensating Controls (if Control or Control Enhancement can't be met - what is the alternative security controls or remediation plan employed by organization)

Implementation Status options (one set each for IA-6 and IA-7): Implemented; Partially Implemented; Planned; Alternative Implementation; Not Applicable
Control origination options (one set each for IA-6 and IA-7): Service Provider Corporate; Service Provider System Specific; Service Provider Hybrid (Corporate and System Specific); Configured by Customer (Customer System Specific); Provided by Customer (Customer System Specific); Shared (Service Provider and Customer Responsibility); Controls inherited by IaaS



Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why; see Risk Statement Examples, Column O, for examples of non-compliance language) | General Assessment Questions | Detailed Control Testing Procedure(s)

General Assessment Question (IA-6): Are information system authentication mechanism(s) configured in a manner to reduce the risk of malicious users intercepting authentication information (e.g., passwords), brute forcing, and/or replaying authenticated sessions?

Detailed Control Testing Procedure (IA-6): Obtain identification and authentication policy; procedures addressing authenticator feedback; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records and ascertain if the information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

General Assessment Question (IA-7): Has the institution or department defined, documented, and implemented mechanisms and processes to protect encryption keys [i.e., cryptographic modules employed]?

Detailed Control Testing Procedure (IA-7): Obtain identification and authentication policy; FIPS 140-2 (as amended); procedures addressing cryptographic module authentication; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records and ascertain if the information system employs authentication methods that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module (for non-national security systems, the cryptographic requirements are defined by FIPS 140-2, as amended).



Risk Statement Examples | SOA Policy Number 1 | SOA SubSection 1 | SOA Policy Number 2 | SOA SubSection 2 | SOA Policy Number 3 | SOA SubSection 3 | SOA Policy Number 4 | SOA SubSection 4
IA-6: Lack of controls to obscure feedback of authentication information may expose the authentication information to possible exploitation. | 8340 | 6.5
IA-7: Laws and regulations are inadvertently violated due to illegal use of cryptographic controls. | 8340 | 6.6



COBIT Reference (Control Objective) | Arizona Breach Notification A.R.S. § 44-7500 | Arizona Computer Tampering A.R.S. § 13-2316
IA-6: [CobiT v5 - High Level Control Objective AP013; DS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and monitoring, detecting, reporting security vulnerabilities and incidents.
IA-7: [CobiT v5 - High Level Control Objective MEA03] Controls have been defined to ensure regulatory compliance by identifying all applicable laws and regulations and the corresponding level of IT compliance and optimizing IT processes to reduce the risk of non-compliance.



Consolidated Control Activities
(See Column AE through AO)

ntrol Guidance

1075] The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

ntrol Guidance

8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] Encryption. Encrypted information can only be decrypted, and therefore read, by those possessing the appropriate cryptographic key. While encryption can provide strong access control, it is accompanied by the ne
. If encryption of stored information is employed as an access enforcement mechanism, the cryptography used is Federal Information Processing Standards (FIPS) 140-2 (as amended) compliant (see section 5.10.1.2 for encryption requirements).
. In addition to controlling access at the information system level, access enforcement mechanisms are employed at the application level to provide increased information security for the agency.

1075] The information system must implement mechanisms for authentication to a cryptographic module that meets the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. Validation provides as
plements cryptography to protect FTI, the encryption functions have been examined in detail and will operate as intended. All electronic transmissions of FTI must be encrypted using FIPS 140-2 validated cryptographic modules. A product does not meet the FIPS 140-2 requirements b
approved security function. Only modules tested and validated to FIPS 140-2 meet the applicability requirements for cryptographic modules to protect sensitive information. NIST maintains a list of validated cryptographic modules on its website http://csrc.nist.gov/.



Associated Requirement Sections

NIST 800-53 Rev.4 - IA-6
NIST 800-53 Rev.4 - IA-7
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy



Req.# | Security Control Family | Control Name | NIST 800-53 Control # | Low Security Program [Control and Control Enhancement] | MODERATE Security Program [Control and Control Enhancement] | Area (Function Area -> Functional Sub-Area)
R0069 | IDENTIFICATION AND AUTHENTICATION | IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | IA-8 | Required (1,2,3,4) | Required (1,2,3,4) | Protect -> Identification & Authentication



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls
Vendor's Response (Please address all the controls and control enhancements, then describe if the controls are Implemented, Partially Implemented or Not Implemented)

The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational
users).

Control Enhancement:
(1) IDENTIFICATION AND AUTHENTICATION | ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES
The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies.
(2) IDENTIFICATION AND AUTHENTICATION | ACCEPTANCE OF THIRD-PARTY CREDENTIALS
The information system accepts only FICAM-approved third-party credentials.
(3) IDENTIFICATION AND AUTHENTICATION | USE OF FICAM-APPROVED PRODUCTS
The organization employs only FICAM-approved information system components in [Assignment: organization-defined information systems] to
accept third-party credentials.
(4) IDENTIFICATION AND AUTHENTICATION | USE OF FICAM-ISSUED PROFILES
The information system conforms to FICAM-issued profiles.



Overall Control(s) Implementation Status (Reference on Comments Page) | Where does the Control(s) originate from? | Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.) | Vendor's Compensating Controls (if Control or Control Enhancement can't be met - what is the alternative security controls or remediation plan employed by organization)

Implementation Status options: Implemented; Partially Implemented; Planned; Alternative Implementation; Not Applicable
Control origination options: Service Provider Corporate; Service Provider System Specific; Service Provider Hybrid (Corporate and System Specific); Configured by Customer (Customer System Specific); Provided by Customer (Customer System Specific); Shared (Service Provider and Customer Responsibility); Controls inherited by IaaS



Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why; see Risk Statement Examples, Column O, for examples of non-compliance language) | General Assessment Questions | Detailed Control Testing Procedure(s)

General Assessment Question (IA-8): Does the institution's or department's access management procedures include procedures for establishing conditions under which remote or wireless access to institutional information resources is permitted, and requirements for securing and encrypting connections (e.g., Virtual Private Network VPN) from the Internet and open segments of the institution network (e.g., use of VPN for access, SFTP for data transfers, encrypted wireless, etc.)?

Detailed Control Testing Procedure (IA-8): Obtain identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; information system audit records; list of information system accounts; other relevant documents or records and ascertain if:
(i) the information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).



Risk Statement Examples | SOA Policy Number 1 | SOA SubSection 1 | SOA Policy Number 2 | SOA SubSection 2 | SOA Policy Number 3 | SOA SubSection 3 | SOA Policy Number 4 | SOA SubSection 4
IA-8: Unauthenticated and/or unauthorized users access networks by exploiting vulnerabilities in external connections. | 8340 | 6.7



Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316

COBIT Reference (Control Objective): [CobiT v5 - High Level Control Objective AP013; DSS02, DSS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and monitoring, detecting, reporting security vulnerabilities and incidents.



Consolidated Control Activities
(See Column AE through AO)

r systems subject to PCI requirements, use technologies such as remote authentication and dial-in service (RADIUS); terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates. Remote user accounts used for
activated during the time period needed.

implements procedures to determine that the access of a workforce member to access electronic protected health information is appropriate.

ntrol #10] The processes and tools used to track/control/prevent/correct security weaknesses in the configurations in network devices such as firewalls, routers, and switches based on formal configuration management and change control processes.

ntrol #13] The processes and tools used to detect/prevent/correct the flow of information transferring networks of different trust levels with a focus on security-damaging data

8140-5.1 Criminal Justice Information Services (CJIS) Security Policy]


is authorized to store, process, and/or transmit CJI shall be uniquely identified. A unique identification shall also be required for all persons who administer and maintain the system(s) that access CJI or networks leveraged for CJI transit. The unique identification can take the form of
erial number, or other unique alphanumeric identifier. Agencies shall require users to identify themselves uniquely before the user is allowed to perform any actions on the system. Agencies shall ensure that all user IDs belong to currently authorized users. Identification data shall be
s and disabling and/or deleting former users.
efers to mechanisms or processes that verify users are valid once they are uniquely identified. The CSA/SIB may develop an authentication strategy which centralizes oversight but decentralizes the establishment and daily administration of the security measures for access to CJI.
identity shall be authenticated at either the local agency, CSA, SIB or Channeler level. The authentication strategy shall be part of the agency’s audit for policy compliance. The FBI CJIS Division shall identify and authenticate all individuals who establish
d interactive sessions with FBI CJIS Services. The FBI CJIS Division shall authenticate the ORI of all message-based sessions between the FBI CJIS Division and its customer agencies but will not further authenticate the user nor capture the unique identifier for the originating operator be
med at the local agency, CSA, SIB or Channeler level.

1075] The information system must uniquely identify and authenticate non-agency users (or
on behalf of non-agency users).



Associated Requirement Sections
PCI DSS v2.0 - Sec 8.3
PCI DSS v2.0 - Sec 8.5.6
HIPAA Security Section - 45 CFR 164.312(d)
NIST 800-53 Rev.4 - IA-8 (1) (2) (3) (4)
Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches.
Critical Control 13: Boundary Defense.
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy



Req.# | Security Control Family | Control Name | NIST 800-53 Control # | NIST Low [Control and Control Enhancement] | MODERATE [Control and Control Enhancement] | Security Program Area (Function Area -> Functional Sub-Area)

Req.# R0070
Security Control Family: INCIDENT RESPONSE
Control Name: INCIDENT RESPONSE POLICY AND PROCEDURES
NIST 800-53 Control #: IR-1
NIST Low [Control and Control Enhancement]: Required
MODERATE [Control and Control Enhancement]: Required
Security Program Area (Function Area -> Functional Sub-Area): Respond -> Cyber-Security Incident Response

Req.# R0071
Security Control Family: INCIDENT RESPONSE
Control Name: INCIDENT RESPONSE TRAINING
NIST 800-53 Control #: IR-2
NIST Low [Control and Control Enhancement]: Required
MODERATE [Control and Control Enhancement]: Required
Security Program Area (Function Area -> Functional Sub-Area): Protect -> Security Awareness and Training; Respond -> Cyber-Security Incident Response



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls
Vendor's Response (Please address all the controls and control enhancements, then describe if the controls are Implemented, Partially Implemented or Not Implemented)

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among
organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and
b. Reviews and updates the current:
1. Incident response policy [Assignment: organization-defined frequency]; and
2. Incident response procedures [Assignment: organization-defined frequency].

The organization provides incident response training to information system users consistent with assigned roles and responsibilities:
a. Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter.



Overall Control(s) Implementation Status (Reference on Comments Page)
Where does the Control(s) originate from?
Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.)
Vendor's Compensating Controls (if Control or Control enhancement Can't Be Met - What is the alternative security controls or remediation plan employed by organization)

Overall Control(s) Implementation Status options (one selection per control row): Implemented; Partially Implemented; Planned; Alternative Implementation; Not Applicable
Control origination options (one selection per control row): Service Provider Corporate; Service Provider System Specific; Service Provider Hybrid (Corporate and System Specific); Configured by Customer (Customer System Specific); Provided by Customer (Customer System Specific); Shared (Service Provider and Customer Responsibility); Controls inherited by IaaS



Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why) (Please See Risk Statement for examples of Non-Compliance language Column O)

General Assessment Question (IR-1): Does the institution or department have documented policies and procedures and trained personnel to identify, prioritize, report, and resolve information security incidents as required by federal and state rules?
Detailed Control Testing Procedure(s): Obtain incident response policy and procedures; other relevant documents or records and ascertain if:
(i) the organization develops and documents incident response policy and procedures.
(ii) the organization disseminates incident response policy and procedures to appropriate elements within the organization.
(iii) responsible parties within the organization periodically review incident response policy and procedures.
(iv) the organization updates incident response policy and procedures when organizational review indicates updates are required.
(v) the incident response policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
(vi) the incident response policy is consistent with the organization's mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance.
(vii) the incident response procedures address all areas identified in the incident response policy and address achieving policy-compliant implementations of all associated incident response controls.

General Assessment Question (IR-2): Has the institution or department implemented incident management training that is suitable and relevant to the individual's role, responsibilities and skills?
Detailed Control Testing Procedure(s): Obtain incident response policy; procedures addressing incident response training; incident response training material; security plan; incident response training records; other relevant documents or records and ascertain if:
(i) the organization identifies and documents personnel with incident response roles and responsibilities.
(ii) the organization provides incident response training to personnel with incident response roles and responsibilities.
(iii) incident response training material addresses the procedures and activities necessary to fulfill identified organizational incident response roles and responsibilities.
(iv) the organization defines in the security plan, explicitly or by reference, the frequency of refresher incident response training and the frequency is at least annually.
(v) the organization provides refresher incident response training in accordance with organization-defined frequency.



Risk Statement Examples (SOA Policy Number / SOA SubSection 1-4)

Risk Statement Example (IR-1): Information security incidents are not responded to in a quick, effective and orderly manner.
SOA Policy Number 1: 8120; SOA SubSection 1: 6.2; SOA Policy Number 2: 8240; SOA SubSection 2: 6.1 - 6.8

Risk Statement Example (IR-2): Failure to train personnel on the incident response roles and responsibilities may result in inadequately coordinated processes in response to a security incident.
SOA Policy Number 1: 8240; SOA SubSection 1: 6.1



Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316

COBIT Reference (Control Objective), IR-1: [CobiT v5 - High Level Control Objective Deleted—ITIL 3 does not refer to Service Desk as a process.] Controls have been defined for management of the service desk and incidents.

COBIT Reference (Control Objective), IR-2: [CobiT v5 - High Level Control Objective Deleted—ITIL 3 does not refer to Service Desk as a process.] Controls have been defined for management of the service desk and incidents.



Consolidated Control Activities
(See Column AE through AO)

ecific personnel are available on a 24/7 basis to respond to alerts and training is given to staff with security breach response responsibilities.

implements policies and procedures to address security incidents.

implements measures to identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the organization; and document security incidents and their outcomes.

ntrol #18] The process and tools to make sure an organization has a properly tested plan with appropriate trained resources for dealing with any adverse events or threats of adverse events

8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] Agencies shall: (i) establish an operational incident handling capability for agency information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; (ii)
eport incidents to appropriate agency officials and/or authorities. Responsibilities and procedures shall be in place to handle information security events and weaknesses effectively once they have been reported.

1075] The agency must:


ment, and disseminate to designated agency officials:
sponse policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among agency entities, and compliance; and
facilitate the implementation of the incident response policy and associated incident response controls; and
date the current:
nse policy every three years; and
nse procedures at least annually.

ntrol Guidance

ntrol #18] The process and tools to make sure an organization has a properly tested plan with appropriate trained resources for dealing with any adverse events or threats of adverse events

8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] The agency shall ensure general incident response roles and responsibilities are included as part of required security awareness training.

1075] Agencies must train personnel with access to FTI, including contractors and consolidated data center employees if applicable, in their incident response roles on the information system and FTI. The agency must provide incident response training to information system users con
d responsibilities:
ing an incident response role or responsibility;
d by information system changes; and
after.



Associated Requirement Sections
PCI DSS v2.0 - Sec 12.9.3
PCI DSS v2.0 - Sec 12.9.4
HIPAA Security Section - 45 CFR 164.308(a)(6)(i)
HIPAA Security Section - 45 CFR 164.308(a)(6)(ii)
NIST 800-53 Rev.4 - IR-1
Critical Control 18: Incident Response Capability
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy

NIST 800-53 Rev.4 - IR-2
Critical Control 18: Incident Response Capability
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy



Req.# | Security Control Family | Control Name | NIST 800-53 Control # | NIST Low [Control and Control Enhancement] | MODERATE [Control and Control Enhancement] | Security Program Area (Function Area -> Functional Sub-Area)

Req.# R0072
Security Control Family: INCIDENT RESPONSE
Control Name: INCIDENT RESPONSE TESTING
NIST 800-53 Control #: IR-3
NIST Low / MODERATE [Control and Control Enhancement]: Required (2)
Security Program Area (Function Area -> Functional Sub-Area): Respond -> Cyber-Security Incident Response

Req.# R0073
Security Control Family: INCIDENT RESPONSE
Control Name: INCIDENT HANDLING
NIST 800-53 Control #: IR-4
NIST Low [Control and Control Enhancement]: Required
MODERATE [Control and Control Enhancement]: Required (1)
Security Program Area (Function Area -> Functional Sub-Area): Respond -> Cyber-Security Incident Response



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls
Vendor's Response (Please address all the controls and control enhancements, then describe if the controls are Implemented, Partially Implemented or Not Implemented)

The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using
[Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results.

Control Enhancement:
(2) INCIDENT RESPONSE TESTING | COORDINATION WITH RELATED PLANS
The organization coordinates incident response testing with organizational elements responsible for related plans.

The organization:
a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication,
and recovery;
b. Coordinates incident handling activities with contingency planning activities; and
c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and
implements the resulting changes accordingly.

Control Enhancement:
(1) INCIDENT HANDLING | AUTOMATED INCIDENT HANDLING PROCESSES
The organization employs automated mechanisms to support the incident handling process.



Overall Control(s) Implementation Status (Reference on Comments Page)
Where does the Control(s) originate from?
Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.)
Vendor's Compensating Controls (if Control or Control enhancement Can't Be Met - What is the alternative security controls or remediation plan employed by organization)

Overall Control(s) Implementation Status options (one selection per control row): Implemented; Partially Implemented; Planned; Alternative Implementation; Not Applicable
Control origination options (one selection per control row): Service Provider Corporate; Service Provider System Specific; Service Provider Hybrid (Corporate and System Specific); Configured by Customer (Customer System Specific); Provided by Customer (Customer System Specific); Shared (Service Provider and Customer Responsibility); Controls inherited by IaaS



Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why) (Please See Risk Statement for examples of Non-Compliance language Column O)

General Assessment Question (IR-3): Does the institution or department have a process in place to test and update the incident response process at least annually?
Detailed Control Testing Procedure(s): Obtain incident response policy; procedures addressing incident response testing and exercises; security plan; incident response testing material; incident response test results; other relevant documents or records and ascertain if:
(i) the organization defines in the security plan, explicitly or by reference, incident response tests/exercises.
(ii) the organization defines in the security plan, explicitly or by reference, the frequency of incident response tests/exercises and the frequency is at least annually.
(iii) the organization tests/exercises the incident response capability for the information system using organization-defined tests/exercises in accordance with organization-defined frequency.
(iv) the organization documents the results of incident response tests/exercises.
(v) the organization determines the effectiveness of the incident response capability.

General Assessment Question (IR-4): Does the department review the incident response plan and procedures at defined intervals taking into account lessons learned, industry best practices, and alignment with other processes, as applicable (e.g., breach notifications, crisis management, etc.)?
Detailed Control Testing Procedure(s): Obtain incident response policy; procedures addressing incident handling; NIST Special Publication 800-61; automated mechanisms supporting incident handling; other relevant documents or records and ascertain if:
(i) the organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.
(ii) the organization incorporates the lessons learned from ongoing incident handling activities into the incident response procedures and implements the procedures accordingly.
(iii) the organization employs automated mechanisms to support the incident handling process.



Risk Statement Examples (SOA Policy Number / SOA SubSection 1-4)

Risk Statement Example (IR-3): Incidents are mishandled due to lack of defined and tested incident management plans.
SOA Policy Number 1: 8240; SOA SubSection 1: 6.2

Risk Statement Example (IR-4): Security incidents continue to occur due to lack of learning from past security incidents.
SOA Policy Number 1: 8240; SOA SubSection 1: 6.3



Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316

COBIT Reference (Control Objective), IR-3: [CobiT v5 - High Level Control Objective Deleted—ITIL 3 does not refer to Service Desk as a process.] Controls have been defined for management of the service desk and incidents.

COBIT Reference (Control Objective), IR-4: [CobiT v5 - High Level Control Objective Deleted—ITIL 3 does not refer to Service Desk as a process.] Controls have been defined for management of the service desk and incidents.



Consolidated Control Activities
(See Column AE through AO)

incident response plan is implemented in the event of system breach.

1075] Agencies entrusted with FTI must test the incident response capability for the information system at least annually.
perform tabletop exercises using scenarios that include a breach
test the agency’s incident response policies and procedures.
and contractors with significant FTI incident response capabilities,
al personnel responsible for maintaining consolidated data
te storage, must be included in tabletop exercises.
exercise must produce an after-action report to improve existing
dures, and policies.
Incident Response Procedures, for specific instructions on incident
ments where FTI is involved.

process exists to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments

ntrol #18] The process and tools to make sure an organization has a properly tested plan with appropriate trained resources for dealing with any adverse events or threats of adverse events

ntrol #19] The process and tools used to build, update, and validate a network infrastructure that can properly withstand attacks from advanced threats.

8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] Agencies shall: (i) establish an operational incident handling capability for agency information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; (ii)
eport incidents to appropriate agency officials and/or authorities. The agency shall implement an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery. Wherever feasible, the agency shall employ a
upport the incident handling process.
nformation can be obtained from a variety of sources including, but not limited to, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports. The agency should incorporate the lessons learned from ongoing incident handling activities into the
ures and implements the procedures accordingly.

1075] The agency must:


incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
ident handling activities with contingency planning activities; and
sons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implement the resulting changes accordingly.



Associated Requirement Sections
PCI DSS v2.0 - Sec 12.9
PCI DSS v2.0 - Sec 12.9.1
PCI DSS v2.0 - Sec 12.9.2
NIST 800-53 Rev.4 - IR-3 (2)

PCI DSS v2.0 - Sec 12.9.6
NIST 800-53 Rev.4 - IR-4(1)
Critical Control 18: Incident Response Capability.
Critical Control 19: Secure Network Engineering
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy



Req.# | Security Control Family | Control Name | NIST 800-53 Control # | NIST Low [Control and Control Enhancement] | MODERATE [Control and Control Enhancement] | Security Program Area (Function Area -> Functional Sub-Area)

Req.# R0074
Security Control Family: INCIDENT RESPONSE
Control Name: INCIDENT MONITORING
NIST 800-53 Control #: IR-5
NIST Low [Control and Control Enhancement]: Required
MODERATE [Control and Control Enhancement]: Required
Security Program Area (Function Area -> Functional Sub-Area): Protect -> Data Loss Prevention; Respond -> Cyber-Security Incident Response

Req.# R0075
Security Control Family: INCIDENT RESPONSE
Control Name: INCIDENT REPORTING
NIST 800-53 Control #: IR-6
NIST Low [Control and Control Enhancement]: Required
MODERATE [Control and Control Enhancement]: Required (1)
Security Program Area (Function Area -> Functional Sub-Area): Respond -> Cyber-Security Incident Response



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls
Vendor's Response (Please address all the controls and control enhancements, then describe if the controls are Implemented, Partially Implemented or Not Implemented)

The organization tracks and documents information system security incidents.

The organization:
a. Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-
defined time period]; and
b. Reports security incident information to [Assignment: organization-defined authorities].

Control Enhancement:
(1) INCIDENT REPORTING | AUTOMATED REPORTING
The organization employs automated mechanisms to assist in the reporting of security incidents.



Overall Control(s) Implementation Status (Reference on Comments Page)
Where does the Control(s) originate from?
Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.)
Vendor's Compensating Controls (if Control or Control enhancement Can't Be Met - What is the alternative security controls or remediation plan employed by organization)

Overall Control(s) Implementation Status options (one selection per control row): Implemented; Partially Implemented; Planned; Alternative Implementation; Not Applicable
Control origination options (one selection per control row): Service Provider Corporate; Service Provider System Specific; Service Provider Hybrid (Corporate and System Specific); Configured by Customer (Customer System Specific); Provided by Customer (Customer System Specific); Shared (Service Provider and Customer Responsibility); Controls inherited by IaaS



Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why) (Please See Risk Statement for examples of Non-Compliance language Column O)

General Assessment Question (IR-5): Does the institution or department have a process in place to document details of each incident to support forensics and trend analysis? [e.g., maintaining records about each incident, status of the incident, and other pertinent information necessary for forensics, etc.]
Detailed Control Testing Procedure(s): Obtain incident response policy; procedures addressing incident monitoring; information system design documentation; information system configuration settings and associated documentation; automated mechanisms supporting incident monitoring; other relevant documents or records and ascertain if the organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information.

General Assessment Question (IR-6): Does the institution or department have policies and effective communications in place that require and inform employees, contractors and third party users of information systems and services that they must promptly report any observed or suspected security weaknesses in systems or incidents (e.g., inappropriate disclosure of institutional data, in digital or paper format) to their supervisors, Information Security Officer, and/or institution's compliance hotline?
Detailed Control Testing Procedure(s): Obtain incident response policy; procedures addressing incident reporting; NIST Special Publication 800-61; automated mechanisms supporting incident reporting; incident reporting records and documentation; other relevant documents or records and ascertain if:
(i) the organization promptly reports incident information to appropriate authorities.
(ii) incident reporting is consistent with NIST Special Publication 800-61.
(iii) weaknesses and vulnerabilities in the information system are reported to appropriate organizational officials in a timely manner to prevent security incidents.



Risk Statement Examples (SOA Policy Number / SOA SubSection 1-4)

Risk Statement Example (IR-5): Rules for evidence handling are not followed when evidence is collected, retained, or presented.
SOA Policy Number 1: 8240; SOA SubSection 1: 6.5

Risk Statement Example (IR-6): Security events and weaknesses are not detected and corrected due to lack of users reporting the events or weaknesses.
SOA Policy Number 1: 8240; SOA SubSection 1: 6.6



Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316

COBIT Reference (Control Objective), IR-5: [CobiT v5 - High Level Control Objective Deleted—ITIL 3 does not refer to Service Desk as a process.] Controls have been defined for management of the service desk and incidents.

COBIT Reference (Control Objective), IR-6: [CobiT v5 - High Level Control Objective Deleted—ITIL 3 does not refer to Service Desk as a process.] Controls have been defined for management of the service desk and incidents.



Consolidated Control Activities
(See Column AE through AO)

ntrol Guidance

ntrol #18] The process and tools to make sure an organization has a properly tested plan with appropriate trained resources for dealing with any adverse events or threats of adverse events

8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] The agency shall track and document information system security incidents on an ongoing basis. The CSA ISO shall maintain completed security incident reporting forms until the subsequent FBI triennial audit or unti
mplete; whichever time-frame is greater.

1075] The agency must track and document all physical and information system security incidents potentially affecting the confidentiality of FTI.

implements procedures, where, a business associate shall, following the discovery of a breach of unsecured protected health information, notify the organization of such breach.

ntrol #18] The process and tools to make sure an organization has a properly tested plan with appropriate trained resources for dealing with any adverse events or threats of adverse events

8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] The agency shall promptly report incident information to appropriate authorities. Information security events and weaknesses associated with information systems shall be communicated in a manner allowing time
n. Formal event reporting and escalation procedures shall be in place. Wherever feasible, the agency shall employ automated mechanisms to assist in the reporting of security incidents. All employees, contractors and third party users shall be made aware of the procedures for repor
event and weakness that might have an impact on the security of agency assets and are required to report any information security events and weaknesses as quickly as possible to the designated point of contact.

1075] 9.3.8.6 Incident Reporting (IR-6) The agency must:


nnel to report suspected security incidents to internal agency incident response resources upon discovery of the incident; and
propriate special agent-in-charge, TIGTA, and the IRS Office of Safeguards immediately but no later than 24 hours after identification of a possible issue involving FTI.

[IRS Publication 1075] 10.4 Incident Response Notification to Impacted Individuals
Notification to impacted individuals regarding an unauthorized disclosure or data breach incident is based upon the agency's internal incident response policy because the FTI is within the agency's possession or control.
The agency must inform the Office of Safeguards of notification activities undertaken before release to the impacted individuals. In addition, the agency must inform the Office of Safeguards of any pending media releases, including sharing the text, prior to distribution.

DIR CONTROL CROSSWALK REFERENCE | 10/26/2021 06:25:32 415 of 881


Associated Requirement Sections

NIST 800-53 Rev.4 - IR-5


Critical Control 18: Incident Response Capability
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy
HIPAA Security Section - 45 CFR 164.308(a)(6)(ii)

HIPAA Security Section - 45 CFR 164.314(b)(2)
NIST 800-53 Rev.4 - IR-6(1)
Critical Control 18: Incident Response Capability
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy



Req.# R0076 | Family: INCIDENT RESPONSE | Control Name: INCIDENT RESPONSE ASSISTANCE | NIST 800-53 Control #: IR-7
NIST Low [Control and Control Enhancement]: Required
MODERATE [Control and Control Enhancement]: Required (1,2)
Security Program Area (Function Area -> Functional Sub-Area): Respond -> Cyber-Security Incident Response



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls
Vendor's Response (Please address all the controls and control enhancements, then describe if the controls are Implemented, Partially Implemented or Not Implemented)

The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and
assistance to users of the information system for the handling and reporting of security incidents.

Control Enhancement:
(1) INCIDENT RESPONSE ASSISTANCE | AUTOMATION SUPPORT FOR AVAILABILITY OF INFORMATION / SUPPORT
The organization employs automated mechanisms to increase the availability of incident response-related information and support.
(2) INCIDENT RESPONSE ASSISTANCE | COORDINATION WITH EXTERNAL PROVIDERS
The organization:
(a) Establishes a direct, cooperative relationship between its incident response capability and
external providers of information system protection capability; and
(b) Identifies organizational incident response team members to the external providers.



Overall Control(s) Implementation Status (Reference on Comments Page): Implemented / Partially Implemented / Planned / Alternative Implementation / Not Applicable
Where does the Control(s) originate from?: Service Provider Corporate / Service Provider System Specific / Service Provider Hybrid (Corporate and System Specific) / Configured by Customer (Customer System Specific) / Provided by Customer (Customer System Specific) / Shared (Service Provider and Customer Responsibility) / Controls inherited by IaaS
Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.)
Vendor's Compensating Controls (if a Control or Control enhancement can't be met: what alternative security controls or remediation plan does the organization employ?)



Vendor Non-Compliance Risk Statement (If you can't meet this control at all, please explain why. Please see Risk Statement for examples of Non-Compliance language, Column O)

General Assessment Question: Does the institution or department have access, or means of obtaining access quickly, to skilled incident response support (e.g., to perform forensics) during an incident? [Note: examples may include forensic specialists in other parts of the institution or executed contracts in place with third-parties that provide such capability]

Detailed Control Testing Procedure(s): Obtain Incident response policy; procedures addressing incident response assistance; automated mechanisms supporting incident response support and assistance; other relevant documents or records and ascertain if:
(i) the organization provides an incident response support resource that offers advice and assistance to users of the information system for the handling and reporting of security incidents.
(ii) the incident response support resource is an integral part of the organization's incident response capability.
(iii) the organization employs automated mechanisms to increase the availability of incident response-related information and support for incident response support.



Risk Statement Example: Lack of a Security Incident Response Program may result in improper identification and handling of security events.
SOA Policy Number 1: 8240; SOA SubSection 1: 6.8



Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316
COBIT Reference (Control Objective): [CobiT v5 - High Level Control Objective Deleted—ITIL 3 does not refer to Service Desk as a process.] Controls have been defined for management of the service desk and incidents.



Consolidated Control Activities
(See Column AE through AO)

n place for the design and implementation of an incident response program to handle information security events and weaknesses. [SR 05-23: Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice]

[IRS Publication 1075] The agency must provide an incident response support resource, integral to the agency incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents.



Associated Requirement Sections

NIST 800-53 Rev.4 - IR-7 (1)



Req.# R0077 | Family: INCIDENT RESPONSE | Control Name: INCIDENT RESPONSE PLAN | NIST 800-53 Control #: IR-8
NIST Low [Control and Control Enhancement]: Required
MODERATE [Control and Control Enhancement]: Required
Security Program Area (Function Area -> Functional Sub-Area): Respond -> Cyber-Security Incident Response



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls
Vendor's Response (Please address all the controls and control enhancements, then describe if the controls are Implemented, Partially Implemented or Not Implemented)

The organization:
a. Develops an incident response plan that:
1. Provides the organization with a roadmap for implementing its incident response capability;
2. Describes the structure and organization of the incident response capability;
3. Provides a high-level approach for how the incident response capability fits into the overall organization;
4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
5. Defines reportable incidents;
6. Provides metrics for measuring the incident response capability within the organization;
7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
8. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or
by role) and organizational elements];
c. Reviews the incident response plan [Assignment: organization-defined frequency];
d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation,
execution, or testing;
e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or
by role) and organizational elements]; and
f. Protects the incident response plan from unauthorized disclosure and modification.






Vendor Non-Compliance Risk Statement (If you can't meet this control at all, please explain why. Please see Risk Statement for examples of Non-Compliance language, Column O)

General Assessment Question: Does the institution or department maintain an effective security Incident Management process that includes: i) roles and responsibilities, and oversight; ii) a documented plan for addressing capability gaps that has been approved by management; iii) a process for ensuring that copies of the incident response plan are distributed and made available to incident response personnel; and iv) requirements for updating the incident response process and applicable scenarios?

Detailed Control Testing Procedure(s): Obtain Incident response policy; procedures addressing incident response assistance; incident response plan; other relevant documents or records and ascertain if:
(i) the organization develops an incident response plan that:
- provides the organization with a roadmap for implementing its incident response capability;
- describes the structure and organization of the incident response capability;
- provides a high-level approach for how the incident response capability fits into the overall organization;
- meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
- defines reportable incidents;
- provides metrics for measuring the incident response capability within the organization;
- defines the resources and management support needed to effectively maintain and mature an incident response capability; and
- is reviewed and approved by designated officials within the organization.



Risk Statement Example: The organization is unable to manage the initial phase of an incident since the plan is not well designed and documented.
SOA Policy Number 1: 8240; SOA SubSection 1: 6.7



Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316
COBIT Reference (Control Objective): [CobiT v5 - High Level Control Objective Deleted—ITIL 3 does not refer to Service Desk as a process.] Controls have been defined for management of the service desk and incidents.



Consolidated Control Activities
(See Column AE through AO)

[...] Control Guidance
[CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy] Responsibilities and procedures shall be in place to handle information security events and weaknesses effectively once they have been reported.

[IRS Publication 1075] 9.3.8.8 Incident Response Plan (IR-8) The agency must:
a. Develop an incident response plan that:
1. Provides the agency with a roadmap for implementing its incident response capability;
2. Describes the structure of the incident response capability;
3. Provides a high-level approach for how the incident response capability fits into the overall agency;
4. Meets the unique requirements of the agency, which relate to mission, size, structure, and functions;
5. Defines reportable incidents;
6. Provides metrics for measuring the incident response capability within the agency;
7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
8. Is reviewed and approved by designated agency officials.
b. Distribute copies of the incident response plan to authorized incident response personnel;
c. Review the incident response plan at a minimum on an annual basis or as an after-action review;
d. Update the incident response plan to address system/agency changes or problems encountered during plan implementation, execution, or testing;
e. Communicate incident response plan changes to authorized incident response personnel; and
f. Protect the incident response plan from unauthorized disclosure and modification.

[IRS Publication 1075] 10.3 Incident Response Procedures
The agency must not wait to conduct an internal investigation to determine if FTI was involved in an unauthorized disclosure or data breach. If FTI may have been involved, the agency must contact TIGTA and the IRS immediately. The agency will cooperate with TIGTA and Office of Safeguards investigators as needed to determine the facts and circumstances of the incident.
The policies and procedures required in Section 9.3.8, Incident Response, must be used when responding to an identified unauthorized disclosure or data breach.
The Office of Safeguards will coordinate with the agency regarding appropriate follow-up actions required to be taken by the agency to ensure continued protection of FTI. Once the incident has been addressed, the agency will conduct a post-incident review to ensure the incident response policies a[...]e guidance. Any identified deficiencies in the incident response policies and procedures should be resolved immediately. Additional training on any changes to the incident response policies and procedures should be provided to all employees, including contractors and consolidated d[...]ediately.



Associated Requirement Sections

NIST 800-53 Rev.4 - IR-8
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy



Req.# R0078 | Family: INCIDENT RESPONSE | Control Name: INFORMATION SPILLAGE RESPONSE | NIST 800-53 Control #: IR-9
Baseline requirement [Control and Control Enhancement]: Required (1,2,3,4)
Security Program Area (Function Area -> Functional Sub-Area): (none listed)



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls
Vendor's Response (Please address all the controls and control enhancements, then describe if the controls are Implemented, Partially Implemented or Not Implemented)

The organization responds to information spills by:


a. Identifying the specific information involved in the information system contamination;
b. Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with
the spill;
c. Isolating the contaminated information system or system component;
d. Eradicating the information from the contaminated information system or component;
e. Identifying other information systems or system components that may have been subsequently contaminated; and
f. Performing other [Assignment: organization-defined actions].
(1) INFORMATION SPILLAGE RESPONSE | RESPONSIBLE PERSONNEL
The organization assigns [Assignment: organization-defined personnel or roles] with responsibility for responding to information spills.
(2) INFORMATION SPILLAGE RESPONSE | TRAINING
The organization provides information spillage response training [Assignment: organization-defined frequency].
(3) INFORMATION SPILLAGE RESPONSE | POST-SPILL OPERATIONS
The organization implements [Assignment: organization-defined procedures] to ensure that organizational personnel impacted by information
spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.
(4) INFORMATION SPILLAGE RESPONSE | EXPOSURE TO UNAUTHORIZED PERSONNEL
The organization employs [Assignment: organization-defined security safeguards] for personnel exposed to information not within assigned
access authorizations.
Supplemental Guidance: Security safeguards include, for example, making personnel exposed to spilled information aware of the federal laws,
directives, policies, and/or regulations regarding the information and the restrictions imposed based on exposure to such information.






Vendor Non-Compliance Risk Statement (If you can't meet this control at all, please explain why. Please see Risk Statement for examples of Non-Compliance language, Column O)

General Assessment Question: Does the institution or department have policies and processes in place to report when classified or sensitive information is inadvertently placed on information systems that are not authorized to process such information?

Detailed Control Testing Procedure(s): Obtain Incident response policy; procedures addressing incident response assistance; incident response plan for information spillage.



Risk Statement Example: The organization does not have staff or resources responsible for responding to information spillage.
SOA Policy Number / SOA SubSection: (none listed)



Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316
COBIT Reference (Control Objective): (none listed)



Consolidated Control Activities
(See Column AE through AO)



Associated Requirement Sections



Req.# R0079 | Family: MAINTENANCE | Control Name: SYSTEM MAINTENANCE POLICY AND PROCEDURES | NIST 800-53 Control #: MA-1
NIST Low [Control and Control Enhancement]: Required
MODERATE [Control and Control Enhancement]: Required
Security Program Area (Function Area -> Functional Sub-Area): Identify -> Enterprise Security Policy, Standards and Guidelines

Req.# R0080 | Family: MAINTENANCE | Control Name: CONTROLLED MAINTENANCE | NIST 800-53 Control #: MA-2
NIST Low [Control and Control Enhancement]: Required
MODERATE [Control and Control Enhancement]: Required
Security Program Area (Function Area -> Functional Sub-Area): Protect -> Physical and Environmental Protection



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls
Vendor's Response (Please address all the controls and control enhancements, then describe if the controls are Implemented, Partially Implemented or Not Implemented)

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among
organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and
b. Reviews and updates the current:
1. System maintenance policy [Assignment: organization-defined frequency]; and
2. System maintenance procedures [Assignment: organization-defined frequency].

The organization:
a. Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with
manufacturer or vendor specifications and/or organizational requirements;
b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or
removed to another location;
c. Requires that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the information system or system
components from organizational facilities for off-site maintenance or repairs;
d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or
repairs;
e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair
actions; and
f. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records.






Vendor Non-Compliance Risk Statement (If you can't meet this control at all, please explain why. Please see Risk Statement for examples of Non-Compliance language, Column O)

General Assessment Question (MA-1): Does the institution or department have policies and processes in place to maintain systems in a manner so that security exposure is minimized from outdated information systems (e.g., keeping up system patches as well as information systems that are still maintained by the vendor)?

Detailed Control Testing Procedure(s) (MA-1): Obtain information system maintenance policy and procedures; other relevant documents or records and ascertain if:
(i) the organization develops and documents information system maintenance policy and procedures.
(ii) the organization disseminates information system maintenance policy and procedures to appropriate elements within the organization.
(iii) responsible parties within the organization periodically review information system maintenance policy and procedures.
(iv) the organization updates information system maintenance policy and procedures when organizational review indicates updates are required.
(v) the information system maintenance policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance;
(vi) the information system maintenance policy is consistent with the organization's mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance; and
(vii) the information system maintenance procedures address all areas identified in the system maintenance policy and address achieving policy-compliant implementations of all associated system maintenance controls.

General Assessment Question (MA-2): Does the institution or department have documented and implemented policies and practices for maintaining proper security of information system hardware (e.g., hard drives removed from servers, printers, fax machines, etc.) as well as physical facilities such as doors, locks, etc., during maintenance, whether on-site or when removed and taken off-site?

Detailed Control Testing Procedure(s) (MA-2): Obtain information system maintenance policy; procedures addressing controlled maintenance for the information system; maintenance records; manufacturer/vendor maintenance specifications; other relevant documents or records and ascertain if:
(i) the organization schedules, performs, documents, and reviews records of routine preventative and regular maintenance (including repairs) on the components of the information system in accordance with manufacturer or vendor specifications and/or organizational requirements.
(ii) the organization maintains maintenance records for the information system that include: (1) the date and time of maintenance; (2) name of the individual performing the maintenance; (3) name of escort, if necessary; (4) a description of the maintenance performed; and (5) a list of equipment removed or replaced (including identification numbers, if applicable).



Risk Statement Example: Commercial software is not supported by a vendor and introduces errors into the information system processing environment.
SOA Policy Number 1: 8120; SOA SubSection 1: 6.2
SOA Policy Number 2: 8220; SOA SubSection 2: 6.2 - 6.2.4

Risk Statement Example: Unforeseen hardware failures occur due to lack of up to date maintenance records.
SOA Policy Number 1: 8220; SOA SubSection 1: 6.2.1



Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316
COBIT Reference (Control Objective):
[CobiT v5 - High Level Control Objective BAI03; DSS02] Controls have been defined for the acquisition and maintenance of technology infrastructure to ensure that the platforms that support the business applications are aligned with defined IT architecture and technology standards.
[CobiT v5 - High Level Control Objective DSS01; DSS05] Controls have been defined to manage the physical environment to protect IT assets from access, damage or theft.



Consolidated Control Activities
(See Column AE through AO)

[CobiT v5 - High Level Control Objective BAI03; DSS02] Controls have been defined for the acquisition and maintenance of technology infrastructure to ensure that the platforms that support the business applications are aligned with defined IT architecture and technology standards.

[IRS Publication 1075] The agency must:
a. Develop, document, and disseminate to designated agency officials:
1. A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among agency entities, and compliance; and
2. Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and
b. Review and update the current:
1. System maintenance policy every three years; and
2. System maintenance procedures at least annually.

Policies and procedures for repairs and modifications to the security-related physical components (e.g., hardware, walls, doors, locks) of the facility are defined.

[IRS Publication 1075] The agency must:
a. Schedule, perform, document, and review records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and agency requirements;
b. Approve and monitor all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
c. Require that designated agency officials explicitly approve the removal of the information system or system components from agency facilities for off-site maintenance or repairs;
d. Sanitize equipment to remove all FTI from associated media prior to removal from agency facilities for off-site maintenance or repairs; and
e. Check all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions and update agency maintenance records accordingly.



Associated Requirement Sections

NIST 800-53 Rev.4 - MA-1

HIPAA Security Section - 45 CFR 164.310(a)(2)(iv)


NIST 800-53 Rev.4 - MA-2



Req.# R0081 | Family: MAINTENANCE | Control Name: MAINTENANCE TOOLS | NIST 800-53 Control #: MA-3
Baseline requirement [Control and Control Enhancement]: Required (1,2,3)
Security Program Area (Function Area -> Functional Sub-Area): Protect -> Physical and Environmental Protection



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls
Vendor's Response (Please address all the controls and control enhancements, then describe if the controls are Implemented, Partially Implemented or Not Implemented)

The organization approves, controls, and monitors information system maintenance tools.

Control Enhancement:
(1) MAINTENANCE TOOLS | INSPECT TOOLS
The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.
(2) MAINTENANCE TOOLS | INSPECT MEDIA
The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system.
(3) MAINTENANCE TOOLS | PREVENT UNAUTHORIZED REMOVAL
The organization prevents the unauthorized removal of maintenance equipment containing
organizational information by:
(a) Verifying that there is no organizational information contained on the equipment;
(b) Sanitizing or destroying the equipment;
(c) Retaining the equipment within the facility; or
(d) Obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly
authorizing removal of the equipment from the facility.




Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why; please see Risk Statement for examples of Non-Compliance language, Column O)

General Assessment Questions:
Does the institution or department have documented and implemented policies and processes for limiting security risk exposure through maintenance or diagnostic tools (e.g., an unpatched and unsecure device or appliance connected to the network etc.) introduced into the institution by third-parties?

Detailed Control Testing Procedure(s):
Obtain information system maintenance policy; information system maintenance tools and associated documentation; procedures addressing information system maintenance tools; maintenance records; information system media containing maintenance programs (including diagnostic and test programs); other relevant documents or records and ascertain if:
(i) the organization maintains maintenance tools on an ongoing basis.
(ii) the organization inspects all maintenance tools (e.g., diagnostic and test equipment) carried into a facility by maintenance personnel for obvious improper modifications.
(iii) the organization checks all media containing diagnostic test programs (e.g., software or firmware used for information system maintenance or diagnostics) for malicious code before the media are used in the information system.

Risk Statement Examples: Equipment is not available due to improper maintenance.
SOA Policy Number 1: 8220; SOA SubSection 1: 6.2.2

Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316
COBIT Reference (Control Objective): [CobiT v5 - High Level Control Objective DSS01; DSS05] Controls have been defined to manage the physical environment to protect IT assets from access, damage or theft.

Consolidated Control Activities
(See Column AE through AO)

ntrol Guidance

1075] The agency must approve, control, and monitor information system maintenance tools.

Associated Requirement Sections

NIST 800-53 Rev.4 - MA-3 (1) (2)

Req.# R0082 | Security Control Family: MAINTENANCE | Control Name: NONLOCAL MAINTENANCE | NIST 800-53 Control #: MA-4
Security Program Area (Function Area -> Functional Sub-Area): Protect -> Network Access and Perimeter Controls
Baseline [Control and Control Enhancement]: NIST Low = Required; MODERATE = Required (2)

NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls
Vendor's Response (Please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented)

The organization:
a. Approves and monitors nonlocal maintenance and diagnostic activities;
b. Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan
for the information system;
c. Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;
d. Maintains records for nonlocal maintenance and diagnostic activities; and
e. Terminates session and network connections when nonlocal maintenance is completed.

Control Enhancement:
(2) NONLOCAL MAINTENANCE | DOCUMENT NONLOCAL MAINTENANCE
The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of
nonlocal maintenance and diagnostic connections.

Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why; please see Risk Statement for examples of Non-Compliance language, Column O)

General Assessment Questions:
Does the institution or department have documented and implemented policies and practices to control security exposure from institutional vendors who provide remote support or maintenance to information system(s), through: i) enabling strong identification and authentication; ii) limiting to ports, services, and access levels needed for business purpose; iii) having appropriate logging enabled for monitoring vendor actions; and iv) termination of sessions and network connections when remote maintenance is completed?

Detailed Control Testing Procedure(s):
Obtain information system maintenance policy; procedures addressing remote maintenance for the information system; information system design documentation; information system configuration settings and associated documentation; maintenance records; audit records; security plan; other relevant documents or records and ascertain if:
(i) the organization authorizes, monitors, and controls the execution of maintenance and diagnostic activities conducted remotely by individuals communicating through an external, non-organization-controlled network (e.g., the Internet), if employed.
(ii) the organization documents in the security plan the remote maintenance and diagnostic tools to be employed.
(iii) the organization maintains records for all remote maintenance and diagnostic activities.
(iv) the organization (or information system in certain cases) terminates all sessions and remote connections invoked in the performance of remote maintenance and diagnostic activity when the remote maintenance or diagnostics is completed.
(v) the organization changes the passwords following each remote maintenance and diagnostic activity if password-based authentication is used to accomplish remote maintenance.
(vi) the organization audits all remote maintenance and diagnostic sessions.
(vii) appropriate organizational personnel (as deemed by the organization) review the maintenance records of remote sessions.
(viii) the organization addresses the installation and use of remote maintenance and diagnostic links in the security plan for the information system.

Risk Statement Examples: Unauthorized access is gained through diagnostic and configuration network ports.
SOA Policy Number 1: 8220; SOA SubSection 1: 6.2.3

Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316
COBIT Reference (Control Objective): [CobiT v5 - High Level Control Objective APO13; DSS02, DSS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and by monitoring, detecting and reporting security vulnerabilities and incidents.

Consolidated Control Activities
(See Column AE through AO)

ntrol Guidance

1075] The agency must:


monitor non-local maintenance and diagnostic activities;
of non-local maintenance and diagnostic tools only as consistent
y and documented in the security plan for the information

actor authenticator in the establishment of non-local maintenance


ssions;
ds for non-local maintenance and diagnostic activities;
ssion and network connections when non-local maintenance is

icies and procedures for the establishment and use of non-local


d diagnostic connections. (CE2)

Associated Requirement Sections

NIST 800-53 Rev.4 - MA-4 (2)

Req.# R0083 | Security Control Family: MAINTENANCE | Control Name: MAINTENANCE PERSONNEL | NIST 800-53 Control #: MA-5
Security Program Area (Function Area -> Functional Sub-Area): Protect -> Network Access and Perimeter Controls
Baseline [Control and Control Enhancement]: NIST Low = Required; MODERATE = Required (1)

Req.# R0084 | Security Control Family: MAINTENANCE | Control Name: TIMELY MAINTENANCE | NIST 800-53 Control #: MA-6
Security Program Area (Function Area -> Functional Sub-Area): Protect -> Network Access and Perimeter Controls
Baseline [Control and Control Enhancement]: MODERATE = Required

NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls
Vendor's Response (Please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented)

MA-5: The organization:
a. Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;
b. Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and
c. Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

Control Enhancements:
(1) NONLOCAL MAINTENANCE | AUDITING AND REVIEW
The organization:
(a) Audits nonlocal maintenance and diagnostic sessions [Assignment: organization-defined audit events]; and
(b) Reviews the records of the maintenance and diagnostic sessions.

MA-6: The organization obtains maintenance support and/or spare parts for [Assignment: organization-defined information system components] within [Assignment: organization-defined time period] of failure.

Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why; please see Risk Statement for examples of Non-Compliance language, Column O)

General Assessment Questions:
Does the institution or department have documented policies and practices for preventing visitors from physically accessing sensitive areas of the institution through: i) use of physical controls such as locked doors; ii) requiring management authorization for non-employees or visitors to enter facilities; iii) issuance of a physical token (e.g., badge or access device) that expires and that identifies the individual as a non-employee; iv) use of sign-in sheets or automated visitor logging; v) maintenance of records of visits based on institutional records retention schedules?

Detailed Control Testing Procedure(s):
Obtain information system maintenance policy; procedures addressing maintenance personnel; service provider contracts and/or service level agreements; list of authorized personnel; maintenance records; other relevant documents or records and ascertain if:
(i) the organization allows only authorized personnel to perform maintenance on the information system.
(ii) the organization supervises authorized maintenance personnel who do not have needed access authorizations to the information system during the performance of maintenance activities on the system using organizational personnel with appropriate access authorizations.

General Assessment Questions:
Does the institution or department have current maintenance support and/or spare parts for its defined list of security-critical information system components and/or key information technology components to enable recovery within a defined time period of failure? [Note: examples of security-critical information system components can include threat management systems like firewalls and anti-virus systems, badge control systems, etc.]

Detailed Control Testing Procedure(s):
Obtain information system maintenance policy; procedures addressing timely maintenance for the information system; service provider contracts and/or service level agreements; inventory and availability of spare parts; security plan; other relevant documents or records and ascertain if:
(i) the organization defines in the security plan, explicitly or by reference, key information system components.
(ii) the organization defines in the security plan, explicitly or by reference, the time period within which support and spare parts must be obtained after a failure.
(iii) the organization obtains maintenance support and spare parts for the organization-defined list of key information system components within the organization-defined time period of failure.

Risk Statement Examples: Unauthorized visitors gain physical access to facilities due to insufficient physical entry controls.
SOA Policy Number 1: 8220; SOA SubSection 1: 6.2.4

Risk Statement Examples: The lack of processes for system maintenance and support may result in compromise of system security due to the latest updates not being made to systems in a timely manner.

Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316
COBIT Reference (Control Objective): [CobiT v5 - High Level Control Objective DSS01; DSS05] Controls have been defined to manage the physical environment to protect IT assets from access, damage or theft.
COBIT Reference (Control Objective): [CobiT v5 - High Level Control Objective BAI03; DSS02] Controls have been defined for the acquisition and maintenance of technology infrastructure to ensure that the platforms that support the business applications are aligned with defined IT architecture and technology standards.

Consolidated Control Activities
(See Column AE through AO)

visitors are authorized before entering areas where PCI covered data is process or maintained. They are given a physical token (e.g. badge or access device) that expires and that identifies the visitors as a non-employee. They are asked to surrender the physical token before leaving th
ation. Use a visitor log to maintain a physical audit trail of visitor activity. Document the visitors name, the firm represented, and the employee authorizing physical access on the log. Retain this log for a minimum of three months, unless otherwise restricted by law.

1075] The agency must:


cess for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;
n-escorted personnel performing maintenance on the information system have required access authorizations; and
ncy personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

ntrol Guidance

Associated Requirement Sections

PCI DSS v2.0 - Sec 9.4


PCI DSS v2.0 - Sec 9.3.1
PCI DSS v2.0 - Sec 9.3.2
PCI DSS v2.0 - Sec 9.3.3
NIST 800-53 Rev.4 - MA-5

NIST 800-53 Rev.4 - MA-6

Req.# R0085 | Security Control Family: MEDIA PROTECTION | Control Name: MEDIA PROTECTION POLICY AND PROCEDURES | NIST 800-53 Control #: MP-1
Security Program Area (Function Area -> Functional Sub-Area): Protect -> Media
Baseline [Control and Control Enhancement]: NIST Low = Required; MODERATE = Required

Req.# R0086 | Security Control Family: MEDIA PROTECTION | Control Name: MEDIA ACCESS | NIST 800-53 Control #: MP-2
Security Program Area (Function Area -> Functional Sub-Area): Protect -> Media
Baseline [Control and Control Enhancement]: NIST Low = Required; MODERATE = Required

NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls
Vendor's Response (Please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented)

MP-1: The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and
b. Reviews and updates the current:
1. Media protection policy [Assignment: organization-defined frequency]; and
2. Media protection procedures [Assignment: organization-defined frequency].

MP-2: The organization restricts access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles].

Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why; please see Risk Statement for examples of Non-Compliance language, Column O)

General Assessment Questions:
Does the institution or department have documented and implemented policies and practices for protecting confidential data residing on removable media (e.g., hard-drives, CDs, USB drives, backup tapes, etc.)? [Note: protection requirements include storage of media, sanitization requirements upon transfer or disposal of media, use of encryption, etc.]

Detailed Control Testing Procedure(s):
Obtain media protection policy and procedures; other relevant documents or records and ascertain if:
(i) the organization develops and documents media protection policy and procedures.
(ii) the organization disseminates media protection policy and procedures to appropriate elements within the organization.
(iii) responsible parties within the organization periodically review media protection policy and procedures.
(iv) the organization updates media protection policy and procedures when organizational review indicates updates are required.
(v) the media protection policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
(vi) the media protection policy is consistent with the organization's mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance.
(vii) the media protection procedures address all areas identified in the media protection policy and address achieving policy-compliant implementations of all associated media protection controls.

General Assessment Questions:
Does the institution or department have administrative, physical, and technical controls in place to manage access to media containing confidential information?

Detailed Control Testing Procedure(s):
Obtain information system media protection policy; procedures addressing media access; access control policy and procedures; physical and environmental protection policy and procedures; media storage facilities; access control records; audit records; other relevant documents or records and ascertain if:
(i) the organization restricts access to information system media to authorized users.
(ii) the organization employs automated mechanisms to restrict access to media storage areas.
(iii) the organization employs automated mechanisms to audit access attempts and access granted.

Risk Statement Examples: Media (e.g., documents, computer media (e.g. tapes, disks), input/output data, system documentation) is compromised by unauthorized parties due to ineffective handling procedures.
SOA Policy Number 1: 8120; SOA SubSection 1: 6.2
SOA Policy Number 2: 8250; SOA SubSection 2: 6.1 - 6.7.2

Risk Statement Examples: Data stored on removable computer media is damaged or disclosed due to ineffective handling procedures.
SOA Policy Number 1: 8250; SOA SubSection 1: 6.1

Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316
COBIT Reference (Control Objective): [CobiT v5 - High Level Control Objective DSS01; DSS04; DSS05; DSS06] Controls have been defined to manage data by maintaining the completeness, accuracy, availability and protection of data.
COBIT Reference (Control Objective): [CobiT v5 - High Level Control Objective DSS01; DSS04; DSS05; DSS06] Controls have been defined to manage data by maintaining the completeness, accuracy, availability and protection of data.

Consolidated Control Activities
(See Column AE through AO)

ocedures exist for handling, processing, storing, and communicating information consistent with its classification
8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] 5.8 Policy Area 8: Media Protection
n policy and procedures shall be documented and implemented to ensure that access to electronic and physical media in all forms is restricted to authorized individuals. Procedures shall be defined for securely handling, transporting and storing media.

1075] 9.3.10.1 Media Protection Policy and Procedures (MP-1) The agency must:
ment, and disseminate to designated agency officials:
ction policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among agency entities, and compliance; and
facilitate the implementation of the media protection policy and associated media protection controls; and
date the current:
on policy every three years; and
on procedures at least annually.

1075] 4.5 Physical Security of Computers, Electronic, and Removable Media Computers and electronic media that receive, process, store, or transmit FTI must be in a secure area with restricted access. In situations when requirements of a secure area with restricted access cannot be m
rk sites, remote terminals or other office work sites, the equipment must receive the highest level of protection practical, including full disk encryption. All computers and mobile devices that contain FTI and are resident in an alternate work site must employ encryption mechanisms t
t be accessed, if the computer is lost or stolen (see OMB Memo M-06-16).
quirements must be met, such as keeping FTI locked up when not in use. When removable media contains FTI, it must be labeled as FTI.
ectronic media, and removable media containing FTI, must be kept in a secured area under the immediate protection and control of an authorized employee or
not in use, the media must be promptly returned to a proper storage area/container.
s of electronic media must be maintained and reviewed semi-annually for control and accountability.

Standard: Device and media controls. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.

PAA Security] Ensure management approves any and all media that is moved from a secured area (especially when media is distributed to individuals). Maintain strict control over the storage and accessibility of media that contains cardholder data.

ntrol #17] The processes and tools used to track/control/prevent/correct data transmission and storage, based on the data's content and associated classification.

8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] The agency shall securely store electronic and physical media within physically secure locations or controlled areas. The agency shall restrict access to electronic and physical media to authorized individuals. If physic
tions are not feasible then the data shall be encrypted per section 5.10.1.2.

075] The agency must restrict access to digital and non-digital media containing FTI to authorized individuals.

Associated Requirement Sections

PCI DSS v2.0 - Sec 9.1


NIST 800-53 Rev.4 - MP-1
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services
(CJIS) Security Policy

HIPAA Security Section - 45 CFR 164.310(d)(1)


PCI DSS v2.0 - Sec 9.8
PCI DSS v2.0 - Sec 9.9
NIST 800-53 Rev.4 - MP-2
Critical Control 17: Data Loss Prevention

Req.# R0087 | Security Control Family: MEDIA PROTECTION | Control Name: MEDIA MARKING | NIST 800-53 Control #: MP-3
Security Program Area (Function Area -> Functional Sub-Area): Identify -> Data Classification
Baseline [Control and Control Enhancement]: MODERATE = Required

Req.# R0088 | Security Control Family: MEDIA PROTECTION | Control Name: MEDIA STORAGE | NIST 800-53 Control #: MP-4
Security Program Area (Function Area -> Functional Sub-Area): Identify -> Data Classification; Protect -> Media
Baseline [Control and Control Enhancement]: MODERATE = Required

NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls
Vendor's Response (Please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented)

MP-3: The organization:
a. Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and
b. Exempts [Assignment: organization-defined types of information system media] from marking as long as the media remain within [Assignment: organization-defined controlled areas].

MP-4: The organization:
a. Physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and
b. Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.

Vendor Non-Compliance Risk Statement
(If you can't meet this control at all please explain why) General Assessment Questions Detailed Control Testing Procedure(s)
(Please See Risk Statement for examples of Non-Compliance
language Column O)

General Assessment Question: Has the institution or department implemented procedures to label and handle media containing departmental data in accordance with institutional data classification policy and procedures?

Detailed Control Testing Procedure: Obtain information system media protection policy; procedures addressing media labeling; physical and environmental protection policy and procedures; security plan; removable storage media and information system output; other relevant documents or records and ascertain if:
(i) the organization defines in the security plan, explicitly or by reference, its protected environment for media labeling requirements.
(ii) the organization defines in the security plan, explicitly or by reference, media types and hardware components that are exempted from external labeling requirements.
(iii) the organization affixes external labels to removable information storage media and information system output not otherwise exempted from this labeling requirement, indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information.

General Assessment Question: Do the institution's or department's media handling procedures address:
i) proper storage and physical security of digital and non-digital media (e.g., backup tapes, student & patient records, etc.);
ii) destruction or sanitization of media using approved equipment, techniques, and procedures; and
iii) other requirements for media handling based on any institution or department's data classification scheme?

Detailed Control Testing Procedure: Obtain information system media protection policy; procedures addressing media storage; physical and environmental protection policy and procedures; access control policy and procedures; security plan; information system media; other relevant documents or records and ascertain if:
(i) the organization selects and documents the media and associated information contained on that media requiring physical protection in accordance with an organizational assessment of risk.
(ii) the organization defines the specific measures used to protect the selected media and information contained on that media.
(iii) the organization physically controls and securely stores information system media within controlled areas.
(iv) the organization protects information system media commensurate with the FIPS 199 security categorization of the information contained on the media.

Risk Statement Examples (with SOA Policy Number and SOA SubSection)
Information is disclosed due to mislabeled, unlabeled or mishandled physical or electronic media. (SOA Policy Number 8250, SubSection 6.2)
The lack of formal procedures for handling, processing, storing and communicating information consistent with its classification scheme may result in potential mishandling or misuse of information by unauthorized parties. (SOA Policy Number 8250, SubSection 6.3)

Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer Tampering: A.R.S. § 13-2316
COBIT Reference (Control Objective): [CobiT v5 - High Level Control Objective DSS01;DSS04;DSS05;DSS06] Controls have been defined to manage data by maintaining the completeness, accuracy, availability and protection of data.

Consolidated Control Activities
(See Column AE through AO)

An appropriate set of procedures for information labeling and handling is developed and implemented in accordance with the classification scheme adopted by the organization.

ntrol #15] The processes and tools used to track/control/prevent/correct secure access to information according to the formal determination of which persons, computers, and applications have a need and right to access information based on an approved classification

1075] The agency must label information system media containing FTI to indicate the distribution limitations and handling caveats.
label removable media (CDs, DVDs, diskettes, magnetic
ard drives and flash drives) and information system
g FTI (reports, documents, data files, back-up tapes)
al Tax Information”. Notice 129-A and Notice 129-B IRS
an be used for this purpose.

ntrol Guidance

8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] The agency shall securely store electronic and physical media within physically secure locations or controlled areas. The agency shall restrict access to electronic and physical media to authorized individuals. If physic
tions are not feasible then the data shall be encrypted per section 5.10.1.2.

ntrol #17] The processes and tools used to track/control/prevent/correct data transmission and storage, based on the data's content and associated classification

1075] The agency must:


rol and securely store media containing FTI; and
ation system media until the media is destroyed or sanitized using
ment, techniques, and procedures.
Secure Storage—IRC 6103(p)(4)(B), on additional secure storage

Associated Requirement Sections

HIPAA Security Section - 45 CFR 164.308(a)(4)(i)
NIST 800-53 Rev.4 - MP-3
Critical Control 15: Controlled Access Based on the Need to Know
NIST 800-53 Rev.4 - MP-4
Critical Control 17: Data Loss Prevention
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy

Req.#: R0089
Security Control Family: MEDIA PROTECTION
Control Name: MEDIA TRANSPORT
NIST 800-53 Control #: MP-5
NIST Low / MODERATE [Control and Control Enhancement]: Required (4)
Security Program Area (Function Area -> Functional Sub-Area): Protect -> Media

NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls
Vendor's Response (Please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented)

The organization:
a. Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using
[Assignment: organization-defined security safeguards];
b. Maintains accountability for information system media during transport outside of controlled areas;
c. Documents activities associated with the transport of information system media; and
d. Restricts the activities associated with the transport of information system media to authorized personnel.

Control Enhancement:
(4) MEDIA TRANSPORT | CRYPTOGRAPHIC PROTECTION
The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media
during transport outside of controlled areas.


General Assessment Question: Has the institution or department implemented procedures to protect media in transit which include logging and monitoring media transfers, encryption of confidential data, and use of secured couriers? [Note: a common example of media in transit can include backup tapes, mobile devices like laptops and PDAs].

Detailed Control Testing Procedure: Obtain information system media protection policy; procedures addressing media transport; physical and environmental protection policy and procedures; audit records; access control policy and procedures; security plan; list of organization-defined personnel authorized to transport information system media outside of controlled areas; information system media; information system media transport records; information system audit records; other relevant documents or records and ascertain if:
(i) the organization identifies personnel authorized to transport information system media outside of controlled areas.
(ii) the organization documents, in policy and procedures, the media requiring protection during transport and the specific measures taken to protect such transported media.
(iii) the organization protects and controls information system media during transport outside of controlled areas.
(iv) the organization restricts the activities associated with transport of information system media to authorized personnel.
(v) the organization defines in the security plan, explicitly or by reference, a system of records for documenting activities associated with the transport of information system media.
(vi) the organization documents, where appropriate, activities associated with the transport of information system media using the organization-defined system of records.
(vii) the organization employs cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.

Risk Statement Examples (with SOA Policy Number and SOA SubSection)
Information stored in physical media may be disclosed to or altered by unauthorized parties while being physically transported. (SOA Policy Number 8250, SubSection 6.5)

Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer Tampering: A.R.S. § 13-2316
COBIT Reference (Control Objective): [CobiT v5 - High Level Control Objective DSS01; DSS05] Controls have been defined to manage the physical environment to protect IT assets from access, damage or theft.

Consolidated Control Activities
(See Column AE through AO)

aintain strict control over the internal or external distribution of any kind of media, including the following: Classify the media so it can be identified as confidential. Verify that all media sent outside the facility is logged and authorized by management and sent via secured courier or o
be tracked. Verify that all media sent outside the facility is logged and authorized by management and sent via secured courier or other delivery method that can be tracked.

8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] The agency shall protect and control electronic and physical media during transport outside of controlled areas and restrict the activities associated with transport of such media to authorized personnel. The control
document also apply to CJI in physical (printed documents, printed imagery, etc.) form. Physical media shall be protected at the same level as the information would be protected in electronic form.

1075] The agency must:


ntrol digital (e.g., diskettes, magnetic tapes, external/removable hard drives, flash/thumb drives, CDs, DVDs) and non-digital (e.g., paper) media
outside of controlled areas;
untability for information system media during transport outside of controlled areas;
vities associated with the transport of information system media—the agency must use transmittals or an equivalent tracking method to ensure FTI reaches its intended destination; and
tivities associated with the transport of information system media to authorized personnel.
system must implement cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas. (CE4)

Associated Requirement Sections

PCI DSS v2.0 - Sec 9.7
PCI DSS v2.0 - Sec 9.7.1
PCI DSS v2.0 - Sec 9.7.2
NIST 800-53 Rev.4 - MP-5(4)
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy

Req.#: R0090
Security Control Family: MEDIA PROTECTION
Control Name: MEDIA SANITIZATION
NIST 800-53 Control #: MP-6
NIST Low: Required
MODERATE [Control and Control Enhancement]: Required (2)
Security Program Area (Function Area -> Functional Sub-Area): Protect -> Media

NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls
Vendor's Response (Please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented)

The organization:
a. Sanitizes [Assignment: organization-defined information system media] prior to disposal, release out of organizational control, or release for
reuse using [Assignment: organization-defined sanitization techniques and procedures] in accordance with applicable federal and organizational
standards and policies; and
b. Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.

Control Enhancement:
(2) MAINTENANCE PERSONNEL | SECURITY CLEARANCES FOR CLASSIFIED SYSTEMS
The organization ensures that personnel performing maintenance and diagnostic activities on an
information system processing, storing, or transmitting classified information possess security
clearances and formal access approvals for at least the highest classification level and for all
compartments of information on the system.


General Assessment Question: Has the institution or department implemented procedures to dispose of media containing departmental data in a manner that adequately protects the confidentiality of the data and renders it unrecoverable (e.g., by overwriting or modifying the electronic media to make it unreadable or indecipherable, or otherwise physically destroying the electronic media), and in accordance with institutional records retention schedules?

Detailed Control Testing Procedure: Obtain information system media protection policy; procedures addressing media sanitization and disposal; NIST Special Publication 800-88; media sanitization records; audit records; other relevant documents or records and ascertain if:
(i) the organization identifies information system media requiring sanitization and the appropriate sanitization techniques and procedures to be used in the process.
(ii) the organization sanitizes identified information system media, both paper and digital, prior to disposal or release for reuse.
(iii) information system media sanitization is consistent with NIST Special Publication 800-88.

Risk Statement Examples (with SOA Policy Number and SOA SubSection)
Data stored on disposed-of media is inappropriately disclosed to unauthorized parties due to ineffective data disposal procedures. (SOA Policy Number 8250, SubSection 6.6)

Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer Tampering: A.R.S. § 13-2316
COBIT Reference (Control Objective): [CobiT v5 - High Level Control Objective DSS01;DSS04;DSS05;DSS06] Controls have been defined to manage data by maintaining the completeness, accuracy, availability and protection of data.

Consolidated Control Activities
(See Column AE through AO)

I covered cardholder data on electronic media is rendered unrecoverable so that cardholder data cannot be reconstructed.

For PCI covered data, media containing cardholder data is destroyed when it is no longer needed for business or legal reasons. PCI covered hardcopy materials are shredded, incinerated, or pulped so that cardholder data cannot be reconstructed.

implements policies and procedures to address the final disposition of electronic protected health information, and/or hardware or electronic media on which it is stored.

8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] The agency shall sanitize, that is, overwrite at least three times or degauss electronic media prior to disposal or release for reuse by unauthorized individuals. Inoperable electronic media shall be destroyed (cut up, s
maintain written documentation of the steps taken to sanitize or destroy electronic media. Agencies shall ensure the sanitization or destruction is witnessed or carried out by authorized personnel.
hall be securely disposed of when no longer required, using formal procedures. Formal procedures for the secure disposal or destruction of physical media shall minimize the risk of sensitive information compromise by unauthorized individuals. Physical media shall be destroyed by sh
ncies shall ensure the disposal or destruction is witnessed or carried out by authorized personnel.

implements procedures for permanent removal of electronic protected health information from electronic media before the media are made available for re-use.

1075] The agency must:


containing FTI prior to disposal, release out of agency control, or release for reuse using IRS-approved sanitization techniques in accordance with
l and agency standards and policies;
ation mechanisms with the strength and integrity commensurate with the security category or classification of the information; and
ve, track, document, and verify media sanitization and disposal actions. (CE1)
view and approve media to be sanitized to ensure compliance with records-retention policies. Tracking/documenting actions include, for example, listing personnel who reviewed and approved sanitization and disposal actions, types of media sanitized, specific files stored on the med
ate and time of the sanitization actions, personnel who performed the sanitization, verification actions taken, personnel who performed the verification, and disposal action taken. Agencies verify that the sanitization of the media was effective prior to disposal (see Section
tion Handling and Retention (SI-12)).
restrict the use of information system media (e.g., diskettes, magnetic tapes, external/removable hard drives, flash/thumb drives, CDs, DVDs) on information systems that receive, process, store, or transmit FTI using physical or automated controls.
ements for protecting FTI during media sanitization are provided in Section 9.3.10.6, Media Sanitization (MP-6); Section 9.4.7, Media Sanitization; and Exhibit 10, Data Warehouse Security Requirements.

Associated Requirement Sections

PCI DSS v2.0 - Sec 9.10.2
HIPAA Security Section - 45 CFR 164.310(d)(2)(i)
HIPAA Security Section - 45 CFR 164.310(d)(2)(ii)
PCI DSS v2.0 - Sec 9.10
PCI DSS v2.0 - Sec 9.10.1
NIST 800-53 Rev.4 - MP-6
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy

Req.#: R0091
Security Control Family: MEDIA PROTECTION
Control Name: MEDIA USE
NIST 800-53 Control #: MP-7
NIST Low: Required
MODERATE [Control and Control Enhancement]: Required (1)
Security Program Area (Function Area -> Functional Sub-Area): Protect -> Media

Req.#: R0092
Security Control Family: PHYSICAL AND ENVIRONMENTAL PROTECTION
Control Name: PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
NIST 800-53 Control #: PE-1
NIST Low: Required
MODERATE [Control and Control Enhancement]: Required
Security Program Area (Function Area -> Functional Sub-Area): Protect -> Physical and Environmental Protection

NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls
Vendor's Response (Please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented)

The organization [Selection: restricts; prohibits] the use of [Assignment: organization-defined types of information system media] on [Assignment:
organization-defined information systems or system components] using [Assignment: organization-defined security safeguards].

Control Enhancement:
(1) MEDIA USE | PROHIBIT USE WITHOUT OWNER
The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable
owner.

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination
among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental
protection controls; and
b. Reviews and updates the current:
1. Physical and environmental protection policy [Assignment: organization-defined frequency]; and
2. Physical and environmental protection procedures [Assignment: organization-defined frequency].


General Assessment Question: Does the institution or department have documented policies and supporting processes to restrict unauthorized information system media within its environment?

Detailed Control Testing Procedure: Obtain procedures relating to media use and ascertain if:
(i) security safeguards ensure that prohibited or restricted media are not used on information systems; and
(ii) portable storage devices with no identifiable owner are not used on information systems.

General Assessment Question: Does the institution or department have in place documented policies and supporting procedures to protect institutional facilities based on their criticality, and implement physical access safeguards to ensure appropriate granting, controlling, and monitoring of physical access to institutional facilities?

Detailed Control Testing Procedure: Obtain physical and environmental protection policy and procedures and ascertain if:
(i) the organization develops and documents physical and environmental protection policy and procedures.
(ii) the organization disseminates physical and environmental protection policy and procedures to appropriate elements within the organization.
(iii) responsible parties within the organization periodically review physical and environmental protection policy and procedures.
(iv) the organization updates physical and environmental protection policy and procedures when organizational review indicates updates are required.
(v) the physical and environmental protection policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
(vi) the physical and environmental protection policy is consistent with the organization's mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance.
(vii) the physical and environmental protection procedures address all areas identified in the physical and environmental protection policy and address achieving policy-compliant implementations of all associated physical and environmental protection controls.

Risk Statement Examples (with SOA Policy Number and SOA SubSection)
Inadequate procedures for handling media (disclosure, modification, removal, and destruction) may result in potential compromise of information by unauthorized parties. (SOA Policy Number 8250, SubSection 6.7)
Unauthorized parties have access to facilities due to security flaws in physical layout. (SOA Policy Number 1: 8120, SubSection 6.2; SOA Policy Number 2: 8260, SubSection 6.1 - 6.13)

Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer Tampering: A.R.S. § 13-2316
COBIT Reference (Control Objective), MP-7: [CobiT v5 - High Level Control Objective DSS01;DSS04;DSS05;DSS06] Controls have been defined to manage data by maintaining the completeness, accuracy, availability and protection of data.
COBIT Reference (Control Objective), PE-1: [CobiT v5 - High Level Control Objective DSS01; DSS05] Controls have been defined to manage the physical environment to protect IT assets from access, damage or theft.

Consolidated Control Activities
(See Column AE through AO)

ntrol Guidance

Facility security plans are documented and current for the period. The Plan must identify the required actions to undertake to ensure facilities are secure.
r PCI covered data, physically secure all paper and electronic media that contain cardholder data. [MA.201.CMR.17] Reasonable restrictions upon physical access to records containing personal information, including a written procedure that sets forth the manner in which physical ac
ed; and storage of such records and data in locked facilities, storage areas or containers.

1075] The agency must:


ment, and disseminate to designated agency officials:
environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among agency entities, and compliance; and
facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and
date the current:
nvironmental protection policy every three years; and
nvironmental protection procedures at least annually.

Associated Requirement Sections

NIST 800-53 Rev.4 - MP-7 (1)

PCI DSS v2.0 - Sec 9.6


HIPAA Security Section - 45 CFR 164.310(a)(2)(ii)
NIST 800-53 Rev.4 - PE-1

Req.#: R0093
Security Control Family: PHYSICAL AND ENVIRONMENTAL PROTECTION
Control Name: PHYSICAL ACCESS AUTHORIZATIONS
NIST 800-53 Control #: PE-2
NIST Low: Required
MODERATE [Control and Control Enhancement]: Required
Security Program Area (Function Area -> Functional Sub-Area): Protect -> Physical and Environmental Protection

NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls
Vendor's Response (Please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented)

The organization:
a. Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;
b. Issues authorization credentials for facility access;
c. Reviews the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and
d. Removes individuals from the facility access list when access is no longer required.


General Assessment Question: Has the institution or department established roles, and does it enforce associated access requirements for institutional facilities that house systems and confidential data (e.g., where student or patient records are maintained), based on business requirements or function? [Note: this is about formally defining and enforcing who can access a specific facility based on business needs].

Detailed Control Testing Procedure: Obtain physical and environmental protection policy; procedures addressing physical access authorizations; authorized personnel access list; authorization credentials; other relevant documents or records and ascertain if:
(i) the organization identifies areas within the facility that are publicly accessible.
(ii) the organization defines in the security plan, explicitly or by reference, the frequency of review and approval for the physical access list and authorization credentials for the facility, and the frequency is at least annually.
(iii) the organization develops and keeps current lists of personnel with authorized access to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible).
(iv) the organization issues appropriate authorization credentials (e.g., badges, identification cards, smart cards).
(v) designated officials within the organization review and approve the access list and authorization credentials in accordance with the organization-defined frequency.



Risk Statement Examples (SOA Policy Number / SOA SubSection)

Unauthorized parties gain physical access to facilities due to insufficient physical entry controls. (SOA Policy 8260, SubSection 6.1)



Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316

COBIT Reference (Control Objective):
[CobiT v5 - High Level Control Objective DSS01; DSS05] Controls have been defined to manage the physical environment to protect IT assets from access, damage or theft.



Consolidated Control Activities
(See Column AE through AO)

cilities are protected by appropriate entry controls to ensure that only authorized personnel are allowed access and that access is monitored. For PCI covered data, a visitor log is retained for a minimum of three months, unless otherwise restricted by law.

implements policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering and theft.

establishes and implements procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.

8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] 5.9.1.2 Physical Access Authorizations - The agency shall develop and keep current a list of personnel with authorized access to the physically secure location (except for those areas within the permanent facility offi
sible) or shall issue credentials to authorized personnel.

1075] 9.3.11.2 Physical Access Authorizations (PE-2)


:
ove, and maintain a list of individuals with authorized access to the facility where the information system resides;
ation credentials for facility access;
ess list detailing authorized facility access by individuals, at least annually; Remove individuals from the facility access list when access is no longer required; and
al access authorizations to the information system in addition to the physical access controls for the facility at spaces where FTI is received, processed, stored, or transmitted. (CE1)

1075] 4.3.1 Use of Authorized Access List To facilitate the entry of employees who have a frequent and continuing need to enter a restricted area, but who are not assigned to the area, an Authorized Access List (AAL) can be maintained so long as MPSs are enforced (see Section 4.2, M
ards).
es: The AAL must contain the following:
ual
rtment name
e number of agency POC
ncy POC
ess
cy employees must be updated at least annually or when employee access changes.
n-Agency Personnel: The AAL must contain the following information:
r/contractor/non-agency personnel
ne number of agency Point of Contact authorizing access
ess of vendor POC
dor/contractor
el of access
tors, and non-agency personnel AAL must be updated monthly.
ubt of the identity of the individual, the security monitor must verify the identity of the vendor/contractor individual against the AAL prior to allowing entry into
ea.



Associated Requirement Sections

PCI DSS v2.0 - Sec 9.1


HIPAA Security Section - 45 CFR 164.310(a)(2)(iii)
NIST 800-53 Rev.4 - PE-2
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy



Req.# / Security Control Family / Control Name / NIST 800-53 Control # / Low [Control and Control Enhancement] / MODERATE [Control and Control Enhancement] / Security Program Area (Function Area -> Functional Sub-Area)

R0094  PHYSICAL AND ENVIRONMENTAL PROTECTION  PHYSICAL ACCESS CONTROL  PE-3
  Low: Required; Moderate: Required
  Security Program Area: Protect -> Physical and Environmental Protection; Protect -> Network Access and Perimeter Controls

R0095  PHYSICAL AND ENVIRONMENTAL PROTECTION  ACCESS CONTROL FOR TRANSMISSION MEDIUM  PE-4
  Moderate: Required
  Security Program Area: Protect -> Physical and Environmental Protection



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls
Vendor's Response: (Please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented)

The organization:
a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system
resides] by;
1. Verifying individual access authorizations before granting access to the facility; and
2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control
systems/devices]; guards];
b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly
accessible;
d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
e. Secures keys, combinations, and other physical access devices;
f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or
individuals are transferred or terminated.

The organization controls physical access to [Assignment: organization-defined information system distribution and transmission lines] within
organizational facilities using [Assignment: organization-defined security safeguards].






Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why. Please see Risk Statement for examples of Non-Compliance language, Column O)

General Assessment Questions (PE-3):
Does the institution or department have appropriate processes in place to control designated entry/exit points of areas where confidential information or critical systems are maintained through:
i) a formal authorization process for providing access credentials (badge, key, code, etc.);
ii) a process to revoke access (e.g., due to termination or change of job role) to the facility;
iii) protecting the system that manages control for entry/exit (e.g., restricting system access to the badge system); and
iv) monitoring for events that indicate potential unauthorized access attempts to the facility (e.g., unsuccessful badge attempts, loss of physical key, etc.)?

Detailed Control Testing Procedure(s) (PE-3):
Obtain physical and environmental protection policy; procedures addressing physical access control; physical access control logs or records; maintenance records; records of key and lock combination changes; storage locations for keys and access devices; FIPS 201; NIST Special Publications 800-73, 800-76, and 800-78; information system design documentation; other relevant documents or records and ascertain if:
(i) the organization controls all physical access points (including designated entry/exit points) to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible).
(ii) the organization verifies individual access authorizations before granting access to the facility.
(iii) the organization also controls access to areas officially designated as publicly accessible, as appropriate, in accordance with the organization's assessment of risk.
(iv) the organization uses physical access devices (e.g., keys, locks, combinations, card readers) and/or guards to control entry to facilities containing information systems.
(v) the organization secures and regularly inventories keys, combinations, and other access devices.
(vi) the organization changes combinations and keys periodically; and when keys are lost, combinations are compromised, or individuals are transferred or terminated.
(vii) the access control system is consistent with FIPS 201 and NIST Special Publication 800-73 (where the federal Personal Identity Verification (PIV) credential is used as an identification token and token-based access control is employed).
(viii) the access control system is consistent with NIST Special Publication 800-78 (where the token-based access control function employs cryptographic verification); and
(ix) the access control system is consistent with NIST Special Publication 800-76 (where the token-based access control function employs biometric verification).

General Assessment Questions (PE-4):
Has the institution or department implemented appropriate physical controls to restrict access to, and prevent tampering of, network jacks, wireless access points, and other means of access to the institutional network?

Detailed Control Testing Procedure(s) (PE-4):
Obtain physical and environmental protection policy; procedures addressing access control for transmission medium; information system design documentation; facility communications and wiring diagrams; other relevant documents or records and ascertain if the organization controls physical access to information system distribution and transmission lines within organizational facilities.



Risk Statement Examples (SOA Policy Number / SOA SubSection)

Unauthorized parties gain physical access to facilities due to insufficient physical perimeter controls. (SOA Policy 8260, SubSections 6.2, 6.3)

Physical equipment is compromised due to the lack of protection from environmental threats and hazards. (SOA Policy 8260, SubSection 6.6.1)



Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316

COBIT Reference (Control Objective), PE-3:
[CobiT v5 - High Level Control Objective DSS01; DSS05] Controls have been defined to manage the physical environment to protect IT assets from access, damage or theft.

COBIT Reference (Control Objective), PE-4:
[CobiT v5 - High Level Control Objective DSS01; DSS05] Controls have been defined to manage the physical environment to protect IT assets from access, damage or theft.



Consolidated Control Activities
(See Column AE through AO)

ntrol Guidance

8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] 5.9.1.3 Physical Access Control
control all physical access points (except for those areas within the facility officially designated as publicly accessible) and shall verify individual access authorizations before granting access.

1075] The agency must:


al access authorizations at entry/exit points to facilities where the information systems that receive, process, store, or transmit FTI reside by:
dual access authorizations before granting access to the facility; and
ress/egress to the facility using physical access control systems/devices or guards.
cal access audit logs for entry/exit points;
y safeguards to control access to areas within the facility officially designated as publicly accessible;
and monitor visitor activity;
ombinations, and other physical access devices;
ical access devices; and
nations and keys when an employee who knows the combination retires, terminates employment, or transfers to another position or at least annually.

strict physical access to publicly accessible network jacks. Restrict physical access to wireless access points, gateways, and handheld devices.

implements measures to safeguard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] 5.9.1.4 Access Control for Transmission Medium
control physical access to information system distribution and transmission lines within the physically secure location.

1075] The agency must control physical access within agency facilities.



Associated Requirement Sections

NIST 800-53 Rev.4 - PE-3

CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy

PCI DSS v2.0 - Sec 9.1.2


PCI DSS v2.0 - Sec 9.1.3
HIPAA Security Section - 45 CFR 164.310(C )
NIST 800-53 Rev.4 - PE-4
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services
(CJIS) Security Policy



Req.# / Security Control Family / Control Name / NIST 800-53 Control # / Low [Control and Control Enhancement] / MODERATE [Control and Control Enhancement] / Security Program Area (Function Area -> Functional Sub-Area)

R0096  PHYSICAL AND ENVIRONMENTAL PROTECTION  ACCESS CONTROL FOR OUTPUT DEVICES  PE-5
  Moderate: Required
  Security Program Area: Protect -> Physical and Environmental Protection



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls
Vendor's Response: (Please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented)

The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.






Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why. Please see Risk Statement for examples of Non-Compliance language, Column O)

General Assessment Questions:
Has the institution or department documented and implemented physical safeguards to protect sensitive documents and/or output devices (e.g., special forms, negotiable instruments, special-purpose printers or security tokens)?

Detailed Control Testing Procedure(s):
Obtain physical and environmental protection policy; procedures addressing access control for display medium; facility layout of information system components; actual displays from information system components; other relevant documents or records and ascertain if the organization controls physical access to information system devices that display information to prevent unauthorized individuals from observing the display output.



Risk Statement Examples (SOA Policy Number / SOA SubSection)

Appropriate physical safeguards have not been established to protect sensitive documents and/or output devices. (SOA Policy 8260, SubSection 6.6.3)



Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316

COBIT Reference (Control Objective):
[CobiT v5 - High Level Control Objective DSS01; DSS05; BAI09] Controls have been defined to manage operations through establishment of service levels for scheduled data processing, protecting sensitive output, and monitoring and maintaining infrastructure.



Consolidated Control Activities
(See Column AE through AO)

ntrol Guidance

8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] 5.9.1.5 Access Control for Display Medium
control physical access to information system devices that display CJI and shall position information system devices in such a way as to prevent unauthorized individuals from accessing and viewing CJI.

1075] The agency must control physical access to information system output devices to prevent unauthorized individuals from obtaining the output.
s, copiers, scanners, fax machines, and audio devices are examples of information system output devices.



Associated Requirement Sections

NIST 800-53 Rev.4 - PE-5


CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services
(CJIS) Security Policy



Req.# / Security Control Family / Control Name / NIST 800-53 Control # / Low [Control and Control Enhancement] / MODERATE [Control and Control Enhancement] / Security Program Area (Function Area -> Functional Sub-Area)

R0097  PHYSICAL AND ENVIRONMENTAL PROTECTION  MONITORING PHYSICAL ACCESS  PE-6
  Low: Required; Moderate: Required (1)
  Security Program Area: Protect -> Physical and Environmental Protection



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls
Vendor's Response: (Please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented)

The organization:
a. Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;
b. Reviews physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events
or potential indications of events]; and
c. Coordinates results of reviews and investigations with the organizational incident response capability.

Control Enhancement:
(1) MONITORING PHYSICAL ACCESS | INTRUSION ALARMS / SURVEILLANCE EQUIPMENT
The organization monitors physical intrusion alarms and surveillance equipment.






Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why. Please see Risk Statement for examples of Non-Compliance language, Column O)

General Assessment Questions:
Does the institution or department have in place documented standards and procedures to monitor physical access to offices, rooms, data centers, areas containing information systems, and other facilities based on risk? [Note: monitoring includes review of logs and alerts from physical security systems, monitoring cameras, etc.].

Detailed Control Testing Procedure(s):
Obtain physical and environmental protection policy; procedures addressing physical access monitoring; physical access logs or records; intrusion alarm/surveillance equipment logs or records and ascertain if:
(i) the organization monitors physical access to the information system to detect and respond to physical security incidents.
(ii) the organization monitors real-time intrusion alarms and surveillance equipment.



Risk Statement Examples (SOA Policy Number / SOA SubSection)

Unauthorized parties have inappropriate physical access to all rooms and offices of a facility. (SOA Policy 8260, SubSection 6.4)



Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316

COBIT Reference (Control Objective):
[CobiT v5 - High Level Control Objective DSS01; DSS05] Controls have been defined to manage the physical environment to protect IT assets from access, damage or theft.



Consolidated Control Activities
(See Column AE through AO)

8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] 5.9.1.6 Monitoring Physical Access
monitor physical access to the information system to detect and respond to physical security incidents.

1075] 9.3.11.6 Monitoring Physical Access (PE-6) The agency must:


cal access to the facility where the information system resides to detect and respond to physical security incidents;
al access logs annually;
ults of reviews and investigations with the agency incident response capability; and
cal intrusion alarms and surveillance equipment. (CE1)

1075] 4.5 Physical Security of Computers, Electronic, and Removable Media.


lectronic media that receive, process, store, or transmit FTI must be in a secure area with restricted access. In situations when requirements of a secure area with restricted access cannot be maintained, such as home work sites, remote terminals or other office work sites, the equipm
st level of protection practical, including full disk encryption. All computers and mobile devices that contain FTI and are resident in an alternate work site must employ encryption mechanisms to ensure that this data may not be accessed, if the computer is lost or stolen (see OMB Me
quirements must be met, such as keeping FTI locked up when not in use. When removable media contains FTI, it must be labeled as FTI.
ectronic media, and removable media containing FTI, must be kept in a secured area under the immediate protection and control of an authorized employee or locked up. When not in use, the media must be promptly returned to a proper storage area/container.
s of electronic media must be maintained and reviewed semi-annually for control and accountability. Section 3.0, Record Keeping Requirement, contains additional information. For additional guidance on log retention requirements

1075] 9.3.11.3 Physical Access Control (PE-3)


:
al access authorizations at entry/exit points to facilities where the information systems that receive, process, store, or transmit FTI reside by:
dual access authorizations before granting access to the facility; and
ress/egress to the facility using physical access control systems/devices or guards.
cal access audit logs for entry/exit points;
y safeguards to control access to areas within the facility officially designated as publicly accessible;
and monitor visitor activity;
ombinations, and other physical access devices;
ical access devices; and
nations and keys when an employee who knows the combination retires, terminates employment, or transfers to another position or at least



Associated Requirement Sections

NIST 800-53 Rev.4 - PE-6(1)


CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services
(CJIS) Security Policy



Req.# / Security Control Family / Control Name / NIST 800-53 Control # / Low [Control and Control Enhancement] / MODERATE [Control and Control Enhancement] / Security Program Area (Function Area -> Functional Sub-Area)

R0098  PHYSICAL AND ENVIRONMENTAL PROTECTION  VISITOR ACCESS RECORDS  PE-8
  Low: Required; Moderate: Required
  Security Program Area: Protect -> Physical and Environmental Protection; Protect -> Network Access and Perimeter Controls

R0099  PHYSICAL AND ENVIRONMENTAL PROTECTION  POWER EQUIPMENT AND CABLING  PE-9
  Moderate: Required
  Security Program Area: Protect -> Physical and Environmental Protection; Protect -> Network Access and Perimeter Controls



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls
Vendor's Response: (Please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented)

The organization:
a. Maintains visitor access records to the facility where the information system resides for [Assignment: organization-defined time period]; and
b. Reviews visitor access records [Assignment: organization-defined frequency].

The organization protects power equipment and power cabling for the information system from damage and destruction.






Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why. Please see Risk Statement for examples of Non-Compliance language, Column O)

General Assessment Questions (PE-8):
Does the institution or department have in place documented standards and procedures to log and document visits by guests, review visitor logs periodically, and retain logs in accordance with institutional records retention schedules?

Detailed Control Testing Procedure(s) (PE-8):
Obtain physical and environmental protection policy; procedures addressing facility access records; security plan; facility access control records; other relevant documents or records and ascertain if:
(i) the organization defines in the security plan, explicitly or by reference, the frequency of review for visitor access records;
(ii) the organization maintains visitor access records to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible) that includes:
- name and organization of the person visiting.
- signature of the visitor.
- form of identification.
- date of access.
- time of entry and departure.
- purpose of visit.
- name and organization of person visited.
(iii) designated officials within the organization review the visitor access logs in accordance with organization-defined frequency.

General Assessment Questions (PE-9):
Does the institution or department have policies and procedures for the physical security and protection of information systems, power equipment, and power cabling?

Detailed Control Testing Procedure(s) (PE-9):
Obtain physical and environmental protection policy; procedures addressing power equipment and cabling protection; facility housing power equipment and cabling; other relevant documents or records and ascertain if the organization protects power equipment and power cabling for the information system from damage and destruction.



Risk Statement Examples (SOA Policy Number / SOA SubSection)

Failure to protect facilities through sufficient physical entry controls may result in unauthorized parties accessing the organization's facilities. (SOA Policy 8260, SubSection 6.5)

Unauthorized access to information resources is obtained through tapping into inappropriately exposed cabling infrastructure. (SOA Policy 8260, SubSection 6.6.5)



COBIT Reference (Control Objective) | Arizona Breach Notification A.R.S. § 44-7500 | Arizona Computer tampering A.R.S. § 13-2316

[CobiT v5 - High Level Control Objective DSS01; DSS05] Controls have been defined to manage the physical environment to protect IT assets from access, damage or theft.

[CobiT v5 - High Level Control Objective DSS01; DSS05] Controls have been defined to manage the physical environment to protect IT assets from access, damage or theft.



Consolidated Control Activities
(See Column AE through AO)

ntrol Guidance

8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] 5.9.1.8 Access Records
maintain visitor access records to the physically secure location (except for those areas officially designated as publicly accessible) that includes:
ncy of the visitor.
fication.
.
and departure.
t.
ncy of person visited.
s records shall be maintained for a minimum of one year. Designated officials within the agency shall review the visitor access records frequently for accuracy and completeness.

1075] The agency must:


r access records to the facility where the information system resides; and
access records, at least annually.
4.3, Restricted Area Access, for visitor access (AAL) requirements.

ntrol Guidance



Associated Requirement Sections

NIST 800-53 Rev.4 - PE-8

CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy

NIST 800-53 Rev.4 - PE-9



Req.# | Security Control Family | Control Name | NIST 800-53 Control # | Low / MODERATE [Control and Control Enhancement] | Security Program Area (Function Area -> Functional Sub-Area)

R0100 | PHYSICAL AND ENVIRONMENTAL PROTECTION | EMERGENCY SHUTOFF | PE-10 | MODERATE: Required | Protect -> Physical and Environmental Protection; Protect -> Network Access and Perimeter Controls; Protect -> Business Continuity Risks

R0101 | PHYSICAL AND ENVIRONMENTAL PROTECTION | EMERGENCY POWER | PE-11 | MODERATE: Required | Protect -> Physical and Environmental Protection; Protect -> Network Access and Perimeter Controls



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls | Vendor's Response (Please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented)

The organization:
a. Provides the capability of shutting off power to the information system or individual system components in emergency situations;
b. Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to
facilitate safe and easy access for personnel; and
c. Protects emergency power shutoff capability from unauthorized activation.

The organization provides a short-term uninterruptible power supply to facilitate [Selection (one or more): an orderly shutdown of the
information system; transition of the information system to long-term alternate power] in the event of a primary power source loss.



Overall Control(s) Implementation Status (Reference on Comments Page) | Where does the Control(s) originate from? | Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.) | Vendor's Compensating Controls (if Control or Control enhancement can't be met - what is the alternative security controls or remediation plan employed by organization)

Implementation Status options (one selection per control on this page): Implemented; Partially Implemented; Planned; Alternative Implementation; Not Applicable.
Control origin options (one selection per control on this page): Service Provider Corporate; Service Provider System Specific; Service Provider Hybrid (Corporate and System Specific); Configured by Customer (Customer System Specific); Provided by Customer (Customer System Specific); Shared (Service Provider and Customer Responsibility); Controls inherited by IaaS.



Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why. Please see Risk Statement for examples of Non-Compliance language, Column O) | General Assessment Questions | Detailed Control Testing Procedure(s)

General Assessment Questions: 1) Does the institution or department have in place procedures and controls to safely shut off the power to institutional data centers, server rooms, and other areas containing information systems in case of an emergency? 2) Are controls in place to ensure authorized access and activation?

Detailed Control Testing Procedure(s): Obtain physical and environmental protection policy; procedures addressing power source emergency shutoff; emergency shutoff controls or switches; other relevant documents or records and ascertain if:
(i) the organization identifies the specific locations within a facility containing concentrations of information system resources (e.g., data centers, server rooms, mainframe rooms);
(ii) the organization provides, for specific locations within a facility containing concentrations of information system resources, the capability of shutting off power to any information system component that may be malfunctioning or threatened without endangering personnel by requiring them to approach the equipment.

General Assessment Questions: 1) Does the institution or department have processes and mechanisms in place to facilitate an orderly shutdown of the information system in the event of a primary power source loss? 2) Have they been tested?

Detailed Control Testing Procedure(s): Obtain physical and environmental protection policy; procedures addressing emergency power; uninterruptible power supply documentation; other relevant documents or records and ascertain if the organization provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system in the event of a primary power source loss.



Risk Statement Examples | SOA Policy Number 1 | SOA SubSection 1 | SOA Policy Number 2 | SOA SubSection 2 | SOA Policy Number 3 | SOA SubSection 3 | SOA Policy Number 4 | SOA SubSection 4

Utility outages disrupt business systems. | 8260 | 6.7.1

The lack of adequate plans and operational controls to support power contingency mechanisms may lead to potential disruptions of equipment supporting critical business operations. | 8260 | 6.7.2



COBIT Reference (Control Objective) | Arizona Breach Notification A.R.S. § 44-7500 | Arizona Computer tampering A.R.S. § 13-2316

[CobiT v5 - High Level Control Objective DSS01; DSS05] Controls have been defined to manage the physical environment to protect IT assets from access, damage or theft.

[CobiT v5 - High Level Control Objective DSS01; DSS05] Controls have been defined to manage the physical environment to protect IT assets from access, damage or theft.



Consolidated Control Activities
(See Column AE through AO)

ntrol Guidance

ntrol Guidance



Associated Requirement Sections

NIST 800-53 Rev.4 - PE-10

NIST 800-53 Rev.4 - PE-11



Req.# | Security Control Family | Control Name | NIST 800-53 Control # | Low / MODERATE [Control and Control Enhancement] | Security Program Area (Function Area -> Functional Sub-Area)

R0102 | PHYSICAL AND ENVIRONMENTAL PROTECTION | EMERGENCY LIGHTING | PE-12 | Low: Required; MODERATE: Required | Protect -> Physical and Environmental Protection

R0103 | PHYSICAL AND ENVIRONMENTAL PROTECTION | FIRE PROTECTION | PE-13 | Low: Required; MODERATE: Required (2,3) | Protect -> Physical and Environmental Protection



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls | Vendor's Response (Please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented)

The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage
or disruption and that covers emergency exits and evacuation routes within the facility.

The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an
independent energy source.

Control Enhancement:
(2) FIRE PROTECTION | SUPPRESSION DEVICES / SYSTEMS
The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders].
(3) FIRE PROTECTION | AUTOMATIC FIRE SUPPRESSION
The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.



Overall Control(s) Implementation Status (Reference on Comments Page) | Where does the Control(s) originate from? | Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.) | Vendor's Compensating Controls (if Control or Control enhancement can't be met - what is the alternative security controls or remediation plan employed by organization)

Implementation Status options (one selection per control on this page): Implemented; Partially Implemented; Planned; Alternative Implementation; Not Applicable.
Control origin options (one selection per control on this page): Service Provider Corporate; Service Provider System Specific; Service Provider Hybrid (Corporate and System Specific); Configured by Customer (Customer System Specific); Provided by Customer (Customer System Specific); Shared (Service Provider and Customer Responsibility); Controls inherited by IaaS.



Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why. Please see Risk Statement for examples of Non-Compliance language, Column O) | General Assessment Questions | Detailed Control Testing Procedure(s)

General Assessment Questions: Does the institution or department have in place procedures and controls to ensure redundant power supply to institutional data centers, server rooms, and other areas containing information systems and to provide emergency lighting in the event of an emergency or power outage?

Detailed Control Testing Procedure(s): Obtain physical and environmental protection policy; procedures addressing emergency lighting; emergency lighting documentation; emergency lighting test records; emergency exits and evacuation routes; other relevant documents or records and ascertain if:
(i) the organization employs automatic emergency lighting that activates in the event of a power outage or disruption;
(ii) the organization employs automatic emergency lighting that covers emergency exits and evacuation routes;
(iii) the organization maintains the automatic emergency lighting.

General Assessment Questions: 1) Has the institution or department deployed appropriate fire suppression equipment to protect institutional data centers, server rooms, and other areas containing information systems in the event of a fire? 2) Has staff received training in appropriate response in case of emergencies and use of fire suppression equipment?

Detailed Control Testing Procedure(s): Obtain physical and environmental protection policy; procedures addressing fire protection; fire suppression and detection devices/systems; fire suppression and detection devices/systems documentation; test records of fire suppression and detection devices/systems; facility housing the information system; alarm service level agreements; facility staffing plans; other relevant documents or records and ascertain if:
(i) the organization employs and maintains fire suppression and detection devices/systems that can be activated in the event of a fire;
(ii) the organization employs fire detection devices/systems that, without manual intervention, notify the organization and emergency responders in the event of a fire;
(iii) the organization employs fire suppression devices/systems that provide automatic notification of any activation to the organization and emergency responders;
(iv) the organization employs an automatic fire suppression capability in facilities that are not staffed on a continuous basis.



Risk Statement Examples | SOA Policy Number 1 | SOA SubSection 1 | SOA Policy Number 2 | SOA SubSection 2 | SOA Policy Number 3 | SOA SubSection 3 | SOA Policy Number 4 | SOA SubSection 4

The lack of automatic emergency lighting during power outage or disruption may potentially disrupt continuity of business functions. | 8260 | 6.8

External and/or environmental threats (e.g., fire, flood, earthquake, civil unrest) disrupt operations due to inadequate physical security controls. | 8260 | 6.9



COBIT Reference (Control Objective) | Arizona Breach Notification A.R.S. § 44-7500 | Arizona Computer tampering A.R.S. § 13-2316

[CobiT v5 - High Level Control Objective DSS01; DSS05] Controls have been defined to manage the physical environment to protect IT assets from access, damage or theft.

[CobiT v5 - High Level Control Objective DSS01; DSS05] Controls have been defined to manage the physical environment to protect IT assets from access, damage or theft.



Consolidated Control Activities
(See Column AE through AO)

ntrol Guidance

ntrol Guidance



Associated Requirement Sections

NIST 800-53 Rev.4 - PE-12

NIST 800-53 Rev.4 - PE-13 (3)



Req.# | Security Control Family | Control Name | NIST 800-53 Control # | Low / MODERATE [Control and Control Enhancement] | Security Program Area (Function Area -> Functional Sub-Area)

R0104 | PHYSICAL AND ENVIRONMENTAL PROTECTION | TEMPERATURE AND HUMIDITY CONTROLS | PE-14 | Low: Required; MODERATE: Required (2) | Protect -> Physical and Environmental Protection

R0105 | PHYSICAL AND ENVIRONMENTAL PROTECTION | WATER DAMAGE PROTECTION | PE-15 | Low: Required; MODERATE: Required | Protect -> Physical and Environmental Protection



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls | Vendor's Response (Please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented)

The organization:
a. Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined
acceptable levels]; and
b. Monitors temperature and humidity levels [Assignment: organization-defined frequency].

Control Enhancement:
(2) TEMPERATURE AND HUMIDITY CONTROLS | MONITORING WITH ALARMS / NOTIFICATIONS
The organization employs temperature and humidity monitoring that provides an alarm or
notification of changes potentially harmful to personnel or equipment.

The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that
are accessible, working properly, and known to key personnel.



Overall Control(s) Implementation Status (Reference on Comments Page) | Where does the Control(s) originate from? | Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.) | Vendor's Compensating Controls (if Control or Control enhancement can't be met - what is the alternative security controls or remediation plan employed by organization)

Implementation Status options (one selection per control on this page): Implemented; Partially Implemented; Planned; Alternative Implementation; Not Applicable.
Control origin options (one selection per control on this page): Service Provider Corporate; Service Provider System Specific; Service Provider Hybrid (Corporate and System Specific); Configured by Customer (Customer System Specific); Provided by Customer (Customer System Specific); Shared (Service Provider and Customer Responsibility); Controls inherited by IaaS.



Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why. Please see Risk Statement for examples of Non-Compliance language, Column O) | General Assessment Questions | Detailed Control Testing Procedure(s)

General Assessment Questions: Does the institution or department have temperature and humidity controls to monitor and maintain acceptable temperature and humidity levels in institutional data centers, server rooms, and other areas containing information systems?

Detailed Control Testing Procedure(s): Obtain physical and environmental protection policy; procedures addressing temperature and humidity control; facility housing the information system; temperature and humidity controls; temperature and humidity controls documentation; temperature and humidity records; other relevant documents or records and ascertain if:
(i) the organization regularly maintains, within acceptable levels, the temperature and humidity within the facility where the information system resides;
(ii) the organization regularly monitors the temperature and humidity within the facility where the information system resides.

General Assessment Questions: Does the institution or department have documented processes and mechanisms to: i) detect water leakage within institutional data centers, server rooms, and other areas containing information systems; ii) use water shutoff valves to prevent water damage in institutional data centers, server rooms, and other areas containing information systems in the event of water leakage; and iii) perform periodic checks of the accessibility and functioning of shutoff valves?

Detailed Control Testing Procedure(s): Obtain physical and environmental protection policy; procedures addressing water damage protection; facility housing the information system; master shutoff valves; list of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system; master shutoff valve documentation; other relevant documents or records and ascertain if:
(i) the organization protects the information system from water damage resulting from broken plumbing lines or other sources of water leakage by providing master shutoff valves that are accessible and working properly;
(ii) key personnel within the organization have knowledge of the master water shutoff valves.



Risk Statement Examples | SOA Policy Number 1 | SOA SubSection 1 | SOA Policy Number 2 | SOA SubSection 2 | SOA Policy Number 3 | SOA SubSection 3 | SOA Policy Number 4 | SOA SubSection 4

External and/or environmental threats (e.g., fire, flood, earthquake, civil unrest) disrupt operations due to inadequate physical security controls. | 8260 | 6.10

Information systems are compromised due to the lack of protection from environmental threats and hazards. | 8260 | 6.11



COBIT Reference (Control Objective) | Arizona Breach Notification A.R.S. § 44-7500 | Arizona Computer tampering A.R.S. § 13-2316

[CobiT v5 - High Level Control Objective DSS01; DSS05] Controls have been defined to manage the physical environment to protect IT assets from access, damage or theft.

[CobiT v5 - High Level Control Objective DSS01; DSS05] Controls have been defined to manage the physical environment to protect IT assets from access, damage or theft.



Consolidated Control Activities
(See Column AE through AO)

ntrol Guidance

ntrol Guidance



Associated Requirement Sections

NIST 800-53 Rev.4 - PE-14

NIST 800-53 Rev.4 - PE-15



Req.# | Security Control Family | Control Name | NIST 800-53 Control # | Low / MODERATE [Control and Control Enhancement] | Security Program Area (Function Area -> Functional Sub-Area)

R0106 | PHYSICAL AND ENVIRONMENTAL PROTECTION | DELIVERY AND REMOVAL | PE-16 | Low: Required; MODERATE: Required | Protect -> Physical and Environmental Protection

R0107 | PHYSICAL AND ENVIRONMENTAL PROTECTION | ALTERNATE WORK SITE | PE-17 | MODERATE: Required | Protect -> Contingency Planning



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls | Vendor's Response (Please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented)

The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and
exiting the facility and maintains records of those items.

The organization:
a. Employs [Assignment: organization-defined security controls] at alternate work sites;
b. Assesses as feasible, the effectiveness of security controls at alternate work sites; and
c. Provides a means for employees to communicate with information security personnel in case of security incidents or problems.



Overall Control(s) Implementation Status (Reference on Comments Page) | Where does the Control(s) originate from? | Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.) | Vendor's Compensating Controls (if Control or Control enhancement can't be met - what is the alternative security controls or remediation plan employed by organization)

Implementation Status options (one selection per control on this page): Implemented; Partially Implemented; Planned; Alternative Implementation; Not Applicable.
Control origin options (one selection per control on this page): Service Provider Corporate; Service Provider System Specific; Service Provider Hybrid (Corporate and System Specific); Configured by Customer (Customer System Specific); Provided by Customer (Customer System Specific); Shared (Service Provider and Customer Responsibility); Controls inherited by IaaS.



Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why. Please see Risk Statement for examples of Non-Compliance language, Column O) | General Assessment Questions | Detailed Control Testing Procedure(s)

General Assessment Questions: Has the institution or department assessed whether physical security to sensitive areas (e.g., data center, server room, student or patient records room, etc.) can be circumvented?

Detailed Control Testing Procedure(s): Obtain physical and environmental protection policy; procedures addressing delivery and removal of information system components from the facility; facility housing the information system; records of items entering and exiting the facility; other relevant documents or records and ascertain if:
(i) the organization authorizes and controls information system-related items (i.e., hardware, firmware, software) entering and exiting the facility;
(ii) the organization maintains appropriate records of items entering and exiting the facility.

General Assessment Questions: Has the institution or department documented and implemented policies for physical security requirements for alternative worksites (e.g., DR recovery site)?

Detailed Control Testing Procedure(s): Obtain physical and environmental protection policy; procedures addressing alternate work sites for organizational personnel; list of management, operational, and technical security controls required for alternate work sites; other relevant documents or records and ascertain if the organization employs appropriate management, operational, and technical information system security controls at alternate work sites.



Risk Statement Examples | SOA Policy Number 1 | SOA SubSection 1 | SOA Policy Number 2 | SOA SubSection 2 | SOA Policy Number 3 | SOA SubSection 3 | SOA Policy Number 4 | SOA SubSection 4

Unauthorized parties gain physical access to critical or sensitive information processing facilities due to inadequate physical security policies and standards. | 8260 | 6.12

Unauthorized parties gain physical access to critical or sensitive information processing facilities due to inadequate physical security policies and standards. | 8260 | 6.13



COBIT Reference (Control Objective) | Arizona Breach Notification A.R.S. § 44-7500 | Arizona Computer tampering A.R.S. § 13-2316

[CobiT v5 - High Level Control Objective DSS01; DSS05] Controls have been defined to manage the physical environment to protect IT assets from access, damage or theft.

[CobiT v5 - High Level Control Objective DSS04] Controls have been defined to ensure continuous service by building resilience into automated solutions and developing, maintaining and testing IT continuity plans.



Consolidated Control Activities
(See Column AE through AO)

establishes and implements procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.

8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] 5.9.1.9 Delivery and Removal
authorize and control information system-related items entering and exiting the physically secure location.

1075] The agency must authorize, monitor, and control information system components entering and exiting the facility and maintain records of those items.

A BCM exercise program exists to provide objective assurance that the BCP will work as anticipated when required.

1075] The agency must:


of Safeguards requirements at alternate work sites;
ible, the effectiveness of security controls at alternate work sites; and
ns for employees to communicate with information security personnel in case of security incidents or problems. Alternate work sites may include, for example, government facilities or private residences of employees (see Section 4.7, Telework Locations, for additional requirements).



Associated Requirement Sections

HIPAA Security Section - 45 CFR 164.310(a)(1)
NIST 800-53 Rev.4 - PE-16
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy

HIPAA Security Section - 45 CFR 164.308(a)(7)(ii)(D)
NIST 800-53 Rev.4 - PE-17



Req.# | Security Control Family | Control Name | NIST 800-53 Control # | Low / MODERATE [Control and Control Enhancement] | Security Program Area (Function Area -> Functional Sub-Area)

R0108 | PLANNING | SECURITY PLANNING POLICY AND PROCEDURES | PL-1 | Low: Required; MODERATE: Required | Identify -> Enterprise Security Policy, Standards and Guidelines



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls | Vendor's Response (Please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented)

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational
entities, and compliance; and
2. Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and
b. Reviews and updates the current:
1. Security planning policy [Assignment: organization-defined frequency]; and
2. Security planning procedures [Assignment: organization-defined frequency].



Overall Control(s) Implementation Status (Reference on Comments Page) | Where does the Control(s) originate from? | Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.) | Vendor's Compensating Controls (if Control or Control enhancement can't be met - what is the alternative security controls or remediation plan employed by organization)

Implementation Status options: Implemented; Partially Implemented; Planned; Alternative Implementation; Not Applicable.
Control origin options: Service Provider Corporate; Service Provider System Specific; Service Provider Hybrid (Corporate and System Specific); Configured by Customer (Customer System Specific); Provided by Customer (Customer System Specific); Shared (Service Provider and Customer Responsibility); Controls inherited by IaaS.



Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why. Please see Risk Statement for examples of Non-Compliance language, Column O) | General Assessment Questions | Detailed Control Testing Procedure(s)

General Assessment Questions: Does the institution or department have a process in place to periodically identify and review information security mission, purpose, roles, scope, responsibilities, skills, key initiatives, etc.?

Detailed Control Testing Procedure(s): Obtain security planning policy and procedures; other relevant documents or records and ascertain if:
(i) the organization develops and documents security planning policy and procedures;
(ii) the organization disseminates security planning policy and procedures to appropriate elements within the organization;
(iii) responsible parties within the organization periodically review security planning policy and procedures;
(iv) the organization updates security planning policy and procedures when organizational review indicates updates are required;
(v) the security planning policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance;
(vi) the security planning policy is consistent with the organization's mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance;
(vii) the security planning procedures address all areas identified in the security planning policy and address achieving policy-compliant implementations of all associated security planning controls.

Risk Statement Examples: Information security is not defined in a framework within the organizational environment.
SOA Policy Number 1: 8120; SOA SubSection 1: 6.2

COBIT Reference (Control Objective): [CobiT v5 - High Level Control Objective EDM03; AP001] Controls have been defined to communicate management aims and direction through providing accurate, understandable and approved policies, procedures, guidelines and other documentation to stakeholders, embedded in an IT control framework.
Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316

Consolidated Control Activities
(See Column AE through AO)

nal Rights and Privacy Act Regulations] If an educational agency or institution determines that it cannot comply with the Act or this part, due to a conflict with State or local law, procedures are established to notify the Office within 45 days, giving the text and citation of the conflicting

nal Rights and Privacy Act Regulations] Procedures are in place to give full access rights of students information to either parent, unless it has been provided with evidence that there is a court order, State statute, or legally binding document that specifically revokes these rights

nal Rights and Privacy Act Regulations] Process are in place to transfer rights from the parents to the student, when a student becomes an eligible student.

nal Rights and Privacy Act Regulations] Procedures are established to disclose student's education records, only after the parent or eligible student provides a signed and dated written consent and only after the removal of all personally identifiable information.

nal Rights and Privacy Act Regulations] Procedures are established to disclose personally identifiable information from an education record, only on the condition that the party to whom the information is disclosed, will not disclose the information to any other party, without the prio
student.

nal Rights and Privacy Act Regulations] Procedures are established to disclose education records to another educational agency or institution, only after notifying the parent or eligible student.

nal Rights and Privacy Act Regulations] Procedures are established to disclose education records to authorized representatives, in connection with an audit or evaluation of Federal or State supported education programs, or for the enforcement of or compliance with Federal legal req

nal Rights and Privacy Act Regulations] Procedures are established to disclose personally identifiable information from an education record to appropriate parties, in connection with an emergency, only if knowledge of the information is necessary to protect the health or safety of the

nal Rights and Privacy Act Regulations] Procedures are established to disclose directory information, only after giving a public notice to parents of students in attendance and eligible students in attendance at the agency or institution.

nal Rights and Privacy Act Regulations] Procedures are established to disclose education records, only if reporting or disclosure is allowed by State statute concerns the juvenile justice system.

The mechanisms leveraged to communicate policy throughout the organization to users in a form that is relevant, accessible and understandable.

environment, the information security policy is reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment [PCI DSS v2.0].

1075] The agency must:


ment, and disseminate to designated agency officials:
ning policy that addresses purpose, scope, roles,
management commitment, coordination among agency entities, and compliance; and
facilitate the implementation of the security planning policy and associated security planning controls; and
date the current:
ng policy every three years; and
ng procedures at least annually.

Associated Requirement Sections

PCI DSS v2.0 - Sec 12.1.3
Family Educational Rights and Privacy Act Regulations Sec - § 99.61
Family Educational Rights and Privacy Act Regulations Sec - § 99.8 (2)
HIPAA Security Section - 45 CFR 164.310(d)(2)(i)
HIPAA Security Section - 45 CFR 164.310(d)(2)(ii)
NIST 800-53 Rev.4 - PL-1

R0109 | PLANNING | SYSTEM SECURITY PLAN | PL-2 | NIST Low: Required | MODERATE: Required (3) | Security Program Area: Identify -> Enterprise Security Policy, Standards and Guidelines


The organization:
a. Develops a security plan for the information system that:
1. Is consistent with the organization’s enterprise architecture;
2. Explicitly defines the authorization boundary for the system;
3. Describes the operational context of the information system in terms of missions and business processes;
4. Provides the security categorization of the information system including supporting rationale;
5. Describes the operational environment for the information system and relationships with or connections to other information systems;
6. Provides an overview of the security requirements for the system;
7. Identifies any relevant overlays, if applicable;
8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplementation
decisions; and
9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or
roles];
c. Reviews the security plan for the information system [Assignment: organization-defined frequency];
d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation
or security control assessments; and
e. Protects the security plan from unauthorized disclosure and modification.

Control Enhancement:
(3) SYSTEM SECURITY PLAN | PLAN / COORDINATE WITH OTHER ORGANIZATIONAL ENTITIES
The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined
individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities.

Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why. Please see Risk Statement for examples of Non-Compliance language, Column O.)

General Assessment Questions: Does the institution or department develop and maintain an information security plan for the information system(s) that includes, but is not limited to:
i) Description of the system environment and business processes
ii) Interfaces and data flow
iii) System classification based on type of information and business process supported
iv) Security controls designed, configured, and implemented
[Note: these may be maintained in an asset register that has details of the information system]

Detailed Control Testing Procedure(s): Obtain security planning policy; procedures addressing security plan development and implementation; NIST Special Publication 800-18; security plan for the information system; other relevant documents or records and ascertain if:
(i) the organization develops and implements a security plan for the information system.
(ii) the security plan provides an overview of the security requirements for the information system and a description of the security controls planned or in place for meeting the security requirements.
(iii) the organization defines in the security plan, explicitly or by reference, the values for all organization-defined parameters (i.e., assignment and selection operations) in applicable security controls and control enhancements.
(iv) the security plan development is consistent with NIST Special Publication 800-18.
(v) the security plan is consistent with the organization’s information system architecture and information security architecture.
(vi) designated organizational officials review and approve the security plan.

Risk Statement Examples: Management does not have a documented security plan.
SOA Policy Number 1: 8120; SOA SubSection 1: 6.1.1

COBIT Reference (Control Objective): [CobiT v5 - High Level Control Objective AP001; AP001; AP007; AP011] Controls have been established for defining the IT processes, organization and relationships to be responsive to business strategy and comply with governance requirements.
Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316

Consolidated Control Activities
(See Column AE through AO)

includes safeguards to protect personal information from loss, misuse, unauthorized access, disclosure, alteration, and destruction. [AICPA/CICA Generally Accepted Privacy Principles]

1075] An approved and accurate SSR satisfies the requirements for the SSP (see Section 7.0, Reporting Requirements—6103(p)(4)(E)).
:
R to include information systems that:
ith the agency’s safeguarding requirements;
es the information systems that receive, process, store, or transmit FTI;
operational context of the information system in terms of missions and business processes;
operational environment for the information system and relationships with or connections to other information systems;
erview of the security requirements for the system;
elevant overlays, if applicable;
security controls in place or planned for meeting those requirements, including a rationale for the tailoring and supplementation decisions; and
d approved by the authorizing official or designated representative prior to plan implementation.
es of the SSR and communicate subsequent changes to the SSR to designated agency officials and the Office of Safeguards;
R for the information system on an annual basis;
R to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and
R from unauthorized disclosure and modification.

Associated Requirement Sections

Computer Security Act of 1987 – Public Law 100-235 (H.R. 145) - Sec. 6(b)
Computer Security Act of 1987 – Public Law 100-235 (H.R. 145) - V. Section 6
NIST 800-53 Rev.4 - PL-2 (3)

R0110 | PLANNING | RULES OF BEHAVIOR | PL-4 | NIST Low: Required | MODERATE: Required (1) | Security Program Area: Identify -> Data Classification; Protect -> Media

R0111 | PLANNING | INFORMATION SECURITY ARCHITECTURE | PL-8 | Baseline: Required | Security Program Area: Protect -> Enterprise Architecture, Roadmap & Emerging Technology


The organization:
a. Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities
and expected behavior with regard to information and information system usage;
b. Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of
behavior, before authorizing access to information and the information system;
c. Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and
d. Requires individuals who have signed a previous version of the rules of behavior to read and resign when the rules of behavior are
revised/updated.

Control Enhancement:
(1) RULES OF BEHAVIOR | SOCIAL MEDIA AND NETWORKING RESTRICTIONS
The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and posting organizational
information on public websites.

The organization:
a. Develops an information security architecture for the information system that:
1. Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and
availability of organizational information;
2. Describes how the information security architecture is integrated into and supports the enterprise architecture; and
3. Describes any information security assumptions about, and dependencies on, external services;
b. Reviews and updates the information security architecture [Assignment: organization-defined frequency] to reflect updates in the enterprise
architecture; and
c. Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations
(CONOPS), and organizational procurements/acquisitions.

Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why. Please see Risk Statement for examples of Non-Compliance language, Column O.)

General Assessment Questions (PL-4):
1) Does the institution or department have a documented acceptable use policy relating to system usage and responsibilities for security that includes specific considerations for certain types of technologies such as PDAs, laptops, email, etc. and that is effectively communicated to faculty, staff, and other users?
2) Does the institution or department have a mechanism to validate whether the acceptable use policy has been read and acknowledged (e.g., signature from personnel confirming rules of behavior)?

Detailed Control Testing Procedure(s) (PL-4): Obtain security planning policy; procedures addressing rules of behavior for information system users; NIST Special Publication 800-18; rules of behavior; other relevant documents or records and ascertain if:
(i) the organization establishes a set of rules that describe user responsibilities and expected behavior with regard to information and information system usage.
(ii) the organization makes the rules available to all information system users.
(iii) the rules of behavior for organizational personnel are consistent with NIST Special Publication 800-18.
(iv) the organization receives a signed acknowledgement from users indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to the information system and its resident information.

General Assessment Questions (PL-8):
1) Does the institution or department have documented policies and procedures on information security architecture?
2) Does the institution or department review and update the information security architecture on a periodic basis and align it with the enterprise architecture?

Detailed Control Testing Procedure(s) (PL-8): Obtain policies and procedures addressing information security architecture and ascertain if:
(i) the documentation describes the requirements and approach to protect confidentiality, integrity and availability of organizational information;
(ii) the documentation describes the integration with the enterprise architecture;
(iii) the documentation describes assumptions about and dependencies on external services;
(iv) the information security architecture is reviewed and updated at an appropriate frequency to reflect updates to enterprise architecture; and
(v) the changes in information security architecture are reflected in the security plan, CONOPS and organizational procurements/acquisitions.

Risk Statement Examples (PL-4): Improper use of information or assets occurs inside an information processing facility.
SOA Policy Number 1: 8280; SOA SubSection 1: 6.1 - 6.7.1; SOA Policy Number 2: 8120; SOA SubSection 2: 6.2

Risk Statement Examples (PL-8): The lack of establishing an enterprise information model may result in application development and decision-supporting activities that are inconsistent with IT plans.
SOA Policy Number 1: 8120; SOA SubSection 1: 6.1.2

COBIT Reference (Control Objective) (PL-4): [CobiT v5 - High Level Control Objective DSS01; DSS04; DSS05; DSS06] Controls have been defined to manage data by maintaining the completeness, accuracy, availability and protection of data.
COBIT Reference (Control Objective) (PL-8): [CobiT v5 - High Level Control Objective AP001; AP007; AP011] Controls have been established for defining the IT processes, organization and relationships to be responsive to business strategy and comply with governance requirements.
Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316

Consolidated Control Activities
(See Column AE through AO)

ect to PCI requirements, develop usage policies (for example, remote- access technologies, wireless technologies, removable electronic media, laptops, tablets, personal data/digital assistants (PDAs), e-mail usage and Internet usage) and define proper use of these technologies. Ensur
he following:
al by authorized parties
for use of the technology
h devices and personnel with access
vices to determine owner, contact information and purpose
es of the technology
twork locations for the technologies
ny-approved products
sconnect of sessions for remote-access technologies after a specific period of inactivity
emote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use

1075] The agency must:


make readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;
ed acknowledgement from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;
date the rules of behavior;
duals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated; and
rules of behavior, explicit restrictions on the use of social media/networking sites and posting agency information on public websites—the Office of Safeguards prohibits sharing FTI using any social media/networking sites. (CE1)

ntrol Guidance

Associated Requirement Sections

PCI DSS v2.0 - Sec 12.3


PCI DSS v2.0 - Sec 12.3.1
PCI DSS v2.0 - Sec 12.3.10
PCI DSS v2.0 - Sec 12.3.2
PCI DSS v2.0 - Sec 12.3.3
PCI DSS v2.0 - Sec 12.3.4
PCI DSS v2.0 - Sec 12.3.5
PCI DSS v2.0 - Sec 12.3.6
PCI DSS v2.0 - Sec 12.3.7
PCI DSS v2.0 - Sec 12.3.8
PCI DSS v2.0 - Sec 12.3.9
NIST 800-53 Rev.4 - PL-4 (1)

NIST 800-53 Rev.4 - PL-8

R0112 | PERSONNEL SECURITY | PERSONNEL SECURITY POLICY AND PROCEDURES | PS-1 | NIST Low: Required | MODERATE: Required | Security Program Area: Protect -> Personnel Security

R0113 | PERSONNEL SECURITY | POSITION RISK DESIGNATION | PS-2 | NIST Low: Required | MODERATE: Required | Security Program Area: Protect -> Personnel Security


The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among
organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and
b. Reviews and updates the current:
1. Personnel security policy [Assignment: organization-defined frequency]; and
2. Personnel security procedures [Assignment: organization-defined frequency].

The organization:
a. Assigns a risk designation to all organizational positions;
b. Establishes screening criteria for individuals filling those positions; and
c. Reviews and updates position risk designations [Assignment: organization-defined frequency].

Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why. Please see Risk Statement for examples of Non-Compliance language, Column O.)

General Assessment Questions (PS-1): Does the institution or department have a documented policy and supporting processes for addressing staff background and other checks needed based on the role of the individual at the institution?

Detailed Control Testing Procedure(s) (PS-1): Obtain personnel security policy and procedures, other relevant documents or records and ascertain if:
(i) the organization develops and documents personnel security policy and procedures.
(ii) the organization disseminates personnel security policy and procedures to appropriate elements within the organization.
(iii) responsible parties within the organization periodically review personnel security policy and procedures.
(iv) the organization updates personnel security policy and procedures when organizational review indicates updates are required.
(v) the personnel security policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
(vi) the personnel security policy is consistent with the organization’s mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance.
(vii) the personnel security procedures address all areas identified in the personnel security policy and address achieving policy-compliant implementations of all associated personnel security controls.

General Assessment Questions (PS-2): Has the institution or department identified and classified personnel positions based on risk category?
[Note: the context for classifying positions by risk level is to identify and enforce background checks and other controls due to the higher risk position, e.g., a security administrator with "keys" to the "kingdom" has a higher risk profile and may require higher due diligence than a janitor for instance.]

Detailed Control Testing Procedure(s) (PS-2): Obtain personnel security policy; procedures addressing position categorization; appropriate codes of federal regulations; OPM policy and guidance; list of risk designations for organizational positions; security plan; records of risk designation reviews and updates; other relevant documents or records and ascertain if:
(i) the organization assigns a risk designation to all positions within the organization.
(ii) the organization establishes screening criteria for individuals filling organizational positions.
(iii) the risk designations for the organizational positions are consistent with 5 CFR 731.106(a) and OPM policy and guidance.
(iv) the organization defines in the security plan, explicitly or by reference, the frequency of risk designation reviews and updates for organizational positions.
(v) the organization reviews and revises position risk designations in accordance with the organization-defined frequency.

Risk Statement Examples (PS-1): Employees, contractors and third party users do not maintain their security responsibilities.
SOA Policy Number 1: 8120; SOA SubSection 1: 6.2; SOA Policy Number 2: 8270; SOA SubSection 2: 6.1 - 6.9

Risk Statement Examples (PS-2): Security roles and responsibilities are not defined and clearly communicated to job candidates during the pre-employment process.
SOA Policy Number 1: 8270; SOA SubSection 1: 6.1

COBIT Reference (Control Objective) (PS-1): [CobiT v5 - High Level Control Objective AP007; AP001] Controls have been defined for the management of IT human resources.
COBIT Reference (Control Objective) (PS-2): [CobiT v5 - High Level Control Objective AP007; AP001] Controls have been defined for the management of IT human resources.
Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316

Consolidated Control Activities
(See Column AE through AO)

ols have been defined for the management of IT human resources.

1075] The agency must:


ment, and disseminate to designated agency officials:
curity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among agency entities, and compliance; and
facilitate the implementation of the personnel security policy and associated personnel security controls; and
date the current:
urity policy every three years; and
urity procedures at least annually.

] For MA 201 CMR 1700 covered personal data, one or more individuals have been designated to maintain a comprehensive information security program.

1075]
:
esignation to all agency positions;
ning criteria for individuals filling those positions; and
date position risk designations annually.

Associated Requirement Sections

NIST 800-53 Rev.4 - PS-1

PCI DSS v2.0 - Sec 12.5


PCI DSS v2.0 - Sec 12.5.1
PCI DSS v2.0 - Sec 12.5.2
PCI DSS v2.0 - Sec 12.5.3
PCI DSS v2.0 - Sec 12.5.4
PCI DSS v2.0 - Sec 12.5.5
NIST 800-53 Rev.4 - PS-2

R0114 | PERSONNEL SECURITY | PERSONNEL SCREENING | PS-3 | NIST Low: Required | MODERATE: Required (3) | Security Program Area: Protect -> Personnel Security

R0115 | PERSONNEL SECURITY | PERSONNEL TERMINATION | PS-4 | NIST Low: Required | MODERATE: Required | Security Program Area: Protect -> Personnel Security

R0116 | PERSONNEL SECURITY | PERSONNEL TRANSFER | PS-5 | NIST Low: Required | MODERATE: Required | Security Program Area: Protect -> Personnel Security



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls | Vendor's Response (Please address all the controls and control enhancements, then describe if the controls are Implemented, Partially Implemented or Not Implemented)

The organization:
a. Screens individuals prior to authorizing access to the information system; and
b. Rescreens individuals according to [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated,
the frequency of such rescreening].

Control Enhancement:
(3) PERSONNEL SCREENING | INFORMATION WITH SPECIAL PROTECTION MEASURES
The organization ensures that individuals accessing an information system processing, storing, or
transmitting information requiring special protection:
(a) Have valid access authorizations that are demonstrated by assigned official government
duties; and
(b) Satisfy [Assignment: organization-defined additional personnel screening criteria]

The organization, upon termination of individual employment:
a. Disables information system access within [Assignment: organization-defined time period];
b. Terminates/revokes any authenticators/credentials associated with the individual;
c. Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics];
d. Retrieves all security-related organizational information system-related property;
e. Retains access to organizational information and information systems formerly controlled by terminated individual; and
f. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].

The organization:
a. Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when
individuals are reassigned or transferred to other positions within the organization;
b. Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following
the formal transfer action];
c. Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and
d. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].



Overall Control(s) Implementation Status (Reference on Comments Page) | Where does the Control(s) originate from? | Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.) | Vendor's Compensating Controls (if Control or Control enhancement can't be met - what is the alternative security controls or remediation plan employed by organization)

Implementation Status options (each row): Implemented; Partially Implemented; Planned; Alternative Implementation; Not Applicable
Control origination options (each row): Service Provider Corporate; Service Provider System Specific; Service Provider Hybrid (Corporate and System Specific); Configured by Customer (Customer System Specific); Provided by Customer (Customer System Specific); Shared (Service Provider and Customer Responsibility); Controls inherited by IaaS



Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why; please see Risk Statement for examples of Non-Compliance language, Column O) | General Assessment Questions | Detailed Control Testing Procedure(s)

General Assessment Questions (PS-3):
1) Does the institution or department have implemented processes that require Human Resources to screen potential employees and contractors prior to being hired in order to minimize the risk of attacks from internal sources?
2) Do employees or contractors in high risk job roles require periodic re-screening?

Detailed Control Testing Procedure(s) (PS-3):
Obtain personnel security policy; procedures addressing personnel screening; records of screened personnel; FIPS 201; NIST Special Publications 800-73, 800-76, and 800-78; other relevant documents or records and ascertain if:
(i) the organization screens individuals requiring access to organizational information and information systems prior to authorizing access.
(ii) the personnel screening is consistent with 5 CFR 731.106, OPM policy, regulations, and guidance, FIPS 201 and NIST Special Publications 800-73, 800-76, and 800-78, and the criteria established for the risk designation for the assigned position.

General Assessment Questions (PS-4):
Does the institution or department have documented policies and supporting processes in place to:
i) promptly revoke/disable access of employees, contractors, etc., upon termination; and
ii) retrieve all security-related institutional information and system-related property (e.g., institutionally provided laptops, PDAs, access cards, keys, etc.)?

Detailed Control Testing Procedure(s) (PS-4):
Obtain personnel security policy; procedures addressing personnel termination; records of personnel termination actions; list of information system accounts; other relevant documents or records and ascertain if:
(i) the organization terminates information system access upon termination of individual employment.
(ii) the organization conducts exit interviews of terminated personnel.
(iii) the organization retrieves all organizational information system-related property from terminated personnel.
(iv) the organization retains access to official documents and records on organizational information systems created by terminated personnel.

General Assessment Questions (PS-5):
Does the institution or department have processes in place to timely update access to information resources and facilities due to changes in role of the employee or contractor?

Detailed Control Testing Procedure(s) (PS-5):
Obtain personnel security policy; procedures addressing personnel transfer; records of personnel transfer actions; list of information system and facility access authorizations; other relevant documents or records and ascertain if:
(i) the organization reviews information systems/facilities access authorizations when personnel are reassigned or transferred to other positions within the organization.
(ii) the organization initiates appropriate actions (e.g., reissuing keys, identification cards, building passes; closing old accounts and establishing new accounts; and changing system access authorization) for personnel reassigned or transferred within the organization.



Risk Statement Examples | SOA Policy Number 1 | SOA SubSection 1 | SOA Policy Number 2 | SOA SubSection 2 | SOA Policy Number 3 | SOA SubSection 3 | SOA Policy Number 4 | SOA SubSection 4

Employees, contractors and third party users breach security due to lack of management. | 8270 | 6.3

Security breaches occur during employment terminations or changes due to lack of defined management responsibilities for these situations. | 8270 | 6.4

Employee, contractor or third party user terminations or change of responsibilities could result in a security breach due to lack of a defined management process for terminations or changes in responsibilities. | 8270 | 6.5



COBIT Reference (Control Objective) | Arizona Breach Notification: A.R.S. § 44-7500 | Arizona Computer tampering: A.R.S. § 13-2316

[CobiT v5 - High Level Control Objective AP007; AP001] Controls have been defined for the management of IT human resources.

[CobiT v5 - High Level Control Objective AP007; AP001] Controls have been defined for the management of IT human resources.

[CobiT v5 - High Level Control Objective AP007; AP001] Controls have been defined for the management of IT human resources.



Consolidated Control Activities
(See Column AE through AO)

Controls have been defined for the management of IT human resources.

1075] The agency must:
a. Screen individuals prior to authorizing access to the information system; and
b. Rescreen individuals according to agency-defined conditions requiring rescreening.

Control Guidance

1075] The agency, upon termination of individual employment must:
a. Disable information system access;
b. Terminate/revoke any authenticators/credentials associated with the individual;
c. Conduct exit interviews, as needed;
d. Retrieve all security-related agency information system–related property;
e. Retain access to agency information and information systems formerly controlled by the terminated individual; and
f. Notify designated agency personnel upon termination of the employee.

Control Guidance

1075] The agency must:
a. Review and confirm ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the agency;
b. Initiate transfer or reassignment actions following the formal transfer action;
c. Modify access authorizations as needed to correspond with any changes in operational need due to reassignment or transfer; and
d. Notify designated agency personnel, as required.



Associated Requirement Sections

PCI DSS v2.0 - Sec 12.7


NIST 800-53 Rev.4 - PS-3

NIST 800-53 Rev.4 - PS-4

NIST 800-53 Rev.4 - PS-5



Req.# | Security Control Family | Control Name | NIST 800-53 Control # | Low [Control and Control Enhancement] | MODERATE [Control and Control Enhancement] | Security Program Area (Function Area -> Functional Sub-Area)
R0117 | PERSONNEL SECURITY | ACCESS AGREEMENTS | PS-6 | Required | Required | Protect -> Personnel Security
R0118 | PERSONNEL SECURITY | THIRD-PARTY PERSONNEL SECURITY | PS-7 | Required | Required | Protect -> Personnel Security



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls | Vendor's Response (Please address all the controls and control enhancements, then describe if the controls are Implemented, Partially Implemented or Not Implemented)

The organization:
a. Develops and documents access agreements for organizational information systems;
b. Reviews and updates the access agreements [Assignment: organization-defined frequency]; and
c. Ensures that individuals requiring access to organizational information and information systems:
1. Sign appropriate access agreements prior to being granted access; and
2. Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or
[Assignment: organization-defined frequency].

The organization:
a. Establishes personnel security requirements including security roles and responsibilities for third-party providers;
b. Requires third-party providers to comply with personnel security policies and procedures established by the organization;
c. Documents personnel security requirements;
d. Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of
third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within [Assignment:
organization-defined time period]; and
e. Monitors provider compliance.



Overall Control(s) Implementation Status (Reference on Comments Page) | Where does the Control(s) originate from? | Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.) | Vendor's Compensating Controls (if Control or Control enhancement can't be met - what is the alternative security controls or remediation plan employed by organization)

Implementation Status options (each row): Implemented; Partially Implemented; Planned; Alternative Implementation; Not Applicable
Control origination options (each row): Service Provider Corporate; Service Provider System Specific; Service Provider Hybrid (Corporate and System Specific); Configured by Customer (Customer System Specific); Provided by Customer (Customer System Specific); Shared (Service Provider and Customer Responsibility); Controls inherited by IaaS



Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why; please see Risk Statement for examples of Non-Compliance language, Column O) | General Assessment Questions | Detailed Control Testing Procedure(s)

General Assessment Questions (PS-6):
Does the institution or department ensure individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access and periodically review and update those agreements?

Detailed Control Testing Procedure(s) (PS-6):
Obtain personnel security policy; procedures addressing access agreements for organizational information and information systems; security plan; access agreements; records of access agreement reviews and updates; other relevant documents or records and ascertain if:
(i) the organization requires appropriate access agreements for individuals requiring access to organizational information and information systems before authorizing access.
(ii) organizational personnel sign appropriate access agreements prior to receiving access.
(iii) the organization defines in the security plan, explicitly or by reference, the frequency of reviews/updates for access agreements.
(iv) the organization reviews/updates the access agreements in accordance with the organization-defined frequency.

General Assessment Questions (PS-7):
Does the institution or department have documented personnel security requirements for third party providers (e.g., requirements on background checks and other screening, training requirements, etc.), and are there processes in place to monitor their compliance to such requirements [e.g., sample checks by the institution and / or third-party assessment reports]?

Detailed Control Testing Procedure(s) (PS-7):
Obtain personnel security policy; procedures addressing third-party personnel security; list of personnel security requirements; acquisition documents; compliance monitoring process; other relevant documents or records and ascertain if:
(i) the organization establishes personnel security requirements, including security roles and responsibilities, for third-party providers (e.g., service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, network and security management).
(ii) the organization explicitly includes personnel security requirements in acquisition-related documents in accordance with NIST Special Publication 800-35.
(iii) the organization monitors third-party provider compliance with personnel security requirements.



Risk Statement Examples | SOA Policy Number 1 | SOA SubSection 1 | SOA Policy Number 2 | SOA SubSection 2 | SOA Policy Number 3 | SOA SubSection 3 | SOA Policy Number 4 | SOA SubSection 4

Employees or contractors do not agree or sign terms or conditions of employment. | 8270 | 6.6 | 8280 | 6.1

Security is breached by employees, contractors or third party users that leverage access given after termination or change of their employment, contract or agreement. | 8270 | 6.7



COBIT Reference (Control Objective) | Arizona Breach Notification: A.R.S. § 44-7500 | Arizona Computer tampering: A.R.S. § 13-2316

[CobiT v5 - High Level Control Objective AP007; AP001] Controls have been defined for the management of IT human resources.

[CobiT v5 - High Level Control Objective AP007; AP001] Controls have been defined for the management of IT human resources.



Consolidated Control Activities
(See Column AE through AO)

Control Guidance

1075] Before authorizing access to FTI, the agency must:
a. Develop and document access agreements for agency information systems;
b. Review and update the access agreements, at least annually;
c. Ensure that individuals requiring access to agency information and information systems:
1. Sign appropriate access agreements prior to being granted access; and
2. Re-sign access agreements to maintain access to agency information systems when access agreements have been updated or at least annually.


access rights, both physical and logical, of all employees, contractors and third party users to information and information processing facilities are removed immediately upon termination of their employment, contract or agreement, or adjusted upon change.
The organization implements procedures for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends or as required by the organization's determinations.

1075] The agency must:
a. Establish personnel security requirements, including security roles and responsibilities for third-party providers;
b. Require third-party providers to comply with personnel security policies and procedures established by the agency;
c. Document personnel security requirements;
d. Require third-party providers to notify the agency of any personnel transfers or terminations of third-party personnel who possess agency credentials or badges or who have information system privileges; and
e. Monitor provider compliance.



Associated Requirement Sections

NIST 800-53 Rev.4 - PS-6

PCI DSS v2.0 - Sec 8.5.4


HIPAA Security Section - 45 CFR 164.308(a)(3)(ii)(C)
NIST 800-53 Rev.4 - PS-7



Req.# | Security Control Family | Control Name | NIST 800-53 Control # | Low [Control and Control Enhancement] | MODERATE [Control and Control Enhancement] | Security Program Area (Function Area -> Functional Sub-Area)
R0119 | PERSONNEL SECURITY | PERSONNEL SANCTIONS | PS-8 | Required | Required | Protect -> Personnel Security
R0120 | RISK ASSESSMENT | RISK ASSESSMENT POLICY AND PROCEDURES | RA-1 | Required | Required | Identify -> Security Assessment and Authorization / Technology Risk Assessments



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls | Vendor's Response (Please address all the controls and control enhancements, then describe if the controls are Implemented, Partially Implemented or Not Implemented)

The organization:
a. Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and
b. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee
sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational
entities, and compliance; and
2. Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and
b. Reviews and updates the current:
1. Risk assessment policy [Assignment: organization-defined frequency]; and
2. Risk assessment procedures [Assignment: organization-defined frequency].



Overall Control(s) Implementation Status (Reference on Comments Page) | Where does the Control(s) originate from? | Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.) | Vendor's Compensating Controls (if Control or Control enhancement can't be met - what is the alternative security controls or remediation plan employed by organization)

Implementation Status options (each row): Implemented; Partially Implemented; Planned; Alternative Implementation; Not Applicable
Control origination options (each row): Service Provider Corporate; Service Provider System Specific; Service Provider Hybrid (Corporate and System Specific); Configured by Customer (Customer System Specific); Provided by Customer (Customer System Specific); Shared (Service Provider and Customer Responsibility); Controls inherited by IaaS



Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why; please see Risk Statement for examples of Non-Compliance language, Column O) | General Assessment Questions | Detailed Control Testing Procedure(s)

General Assessment Questions (PS-8):
Does the institution or department employ formal sanctions when personnel fail to comply with established information security policies and procedures [e.g., reprimands to termination depending on the degree and situation of non-compliance]?

Detailed Control Testing Procedure(s) (PS-8):
Obtain personnel security policy; procedures addressing personnel sanctions; rules of behavior; records of formal sanctions; other relevant documents or records and ascertain if:
(i) the organization employs a formal sanctions process for personnel failing to comply with established information security policies and procedures.
(ii) the personnel sanctions process is consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance.

General Assessment Questions (RA-1):
Does the institution or department develop, disseminate, and review/update a formal, documented risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance as well as procedures to implement the policy?

Detailed Control Testing Procedure(s) (RA-1):
Obtain risk assessment policy and procedures; other relevant documents or records and ascertain if:
(i) the organization develops and documents risk assessment policy and procedures.
(ii) the organization disseminates risk assessment policy and procedures to appropriate elements within the organization.
(iii) responsible parties within the organization periodically review risk assessment policy and procedures.
(iv) the organization updates risk assessment policy and procedures when organizational review indicates updates are required.
(v) the risk assessment policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
(vi) the risk assessment policy is consistent with the organization's mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance.
(vii) the risk assessment procedures address all areas identified in the risk assessment policy and address achieving policy-compliant implementations of all associated risk assessment controls.



Risk Statement Examples | SOA Policy Number 1 | SOA SubSection 1 | SOA Policy Number 2 | SOA SubSection 2 | SOA Policy Number 3 | SOA SubSection 3 | SOA Policy Number 4 | SOA SubSection 4

Security breaches occur by employees due to lack of formal disciplinary process. | 8280 | 6.7

Management is unable to identify potential events with negative impact and events representing opportunities to be pursued which may lead to unmanageable IT risks. | 8120 | 6.2



COBIT Reference (Control Objective) | Arizona Breach Notification: A.R.S. § 44-7500 | Arizona Computer tampering: A.R.S. § 13-2316

[CobiT v5 - High Level Control Objective AP007; AP001] Controls have been defined for the management of IT human resources.

[CobiT v5 - High Level Control Objective EDM03; AP001; AP012] Controls have been defined to assess and manage IT risks.



Consolidated Control Activities
(See Column AE through AO)

Control Guidance

1075] The agency must:
a. Employ a formal sanctions process for individuals failing to comply with established information security policies and procedures; and
b. Notify designated agency personnel when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

Control Guidance

1075] The agency must:
a. Develop, document, and disseminate to designated agency officials:
1. A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among agency entities, and compliance; and
2. Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and
b. Review and update the current:
1. Risk assessment policy every three years; and
2. Risk assessment procedures at least annually.



Associated Requirement Sections

NIST 800-53 Rev.4 - PS-8

NIST 800-53 Rev.4 - RA-1



Req.# | Security Control Family | Control Name | NIST 800-53 Control # | Low [Control and Control Enhancement] | MODERATE [Control and Control Enhancement] | Security Program Area (Function Area -> Functional Sub-Area)
R0121 | RISK ASSESSMENT | SECURITY CATEGORIZATION | RA-2 | Required | Required | Identify -> Data Classification
R0122 | RISK ASSESSMENT | RISK ASSESSMENT | RA-3 | Required | Required | Identify -> Security Assessment and Authorization / Technology Risk Assessments



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls | Vendor's Response (Please address all the controls and control enhancements, then describe if the controls are Implemented, Partially Implemented or Not Implemented)

The organization:
a. Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies,
regulations, standards, and guidance;
b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and
c. Ensures that the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated
representative.

The organization:
a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption,
modification, or destruction of the information system and the information it processes, stores, or transmits;
b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]];
c. Reviews risk assessment results [Assignment: organization-defined frequency];
d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and
e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information
system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the
security state of the system.



Overall Control(s) Implementation Status (Reference on Comments Page) | Where does the Control(s) originate from? | Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.) | Vendor's Compensating Controls (if Control or Control enhancement can't be met - what is the alternative security controls or remediation plan employed by organization)

Implementation Status options (each row): Implemented; Partially Implemented; Planned; Alternative Implementation; Not Applicable
Control origination options (each row): Service Provider Corporate; Service Provider System Specific; Service Provider Hybrid (Corporate and System Specific); Configured by Customer (Customer System Specific); Provided by Customer (Customer System Specific); Shared (Service Provider and Customer Responsibility); Controls inherited by IaaS



Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why; please see Risk Statement for examples of Non-Compliance language, Column O) | General Assessment Questions | Detailed Control Testing Procedure(s)

General Assessment Questions (RA-2):
1) Does the institution have a documented data classification policy or standard that guides data owners on data categorization, and associated security requirements of information systems where such information is maintained?
2) If yes, are information systems categorized according to the data classification policy or standard?
3) If yes, are information system security plans aligned with the classification of the information system?

Detailed Control Testing Procedure(s) (RA-2):
Obtain risk assessment policy; procedures addressing security categorization of organizational information and information systems; security planning policy and procedures; FIPS 199; NIST Special Publication 800-60; security plan; other relevant documents or records and ascertain if:
(i) the organization conducts the security categorization of the information system as an organization-wide exercise with the involvement of senior-level officials including, but not limited to, authorizing officials, information system owners, chief information officer, senior agency information security officer, and mission/information owners.
(ii) the security categorization is consistent with FIPS 199 and considers the provisional impact levels and special factors in NIST Special Publication 800-60.
(iii) the organization considers in the security categorization of the information system, potential impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level impacts.
(iv) the organization includes supporting rationale for impact-level decisions as part of the security categorization.
(v) designated, senior-level organizational officials review and approve the security categorizations.

General Assessment Questions (RA-3):
1) Does the institution or department have policies and supporting processes that define triggers for when information security related risk assessments should be conducted, as well as the criteria for risk assessment (e.g., likelihood and impact)?
2) Are information security risk assessments conducted at least annually?

Detailed Control Testing Procedure(s) (RA-3):
Obtain risk assessment policy; security planning policy and procedures; procedures addressing organizational assessments of risk; risk assessment; NIST Special Publication 800-30; other relevant documents or records and ascertain if:
(i) the organization assesses the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support its operations and assets (including information and information systems managed/operated by external parties).
(ii) the risk assessment is consistent with the NIST Special Publication 800-30.



Risk Statement Examples (with SOA Policy Number and SOA SubSection references):
- Information is disclosed due to lack of protection based on the need, priorities and expected degree of protection. (SOA Policy 8110, SubSection 6.2; SOA Policy 8120, SubSection 6.3.2)
- Information around risks and related control options are not presented to management before management decisions are made. (SOA Policy 8120, SubSection 6.3.4)



Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316
COBIT Reference (Control Objective):
[CobiT v5 - High Level Control Objective DSS01;DSS04;DSS05;DSS06] Controls have been defined to manage data by maintaining the completeness, accuracy, availability and protection of data.
[CobiT v5 - High Level Control Objective EDM03; AP001; AP012] Controls have been defined to assess and manage IT risks.



Consolidated Control Activities
(See Column AE through AO)

ssified to indicate the need, priorities and expected degree of protection when handling the information.

ntrol #15] The processes and tools used to track/control/prevent/correct secure access to information according to the formal determination of which persons, computers, and applications have a need and right to access information based on an approved classification

are conducted to identify, quantify, and prioritize risks against criteria for risk acceptance and objectives relevant to the organization.

conducts an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information.

assesses the relative criticality of specific applications and data in support of other contingency plan components.

ntrol #4] The processes and tools used to detect/prevent/correct security vulnerabilities in the configurations of devices that are listed and approved in the asset inventory database.

ntrol #20] The process and tools used to simulate attacks against a network to validate the overall security of an organization.

1075] The agency must:


sessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or
e information system and the information it processes, stores, or transmits;
assessment results in a risk assessment report;
essment results at least annually;
sk assessment results to designated agency officials; and
k assessment report at least every three years or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities) or other conditions that may impact the security state of the system.



Associated Requirement Sections

NIST 800-53 Rev.4 - RA-2


Critical Control 15: Controlled Access Based on the Need to
Know

HIPAA Security Section - 45 CFR 164.308(a)(1)(ii)(A)


NIST 800-53 Rev.4 - RA-3
Critical Control 4: Continuous Vulnerability Assessment and
Remediation.
Critical Control 20: Penetration Tests and Red Team Exercises



Req.#: R0123
Security Control Family: RISK ASSESSMENT
Control Name: VULNERABILITY SCANNING
NIST 800-53 Control #: RA-5
Low [Control and Control Enhancement]: Required
MODERATE [Control and Control Enhancement]: Required (1,2,3,5,6,8)
Security Program Area (Function Area -> Functional Sub-Area): Detect -> Vulnerability Assessment



NIST 800-53 Rev. 4 Control [Control and Control Enhancement]: Detailed breakdown of required controls
Vendor's Response (Please address all the controls and control enhancements, then describe if the controls are Implemented, Partially Implemented or Not Implemented)

The organization:
a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in
accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and
reported;
b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability
management process by using standards for:
1. Enumerating platforms, software flaws, and improper configurations;
2. Formatting checklists and test procedures; and
3. Measuring vulnerability impact;
c. Analyzes vulnerability scan reports and results from security control assessments;
d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of
risk; and
e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined
personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

Control Enhancement:
(1) VULNERABILITY SCANNING | UPDATE TOOL CAPABILITY
The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be
scanned.
(2) VULNERABILITY SCANNING | UPDATE BY FREQUENCY / PRIOR TO NEW SCAN / WHEN IDENTIFIED
The organization updates the information system vulnerabilities scanned [Selection (one or more): [Assignment: organization-defined frequency];
prior to a new scan; when new vulnerabilities are identified and reported].
(5) VULNERABILITY SCANNING | PRIVILEGED ACCESS
The information system implements privileged access authorization to [Assignment: organization-identified information system components] for
selected [Assignment: organization-defined vulnerability scanning activities].
(6) VULNERABILITY SCANNING | AUTOMATED TREND ANALYSES
The organization employs automated mechanisms to compare the results of vulnerability scans
over time to determine trends in information system vulnerabilities.
(8) VULNERABILITY SCANNING | REVIEW HISTORIC AUDIT LOGS
The organization reviews historic audit logs to determine if a vulnerability identified in the
information system has been previously exploited.



Overall Control(s) Implementation Status (Reference on Comments Page) options: Implemented | Partially Implemented | Planned | Alternative Implementation | Not Applicable
Where does the Control(s) originate from? options: Service Provider Corporate | Service Provider System Specific | Service Provider Hybrid (Corporate and System Specific) | Configured by Customer (Customer System Specific) | Provided by Customer (Customer System Specific) | Shared (Service Provider and Customer Responsibility) | Controls inherited by IaaS
Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.)
Vendor's Compensating Controls (if Control or Control enhancement Can't Be Met - What is the alternative security controls or remediation plan employed by organization)



Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why. Please see Risk Statement for examples of Non-Compliance language, Column O)

General Assessment Questions:
Does the institution or department have tools or other capability (e.g., third-party service providers), and processes in place for conducting security vulnerability scanning that includes:
i) executing scans on a scheduled basis for its information systems (e.g., servers, network devices, databases, applications, workstations, wireless scans, etc.);
ii) evaluating and reporting scan results to the appropriate stakeholders;
iii) remediating vulnerabilities based on risk; and
iv) sharing information obtained from the vulnerability scanning process and security control assessments with designated personnel throughout the institution to help eliminate similar vulnerabilities in other information systems, i.e., systemic weaknesses or deficiencies?

Detailed Control Testing Procedure(s):
Obtain risk assessment policy; procedures addressing vulnerability scanning; risk assessment; security plan; vulnerability scanning results; patch and vulnerability management records; vulnerability scanning tools and techniques documentation; other relevant documents or records and ascertain if:
(i) the organization defines in the security plan, explicitly or by reference, the frequency of vulnerability scans within the information system.
(ii) the organization scans for vulnerabilities in the information system in accordance with the organization-defined frequency and/or random in accordance with organizational policy and assessment of risk, or when significant new vulnerabilities potentially affecting the system are identified and reported.
(iii) the organization uses appropriate scanning tools and techniques to conduct the vulnerability scans.
(iv) the organization trains selected personnel in the use and maintenance of vulnerability scanning tools and techniques.
(v) the organization freely shares the information obtained from the vulnerability scanning process with appropriate personnel throughout the organization to help eliminate similar vulnerabilities in other information systems.
(vi) the organization uses vulnerability scanning tools that have the capability to readily update the list of information system vulnerabilities scanned.



Risk Statement Examples (with SOA Policy Number and SOA SubSection references):
- Technical vulnerabilities are exploited to gain inappropriate or unauthorized access to information systems due to lack of controls for those vulnerabilities. (SOA Policy 8120, SubSection 6.3.5)



Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316
COBIT Reference (Control Objective):
[CobiT v5 - High Level Control Objective AP013; DSS02, DSS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and monitoring, detecting, reporting security vulnerabilities and incidents.



Consolidated Control Activities
(See Column AE through AO)

or PCI covered data, establish a process to identify newly discovered security vulnerabilities (for example, subscribe to alert services freely available on the Internet). Update configuration standards as required by PCI DSS Requirement 2.2 to address new vulnerability issues.
or PCI covered data, internal and external network vulnerability scans are run at least quarterly and after any significant change in the network. Review scan reports and verify that the scan process includes rescans until:
s, no vulnerabilities exist that are scored greater than a 4.0 by the CVSS, and
s, a passing result is obtained or all “High” vulnerabilities as defined in PCI DSS Requirement 6.2 are resolved.
or PCI covered data, the vulnerability scans are performed by a qualified internal resource(s) or qualified external third party, and if applicable, organizational independence of the tester exists (not required to be a QSA or ASV)
or PCI covered data, penetration testing is done on network infrastructure and applications at least once a year and after any significant infrastructure or application upgrade or modification.
anning includes network layer penetration tests, application layer penetration tests, and web application penetration testing. Specific vulnerabilities checked at a minimum include: Cross-site scripting, Injection flaws, particularly SQL injection. Also consider LDAP and Xpath injection flaws, Malicious file execution, Insecure direct object references, Cross-site request forgery (CSRF), Information leakage and improper error handling, Broken authentication and session management, Insecure cryptographic storage, Insecure communications, F

or public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: Reviewing public-facing web applications via manual or automated application vulner
or methods, at least annually and after any changes Installing a web-application firewall in front of public-facing web applications.

ntrol #4] The processes and tools used to detect/prevent/correct security vulnerabilities in the configurations of devices that are listed and approved in the asset inventory database.

ntrol #6] The processes and tools organizations use to detect/prevent/correct security weaknesses in the development and acquisition of software applications.

ntrol #10] The processes and tools used to track/control/prevent/correct security weaknesses in the configurations in network devices such as firewalls, routers, and switches based on formal configuration management and change control processes.

ntrol #13] The processes and tools used to detect/prevent/correct the flow of information transferring networks of different trust levels with a focus on security-damaging data.

ntrol #20] The process and tools used to simulate attacks against a network to validate the overall security of an organization.

1075] The agency must:


rabilities in the information system and hosted applications at a
thly for all systems and when new vulnerabilities potentially
em/applications are identified and reported;
ability scanning tools and techniques that facilitate interoperability
automate parts of the vulnerability management process by
or:
latforms, software flaws, and improper configurations;
ecklists and test procedures; and
nerability impact.
ability scan reports and results from security control assessments;
itimate vulnerabilities in accordance with an assessment of risk;
tion obtained from the vulnerability scanning process and security
nts with designated agency officials to help eliminate similar
other information systems (i.e., systemic weaknesses or
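The RA-5(6) enhancement on this row (automated comparison of scan results over time to determine trends) and the PCI DSS 11.2 rescan-until-pass criterion listed above (no external-scan finding scored greater than 4.0 by the CVSS) can both be checked mechanically once scan output is normalized. The Python below is an added example and is not part of the DIR crosswalk, of NIST 800-53, or of any scanner product: the hostnames, the CHK-1001 style check identifiers and the CVSS scores are constructed sample data, and the 7.0 and 4.0 severity bands used for the trend report are assumptions made here for illustration, not values taken from the crosswalk.

```python
"""Added example (not part of the crosswalk): compare two vulnerability scan
result sets to support RA-5(6) trend analysis and apply the PCI DSS v2.0 11.2
external-scan pass criterion (no finding scored greater than 4.0 by CVSS).
All hosts, check identifiers and scores are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str        # constructed hostname
    check_id: str    # scanner check identifier (hypothetical, not a real CVE or plugin ID)
    cvss: float      # CVSS base score reported by the scanner


# Constructed sample data: last quarter's scan, this quarter's scan, and the
# rescan performed after remediation.
PREVIOUS_SCAN = [
    Finding("web01", "CHK-1001", 9.8),
    Finding("web01", "CHK-1002", 5.3),
    Finding("db01", "CHK-2001", 7.5),
    Finding("db01", "CHK-2002", 3.1),
]
CURRENT_SCAN = [
    Finding("web01", "CHK-1002", 5.3),   # still open since the last scan
    Finding("web01", "CHK-1003", 6.1),   # newly reported
    Finding("db01", "CHK-2002", 3.1),    # still open, but below the PCI threshold
    Finding("app01", "CHK-3001", 4.0),   # newly reported; exactly 4.0 is not "greater than 4.0"
]
RESCAN = [
    Finding("db01", "CHK-2002", 3.1),
    Finding("app01", "CHK-3001", 4.0),
]


def _key(f: Finding) -> tuple:
    # A finding is "the same" across scans when host and check match.
    return (f.host, f.check_id)


def compare_scans(previous, current):
    """RA-5(6): classify findings as new, remediated or persisting between two scans."""
    prev = {_key(f) for f in previous}
    cur = {_key(f) for f in current}
    return {
        "new": sorted(cur - prev),
        "remediated": sorted(prev - cur),
        "persisting": sorted(cur & prev),
    }


def severity_counts(findings):
    """Bucket findings by CVSS (assumed bands: high >= 7.0, medium >= 4.0, else low)."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        if f.cvss >= 7.0:
            counts["high"] += 1
        elif f.cvss >= 4.0:
            counts["medium"] += 1
        else:
            counts["low"] += 1
    return counts


def trend(previous, current):
    """Change in finding count per severity band; negative values mean posture improved."""
    before, after = severity_counts(previous), severity_counts(current)
    return {band: after[band] - before[band] for band in before}


def pci_external_scan_passes(findings, threshold=4.0):
    """PCI DSS v2.0 11.2 pass criterion for external scans: no finding scored
    greater than the threshold. Returns (passed, failing findings by score desc)."""
    failing = sorted((f for f in findings if f.cvss > threshold), key=lambda f: -f.cvss)
    return (not failing, failing)


def rescan_required(findings):
    """True while the rescan-until-pass loop required by PCI DSS 11.2 must continue."""
    passed, _ = pci_external_scan_passes(findings)
    return not passed


if __name__ == "__main__":
    for kind, items in compare_scans(PREVIOUS_SCAN, CURRENT_SCAN).items():
        print(f"{kind:11s} {items}")
    print("trend:", trend(PREVIOUS_SCAN, CURRENT_SCAN))
    for label, scan in (("current", CURRENT_SCAN), ("rescan", RESCAN)):
        passed, failing = pci_external_scan_passes(scan)
        print(f"{label}: {'PASS' if passed else 'FAIL'}",
              [(f.host, f.check_id, f.cvss) for f in failing])
```

Keying findings on (host, check) rather than on host alone is what makes the new/remediated/persisting split meaningful for trend reporting; a scanner that renumbers its checks between releases would need the key mapped through its own identifier scheme before two scans are compared. The strict "greater than" comparison matters: a 4.0 finding is allowed under the quoted PCI wording, so a rescan loop that uses >= would never terminate on it.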



Associated Requirement Sections

PCI DSS v2.0 - Sec 6.2


PCI DSS v2.0 - Sec 6.6
PCI DSS v2.0 - Sec 11.2
PCI DSS v2.0 - Sec 11.3
PCI DSS v2.0 - Sec 11.2.1
PCI DSS v2.0 - Sec 11.2.2
PCI DSS v2.0 - Sec 11.2.3
PCI DSS v2.0 - Sec 11.3.1
PCI DSS v2.0 - Sec 11.3.2
NIST 800-53 Rev.4 - RA-5(1)(2)(5)
Critical Control 4: Continuous Vulnerability Assessment and
Remediation.
Critical Control 6: Application Software Security.
Critical Control 10: Secure Configurations for Network Devices
such as Firewalls, Routers, and Switches.
Critical Control 13: Boundary Defense.
Critical Control 20: Penetration Tests and Red Team Exercises.



Req.#: R0124
Security Control Family: SYSTEM AND SERVICES ACQUISITION
Control Name: SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES
NIST 800-53 Control #: SA-1
Low [Control and Control Enhancement]: Required
MODERATE [Control and Control Enhancement]: Required
Security Program Area (Function Area -> Functional Sub-Area): Protect -> Enterprise Architecture, Roadmap & Emerging Technology

Req.#: R0125
Security Control Family: SYSTEM AND SERVICES ACQUISITION
Control Name: ALLOCATION OF RESOURCES
NIST 800-53 Control #: SA-2
Low [Control and Control Enhancement]: Required
MODERATE [Control and Control Enhancement]: Required
Security Program Area (Function Area -> Functional Sub-Area): Protect -> Enterprise Architecture, Roadmap & Emerging Technology



NIST 800-53 Rev. 4 Control [Control and Control Enhancement]: Detailed breakdown of required controls
Vendor's Response (Please address all the controls and control enhancements, then describe if the controls are Implemented, Partially Implemented or Not Implemented)

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among
organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition
controls; and
b. Reviews and updates the current:
1. System and services acquisition policy [Assignment: organization-defined frequency]; and
2. System and services acquisition procedures [Assignment: organization-defined frequency].

The organization:
a. Determines information security requirements for the information system or information system service in mission/business process planning;
b. Determines, documents, and allocates the resources required to protect the information system or information system service as part of its
capital planning and investment control process; and
c. Establishes a discrete line item for information security in organizational programming and budgeting documentation.



Overall Control(s) Implementation Status (Reference on Comments Page) options (one selection for each of the two controls on this row): Implemented | Partially Implemented | Planned | Alternative Implementation | Not Applicable
Where does the Control(s) originate from? options (one selection for each of the two controls on this row): Service Provider Corporate | Service Provider System Specific | Service Provider Hybrid (Corporate and System Specific) | Configured by Customer (Customer System Specific) | Provided by Customer (Customer System Specific) | Shared (Service Provider and Customer Responsibility) | Controls inherited by IaaS
Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.)
Vendor's Compensating Controls (if Control or Control enhancement Can't Be Met - What is the alternative security controls or remediation plan employed by organization)



Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why. Please see Risk Statement for examples of Non-Compliance language, Column O)

General Assessment Questions (SA-1):
Does the institution or department have documented policies and supporting processes for ensuring that systems and services acquisition, development, and deployment are in line with business requirements, including explicit information security considerations?

Detailed Control Testing Procedure(s) (SA-1):
Obtain system and services acquisition policy and procedures; other relevant documents or records and ascertain if:
(i) the organization develops and documents system and services acquisition policy and procedures.
(ii) the organization disseminates system and services acquisition policy and procedures to appropriate elements within the organization.
(iii) responsible parties within the organization periodically review system and services acquisition policy and procedures.
(iv) the organization updates system and services acquisition policy and procedures when organizational review indicates updates are required.
(v) the system and services acquisition policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance;
(vi) the system and services acquisition policy is consistent with the organization's mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance; and
(vii) the system and services acquisition procedures address all areas identified in the system and services acquisition policy and address achieving policy-compliant implementations of all associated system and services acquisition controls.

General Assessment Questions (SA-2):
Does the institution or department have an explicit line entry for incorporating information security resource requirements for planning and implementing information systems?

Detailed Control Testing Procedure(s) (SA-2):
Obtain system and services acquisition policy; procedures addressing the integration of information security into the system development life cycle process; NIST Special Publication 800-64; information system development life cycle documentation; other relevant documents or records and ascertain if:
(i) the organization determines, documents, and allocates as part of its capital planning and investment control process, the resources required to adequately protect the information system by verifying that the organization:
- defines security requirements for the information system in mission/business planning.
- establishes a discrete line item for information system security in the organization's programming and budgeting documentation.
- integrates information system security into the capital planning and investment control process in accordance with the guidance in NIST Special Publication 800-65.



Risk Statement Examples (with SOA Policy Number and SOA SubSection references):
- Acquiring resources for IT is done inconsistently with unreasonable cost. (SOA Policy 8120, SubSection 6.2)
- Management has not aligned the information technology architecture with corporate strategy. (SOA Policy 8130, SubSection 6.1)



Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316
COBIT Reference (Control Objective):
[CobiT v5 - High Level Control Objective BAI03.04; AP010] Controls have been defined for the procurement of IT resources.
[CobiT v5 - High Level Control Objective AP001; AP007; AP011] Controls have been established for defining the IT processes, organization and relationships to be responsive to business strategy and comply with governance requirements.



Consolidated Control Activities
(See Column AE through AO)

erally Accepted Privacy Principles]Procedures are in place to: Govern the development, acquisition, implementation, and maintenance of information systems and the related technology used to collect, use, retain, disclose and destroy personal information.

ntrol #3] The processes and tools organizations use to track/control/prevent/correct security weaknesses in the configurations of the hardware and software of mobile devices, laptops, workstations, and servers based on a formal configuration management and change control proce

1075] The agency must:


ment, and disseminate to designated agency officials:
ervices acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among agency entities, and compliance; and
facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and
date the current:
rvices acquisition policy every three years; and
rvices acquisition procedures at least annually.

ntrol Guidance

1075] The agency must:


ormation security requirements for the information system or
em service in mission/business process planning;
cument, and allocate the resources required to protect the
em or information system service as part of its capital planning
ontrol process; and
rete line item for information security in agency programming and
mentation.



Associated Requirement Sections

NIST 800-53 Rev.4 - SA-1


Critical Control 3: Secure Configurations for Hardware and
Software

NIST 800-53 Rev.4 - SA-2



Req.#: R0126
Security Control Family: SYSTEM AND SERVICES ACQUISITION
Control Name: SYSTEM DEVELOPMENT LIFE CYCLE
NIST 800-53 Control #: SA-3
Low [Control and Control Enhancement]: Required
MODERATE [Control and Control Enhancement]: Required
Security Program Area (Function Area -> Functional Sub-Area): Protect -> Secure System Services, Acquisition and Development



NIST 800-53 Rev. 4 Control [Control and Control Enhancement]: Detailed breakdown of required controls
Vendor's Response (Please address all the controls and control enhancements, then describe if the controls are Implemented, Partially Implemented or Not Implemented)

The organization:
a. Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information
security considerations;
b. Defines and documents information security roles and responsibilities throughout the system development life cycle;
c. Identifies individuals having information security roles and responsibilities; and
d. Integrates the organizational information security risk management process into system development life cycle activities.



Overall Control(s) Implementation Status (Reference on Comments Page) options: Implemented | Partially Implemented | Planned | Alternative Implementation | Not Applicable
Where does the Control(s) originate from? options: Service Provider Corporate | Service Provider System Specific | Service Provider Hybrid (Corporate and System Specific) | Configured by Customer (Customer System Specific) | Provided by Customer (Customer System Specific) | Shared (Service Provider and Customer Responsibility) | Controls inherited by IaaS
Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.)
Vendor's Compensating Controls (if Control or Control enhancement Can't Be Met - What is the alternative security controls or remediation plan employed by organization)



Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why. Please see Risk Statement for examples of Non-Compliance language, Column O)

General Assessment Questions:
Does the institution or department have a documented systems development lifecycle (SDLC) policy and supporting processes that explicitly account for information security, and defines roles and responsibilities for the SDLC processes?

Detailed Control Testing Procedure(s):
Obtain system and services acquisition policy; procedures addressing the integration of information security into the system development life cycle process; NIST Special Publication 800-64; information system development life cycle documentation; other relevant documents or records and ascertain if:
(i) the organization manages the information system using a system development life cycle methodology that includes information security considerations.
(ii) the organization uses a system development life cycle that is consistent with NIST Special Publication 800-64.



Risk Statement Examples (with SOA Policy Number and SOA SubSection references):
- Developed and implemented systems do not consider the Design phase of the systems development lifecycle. (SOA Policy 8130, SubSection 6.2)



Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316
COBIT Reference (Control Objective):
[CobiT v5 - High Level Control Objective BAI03] Controls have been defined for the acquisition and maintenance of application software to ensure there is a timely and cost-effective development process.



Consolidated Control Activities
(See Column AE through AO)

ntrol Guidance

ntrol #3] The processes and tools organizations use to track/control/prevent/correct security weaknesses in the configurations of the hardware and software of mobile devices, laptops, workstations, and servers based on a formal configuration management and change control proce

1075]
:
formation system using an SDLC that incorporates information security considerations;
cument information security roles and responsibilities throughout the SDLC;
uals having information security roles and responsibilities; and
gency information security risk management process into SDLC activities.



Associated Requirement Sections

NIST 800-53 Rev.4 - SA-3


Critical Control 6: Application Software Security



Req.#: R0127
Security Control Family: SYSTEM AND SERVICES ACQUISITION
Control Name: ACQUISITION PROCESS
NIST 800-53 Control #: SA-4
Low [Control and Control Enhancement]: Required (10)
MODERATE [Control and Control Enhancement]: Required (1,2,8,9,10)
Security Program Area (Function Area -> Functional Sub-Area): Protect -> Secure System Services, Acquisition and Development



NIST 800-53 Rev. 4 Control [Control and Control Enhancement]: Detailed breakdown of required controls
Vendor's Response (Please address all the controls and control enhancements, then describe if the controls are Implemented, Partially Implemented or Not Implemented)

The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the
information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives,
policies, regulations, standards, guidelines, and organizational mission/business needs:
a. Security functional requirements;
b. Security strength requirements;
c. Security assurance requirements;
d. Security-related documentation requirements;
e. Requirements for protecting security-related documentation;
f. Description of the information system development environment and environment in which the system is intended to operate; and
g. Acceptance criteria.

Control Enhancement:
(1) ACQUISITION PROCESS | FUNCTIONAL PROPERTIES OF SECURITY CONTROLS
The organization requires the developer of the information system, system component, or information system service to provide a description of
the functional properties of the security controls to be employed.
(2) ACQUISITION PROCESS | DESIGN / IMPLEMENTATION INFORMATION FOR SECURITY CONTROLS
The organization requires the developer of the information system, system component, or information system service to provide design and
implementation information for the security controls to be employed that includes: [Selection (one or more): security-relevant external system
interfaces; high-level design; low-level design; source code or hardware schematics; [Assignment: organization-defined design/implementation
information]] at [Assignment: organization-defined level of detail].
(8) ACQUISITION PROCESS | CONTINUOUS MONITORING PLAN
The organization requires the developer of the information system, system component, or information system service to produce a plan for the
continuous monitoring of security control effectiveness that contains [Assignment: organization-defined level of detail].
(9) ACQUISITION PROCESS | FUNCTIONS / PORTS / PROTOCOLS / SERVICES IN USE
The organization requires the developer of the information system, system component, or information system service to identify early in the
system development life cycle, the functions, ports, protocols, and services intended for organizational use.
(10) ACQUISITION PROCESS | USE OF APPROVED PIV PRODUCTS
The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV)
capability implemented within organizational information systems.



Overall Control(s) Implementation Status (Reference on Comments Page): Implemented / Partially Implemented / Planned / Alternative Implementation / Not Applicable
Where does the Control(s) originate from?: Service Provider Corporate / Service Provider System Specific / Service Provider Hybrid (Corporate and System Specific) / Configured by Customer (Customer System Specific) / Provided by Customer (Customer System Specific) / Shared (Service Provider and Customer Responsibility) / Controls inherited by IaaS
Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.)
Vendor's Compensating Controls (if Control or Control enhancement Can't Be Met - What is the alternative security controls or remediation plan employed by organization)



Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why. Please see Risk Statement for examples of Non-Compliance language, Column O)

General Assessment Question:
Does the institution or department have policies and supporting processes to ensure that information system contracts, based on risk level, account for:
i) information security risk assessment;
ii) security functional requirements / security specifications;
iii) security-related documentation requirements; and
iv) developmental and evaluation-related assurance requirements.

Detailed Control Testing Procedure(s):
Obtain system and services acquisition policy; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; NIST Special Publications 800-23 and 800-70; acquisition documentation; acquisition contracts for information systems or services; solicitation documents; other relevant documents or records and ascertain if:
(i) the organization includes in acquisition contracts for information systems, either explicitly or by reference, security requirements and/or security specifications based on an assessment of risk and in accordance with applicable laws, Executive Orders, directives, policies, regulations, and standards that describe required:
-security capabilities.
-design and development processes.
-test and evaluation procedures.
-documentation.
(ii) the organization includes in acquisition contracts, requirements for information system documentation addressing user and systems administrator guidance and information regarding the implementation of the security controls in the system and at a level of detail based on the FIPS 199 security category for the system.
(iii) the organization includes in acquisition contracts requirements for information system documentation that includes security configuration settings and security implementation guidance.
(iv) the organization requires in solicitation documents that appropriate documentation be provided describing the functional properties of the security controls employed within the information system with sufficient detail to permit analysis and testing of the controls.
(v) the organization explicitly assigns each acquired information system component to an information system.
(vi) the owner of the system acknowledges each assignment of information system components to the information system.



Risk Statement Examples | SOA Policy Number 1 | SOA SubSection 1 | SOA Policy Number 2 | SOA SubSection 2 | SOA Policy Number 3 | SOA SubSection 3 | SOA Policy Number 4 | SOA SubSection 4

The organization's interests are not protected in IT acquisition contractual agreements. | 8130 | 6.3



Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316
COBIT Reference (Control Objective): [CobiT v5 - High Level Control Objective BAI03.04; APO10] Controls have been defined for the procurement of IT resources.



Consolidated Control Activities (See Column AE through AO)

Control Guidance

[Critical Control #3] The processes and tools organizations use to track/control/prevent/correct security weaknesses in the configurations of the hardware and software of mobile devices, laptops, workstations, and servers based on a formal configuration management and change control process.

[Critical Control #6] The processes and tools organizations use to detect/prevent/correct security weaknesses in the development and acquisition of software applications.

[IRS Publication 1075] The agency must include the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and agency mission/business needs:
a. Security functional requirements;
b. Security strength requirements;
c. Security assurance requirements;
d. Security-related documentation requirements;
e. Requirements for protecting security-related documentation;
f. Description of the information system development environment and environment in which the system is intended to operate; and
g. Acceptance criteria.
In addition, the agency must require the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed. (CE1)



Associated Requirement Sections

NIST 800-53 Rev.4 - SA-4 (1) (2) (9) (10)
Critical Control 3: Secure Configurations for Hardware and Software.
Critical Control 6: Application Software Security.



Req.# | Security Control Family | Control Name | NIST 800-53 Control # | Low [Control and Control Enhancement] | MODERATE [Control and Control Enhancement] | Security Program Area (Function Area -> Functional Sub-Area)

R0128 | SYSTEM AND SERVICES ACQUISITION | INFORMATION SYSTEM DOCUMENTATION | SA-5 | Required | Required | Protect -> Secure System Services, Acquisition and Development

R0129 | SYSTEM AND SERVICES ACQUISITION | SECURITY ENGINEERING PRINCIPLES | SA-8 | | Required | Protect -> Secure System Services, Acquisition and Development



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls
Vendor's Response (Please address all the controls and control enhancements, then describe if the controls are Implemented, Partially Implemented or Not Implemented)

The organization:
a. Obtains administrator documentation for the information system, system component, or information system service that describes:
1. Secure configuration, installation, and operation of the system, component, or service;
2. Effective use and maintenance of security functions/mechanisms; and
3. Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;
b. Obtains user documentation for the information system, system component, or information system service that describes:
1. User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;
2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and
3. User responsibilities in maintaining the security of the system, component, or service;
c. Documents attempts to obtain information system, system component, or information system service documentation when such
documentation is either unavailable or nonexistent and [Assignment: organization-defined actions] in response;
d. Protects documentation as required, in accordance with the risk management strategy; and
e. Distributes documentation to [Assignment: organization-defined personnel or roles].

The organization applies information system security engineering principles in the specification, design, development, implementation, and
modification of the information system.



Overall Control(s) Implementation Status (Reference on Comments Page): Implemented / Partially Implemented / Planned / Alternative Implementation / Not Applicable
Where does the Control(s) originate from?: Service Provider Corporate / Service Provider System Specific / Service Provider Hybrid (Corporate and System Specific) / Configured by Customer (Customer System Specific) / Provided by Customer (Customer System Specific) / Shared (Service Provider and Customer Responsibility) / Controls inherited by IaaS
Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.)
Vendor's Compensating Controls (if Control or Control enhancement Can't Be Met - What is the alternative security controls or remediation plan employed by organization)



Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why. Please see Risk Statement for examples of Non-Compliance language, Column O)

General Assessment Question (SA-5):
Does the institution or department have effective processes in place to ensure that appropriate levels of information and training about information systems exist to configure and manage systems securely (e.g., vendor documentation on default accounts and secure configuration specs, administration processes, technical training, etc.)?

Detailed Control Testing Procedure(s) (SA-5):
Obtain system and services acquisition policy; procedures addressing information system documentation; information system documentation including administrator and user guides; other relevant documents or records and ascertain if:
(i) the organization obtains, protects as required, and makes available to authorized personnel, information system administrator and user guidance with information on:
-configuring, installing, and operating the information system.
-effectively using the system’s security features.
(ii) when this information is either unavailable or nonexistent (e.g., due to the age of the system or lack of support from the vendor/manufacturer), the organization documents attempts to obtain such documentation and provides compensating security controls, if needed.
(iii) the organization includes, in addition to administrator and user guides, documentation, if available from the vendor/manufacturer, describing the functional properties of the security controls employed within the information system with sufficient detail to permit analysis and testing of the controls.
(iv) the organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation that describes the high-level design of the information system in terms of subsystems and implementation details of the security controls employed within the system with sufficient detail to permit analysis and testing.

General Assessment Question (SA-8):
Does the institution or department have system security engineering principles embedded into its System Development Lifecycle (SDLC) to achieve the goal of "secure by design" when building, customizing, and/or purchasing information systems (e.g., applications, servers, etc.)? [Note: example of engineering principles could include use of "Input Validation Library" for web applications to reduce exposure from vulnerabilities from input manipulation (e.g., SQL injection)].

Detailed Control Testing Procedure(s) (SA-8):
Obtain system and services acquisition policy; procedures addressing security engineering principles used in the development and implementation of the information system; NIST Special Publication 800-27; information system design documentation; security requirements and security specifications for the information system; other relevant documents or records and ascertain if:
(i) the organization designs and implements the information system using security engineering principles.
(ii) the organization considers the security design principles in NIST Special Publication 800-27 in the design, development, and implementation of the information system.



Risk Statement Examples | SOA Policy Number 1 | SOA SubSection 1 | SOA Policy Number 2 | SOA SubSection 2 | SOA Policy Number 3 | SOA SubSection 3 | SOA Policy Number 4 | SOA SubSection 4

Sensitive system configuration information is accessed by unauthorized parties due to inadequate security of system documentation. | 8130 | 6.4

Programming errors or misconfiguration leads to vulnerabilities that can be exploited. | 8130 | 6.5



Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316
COBIT Reference (Control Objective):
[CobiT v5 - High Level Control Objective DSS01; DSS04; DSS05; DSS06] Controls have been defined to manage data by maintaining the completeness, accuracy, availability and protection of data.
[CobiT v5 - High Level Control Objective BAI03; DSS02] Controls have been defined for the acquisition and maintenance of technology infrastructure to ensure that the platforms that support the business applications are aligned with defined IT architecture and technology standards.



Consolidated Control Activities (See Column AE through AO)

Control Guidance

[IRS Publication 1075] The agency must:
a. Obtain administrator documentation for the information system, system component, or information system service that describes:
1. Secure configuration, installation, and operation of the system, component, or service;
2. Effective use and maintenance of security functions/mechanisms; and
3. Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions.
b. Obtain user documentation for the information system, system component, or information system service that describes:
1. User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;
2. Methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner; and
3. User responsibilities in maintaining the security of the system, component, or service.
c. Document attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent;
d. Protect documentation, as required; and
e. Distribute documentation to designated agency officials.

[PCI DSS 6.3.2] Review of custom code prior to release to production or customers in order to identify any potential coding vulnerability. Web applications are also subject to additional controls, if they are public facing, to address ongoing threats and vulnerabilities after implementation.

[Critical Control #6] The processes and tools organizations use to detect/prevent/correct security weaknesses in the development and acquisition of software applications.

[Critical Control #19] The process and tools used to build, update, and validate a network infrastructure that can properly withstand attacks from advanced threats.

[IRS Publication 1075] The agency must apply information system security engineering principles in the specification, design, development, implementation, and modification of the information system.



Associated Requirement Sections

NIST 800-53 Rev.4 - SA-5

PCI DSS v2.0 - Sec 6.3.2


NIST 800-53 Rev.4 - SA-8
Critical Control 6: Application Software Security.
Critical Control 19: Secure Network Engineering.



Req.# | Security Control Family | Control Name | NIST 800-53 Control # | Low [Control and Control Enhancement] | MODERATE [Control and Control Enhancement] | Security Program Area (Function Area -> Functional Sub-Area)

R0130 | SYSTEM AND SERVICES ACQUISITION | EXTERNAL INFORMATION SYSTEM SERVICES | SA-9 | Required | Required (1,2,4,5) | Identify -> External Vendors and Third Party Providers; Identify -> Cloud Usage and Security



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls
Vendor's Response (Please address all the controls and control enhancements, then describe if the controls are Implemented, Partially Implemented or Not Implemented)

The organization:
a. Requires that providers of external information system services comply with organizational information security requirements and employ
[Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations,
standards, and guidance;
b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
c. Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service
providers on an ongoing basis.

Control Enhancement:
(1) EXTERNAL INFORMATION SYSTEMS | RISK ASSESSMENTS / ORGANIZATIONAL APPROVALS
The organization:
(a) Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and
(b) Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles].
(2) EXTERNAL INFORMATION SYSTEMS | IDENTIFICATION OF FUNCTIONS / PORTS / PROTOCOLS / SERVICES
The organization requires providers of [Assignment: organization-defined external information system services] to identify the functions, ports, protocols, and other services required for the use of such services.
(4) EXTERNAL INFORMATION SYSTEMS | CONSISTENT INTERESTS OF CONSUMERS AND PROVIDERS
The organization employs [Assignment: organization-defined security safeguards] to ensure that the interests of [Assignment: organization-defined external service providers] are consistent with and reflect organizational interests.
(5) EXTERNAL INFORMATION SYSTEMS | PROCESSING, STORAGE, AND SERVICE LOCATION
The organization restricts the location of [Selection (one or more): information processing; information/data; information system services] to [Assignment: organization-defined locations] based on [Assignment: organization-defined requirements or conditions].



Overall Control(s) Implementation Status (Reference on Comments Page): Implemented / Partially Implemented / Planned / Alternative Implementation / Not Applicable
Where does the Control(s) originate from?: Service Provider Corporate / Service Provider System Specific / Service Provider Hybrid (Corporate and System Specific) / Configured by Customer (Customer System Specific) / Provided by Customer (Customer System Specific) / Shared (Service Provider and Customer Responsibility) / Controls inherited by IaaS
Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.)
Vendor's Compensating Controls (if Control or Control enhancement Can't Be Met - What is the alternative security controls or remediation plan employed by organization)



Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why. Please see Risk Statement for examples of Non-Compliance language, Column O)

General Assessment Question:
Does the institution or department have policies and supporting processes in place to monitor information security risks from third-parties who manage, process, and/or store confidential information on behalf of the institution or department (e.g., outsourced data center, cloud services, Application Service Providers, etc.)? [Note: Monitoring of third-parties can be risk based and can take a number of forms such as performing on-site assessments, reviewing third-party audit reports like SSAE16, etc.].

Detailed Control Testing Procedure(s):
Obtain system and services acquisition policy; procedures addressing external information system services; acquisition contracts and service level agreements; organizational security requirements and security specifications for external provider services; security control assessment evidence from external providers of information system services; other relevant documents or records and ascertain if:
(i) the organization requires that providers of external information system services employ adequate security controls in accordance with applicable laws, Executive Orders, directives, policies, regulations, standards, guidance, and established service-level agreements.
(ii) the organization monitors security control compliance.



Risk Statement Examples | SOA Policy Number 1 | SOA SubSection 1 | SOA Policy Number 2 | SOA SubSection 2 | SOA Policy Number 3 | SOA SubSection 3 | SOA Policy Number 4 | SOA SubSection 4

Services, reports and records provided by a third party are not consistently monitored and reviewed by management. | 8130 | 6.6



Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer tampering: A.R.S. § 13-2316
COBIT Reference (Control Objective): [CobiT v5 - High Level Control Objective APO10] Controls have been defined for managing third-party services by establishing relationships and bilateral responsibilities with qualified third-party service providers and monitoring the service delivery to verify and ensure adherence to agreements.



Consolidated Control Activities (See Column AE through AO)

[PCI DSS] For PCI DSS service providers, a program to monitor service providers' PCI DSS compliance status is maintained.

[PCI DSS] When cardholder data is shared with service providers, policies and procedures are maintained and implemented to manage service providers and ensure cardholder security.

Contracts between business associates and covered entities address administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of information.

[IRS Publication 1075] The agency must:
a. Require that providers of external information system services comply with agency information security requirements and employ, to include (at a minimum), security requirements contained within this publication and applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidance, and established service-level agreements;
b. Define and document government oversight and user roles and responsibilities with regard to external information system services;
c. Monitor security control compliance by external service providers on an ongoing basis; and
d. Restrict the location of information systems that receive, process, store, or transmit FTI to areas within the United States territories, embassies, or military installations. (CE5)
e. Prohibit the use of non-agency-owned information systems, system components, or devices that receive, process, store, or transmit FTI unless explicitly approved by the Office of Safeguards. For notification requirements, refer to Section 7.4.5, Non-Agency-Owned Information Systems [...]
[...] the acquisition must contain Exhibit 7 language, as appropriate (see Section 9.3.15.4, Acquisition Process (SA-4), and Exhibit 7, Safeguarding Contract [...]



Associated Requirement Sections

HIPAA Security Section - 45 CFR 164.308(a)(4)(ii)(A)


HIPAA Security Section - 45 CFR 164.308(b)(4)
HIPAA Security Section - 45 CFR 164.308(b)(1)-(3)
HIPAA Security Section - 45 CFR 164.314(a)(1)
HIPAA Security Section - 45 CFR 164.314(a)(2)(i)
HIPAA Security Section - 45 CFR 164.314(a)(2)(ii)
PCI DSS v2.0 - Sec 12.8
PCI DSS v2.0 - Sec 12.8.1
PCI DSS v2.0 - Sec 12.8.2
PCI DSS v2.0 - Sec 12.8.4
NIST 800-53 Rev.4 - SA-9(2)



Req.# | Security Control Family | Control Name | NIST 800-53 Control # | Low [Control and Control Enhancement] | MODERATE [Control and Control Enhancement] | Security Program Area (Function Area -> Functional Sub-Area)

R0131 | SYSTEM AND SERVICES ACQUISITION | DEVELOPER CONFIGURATION MANAGEMENT | SA-10 | | Required (1) | Protect -> Change Management

R0132 | SYSTEM AND SERVICES ACQUISITION | DEVELOPER SECURITY TESTING AND EVALUATION | SA-11 | | Required (1,2,8) | Protect -> Secure System Services, Acquisition and Development



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls
Vendor's Response (Please address all the controls and control enhancements, then describe if the controls are Implemented, Partially Implemented or Not Implemented)

The organization requires the developer of the information system, system component, or information system service to:
a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation;
operation];
b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration
management];
c. Implement only organization-approved changes to the system, component, or service;
d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and
e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined
personnel].

Control Enhancement:
(1) DEVELOPER CONFIGURATION MANAGEMENT | SOFTWARE / FIRMWARE INTEGRITY VERIFICATION
The organization requires the developer of the information system, system component, or
information system service to enable integrity verification of software and firmware components.

The organization requires the developer of the information system, system component, or information system service to:
a. Create and implement a security assessment plan;
b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and
coverage];
c. Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;
d. Implement a verifiable flaw remediation process; and
e. Correct flaws identified during security testing/evaluation.

Control Enhancement:
(1) DEVELOPER SECURITY TESTING AND EVALUATION | STATIC CODE ANALYSIS
The organization requires the developer of the information system, system component, or
information system service to employ static code analysis tools to identify common flaws and
document the results of the analysis.
(2) DEVELOPER SECURITY TESTING AND EVALUATION | THREAT AND VULNERABILITY ANALYSES
The organization requires the developer of the information system, system component, or
information system service to perform threat and vulnerability analyses and subsequent
testing/evaluation of the as-built system, component, or service.
(8) DEVELOPER SECURITY TESTING AND EVALUATION | DYNAMIC CODE ANALYSIS
The organization requires the developer of the information system, system component, or
information system service to employ dynamic code analysis tools to identify common flaws and
document the results of the analysis.



Overall Control(s) Implementation Status (Reference on Comments Page): Implemented / Partially Implemented / Planned / Alternative Implementation / Not Applicable
Where does the Control(s) originate from?: Service Provider Corporate / Service Provider System Specific / Service Provider Hybrid (Corporate and System Specific) / Configured by Customer (Customer System Specific) / Provided by Customer (Customer System Specific) / Shared (Service Provider and Customer Responsibility) / Controls inherited by IaaS
Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.)
Vendor's Compensating Controls (if Control or Control enhancement Can't Be Met - What is the alternative security controls or remediation plan employed by organization)

Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why; please see Risk Statement for examples of Non-Compliance language, Column O) | General Assessment Questions | Detailed Control Testing Procedure(s)

General Assessment Question: Does the institution or department have documented change control procedures that: i) require approval for making changes; ii) take into account impact on information security and related configurations; iii) perform appropriate level of testing of changes, including information security, as applicable; iv) track defects and security flaws; and v) require approval from appropriate level of management for authorizing changes into production?

Detailed Control Testing Procedure: Obtain system and services acquisition policy; procedures addressing information system developer/integrator configuration management; acquisition contracts and service level agreements; information system developer/integrator configuration management plan; security flaw tracking records; system change authorization records; other relevant documents or records and ascertain if: (i) the organization requires that information system developers create and implement a configuration management plan that controls changes to the system during development, tracks security flaws, requires authorization of changes, and provides documentation of the plan and its implementation.

General Assessment Question: Does the institution or department have policies and supporting processes in place to explicitly design and test for information security during: i) development of the information system and/or its components (as part of SDLC); ii) the change management process when changes are made to the information system or its component(s)?

Detailed Control Testing Procedure: Obtain system and services acquisition policy; procedures addressing information system developer/integrator security testing; acquisition contracts and service level agreements; information system developer/integrator security test plans; records of developer/integrator security testing results for the information system; other relevant documents or records and ascertain if: (i) the organization requires that information system developers (and systems integrators) create a security test and evaluation plan, implement the plan, and document the results.

Risk Statement Examples | SOA Policy Number 1 | SOA SubSection 1 | SOA Policy Number 2 | SOA SubSection 2 | SOA Policy Number 3 | SOA SubSection 3 | SOA Policy Number 4 | SOA SubSection 4

Risk Statement Example: Changes are made to production systems without a formal change process.
SOA Policy Number 1 / SubSection 1: 8130 / 6.7

Risk Statement Example: Systems are implemented which are not developed according to internal security standards.
SOA Policy Number 1 / SubSection 1: 8130 / 6.8

COBIT Reference (Control Objective) | Arizona Breach Notification A.R.S. § 44-7500 | Arizona Computer tampering A.R.S. § 13-2316

[CobiT v5 - High Level Control Objective BAI06] Controls have been defined to manage changes to information systems in order to minimize the likelihood of disruption, unauthorized alterations and errors.

[CobiT v5 - High Level Control Objective BAI03; DSS02] Controls have been defined for the acquisition and maintenance of technology infrastructure to ensure that the platforms that support the business applications are aligned with defined IT architecture and technology standards.

Consolidated Control Activities
(See Column AE through AO)

llow change control processes and procedures for all changes to system components.
ange control documentation includes customer impact, sign-off by authorized parties, testing of operational functionality, and back-out procedures.

1075] The agency must require the developer of the information system, system component, or information system service to:
uration management during system, component, or service
plementation, and operation;
nage, and control the integrity of changes to the system,
ervice;
y agency-approved changes to the system, component, or service;
roved changes to the system, component, or service and the
y impacts of such changes; and
flaws and flaw resolution within the system, component, or service
gs to designated agency officials.

r PCI covered data develop software applications in accordance with PCI DSS (for example, secure authentication and logging) and based on industry best practices, and incorporate information security throughout the software development life cycle.[PCI DSS v2.0] Production data (li
ng or development. [PCI DSS v2.0] Removal of test data and accounts before production systems become active. [PCI DSS v2.0] Removal of custom application accounts, user IDs, and passwords before applications become active or are released to customers. [PCI DSS v2.0] Custom a
s and/or passwords are removed before system goes into production or is released to customers. [PCI DSS v2.0] For PCI covered data, production data (real credit card numbers) is not used for testing or development, test data and accounts are removed before production systems b
cation accounts, usernames, and passwords are removed before applications become active or are released to customers. [PCI DSS v2.0] Business requirements documentation for new information systems, or enhancements to existing information systems specifies the requirements
v2.0] For PCI covered systems, develop all web applications (internal and external, and including web administrative access to application) based on secure coding guidelines such as the Open Web Application to ensure that web applications are not vulnerable to the following: Cross
aws, Malicious file execution, Insecure direct object references, Cross-site request forgery (CSRF), Information leakage and improper error handling, Broken authentication and session management, Insecure cryptographic storage, Insecure communications, Failure to restrict URL acce

1075] The agency must require the developer of the information system, system component, or information system service to:
plement a security assessment plan;
ty testing/evaluation;
nce of the execution of the security assessment plan and the results of the security testing/evaluation;
erifiable flaw remediation process; and
dentified during security testing/evaluation.

Associated Requirement Sections

PCI DSS v2.0 - Sec 6.4


PCI DSS v2.0 - Sec 6.4.5
PCI DSS v2.0 - Sec 6.4.5.1
PCI DSS v2.0 - Sec 6.4.5.2
PCI DSS v2.0 - Sec 6.4.5.3
PCI DSS v2.0 - Sec 6.4.5.4
NIST 800-53 Rev.4 - SA-10

PCI DSS v2.0 - Sec 6.3


PCI DSS v2.0 - Sec 6.5
PCI DSS v2.0 - Sec 6.4.3
PCI DSS v2.0 - Sec 6.4.4
PCI DSS v2.0 - Sec 6.5.1
PCI DSS v2.0 - Sec 6.5.2
PCI DSS v2.0 - Sec 6.5.3
PCI DSS v2.0 - Sec 6.5.4
PCI DSS v2.0 - Sec 6.5.5
PCI DSS v2.0 - Sec 6.5.6
PCI DSS v2.0 - Sec 6.5.7
PCI DSS v2.0 - Sec 6.5.8
PCI DSS v2.0 - Sec 6.5.9
NIST 800-53 Rev.4 - SA-11

Req.# | Security Control Family | Control Name | NIST 800-53 Control # | Low [Control and Control Enhancement] | MODERATE [Control and Control Enhancement] | Security Program Area (Function Area -> Functional Sub-Area)

R0133 | SYSTEM AND COMMUNICATIONS PROTECTION | SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES | SC-1 | Low: Required | MODERATE: Required | Protect -> System Communications Protection

R0134 | SYSTEM AND COMMUNICATIONS PROTECTION | APPLICATION PARTITIONING | SC-2 | MODERATE: Required | Protect -> System Communications Protection

NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls | Vendor's Response (Please address all the controls and control enhancements, then describe if the controls are Implemented, Partially Implemented or Not Implemented)

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination
among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications
protection controls; and
b. Reviews and updates the current:
1. System and communications protection policy [Assignment: organization-defined frequency]; and
2. System and communications protection procedures [Assignment: organization-defined frequency].

The information system separates user functionality (including user interface services) from information system management functionality.

Overall Control(s) Implementation Status (Reference on Comments Page) | Where does the Control(s) originate from? | Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.) | Vendor's Compensating Controls (if Control or Control enhancement Can't Be Met - What is the alternative security controls or remediation plan employed by organization)

Implementation status options: Implemented; Partially Implemented; Planned; Alternative Implementation; Not Applicable

Control origin options: Service Provider Corporate; Service Provider System Specific; Service Provider Hybrid (Corporate and System Specific); Configured by Customer (Customer System Specific); Provided by Customer (Customer System Specific); Shared (Service Provider and Customer Responsibility); Controls inherited by IaaS

Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why; please see Risk Statement for examples of Non-Compliance language, Column O) | General Assessment Questions | Detailed Control Testing Procedure(s)

General Assessment Question: Does the institution or department have documented policies and supporting processes for defining and enforcing requirements to protect data transmissions and system-to-system communications, including validating the identity of communicators (for example, over the Internet, within the institution, private networks, etc.)?

Detailed Control Testing Procedure: Obtain system and communications protection policy and procedures; other relevant documents or records and ascertain if: (i) the organization develops and documents system and communications protection policy and procedures. (ii) the organization disseminates system and communications protection policy and procedures to appropriate elements within the organization. (iii) responsible parties within the organization periodically review system and communications protection policy and procedures. (iv) the organization updates system and communications protection policy and procedures when organizational review indicates updates are required. (v) the system and communications protection policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance. (vi) the system and communications protection policy is consistent with the organization's mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance. (vii) the system and communications protection procedures address all areas identified in the system and communications protection policy and address achieving policy-compliant implementations of all associated system and communications protection controls.

General Assessment Question: Does the institution or department have policies and supporting processes to segregate administrative / management tools and consoles from general user/application traffic? [Note: examples include segmenting the network into security zones where administrative interfaces and systems are separate from other system areas; use of ACLs and stronger authentication for accessing administrative functions, etc.]

Detailed Control Testing Procedure: Obtain system and communications protection policy; procedures addressing application partitioning; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records and ascertain if: (i) the information system separates user functionality (including user interface services) from information system management functionality.

Risk Statement Examples | SOA Policy Number 1 | SOA SubSection 1 | SOA Policy Number 2 | SOA SubSection 2 | SOA Policy Number 3 | SOA SubSection 3 | SOA Policy Number 4 | SOA SubSection 4

Risk Statement Example: IT security procedures are not documented and communicated.
SOA Policy Number 1 / SubSection 1: 8120 / 6.2
SOA Policy Number 2 / SubSection 2: 8350 / 6.1 - 6.3.11

Risk Statement Example: The integrity of a business process is compromised due to the lack of segregation of duties (e.g., maker & checker).
SOA Policy Number 1 / SubSection 1: 8350 / 6.1.1

COBIT Reference (Control Objective) | Arizona Breach Notification A.R.S. § 44-7500 | Arizona Computer tampering A.R.S. § 13-2316

[CobiT v5 - High Level Control Objective EDM03; AP001] Controls have been defined to communicate management aims and direction through providing accurate, understandable and approved policies, procedures, guidelines and other documentation to stakeholders, embedded in an IT control framework.

[CobiT v5 - High Level Control Objective AP001; AP007; AP011] Controls have been established for defining the IT processes, organization and relationships to be responsive to business strategy and comply with governance requirements.

Consolidated Control Activities
(See Column AE through AO)

PCI DSS v2.0] Information security procedures have been documented and communicated to appropriate personnel. [PCI DSS v2.0] For PCI covered environments, daily operational security procedures are developed that are consistent with PCI requirements (for example, user accou
log review procedures) and include administrative and technical procedures for each of the requirements. [PCI DSS v2.0] For PCI covered data, the security procedures clearly define information security responsibilities for all employees and contractors.

1075] The agency must:


ment, and disseminate to designated agency officials:
communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among agency entities, and compliance; and
facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and
date the current:
mmunications protection policy every three years; and
mmunications protection procedures at least annually.

of responsibility are segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.

8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] The application, service, or information system shall separate user functionality (including user interface services) from information system management functionality.
service, or information system shall physically or logically separate user interface services (e.g. public web pages) from information storage and management services (e.g. database management). Separation may be accomplished through the use of one or more of the following:
puters.
al processing units.
nces of the operating system.
ork addresses.
s approved by the FBI CJIS ISO.

1075] The information system must separate user functionality (including user interface services) from information system management functionality.

Associated Requirement Sections

HIPAA Security Section - 45 CFR 164.308(a)(1)(i)


HIPAA Security Section - 45 CFR 164.308(a)(3)(ii)(A)
HIPAA Security Section - 45 CFR 164.310(b)
PCI DSS v2.0 - Sec 12.2
NIST 800-53 Rev.4 - SC-1

NIST 800-53 Rev.4 - SC-2


CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services
(CJIS) Security Policy

Req.# | Security Control Family | Control Name | NIST 800-53 Control # | Low [Control and Control Enhancement] | MODERATE [Control and Control Enhancement] | Security Program Area (Function Area -> Functional Sub-Area)

R0135 | SYSTEM AND COMMUNICATIONS PROTECTION | INFORMATION IN SHARED RESOURCES | SC-4 | MODERATE: Required | Protect -> System Communications Protection; Identify -> Cloud Usage and Security

R0136 | SYSTEM AND COMMUNICATIONS PROTECTION | DENIAL OF SERVICE PROTECTION | SC-5 | Low: Required | MODERATE: Required | Protect -> System Communications Protection

NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls | Vendor's Response (Please address all the controls and control enhancements, then describe if the controls are Implemented, Partially Implemented or Not Implemented)

The information system prevents unauthorized and unintended information transfer via shared system resources.

The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined
types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security
safeguards].

Overall Control(s) Implementation Status (Reference on Comments Page) | Where does the Control(s) originate from? | Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.) | Vendor's Compensating Controls (if Control or Control enhancement Can't Be Met - What is the alternative security controls or remediation plan employed by organization)

Implementation status options: Implemented; Partially Implemented; Planned; Alternative Implementation; Not Applicable

Control origin options: Service Provider Corporate; Service Provider System Specific; Service Provider Hybrid (Corporate and System Specific); Configured by Customer (Customer System Specific); Provided by Customer (Customer System Specific); Shared (Service Provider and Customer Responsibility); Controls inherited by IaaS

Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why; please see Risk Statement for examples of Non-Compliance language, Column O) | General Assessment Questions | Detailed Control Testing Procedure(s)

General Assessment Question: Does the institution or department have policies and supporting processes in place to reduce risk of exposure of confidential data through shared system or multi-tenant (cloud) environments? (For example, often a single instance of a database is used to support multiple applications with different security risk profiles, and exposure from one application may expose the data of the other application.)

Detailed Control Testing Procedure: Obtain system and communications protection policy; procedures addressing information remnants; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records and ascertain if: (i) the information system prevents unauthorized and unintended information transfer via shared system resources.

General Assessment Question: Does the institution or department have controls in place to minimize risk of denial of service attacks (internal and external) on critical information systems? [Note: examples could include use of tools and configuration settings at the network layer to combat such attempts, and/or proactively monitoring for denial of service attempts so timely steps can be taken to address the risk.]

Detailed Control Testing Procedure: Obtain system and communications protection policy; procedures addressing denial of service protection; information system design documentation; security plan; information system configuration settings and associated documentation; other relevant documents or records and ascertain if: (i) the organization defines in the security plan, explicitly or by reference, the types of denial of service attacks (or provides references to sources of current denial of service attacks) that can be addressed by the information system. (ii) the information system protects against or limits the effects of the organization-defined or referenced types of denial of service attacks.

Risk Statement Examples | SOA Policy Number 1 | SOA SubSection 1 | SOA Policy Number 2 | SOA SubSection 2 | SOA Policy Number 3 | SOA SubSection 3 | SOA Policy Number 4 | SOA SubSection 4

Risk Statement Example: Sensitive systems co-located with less sensitive systems are accessed by unauthorized parties.
SOA Policy Number 1 / SubSection 1: 8350 / 6.2

Risk Statement Example: Inadequately managed and controlled networks and supporting infrastructure expose systems and applications.
SOA Policy Number 1 / SubSection 1: 8350 / 6.3.1

COBIT Reference (Control Objective) | Arizona Breach Notification A.R.S. § 44-7500 | Arizona Computer tampering A.R.S. § 13-2316

[CobiT v5 - High Level Control Objective AP013; DS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and monitoring, detecting, reporting security vulnerabilities and incidents.

[CobiT v5 - High Level Control Objective AP013; DSS02, DSS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and monitoring, detecting, reporting security vulnerabilities and incidents.

Consolidated Control Activities
(See Column AE through AO)

ity Act of 1987 – Public Law 100-235 (H.R. 145)]Federal agency identifies each computer system under the supervision of that agency, which contains sensitive information.

1075] The information system must prevent unauthorized and unintended information transfer via shared system resources.

or PCI covered data, firewall configurations deny all traffic from untrusted networks/hosts, except web protocols HTTP (port 80) and Secure Sockets Layer (SSL) (typically port 443),system administration protocols (e.g., Secure Shell (SSH) or Virtual Private Network (VPN),other protocol
., ISO 8583). For PCI covered data, restrict inbound and outbound traffic to that which is necessary for the cardholder data environment. For PCI covered data, firewall configuration restrict connections between untrusted networks and any system components in the cardholder data
data, Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment. Fo
ect public access between the Internet and any system component in the cardholder data environment. For PCI covered data, secure and synchronize router configuration files. For PCI covered data, limit inbound Internet traffic to IP addresses within the DMZ. For PCI covered data, d
n inbound or outbound for traffic between the Internet and the cardholder data environment. For PCI covered data, do not allow internal addresses to pass from the Internet into the DMZ. For PCI covered data, restrict outbound traffic from the cardholder data environment to the In
can only access IP addresses within the DMZ. For PCI covered data, implement stateful inspection, also known as dynamic packet filtering. For PCI covered data, implement IP masquerading to prevent internal addresses from being translated and revealed on the Internet, using RFC 1
ork address translation (NAT) technologies-for example, port address translation (PAT). For PCI covered data, install personal firewall software on any mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which
zations network. For PCI covered data, allow only explicitly authorized outbound traffic from the cardholder data environment to the Internet.

8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] 5.10.1.3 Intrusion Detection Tools and Techniques
implement network-based and/or host-based intrusion detection tools.
, in addition:
nd and outbound communications for unusual or unauthorized activities.
l intrusion detection logs to a central logging facility where correlation and analysis will be accomplished as a system wide intrusion detection effort.
ated tools to support near-real-time analysis of events in support of detecting system-level attacks.

1075] The information system must protect against or limit the effects of denial of service attacks.

Associated Requirement Sections

Computer Security Act of 1987 – Public Law 100-235 (H.R. 145)


- Sec. 6(a)
Computer Security Act of 1987 – Public Law 100-235 (H.R. 145)
- V. Section 6
NIST 800-53 Rev.4 - SC-4

PCI DSS v2.0 - Sec 1.3


PCI DSS v2.0 - Sec 1.4
PCI DSS v2.0 - Sec 1.2.1
PCI DSS v2.0 - Sec 1.2.2
PCI DSS v2.0 - Sec 1.2.3
PCI DSS v2.0 - Sec 1.3.2
PCI DSS v2.0 - Sec 1.3.3
PCI DSS v2.0 - Sec 1.3.4
PCI DSS v2.0 - Sec 1.3.5
PCI DSS v2.0 - Sec 1.3.6
PCI DSS v2.0 - Sec 1.3.7
PCI DSS v2.0 - Sec 1.3.8
NIST 800-53 Rev.4 - SC-5
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services
(CJIS) Security Policy

Req.# | Security Control Family | Control Name | NIST 800-53 Control # | Low [Control and Control Enhancement] | MODERATE [Control and Control Enhancement] | Security Program Area (Function Area -> Functional Sub-Area)

R0137 | SYSTEM AND COMMUNICATIONS PROTECTION | BOUNDARY PROTECTION | SC-7 | Low: Required | MODERATE: Required (3,4,5,7,8,12,13,18) | Protect -> System Communications Protection

NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls | Vendor's Response (Please address all the controls and control enhancements, then describe if the controls are Implemented, Partially Implemented or Not Implemented)

The information system:
a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;
b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

Control Enhancement:
(3) BOUNDARY PROTECTION | ACCESS POINTS
The organization limits the number of external network connections to the information system.
(4) BOUNDARY PROTECTION | EXTERNAL TELECOMMUNICATIONS SERVICES
The organization:
(a) Implements a managed interface for each external telecommunication service;
(b) Establishes a traffic flow policy for each managed interface;
(c) Protects the confidentiality and integrity of the information being transmitted across each interface;
(d) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and
(e) Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need.
(5) BOUNDARY PROTECTION | DENY BY DEFAULT / ALLOW BY EXCEPTION
The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).
(7) BOUNDARY PROTECTION | PREVENT SPLIT TUNNELING FOR REMOTE DEVICES
The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.
(8) BOUNDARY PROTECTION | ROUTE TRAFFIC TO AUTHENTICATED PROXY SERVERS
The information system routes [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces.
(12) BOUNDARY PROTECTION | HOST-BASED PROTECTION
The organization implements [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined information system components].
Supplemental Guidance: Host-based boundary protection mechanisms include, for example, host-based firewalls. Information system components employing host-based boundary protection mechanisms include, for example, servers, workstations, and mobile devices.
(13) BOUNDARY PROTECTION | ISOLATION OF SECURITY TOOLS / MECHANISMS / SUPPORT COMPONENTS
The organization isolates [Assignment: organization-defined information security tools,

Overall Control(s) Implementation Status (Reference on Comments Page) | Where does the Control(s) originate from? | Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.) | Vendor's Compensating Controls (if Control or Control enhancement Can't Be Met - What is the alternative security controls or remediation plan employed by organization)

Implementation status options: Implemented; Partially Implemented; Planned; Alternative Implementation; Not Applicable

Control origin options: Service Provider Corporate; Service Provider System Specific; Service Provider Hybrid (Corporate and System Specific); Configured by Customer (Customer System Specific); Provided by Customer (Customer System Specific); Shared (Service Provider and Customer Responsibility); Controls inherited by IaaS

Vendor Non-Compliance Risk Statement (if you can't meet this control at all, please explain why; see Risk Statement Examples, Column O, for examples of non-compliance language)

General Assessment Questions:
Does the institution or department have effective mechanisms (i.e., tools and processes) in place for monitoring and controlling network traffic at the perimeter (either at the institution level and/or at security zones within the institution or department)? If yes, do they include:
i) properly placed and configured firewalls, proxies, and other security appliances;
ii) use of gateways that inspect incoming and outgoing network traffic; and
iii) security baselines for such devices and periodic review of configured rules?

Detailed Control Testing Procedure(s):
Obtain system and communications protection policy; procedures addressing boundary protection; list of key internal boundaries of the information system; information system design documentation; boundary protection hardware and software; information system configuration settings and associated documentation; information system hardware and software; information system architecture; list of mediation vehicles for allowing public access to the organization's internal networks; other relevant documents or records and ascertain if:
(i) the organization defines key internal boundaries of the information system.
(ii) the information system monitors and controls communications at the external boundary of the information system and at key internal boundaries within the system.
(iii) the organization physically allocates publicly accessible information system components to separate subnetworks with separate, physical network interfaces.
(iv) the organization defines the mediation necessary for public access to the organization's internal networks.
(v) the organization prevents public access into the organization's internal networks except as appropriately mediated.
(vi) the organization limits the number of access points to the information system to allow for better monitoring of inbound and outbound network traffic.
(vii) the organization implements a managed interface (boundary protection devices in an effective security architecture) with any external telecommunication service, implementing controls appropriate to the required protection of the confidentiality and integrity of the information being transmitted.
(viii) the information system denies network traffic by default and allows network traffic by exception.
(ix) the information system prevents remote devices that have established a non-remote connection with the system from communicating outside of that communications path with resources in external networks.
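Test items (iii), (v) and (viii) above are checks a reviewer can run against an exported rule set rather than only read in policy. The block below is an added example written for this page, not part of the DIR crosswalk or of any vendor's response. The rule model (action, source, destination, protocol, port; first match wins, then the policy default), the audit findings and both sample policies are constructed for this illustration; the loader that turns a real firewall export into Rule objects is left to the reader.

```python
"""Rule-set audit for SC-7 boundary protection: default deny (test item viii)
and no unmediated Internet path into internal subnets (items iii and v).

Added example, not part of the DIR crosswalk. The rule model and the sample
policies are constructed for this illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR, or "any"
    dst: str               # CIDR, or "any"
    proto: str             # "tcp", "udp" or "any"
    port: Optional[int]    # None matches every port


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ANY if cidr == "any" else ipaddress.ip_network(cidr, strict=False)


def matches(rule: Rule, src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
    return (ipaddress.ip_address(src_ip) in _net(rule.src)
            and ipaddress.ip_address(dst_ip) in _net(rule.dst)
            and rule.proto in ("any", proto)
            and rule.port in (None, port))


def decide(rules: Sequence[Rule], default: str,
           src_ip: str, dst_ip: str, proto: str, port: int) -> str:
    """First matching rule wins; with no match the policy default applies."""
    for rule in rules:
        if matches(rule, src_ip, dst_ip, proto, port):
            return rule.action
    return default


def audit(rules: Sequence[Rule], default: str,
          internal_nets: Sequence[str]) -> List[str]:
    """Findings a reviewer would raise against SC-7. internal_nets are the
    non-DMZ subnets; the Internet is modelled as source 'any'."""
    findings = []
    if default != "deny":
        findings.append("policy default is %r, not deny (SC-7 item viii)" % default)
    for i, rule in enumerate(rules):
        if rule.action != "allow":
            continue
        src, dst = _net(rule.src), _net(rule.dst)
        if src == ANY and dst == ANY and rule.proto == "any":
            findings.append("rule %d is a blanket allow any/any" % i)
        if src == ANY:
            for net in internal_nets:
                if dst.overlaps(ipaddress.ip_network(net)):
                    findings.append(
                        "rule %d allows Internet -> internal %s without mediation" % (i, net))
    return findings


# Constructed sample policy: the DMZ web server (192.0.2.10) is reachable from
# the Internet on 443 only, it may reach one internal API host on 8443, and
# everything else falls through to an explicit deny.
INTERNAL_NETS = ["10.10.0.0/16"]
SAMPLE_RULES = [
    Rule("allow", "any", "192.0.2.10/32", "tcp", 443),
    Rule("allow", "192.0.2.10/32", "10.10.5.20/32", "tcp", 8443),
    Rule("deny", "any", "any", "any", None),
]
# Constructed weak policy: an allow-all default and a direct inbound hole.
WEAK_RULES = [Rule("allow", "any", "10.10.0.0/16", "any", None)]

if __name__ == "__main__":
    print(decide(SAMPLE_RULES, "deny", "203.0.113.7", "192.0.2.10", "tcp", 443))
    print(audit(SAMPLE_RULES, "deny", INTERNAL_NETS))
    print(audit(WEAK_RULES, "allow", INTERNAL_NETS))
```

audit() returns no findings for the sample policy and two for the weak one (the allow default and the Internet-to-internal rule). Item (vi), the access-point count, is covered by running the audit once per managed interface and counting the rule sets.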



Risk Statement Examples: Computer connections and information flows breach access control policy as a result of inconsistencies with network routing configurations.
SOA Policy Number / SOA SubSection: 8350, 6.1.2,-6.14; 8350, 6.2.2; 8350, 6.3.3



Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer Tampering: A.R.S. § 13-2316
COBIT Reference (Control Objective): [CobiT v5 - High Level Control Objective APO13; DS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and monitoring, detecting and reporting security vulnerabilities and incidents.



Consolidated Control Activities
(See Column AE through AO)

r systems subject to PCI requirements, firewalls or comparable security devices are used between shared networks such that a DMZ is in place to filter and screen all traffic, to prohibit direct routes for inbound Internet traffic. Further, inbound traffic from payment card applications to
s restricted. Review firewall and router rule sets at least every six months . Implement a DMZ to limit inbound traffic to only protocols that are necessary for the cardholder data environment.

r systems subject to PCI requirements, a firewall is required at each Internet connection and between any DMZ and the Intranet .For PCI covered data, card data is not stored on any Internet facing systems.

[CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy] 5.10.1.1 Boundary Protection

to networks processing CJI.


ontrol communications at the external boundary of the information system and at key internal boundaries within the system.
nnections to the Internet, other external networks, or information systems occur through controlled interfaces (e.g. proxies, gateways, routers, firewalls, encrypted tunnels). See Section 5.10.4.4 for guidance on personal firewalls.
nd techniques to monitor network events, detect attacks, and provide identification of unauthorized use.
erational failure of the boundary protection mechanisms do not result in any unauthorized release of information outside of the information system boundary (i.e. the device shall “fail closed” vs. “fail open”).
ly accessible information system components (e.g. public Web servers) to separate sub networks with separate, network interfaces. Publicly accessible information systems residing on a virtual host shall follow the guidance in section 5.10.3.2 to achieve separation.

[Critical Control #10] The processes and tools used to track/control/prevent/correct security weaknesses in the configurations of network devices such as firewalls, routers, and switches, based on formal configuration management and change control processes.

[Critical Control #11] The processes and tools used to track/control/prevent/correct use of ports, protocols, and services on networked devices.

[Critical Control #13] The processes and tools used to detect/prevent/correct the flow of information transferring between networks of different trust levels, with a focus on security-damaging data.

[Critical Control #17] The processes and tools used to track/control/prevent/correct data transmission and storage, based on the data's content and associated classification.

[Critical Control #19] The processes and tools used to build, update, and validate a network infrastructure that can properly withstand attacks from advanced threats.

1075] The information system must:


ontrol communications at the external boundary of the system and
oundaries within the system;
bnetworks for publicly accessible system components that are
gically separated from internal agency networks; and
ernal networks or information systems only through managed
ting of boundary protection devices arranged in accordance with
rchitecture requirements.
ces include, for example, gateways, routers, firewalls,
based malicious code analysis and virtualization systems,
nels implemented within the security architecture (e.g.,
g firewalls or application gateways residing on protected



Associated Requirement Sections

PCI DSS v2.0 - Sec 1.1.6


PCI DSS v2.0 - Sec 1.3.1
PCI DSS v2.0 - Sec 1.1.3
NIST 800-53 Rev.4 - SC-7 (3) (4) (5) (7)
Critical Control 10: Secure Configurations for Network Devices
such as Firewalls, Routers, and Switches.
Critical Control 11: Limitation and Control of Network Ports,
Protocols, and Services.
Critical Control 13: Boundary Defense.
Critical Control 17: Data Loss Prevention.
Critical Control 19: Secure Network Engineering
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services
(CJIS) Security Policy



R0138 | Family: SYSTEM AND COMMUNICATIONS PROTECTION | Control: TRANSMISSION CONFIDENTIALITY AND INTEGRITY | 800-53 Control #: SC-8 | Moderate: Required (1) | Security Program Area: Protect -> System Communications Protection; Identify -> Privacy & Confidentiality

R0139 | Family: SYSTEM AND COMMUNICATIONS PROTECTION | Control: NETWORK DISCONNECT | 800-53 Control #: SC-10 | Moderate: Required | Security Program Area: Protect -> System Communications Protection



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] (detailed breakdown of required controls) / Vendor's Response (please address all the controls and control enhancements, then state whether each is Implemented, Partially Implemented or Not Implemented)

The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.

Control Enhancement:
(1) TRANSMISSION CONFIDENTIALITY AND INTEGRITY | CRYPTOGRAPHIC OR ALTERNATE PHYSICAL PROTECTION
The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information;
detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical
safeguards].

The information system terminates the network connection associated with a communications session at the end of the session or after
[Assignment: organization-defined time period] of inactivity.





SC-8 General Assessment Questions:
1) Does the institution or department employ cryptographic mechanisms (e.g., digital signature) to recognize changes to information during transmission unless otherwise protected by alternative physical measures?
2) Does the institution or department have policies and supporting processes in place i) specifying requirements, authorizations, and approvals when transmitting or posting confidential data within the institution and outside the institution, and ii) encrypting confidential data transmitted over the Internet? [Note: the requirement is to minimize the risk of confidential information exposure, i.e., confidential information should not be transmitted unless there is a business need that has been approved by an appropriate level of management.]

SC-8 Detailed Control Testing Procedure(s):
Obtain system and communications protection policy; procedures addressing transmission integrity; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records and ascertain if:
(i) the information system protects the integrity of transmitted information.
(ii) the information system employs cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures.

SC-10 General Assessment Questions:
Are information systems configured so that custodians can, in accordance with the institution's policy, terminate the network connection associated with a communications session and "kill" the session, both i) at the end of the session and ii) after a period of inactivity, so that someone else cannot hijack or take over the session?

SC-10 Detailed Control Testing Procedure(s):
Obtain system and communications protection policy; procedures addressing network disconnect; information system design documentation; organization-defined time period of inactivity before network disconnect; information system configuration settings and associated documentation; other relevant documents or records and ascertain if:
(i) the organization defines in the security plan, explicitly or by reference, the time period of inactivity before the information system terminates a network connection.
(ii) the information system terminates a network connection at the end of a session or after the organization-defined time period of inactivity.



Risk Statement Examples (SC-8): Files may be disclosed or modified by unauthorized parties as they are transferred.
SOA Policy Number / SOA SubSection: 8350, 6.3.4

Risk Statement Examples (SC-10): Lack of network connection controls over communications sessions may result in unauthorized access to information systems.
SOA Policy Number / SOA SubSection: 8350, 6.1.5



Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer Tampering: A.R.S. § 13-2316
COBIT Reference (Control Objective), SC-8: [CobiT v5 - High Level Control Objective DSS01; DSS04; DSS05; DSS06] Controls have been defined to manage data by maintaining the completeness, accuracy, availability and protection of data.
COBIT Reference (Control Objective), SC-10: [CobiT v5 - High Level Control Objective APO13; DS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and monitoring, detecting and reporting security vulnerabilities and incidents.



Consolidated Control Activities
(See Column AE through AO)

Files are protected when transmitted over a communications network.[MA.201.CMR.17] To the extent technically feasible, encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data to be transmitt
Cryptographic techniques must be applied to protect the confidentiality of information based on legal and regulatory requirements.[PCI DSS v2.0] For PCI covered data use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data dur
c networks. Examples of open, public networks that are in scope of the PCI DSS are: The Internet, Wireless technologies, Global System for Mobile communications (GSM), and General Packet Radio Service (GPRS). For PCI covered data, ensure wireless networks transmitting cardholde
cardholder data environment, use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission. For new wireless implementations, it is prohibited to implement WEP after March 31, 2009. For current wireless implementatio
WEP after June 30, 2010.[MA.201.CMR.17] Encrypt all personal information stored on laptops or other portable devices.

[CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy] Applications, services, or information systems must have the capability to ensure system integrity through the detection of and protection against unauthorized changes to software and information.

1075] Information systems that receive, process, store, or transmit FTI, must:
nfidentiality and integrity of transmitted information.
ptographic mechanisms to prevent unauthorized disclosure of FTI and detect changes to information during transmission across the wide area network (WAN) and within the local area network (LAN). (CE1)
ot used, to reduce the risk of unauthorized access to FTI, the agency must use physical means (e.g., by employing protected physical distribution systems) to ensure that FTI is not accessible to unauthorized users. The agency must ensure that all network infrastructure, access points,
bling are within the control of authorized agency personnel. Network monitoring capabilities must be implemented to detect and monitor for suspicious network traffic. For physical security protections of transmission medium, see Section 9.3.11.4, Access Control for Transmission Me
es to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, fax machines).

ntrol Guidance

1075] The information system must terminate the network connection associated with a communications session at the end of the session or after 30 minutes of inactivity. This control addresses the termination of network connections that are associated with communications sessio
ntrast to user-initiated logical sessions in AC-12.
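The SC-8(1) and SC-10 requirements above meet at the point where a service accepts a connection: the channel must be cryptographically protected (the PCI text names SSL/TLS and IPSEC), and the connection itself must be torn down at the end of the session or after the 30 minutes of inactivity the 1075 text specifies. The block below is an added example written for this page, not code from the crosswalk or from any vendor. It puts the permissive library TLS setting beside a hardened one and runs a receive loop that closes the socket on idle. Certificate generation is out of scope, so the hardened context is returned without a certificate for the caller to load with load_cert_chain(); the cipher string, the socketpair demonstration, the sub-second idle period and the byte strings in it are constructed for the illustration.

```python
"""Transmission protection (SC-8(1)) and network disconnect (SC-10).

Added example, not part of the DIR crosswalk. The permissive context shows the
weak setting; the hardened one is what the PCI/FTI text calls for. The session
loop closes the connection when the peer ends the session or after
idle_seconds without data.
"""
import socket
import ssl
from typing import Callable

IDLE_SECONDS = 30 * 60  # the inactivity period given in the 1075 text above


def permissive_server_context() -> ssl.SSLContext:
    """Weak: accepts every protocol version the OpenSSL build still offers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_server_context() -> ssl.SSLContext:
    """Corrected: TLS 1.2 or later, forward-secret AEAD suites only, no TLS
    compression. The caller supplies the certificate via ctx.load_cert_chain()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5")
    return ctx


def serve_session(conn: socket.socket, on_data: Callable[[bytes], None],
                  idle_seconds: float = IDLE_SECONDS) -> str:
    """Read from conn until the peer closes it or idle_seconds pass with no
    data, then tear the connection down. conn may be a plain socket or one
    wrapped with hardened_server_context().wrap_socket(sock, server_side=True);
    SSLSocket.recv raises socket.timeout the same way. Returns why the session
    ended: "peer-closed" or "idle-timeout"."""
    conn.settimeout(idle_seconds)
    reason = "idle-timeout"
    try:
        while True:
            data = conn.recv(4096)
            if not data:
                reason = "peer-closed"
                break
            on_data(data)
    except socket.timeout:
        pass
    finally:
        # Terminate the connection itself, not just the application session,
        # so nothing on the same path can pick it up afterwards.
        try:
            conn.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass
        conn.close()
    return reason


if __name__ == "__main__":
    # Constructed local demonstration: one peer stays silent, the other
    # sends a message and closes.
    a, b = socket.socketpair()
    print(serve_session(a, print, idle_seconds=0.2))   # idle-timeout
    b.close()
    a, b = socket.socketpair()
    b.sendall(b"hello")
    b.close()
    print(serve_session(a, print, idle_seconds=1.0))   # peer-closed
```

The idle timer is on the socket, not on an application-level session table, which is the distinction the 1075 guidance draws between SC-10 and the AC-12 logical session; an SSLSocket should additionally call unwrap() before shutdown() so the peer sees a close_notify rather than a truncation.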



Associated Requirement Sections

HIPAA Security Section - 45 CFR 164.312(e)(1)


HIPAA Security Section - 45 CFR 164.312(e)(2)(i)
HIPAA Security Section - 45 CFR 164.312(e)(2)(ii)
PCI DSS v2.0 - Sec 4.1
PCI DSS v2.0 - Sec 4.1.1
NIST 800-53 Rev.4 - SC-8(1)
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services
(CJIS) Security Policy

NIST 800-53 Rev.4 - SC-10



R0140 | Family: SYSTEM AND COMMUNICATIONS PROTECTION | Control: CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | 800-53 Control #: SC-12 | Low: Required | Moderate: Required (2,3) | Security Program Area: Protect -> System Communications Protection; Protect -> Cryptography



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] (detailed breakdown of required controls) / Vendor's Response (please address all the controls and control enhancements, then state whether each is Implemented, Partially Implemented or Not Implemented)

The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance
with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].

Control Enhancement:
(2) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | SYMMETRIC KEYS
The organization produces, controls, and distributes symmetric cryptographic keys using
[Selection: NIST FIPS-compliant; NSA-approved] key management technology and processes.
(3) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | ASYMMETRIC KEYS
The organization produces, controls, and distributes asymmetric cryptographic keys using
[Selection: NSA-approved key management technology and processes; approved PKI Class 3
certificates or prepositioned keying material; approved PKI Class 3 or Class 4 certificates and
hardware security tokens that protect the user’s private key].





General Assessment Questions:
Does the institution or department have documented policies and supporting processes to effectively manage the lifecycle of encryption keys, including:
a. restricting access to cryptographic keys to the fewest number of custodians necessary;
b. storing cryptographic keys securely in the fewest possible locations and forms;
c. preventing unauthorized substitution of cryptographic keys;
d. splitting knowledge among key custodians and establishing dual control of cryptographic keys; and
e. signed acknowledgements from cryptographic key custodians stating that they understand and accept their key custodian responsibilities?

Detailed Control Testing Procedure(s):
Obtain system and communications protection policy; procedures addressing cryptographic key management and establishment; NIST Special Publications 800-56 and 800-57; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records and ascertain if:
(i) the organization establishes and manages cryptographic keys using automated mechanisms with supporting procedures, or manual procedures, when cryptography is required and employed within the information system.



Risk Statement Examples: Cryptographic keys are modified, lost, destroyed or disclosed to unauthorized parties.
SOA Policy Number / SOA SubSection: 8350, 6.3.2



Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer Tampering: A.R.S. § 13-2316
COBIT Reference (Control Objective): [CobiT v5 - High Level Control Objective DSS01; DSS04; DSS05; DSS06] Controls have been defined to manage data by maintaining the completeness, accuracy, availability and protection of data.



Consolidated Control Activities
(See Column AE through AO)

y management is in place to support the organization's use of cryptographic techniques. [PCI DSS v2.0] Restrict access to cryptographic keys to the fewest number of custodians necessary.[PCI DSS v2.0] Store cryptographic keys securely in the fewest possible locations and forms.[PCI
stablishment of dual control of cryptographic keys. [PCI DSS v2.0] Prevention of unauthorized substitution of cryptographic keys. [PCI DSS v2.0] Requirement for cryptographic key custodians to sign a form stating that they understand and accept their key custodian responsibilities.

[CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy] Encrypted information can only be decrypted, and therefore read, by those possessing the appropriate cryptographic key. While encryption can provide strong access control, it is accompanied by the need for stron

1075] The agency must establish and manage cryptographic keys for required cryptography employed within the information system. Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual pr
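Items c. and d. of the assessment question and the PCI key-custodian activities above (split knowledge, dual control, prevention of substitution) describe a key-loading ceremony that can be written down and tested. The block below is an added example, not part of the crosswalk or of any vendor's procedure: it splits a 256-bit key into XOR components so that no single custodian ever holds the key, records a key check value so a mistyped or substituted component is caught before the key is used, and refuses to release the key until every custodian has entered their component. The custodian names and the truncated-SHA-256 check value are assumptions made for this example; PCI practice computes the check value by encrypting a zero block under the key.

```python
"""Split knowledge and dual control for a symmetric key (SC-12; PCI DSS 3.6).

Added example, not part of the DIR crosswalk. Custodian names and the key
check value construction (truncated SHA-256) are assumptions for this
illustration.
"""
import hashlib
import secrets
from typing import Dict, List, Optional, Sequence

KEY_BYTES = 32  # 256-bit key


def generate_key() -> bytes:
    """Key generation from the OS CSPRNG."""
    return secrets.token_bytes(KEY_BYTES)


def key_check_value(value: bytes) -> str:
    """Six hex digits a custodian can compare without seeing the key.
    Assumption for this example; PCI practice encrypts a zero block."""
    return hashlib.sha256(value).hexdigest()[:6]


def xor_all(parts: Sequence[bytes]) -> bytes:
    out = bytes(len(parts[0]))
    for part in parts:
        if len(part) != len(out):
            raise ValueError("component length mismatch")
        out = bytes(a ^ b for a, b in zip(out, part))
    return out


def split_into_components(key: bytes, custodians: int) -> List[bytes]:
    """custodians-1 random components plus one chosen so that the XOR of all
    of them is the key. Any strict subset is independent of the key, so no
    single custodian (or any group short of all of them) learns anything."""
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    parts = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    parts.append(xor_all(parts + [key]))
    return parts


def reconstruct(components: Sequence[bytes], expected_kcv: str) -> bytes:
    """Combine components and verify against the recorded check value, which
    catches a mistyped or substituted component (assessment item c.)."""
    key = xor_all(components)
    if key_check_value(key) != expected_kcv:
        raise ValueError("key check value mismatch: wrong or substituted component")
    return key


class KeyLoadingCeremony:
    """Dual control (assessment item d.): each named custodian enters their
    own component; the key is formed only once every one of them has."""

    def __init__(self, custodians: Sequence[str], expected_kcv: str):
        self.components: Dict[str, Optional[bytes]] = {c: None for c in custodians}
        self.expected_kcv = expected_kcv
        self.log: List[str] = []

    def enter(self, custodian: str, component: bytes) -> None:
        if custodian not in self.components:
            raise PermissionError("%s is not a custodian for this key" % custodian)
        self.components[custodian] = component
        # Log the component's own check value, never the component itself.
        self.log.append("%s entered component kcv=%s" % (custodian, key_check_value(component)))

    def release(self) -> bytes:
        missing = [c for c, v in self.components.items() if v is None]
        if missing:
            raise PermissionError("waiting on custodians: " + ", ".join(missing))
        return reconstruct([v for v in self.components.values() if v is not None],
                           self.expected_kcv)


if __name__ == "__main__":
    key = generate_key()
    kcv = key_check_value(key)
    parts = split_into_components(key, 3)
    ceremony = KeyLoadingCeremony(["alice", "bob", "carol"], kcv)
    for who, part in zip(["alice", "bob", "carol"], parts):
        ceremony.enter(who, part)
    assert ceremony.release() == key
    print("\n".join(ceremony.log))
```

The ceremony log is what item e. (signed custodian acknowledgements) is filed against: it names who entered what, identified by check value only, so the record can be kept outside the key's own storage.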



Associated Requirement Sections

PCI DSS v2.0 - Sec 3.5


PCI DSS v2.0 - Sec 3.6
PCI DSS v2.0 - Sec 3.5.1
PCI DSS v2.0 - Sec 3.5.2
PCI DSS v2.0 - Sec 3.6.1
PCI DSS v2.0 - Sec 3.6.2
PCI DSS v2.0 - Sec 3.6.3
PCI DSS v2.0 - Sec 3.6.4
PCI DSS v2.0 - Sec 3.6.5
PCI DSS v2.0 - Sec 3.6.6
PCI DSS v2.0 - Sec 3.6.7
PCI DSS v2.0 - Sec 3.6.8
NIST 800-53 Rev.4 - SC-12
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services
(CJIS) Security Policy



R0141 | Family: SYSTEM AND COMMUNICATIONS PROTECTION | Control: CRYPTOGRAPHIC PROTECTION | 800-53 Control #: SC-13 | Low: Required | Moderate: Required | Security Program Area: Protect -> System Communications Protection; Protect -> Cryptography



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] (detailed breakdown of required controls) / Vendor's Response (please address all the controls and control enhancements, then state whether each is Implemented, Partially Implemented or Not Implemented)

The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in
accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.





General Assessment Questions:
Does the institution or department have policies and supporting processes in place that provide requirements on: i) situations where encryption should be applied; and ii) use of appropriate encryption strengths based on current practices and in compliance with State and Federal requirements?

Detailed Control Testing Procedure(s):
Obtain system and communications protection policy; procedures addressing use of cryptography; FIPS 140-2 (as amended); NIST Special Publications 800-56 and 800-57; information system design documentation; information system configuration settings and associated documentation; cryptographic module validation certificates; other relevant documents or records and ascertain if, for information requiring cryptographic protection, the information system implements cryptographic mechanisms that comply with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance.



Risk Statement Examples: Encryption and other cryptographic controls are inconsistently used to protect information assets and deviate from policy.
SOA Policy Number / SOA SubSection: 8350, 6.3.2



Arizona Breach Notification: A.R.S. § 44-7500
Arizona Computer Tampering: A.R.S. § 13-2316
COBIT Reference (Control Objective): [CobiT v5 - High Level Control Objective DSS01; DSS04; DSS05; DSS06] Controls have been defined to manage data by maintaining the completeness, accuracy, availability and protection of data.



Consolidated Control Activities
(See Column AE through AO)

policy on the use of cryptographic controls for protection of information is developed and implemented. Approach must be defined to adequately protect PAN (One-way hashes based on strong cryptography Truncation Index tokens and pads (pads must be securely stored)). Passwor
transmission and storage on all system components using strong cryptography. Strong cryptography must be used whenever cardholder data is sent via end-user messaging technologies. A policy stating that unprotected PANs are not to be sent via end-user messaging technologies.

The organization implements procedures which can implement a mechanism to encrypt and decrypt electronic protected health information.

The organization implements procedures to encrypt electronic protected health information whenever deemed appropriate.

[CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy] Encrypted information can only be decrypted, and therefore read, by those possessing the appropriate cryptographic key. While encryption can provide strong access control, it is accompanied by the need for stron
encryption of stored information is employed as an access enforcement mechanism, the cryptography used is Federal Information Processing Standards (FIPS) 140-2 (as amended) compliant (see section 5.10.1.2 for encryption requirements).
on
ll be a minimum of 128 bit.
nsmitted outside the boundary of the physically secure location, the data shall be immediately protected via cryptographic mechanisms (encryption).
sections 5.5.7.3.2 and 5.10.2.
rest (i.e. stored electronically) outside the boundary of the physically secure location, the data shall be protected via cryptographic mechanisms (encryption).
on is employed, the cryptographic module used shall be certified to meet FIPS 140-2 standards.
ent versions of approved cryptographic modules that are under current review for FIPS 140-2 compliancy can be used in the interim until certification is complete.
PS 197 (Advanced Encryption Standard) certification is desirable, a FIPS 197 certification alone is insufficient as the certification is for the algorithm only vs. the FIPS 140-2 standard which certifies the packaging of an implementation.
sing public key infrastructure technology, the agency shall develop and implement a certificate policy and certification practice statement for the issuance of public key certificates used in the information system. Registration to receive a public key certificate shall:
ization by a supervisor or a responsible official.
ed by a secure process that verifies the identity of the certificate holder.
tificate is issued to the intended party.

[Critical Control #17] The processes and tools used to track/control/prevent/correct data transmission and storage, based on the data's content and associated classification.

1075] The information system must implement cryptographic modules in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.



Associated Requirement Sections

PCI DSS v2.0 - Sec 3.4


PCI DSS v2.0 - Sec 4.2
PCI DSS v2.0 - Sec 8.4
PCI DSS v2.0 - Sec 3.4.1
HIPAA Security Section - 45 CFR 164.312(a)(2)(iv)
HIPAA Security Section - 45 CFR 164.312(e)(2)(i)
NIST 800-53 Rev.4 - SC-13
Critical Control 17: Data Loss Prevention
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services
(CJIS) Security Policy



R0142 | Family: SYSTEM AND COMMUNICATIONS PROTECTION | Control: COLLABORATIVE COMPUTING DEVICES | 800-53 Control #: SC-15 | Low: Required | Moderate: Required | Security Program Area: Protect -> System Communications Protection

R0143 | Family: SYSTEM AND COMMUNICATIONS PROTECTION | Control: PUBLIC KEY INFRASTRUCTURE CERTIFICATES | 800-53 Control #: SC-17 | Moderate: Required | Security Program Area: Protect -> System Communications Protection



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] (detailed breakdown of required controls) / Vendor's Response (please address all the controls and control enhancements, then state whether each is Implemented, Partially Implemented or Not Implemented)

The information system:


a. Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions
where remote activation is to be allowed]; and
b. Provides an explicit indication of use to users physically present at the devices.

The organization issues public key certificates under an [Assignment: organization-defined certificate policy] or obtains public key certificates
from an approved service provider.

DIR CONTROL CROSSWALK REFERENCE | 10/26/2021 06:26:00 754 of 881


Supporting Documentation (policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to; section numbers or similar mechanisms should allow the reviewer to easily find the reference)

Vendor's Compensating Controls (if a control or control enhancement can't be met: what alternative security controls or remediation plan does the organization employ?)

Overall Control(s) Implementation Status (reference on Comments page), one of: Implemented; Partially Implemented; Planned; Alternative Implementation; Not Applicable

Where does the Control(s) originate from?, one of: Service Provider Corporate; Service Provider System Specific; Service Provider Hybrid (Corporate and System Specific); Configured by Customer (Customer System Specific); Provided by Customer (Customer System Specific); Shared (Service Provider and Customer Responsibility); Controls inherited by IaaS


Vendor Non-Compliance Risk Statement (if you can't meet this control at all, please explain why; see the Risk Statement column O for examples of non-compliance language) | General Assessment Questions | Detailed Control Testing Procedure(s)

SC-15 General Assessment Question: Does the institution or department have policies and practices in place to minimize security exposure from collaborative computing devices (e.g., networked white boards, cameras, video conferencing, microphones, etc.)? [Note: examples include proper baseline secure configuration of such devices, restriction on remote activation of collaborative computing devices, etc.]

SC-15 Detailed Control Testing Procedure: Obtain system and communications protection policy; procedures addressing collaborative computing; access control policy and procedures; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records and ascertain if: (i) the information system prohibits remote activation of collaborative computing mechanisms and provides an explicit indication of use to the local users.

SC-17 General Assessment Question: Does the institution or department issue public key certificates under an appropriate certificate policy or obtain public key certificates under an appropriate certificate policy from an approved service provider? [Note: A public key certificate (also known as a digital certificate or identity certificate) is an electronic document that uses a digital signature to bind a public key with an identity: information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual. For example, on Windows Server, use a public key certificate in situations that include access to corporate resources, external business partner communications, or computers that do not run the Kerberos V5 authentication protocol. This requires that at least one trusted root CA is configured on your network and that client computers have an associated computer certificate.]

SC-17 Detailed Control Testing Procedure: Obtain system and communications protection policy; procedures addressing public key infrastructure certificates; public key certificate policy or policies; public key issuing process; NIST Special Publication 800-32; other relevant documents or records and ascertain if: (i) the organization issues public key certificates under an appropriate certificate policy or obtains public key certificates under an appropriate certificate policy from an approved service provider.


Risk Statement Examples | SOA Policy Number 1 | SOA SubSection 1 | SOA Policy Number 2 | SOA SubSection 2 | SOA Policy Number 3 | SOA SubSection 3 | SOA Policy Number 4 | SOA SubSection 4

SC-15: Unauthorized parties gain access to sensitive, secure areas due to the lack of implemented physical security controls. | 8350 | 6.3.6
SC-17: Cryptographic keys are modified, lost, destroyed or disclosed to unauthorized parties. | 8350 | 6.3.2.3


COBIT Reference (Control Objective) | Arizona Breach Notification A.R.S. § 44-7500 | Arizona Computer tampering A.R.S. § 13-2316

SC-15: [CobiT v5 - High Level Control Objective DSS01; DSS05] Controls have been defined to manage the physical environment to protect IT assets from access, damage or theft.

SC-17: [CobiT v5 - High Level Control Objective DSS01; DSS04; DSS05; DSS06] Controls have been defined to manage data by maintaining the completeness, accuracy, availability and protection of data.


Consolidated Control Activities
(See Column AE through AO)

Control Guidance (SC-15)

[IRS Publication 1075] The information system must:
a. Prohibit remote activation of collaborative computing devices; and
b. Provide an explicit indication of use to users physically present at the devices. Collaborative computing devices include, for example, networked white boards, cameras, and microphones. Explicit indication of use includes, for example, signals to users when collaborative computing devices are activated.

Control Guidance (SC-17)

[CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy] For agencies using public key infrastructure technology, the agency shall develop and implement a certificate policy and certification practice statement for the issuance of public key certificates used in the information system. Registration to receive a public key certificate shall:
1. Include authorization by a supervisor or a responsible official.
2. Be accomplished by a secure process that verifies the identity of the certificate holder.
3. Ensure the certificate is issued to the intended party.

[IRS Publication 1075] The agency must issue public key infrastructure certificates or obtain public key infrastructure certificates from an approved service provider.


Associated Requirement Sections

SC-15: PCI DSS v2.0 - Sec 9.1.1; NIST 800-53 Rev.4 - SC-15
SC-17: NIST 800-53 Rev.4 - SC-17; CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy


Req.# | Security Control Family | Control Name | 800-53 Control # | NIST Low [Control and Control Enhancement] | MODERATE [Control and Control Enhancement] | Security Program Area (Function Area -> Functional Sub-Area)
R0144 | SYSTEM AND COMMUNICATIONS PROTECTION | MOBILE CODE | SC-18 | - | Required | Protect -> System Communications Protection
R0145 | SYSTEM AND COMMUNICATIONS PROTECTION | VOICE OVER INTERNET PROTOCOL | SC-19 | - | Required | Protect -> System Communications Protection


NIST 800-53 Rev. 4 Control [Control and Control Enhancement], detailed breakdown of required controls (Vendor's Response column: please address all the controls and control enhancements, then describe whether each is Implemented, Partially Implemented or Not Implemented)

SC-18: The organization:
a. Defines acceptable and unacceptable mobile code and mobile code technologies;
b. Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and
c. Authorizes, monitors, and controls the use of mobile code within the information system.

SC-19: The organization:
a. Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and
b. Authorizes, monitors, and controls the use of VoIP within the information system.




Vendor Non-Compliance Risk Statement (if you can't meet this control at all, please explain why; see the Risk Statement column O for examples of non-compliance language) | General Assessment Questions | Detailed Control Testing Procedure(s)

SC-18 General Assessment Question: Has the institution or department established policy and supporting procedures related to mobile code development or acquisition to minimize risk of introduction of unacceptable mobile code within the information system? [Note: Mobile code technologies include, for example, Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and VBScript. The employment of mobile code within organizational information systems is based on the potential for the code to cause damage to the system if used maliciously.]

SC-18 Detailed Control Testing Procedure: Obtain system and communications protection policy; procedures addressing mobile code; mobile code usage restrictions; mobile code implementation guidance; NIST Special Publication 800-28; other relevant documents or records and ascertain if: (i) the organization establishes usage restrictions and implementation guidance for mobile code technologies based on the potential to cause damage to the information system if used maliciously; (ii) the organization authorizes, monitors, and controls the use of mobile code within the information system.

SC-19 General Assessment Question: Has the institution or department documented and established usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on impact to the institution and risk? [Note: Implementation guidance could offer solutions such as authentication using the MAC address of an IP phone; disabling the automatic registration function of the call-processing server.]

SC-19 Detailed Control Testing Procedure: Obtain system and communications protection policy; procedures addressing VoIP; NIST Special Publication 800-58; VoIP usage restrictions; other relevant documents or records and ascertain if: (i) the organization establishes usage restrictions and implementation guidance for Voice over Internet Protocol technologies based on the potential to cause damage to the information system if used maliciously; (ii) the organization authorizes, monitors, and controls the use of VoIP within the information system.


Risk Statement Examples | SOA Policy Number 1 | SOA SubSection 1 | SOA Policy Number 2 | SOA SubSection 2 | SOA Policy Number 3 | SOA SubSection 3 | SOA Policy Number 4 | SOA SubSection 4

SC-18: Unauthorized mobile code disrupts the production environment due to lack of built-in security controls. | 8350 | 6.3.5
SC-19: Users have access to networks that they are not authorized to use. | 8350 | 6.3.7


COBIT Reference (Control Objective) | Arizona Breach Notification A.R.S. § 44-7500 | Arizona Computer tampering A.R.S. § 13-2316

SC-18: [CobiT v5 - High Level Control Objective APO13; DSS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and monitoring, detecting, reporting security vulnerabilities and incidents.

SC-19: [CobiT v5 - High Level Control Objective APO13; DSS02; DSS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and monitoring, detecting, reporting security vulnerabilities and incidents.


Consolidated Control Activities
(See Column AE through AO)

Control Guidance (SC-18)

[Critical Control #5] The processes and tools used to detect/prevent/correct installation and execution of malicious software on all devices.

[Critical Control #13] The processes and tools used to detect/prevent/correct the flow of information transferring networks of different trust levels with a focus on security-damaging data.

[IRS Publication 1075] The agency must:
a. Define acceptable and unacceptable mobile code and mobile code technologies;
b. Establish usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and
c. Authorize, monitor, and control the use of mobile code within the information system.
Mobile code technologies include, for example, Java, JavaScript, ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript, which are common installations on most end user workstations. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices (e.g., tablet computers and smartphones).

Control Guidance (SC-19)

[PCI DSS v2.0 - Sec 1.1.5] For PCI covered data, documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.

[CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy] 5.10.1.4 Voice over Internet Protocol
Voice over Internet Protocol (VoIP) has been embraced by organizations globally as an addition to, or replacement for, public switched telephone network (PSTN) and private branch exchange (PBX) telephone systems. The immediate benefits are lower costs than traditional telephone services and VoIP can be installed in-line with an organization's existing Internet Protocol (IP) services. Among VoIP's risks that have to be considered carefully are: myriad security concerns, cost issues associated with new networking hardware requirements, and overarching quality of service (QoS) factors.
In addition to the security controls described in this document, the following additional controls shall be implemented when an agency deploys VoIP within a network that contains unencrypted CJI:
1. Establish usage restrictions and implementation guidance for VoIP technologies.
2. Change the default administrative password on the IP phones and VoIP switches.
3. Utilize Virtual Local Area Network (VLAN) technology to segment VoIP traffic from data traffic.
Appendix G.2 outlines threats, vulnerabilities, mitigations, and NIST best practices for VoIP.

[IRS Publication 1075] The agency must:
a. Establish usage restrictions and implementation guidance for VoIP technologies based on the potential to cause damage to the information system if used maliciously; and
b. Authorize, monitor, and control the use of VoIP within the information system.


Associated Requirement Sections

SC-18: NIST 800-53 Rev.4 - SC-18; Critical Control 5: Malware Defenses; Critical Control 13: Boundary Defense
SC-19: PCI DSS v2.0 - Sec 1.1.5; NIST 800-53 Rev.4 - SC-19; CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy


Req.# | Security Control Family | Control Name | 800-53 Control # | NIST Low [Control and Control Enhancement] | MODERATE [Control and Control Enhancement] | Security Program Area (Function Area -> Functional Sub-Area)
R0146 | SYSTEM AND COMMUNICATIONS PROTECTION | SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) | SC-20 | Required | Required | Protect -> System Communications Protection
R0147 | SYSTEM AND COMMUNICATIONS PROTECTION | SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) | SC-21 | Required | Required | Protect -> System Communications Protection
R0148 | SYSTEM AND COMMUNICATIONS PROTECTION | ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE | SC-22 | Required | Required | Protect -> System Communications Protection; Protect -> Enterprise Architecture, Roadmap & Emerging Technology


NIST 800-53 Rev. 4 Control [Control and Control Enhancement], detailed breakdown of required controls (Vendor's Response column: please address all the controls and control enhancements, then describe whether each is Implemented, Partially Implemented or Not Implemented)

SC-20: The information system:
a. Provides additional data origin and integrity artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and
b. Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.

SC-21: The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.

SC-22: The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.
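The SC-20 and SC-21 requirements above come down to two concrete wire-level behaviours: the querying side asks for DNSSEC material by setting the DO bit in an EDNS0 OPT record, and a stub that relies on a validating resolver must check that the answer is a reply to its own transaction and carries the AD (Authenticated Data) flag before trusting it. The Python below is an added example written for this page, not part of the crosswalk or of any NIST or DIR material; it builds such a query with the standard library only, parses message headers, and checks constructed sample responses (the messages and the 192.0.2.1 answer are made up for the demo).

```python
"""SC-20/SC-21 worked example: request DNSSEC data (DO bit) and refuse answers that a
validating resolver did not mark as authenticated (AD bit). Stdlib only; all messages
below are constructed for the demo, not captured traffic."""
import secrets
import struct
from typing import Optional

# DNS header flag bits (RFC 1035 / RFC 4035)
QR_FLAG = 0x8000   # message is a response
RD_FLAG = 0x0100   # recursion desired
RA_FLAG = 0x0080   # recursion available
AD_FLAG = 0x0020   # Authenticated Data: the resolver validated this answer
CD_FLAG = 0x0010   # Checking Disabled
# EDNS0 OPT pseudo-RR: the DO ("DNSSEC OK") bit is the top bit of the low 16 bits of TTL (RFC 3225)
DO_FLAG = 0x00008000
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1
EDNS_UDP_SIZE = 4096


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name starting at `off`."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:          # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + ln


def parse_header(msg: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR_FLAG), "ad": bool(flags & AD_FLAG),
            "cd": bool(flags & CD_FLAG), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def build_query(qname: str, qtype: int = TYPE_A, dnssec: bool = True,
                txid: Optional[int] = None) -> bytes:
    """One question; with dnssec=True also an OPT RR with DO set ('send me RRSIG/DNSKEY/DS')."""
    if txid is None:
        txid = secrets.randbelow(1 << 16)   # unpredictable id: one of the anti-spoofing defences
    header = struct.pack("!HHHHHH", txid, RD_FLAG, 1, 0, 0, 1 if dnssec else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    if not dnssec:
        return header + question
    # OPT RR: NAME=root, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode|version|DO|Z, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, EDNS_UDP_SIZE, DO_FLAG, 0)
    return header + question + opt


def opt_do_bit(msg: bytes) -> Optional[bool]:
    """Walk every RR; return the DO bit of the OPT RR, or None if the message has no OPT RR."""
    h = parse_header(msg)
    off = 12
    for _ in range(h["qdcount"]):
        off = skip_name(msg, off) + 4                # QTYPE + QCLASS
    for _ in range(h["ancount"] + h["nscount"] + h["arcount"]):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            return bool(ttl & DO_FLAG)
    return None


def response_is_validated(query: bytes, response: bytes) -> bool:
    """What a stub should require before trusting an answer from its validating resolver:
    it is a response to *our* query (id matches), RCODE is NOERROR, and AD is set.
    AD is only meaningful over a trusted path to the resolver (localhost, DoT/DoH, or an
    authenticated segment); on an open network an attacker can set the bit just as easily."""
    q, r = parse_header(query), parse_header(response)
    return bool(r["qr"] and r["id"] == q["id"] and r["rcode"] == 0 and r["ad"])


def make_sample_response(query: bytes, validated: bool) -> bytes:
    """Constructed sample reply (not captured traffic): echoes the question, answers with
    192.0.2.1 via a compression pointer to offset 12, and sets AD only when `validated`."""
    q = parse_header(query)
    qend = skip_name(query, 12) + 4
    flags = QR_FLAG | RD_FLAG | RA_FLAG | (AD_FLAG if validated else 0)
    header = struct.pack("!HHHHHH", q["id"], flags, 1, 1, 0, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, EDNS_UDP_SIZE, DO_FLAG, 0)
    return header + query[12:qend] + answer + opt


if __name__ == "__main__":
    q = build_query("example.com", txid=0x1234)
    print("query asks for DNSSEC data:", opt_do_bit(q))
    print("validated reply accepted:", response_is_validated(q, make_sample_response(q, True)))
    print("unvalidated reply rejected:", not response_is_validated(q, make_sample_response(q, False)))
```

The AD flag is an assertion by the resolver, not a proof: the resolver does the real work of checking RRSIG records against the zone's DNSKEY and walking DS records up to the trust anchor. The stub-side check shown here is what stops an application from silently accepting an unvalidated answer, which is the gap the SC-21 assessment question is probing, and it only holds if the path to that resolver is itself trusted.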





Vendor Non-Compliance Risk Statement (if you can't meet this control at all, please explain why; see the Risk Statement column O for examples of non-compliance language) | General Assessment Questions | Detailed Control Testing Procedure(s)

SC-20 General Assessment Question: Has the institution or department implemented the DNS service in a manner that supports cryptographically signed responses and validates DNS results to reduce risk of traffic diversion through DNS spoofing, cache poisoning, etc.? [Note: examples of proper security include separation of external and internal DNS, validating DNS results, etc.]

SC-20 Detailed Control Testing Procedure: Obtain system and communications protection policy; procedures addressing secure name/address resolution service (authoritative source); NIST Special Publication 800-81; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records and ascertain if: (i) the information system (if the system provides a name/address resolution service) provides additional data origin authentication and data integrity artifacts along with the authoritative data it returns in response to resolution queries; (ii) the information system, when operating as part of a distributed, hierarchical namespace, provides the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains.

SC-21 General Assessment Question: Does the institution or department have documented processes on secure addressing practices and mechanisms to verify the authenticity and integrity of name/address resolution (such as recursive resolving or caching domain name system (DNS) servers)?

SC-21 Detailed Control Testing Procedure: Obtain procedures addressing secure addressing practices and ascertain if the organization performs data origin authentication and data integrity verification on the name/address resolution responses (such as recursive resolving or caching domain name system (DNS) servers).

SC-22 General Assessment Question: Has the institution or department implemented the DNS architecture in a manner that addresses fault tolerance and appropriate security (e.g., reduce risk of traffic diversion through DNS spoofing, cache poisoning, etc.)? [Note: examples of proper security include separation of external and internal DNS results, etc.]

SC-22 Detailed Control Testing Procedure: Obtain system and communications protection policy; procedures addressing architecture and provisioning for name/address resolution service; access control policy and procedures; NIST Special Publication 800-81; information system design documentation; assessment results from independent testing organizations; information system configuration settings and associated documentation; other relevant documents or records and ascertain if: (i) the information systems that collectively provide name/address resolution service for an organization are fault tolerant and implement role separation.


Risk Statement Examples | SOA Policy Number 1 | SOA SubSection 1 | SOA Policy Number 2 | SOA SubSection 2 | SOA Policy Number 3 | SOA SubSection 3 | SOA Policy Number 4 | SOA SubSection 4

SC-20: Networks and supporting infrastructure are exposed to unauthorized parties due to lack of defined network security and administration policies, procedures and standards. | 8350 | 6.3.9
SC-21: Lack of procedures to verify the authenticity and data integrity of the name/address resolution responses might result in potential breaks to the chain of trust in the DNS infrastructure. | 8350 | 6.3.9
SC-22: Information systems fail due to improper fault tolerant or redundant architectures. | 8350 | 6.3.9


COBIT Reference (Control Objective) | Arizona Breach Notification A.R.S. § 44-7500 | Arizona Computer tampering A.R.S. § 13-2316

SC-20: [CobiT v5 - High Level Control Objective APO13; DSS02; DSS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and monitoring, detecting, reporting security vulnerabilities and incidents.

SC-21: [CobiT v5 - High Level Control Objective DSS01; DSS04; DSS05; DSS06] Controls have been defined to manage data by maintaining the completeness, accuracy, availability and protection of data.

SC-22: [CobiT v5 - High Level Control Objective BAI03; DSS02] Controls have been defined for the acquisition and maintenance of technology infrastructure to ensure that the platforms that support the business applications are aligned with defined IT architecture and technology standards.


Consolidated Control Activities
(See Column AE through AO)

Control Guidance (SC-20, SC-21 and SC-22)

[Critical Control #19] The process and tools used to build, update, and validate a network infrastructure that can properly withstand attacks from advanced threats.


Associated Requirement Sections

SC-20: NIST 800-53 Rev.4 - SC-20; Critical Control 19: Secure Network Engineering
SC-21: NIST 800-53 Rev.4 - SC-21; Critical Control 19: Secure Network Engineering
SC-22: NIST 800-53 Rev.4 - SC-22; Critical Control 19: Secure Network Engineering


Req.# | Security Control Family | Control Name | 800-53 Control # | NIST Low [Control and Control Enhancement] | MODERATE [Control and Control Enhancement] | Security Program Area (Function Area -> Functional Sub-Area)
R0149 | SYSTEM AND COMMUNICATIONS PROTECTION | SESSION AUTHENTICITY | SC-23 | - | Required | Protect -> System Communications Protection
R0150 | SYSTEM AND COMMUNICATIONS PROTECTION | PROTECTION OF INFORMATION AT REST | SC-28 | - | Required (1) | Protect -> System Communications Protection
R0151 | SYSTEM AND COMMUNICATIONS PROTECTION | PROCESS ISOLATION | SC-39 | Required | Required | Protect -> System Communications Protection


NIST 800-53 Rev. 4 Control [Control and Control Enhancement], detailed breakdown of required controls (Vendor's Response column: please address all the controls and control enhancements, then describe whether each is Implemented, Partially Implemented or Not Implemented)

SC-23: The information system protects the authenticity of communications sessions.
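SC-23 is usually met at the transport layer by TLS (NIST SP 800-52 in the testing procedure below), but a web application also has to protect the session identifiers it hands out after authentication, because hijacking a session or inserting false information into it is exactly the attack the assessment note names. The Python below is an added example written for this page, not the crosswalk's or any vendor's code: it issues session tokens bound to a subject and an expiry with an HMAC-SHA256 tag, verifies them in constant time, and shows the tampering attempt (rewriting the subject while keeping the old tag) that the check must reject. The key, subject names and timestamps are constructed for the demo.

```python
"""SC-23 worked example: application-layer session authenticity with HMAC-signed,
expiring session tokens. Stdlib only; key and timestamps are constructed for the demo."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, subject: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Return '<payload>.<tag>'. The tag is HMAC-SHA256 over the exact payload bytes, so any
    change to sid, subject or expiry invalidates it; sid is 128 random bits, so it cannot be guessed."""
    now = time.time() if now is None else now
    payload = {"sid": secrets.token_hex(16), "sub": subject, "exp": int(now) + ttl_seconds}
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode("utf-8")
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64e(body) + "." + _b64e(tag)


def verify_token(key: bytes, token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the token is authentic and unexpired, else None.
    Order matters: check the MAC before parsing or trusting anything in the payload."""
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _b64d(body_b64), _b64d(tag_b64)
    except ValueError:            # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time compare: no timing oracle on the tag
        return None
    payload = json.loads(body)
    now = time.time() if now is None else now
    if payload["exp"] < now:
        return None               # expired: a captured token cannot be replayed indefinitely
    return payload


def forge_subject(token: str, new_subject: str) -> str:
    """What an attacker who holds a token but not the key can try: rewrite the payload and
    keep the old tag. verify_token must reject the result."""
    body_b64, tag_b64 = token.split(".")
    payload = json.loads(_b64d(body_b64))
    payload["sub"] = new_subject
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode("utf-8")
    return _b64e(body) + "." + tag_b64


if __name__ == "__main__":
    key = secrets.token_bytes(32)     # demo key; a real one lives in a KMS/HSM, never in source
    tok = issue_token(key, "alice", ttl_seconds=600)
    print("genuine token subject:", verify_token(key, tok)["sub"])
    print("forged subject rejected:", verify_token(key, forge_subject(tok, "admin")) is None)
    print("wrong key rejected:", verify_token(secrets.token_bytes(32), tok) is None)
```

Two properties carry the guarantee: the tag covers the exact payload bytes, so any change to subject or expiry invalidates it, and the session id is unguessable. Verifying the MAC before parsing the payload is deliberate; parsing attacker-controlled JSON first hands them an input surface that need not exist.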

SC-28: The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest].

Control Enhancement SC-28 (1) CRYPTOGRAPHIC PROTECTION: The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined information] on [Assignment: organization-defined information system components].

SC-39: The information system maintains a separate execution domain for each executing process.
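For the integrity half of SC-28, a file-level example: the Python below, added for this page and not taken from the crosswalk or any product, records a SHA-256 digest per file under a directory, seals the manifest with an HMAC-SHA256 key that is kept off the protected storage, and later reports which files were modified, added or removed. The directory contents, file names and key are constructed for the demo. The sealing step is the point: a plain hash list stored beside the data proves nothing against an adversary who can already write to that disk, because they can recompute it; with the key elsewhere they can alter files or the manifest but cannot re-sign.

```python
"""SC-28 worked example: integrity of information at rest with a keyed (HMAC) manifest.
Stdlib only; the directory, files and key are constructed for the demo."""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def _file_hash(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> Dict[str, str]:
    """Relative path -> SHA-256 of content, for every regular file under root."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): _file_hash(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal_manifest(key: bytes, manifest: Dict[str, str]) -> bytes:
    """Serialize canonically and attach an HMAC-SHA256 tag computed with the off-disk key."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"manifest": manifest, "tag": tag}, sort_keys=True).encode("utf-8")


def check_at_rest(key: bytes, sealed: bytes, root) -> Dict[str, List[str]]:
    """Verify the sealed manifest first, then diff it against what is on disk now.
    Returns {'modified': [...], 'added': [...], 'removed': [...]}; raises ValueError if the
    manifest itself was altered (the attacker rewrote the hash list but could not re-sign it)."""
    doc = json.loads(sealed)
    body = json.dumps(doc["manifest"], sort_keys=True, separators=(",", ":")).encode("utf-8")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["tag"]):
        raise ValueError("manifest tag mismatch: manifest was altered or the key is wrong")
    recorded, current = doc["manifest"], build_manifest(Path(root))
    return {
        "modified": sorted(p for p in recorded if p in current and current[p] != recorded[p]),
        "added": sorted(set(current) - set(recorded)),
        "removed": sorted(set(recorded) - set(current)),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: seal a directory, then change it the way an attacker with write
    access would (edit a config, drop a script, delete a data file), and report what the check sees."""
    key = b"\x42" * 32                        # stand-in for a key that lives off the protected volume
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "config").mkdir()
        (root / "config" / "app.ini").write_text("debug=false\n")
        (root / "records.csv").write_text("id,ssn\n1,REDACTED\n")
        sealed = seal_manifest(key, build_manifest(root))
        (root / "config" / "app.ini").write_text("debug=true\n")
        (root / "backdoor.sh").write_text("#!/bin/sh\n")
        (root / "records.csv").unlink()
        return check_at_rest(key, sealed, root)


if __name__ == "__main__":
    print(demo())
```

Confidentiality at rest (SC-28(1)) needs a cipher as well, typically an AEAD such as AES-GCM from a module validated under SC-13, with the key held in a KMS or HSM rather than on the same volume; Python's standard library ships no block cipher, which is why this example stops at integrity.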





Vendor Non-Compliance Risk Statement (if you can't meet this control at all, please explain why; see the Risk Statement column O for examples of non-compliance language) | General Assessment Questions | Detailed Control Testing Procedure(s)

SC-23 General Assessment Question: Does the institution or department have a control in place to protect the authenticity of communications sessions? [Note: For example, this control addresses man-in-the-middle attacks including session hijacking or insertion of false information into a session. This control is only implemented where deemed necessary by the institution (e.g., sessions in service-oriented architectures providing web-based services).]

SC-23 Detailed Control Testing Procedure: Obtain system and communications protection policy; procedures addressing session authenticity; NIST Special Publications 800-52, 800-77, and 800-95; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records and ascertain if: (i) the information system provides mechanisms to protect the authenticity of communications sessions.

SC-28 General Assessment Question: Does the institution or department provide controls for the protection of confidentiality and integrity of information at rest? [Note: Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive, tape drive) within an organizational information system. Institutions may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate.]

SC-28 Detailed Control Testing Procedure: Obtain system and communications protection policy; procedures addressing protection of information at rest; information system design documentation; information system configuration settings and associated documentation; cryptographic mechanisms and associated configuration documentation; list of information at rest requiring confidentiality and integrity protections; other relevant documents or records and ascertain if: (i) the information system protects the confidentiality and integrity of information at rest.

SC-39 General Assessment Question: Does the institution or department have established mechanisms to securely control communications and interfaces between the system processes (such that one process cannot modify the executing code of another process)?

SC-39 Detailed Control Testing Procedure: Obtain procedures addressing process isolation and ascertain if: (i) information systems maintain separate execution domains for each executing process; (ii) each information system process has a distinct address space to securely control the communications and interfaces between the two processes (such that one process cannot modify the executing code of another process).


Risk Statement Examples | SOA Policy Number 1 | SOA SubSection 1 | SOA Policy Number 2 | SOA SubSection 2 | SOA Policy Number 3 | SOA SubSection 3 | SOA Policy Number 4 | SOA SubSection 4
Unauthorized users access operating systems by physically or logically accessing valid inactive and/or unattended sessions. | 8350 | 6.3.8
Sensitive data is exposed to unauthorized disclosure or modification while in storage. | 8350 | 6.3.10
Insufficient segregation of communications and interfaces between the system processes may expose sensitive information resources to unauthorized access.



COBIT Reference (Control Objective) | Arizona Breach Notification A.R.S. § 44-7500 | Arizona Computer tampering A.R.S. § 13-2316

[CobiT v5 - High Level Control Objective APO13; DS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and monitoring, detecting, reporting security vulnerabilities and incidents.

[CobiT v5 - High Level Control Objective DSS01; DSS04; DSS05; DSS06] Controls have been defined to manage data by maintaining the completeness, accuracy, availability and protection of data.

[CobiT v5 - High Level Control Objective DSS01; DSS04; DSS05; DSS06] Controls have been defined to manage data by maintaining the completeness, accuracy, availability and protection of data.



Consolidated Control Activities
(See Column AE through AO)

ntrol Guidance

1075] The information system must protect the authenticity of communications sessions. This control addresses communications protection at the session level versus the packet level (e.g., sessions in service-oriented architectures providing Web-based services) and establishes groun
th ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted.

ntrol Guidance

ntrol #17] The processes and tools used to track/control/prevent/correct data transmission and storage, based on the data's content and associated classification

1075]
system must protect the confidentiality and integrity of FTI at rest.
st refers to the state of information when it is located on storage devices as specific components of information systems.
mploy different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms, file share scanning, and integrity protection. Agencies may also employ other security controls, including, for example, secure offline storage in lieu of onlin
tion of information at rest cannot otherwise be achieved or when continuously monitoring to identify malicious code at rest.
ty and integrity of information at rest shall be protected when located on a secondary (non-mobile) storage device (e.g., disk drive, tape drive) with cryptography mechanisms.
ployed user workstations, in non-volatile storage, shall be encrypted with FIPS-validated or National Security Agency (NSA)-approved encryption during storage (regardless of location) except when no approved encryption technology solution is available that addresses the specific tec

ntrol Guidance



Associated Requirement Sections

NIST 800-53 Rev.4 - SC-23
NIST 800-53 Rev.4 - SC-28
Critical Control 17: Data Loss Prevention
NIST 800-53 Rev.4 - SC-39



Req.#: R0152
Security Control Family: SYSTEM AND INFORMATION INTEGRITY
Control Name: SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
NIST 800-53 Control #: SI-1
Low [Control and Control Enhancement]: Required
MODERATE [Control and Control Enhancement]: Required
Security Program Area (Function Area -> Functional Sub-Area): Protect -> Enterprise Architecture, Roadmap & Emerging Technology



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls
Vendor's Response (Please address all the controls and control enhancements, then describe if the controls are Implemented, Partially Implemented or Not Implemented)

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination
among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity
controls; and
b. Reviews and updates the current:
1. System and information integrity policy [Assignment: organization-defined frequency]; and
2. System and information integrity procedures [Assignment: organization-defined frequency].



Overall Control(s) Implementation Status (Reference on Comments Page): Implemented | Partially Implemented | Planned | Alternative Implementation | Not Applicable
Where does the Control(s) originate from?: Service Provider Corporate | Service Provider System Specific | Service Provider Hybrid (Corporate and System Specific) | Configured by Customer (Customer System Specific) | Provided by Customer (Customer System Specific) | Shared (Service Provider and Customer Responsibility) | Controls inherited by IaaS
Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.)
Vendor's Compensating Controls (if Control or Control enhancement can't be met - what is the alternative security controls or remediation plan employed by organization)



Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why) (Please see Risk Statement for examples of Non-Compliance language, Column O)

General Assessment Question: Does the institution or department have documented policy or other directive(s) that addresses information integrity requirements, including roles and responsibilities? [Note: this may be embedded in institution's SDLC policy, change management processes, security policy, etc.]
Detailed Control Testing Procedure(s): Obtain system and information integrity policy and procedures; other relevant documents or records and ascertain if:
(i) the organization develops and documents system and information integrity policy and procedures.
(ii) the organization disseminates system and information integrity policy and procedures to appropriate elements within the organization.
(iii) responsible parties within the organization periodically review system and information integrity policy and procedures.
(iv) the organization updates system and information integrity policy and procedures when organizational review indicates updates are required.
(v) the system and information integrity policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
(vi) the system and information integrity policy is consistent with the organization's mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance.
(vii) the system and information integrity procedures address all areas identified in the system and information integrity policy and address achieving policy-compliant implementations of all associated system and information integrity controls.



Risk Statement Examples | SOA Policy Number 1 | SOA SubSection 1 | SOA Policy Number 2 | SOA SubSection 2 | SOA Policy Number 3 | SOA SubSection 3 | SOA Policy Number 4 | SOA SubSection 4
Applications fail to process correctly and accurately due to a failure to design control during application development. | 8120 | 6.2



COBIT Reference (Control Objective) | Arizona Breach Notification A.R.S. § 44-7500 | Arizona Computer tampering A.R.S. § 13-2316

[CobiT v5 - High Level Control Objective BAI03; DSS02] Controls have been defined for the acquisition and maintenance of technology infrastructure to ensure that the platforms that support the business applications are aligned with defined IT architecture and technology standards.



Consolidated Control Activities
(See Column AE through AO)

ntrol Guidance

1075 The agency must:


ment, and disseminate to designated agency officials:
nformation integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among
and compliance; and
facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and
date the current:
ormation integrity policy every three years; and
ormation integrity procedures at least annually.



Associated Requirement Sections

NIST 800-53 Rev.4 - SI-1



Req.#: R0153
Security Control Family: SYSTEM AND INFORMATION INTEGRITY
Control Name: FLAW REMEDIATION
NIST 800-53 Control #: SI-2
Low [Control and Control Enhancement]: Required
MODERATE [Control and Control Enhancement]: Required (2,3)
Security Program Area (Function Area -> Functional Sub-Area): Detect -> Vulnerability Assessment



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls
Vendor's Response (Please address all the controls and control enhancements, then describe if the controls are Implemented, Partially Implemented or Not Implemented)

The organization:
a. Identifies, reports, and corrects information system flaws;
b. Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
c. Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates;
and
d. Incorporates flaw remediation into the organizational configuration management process.

Control Enhancement:
(2) FLAW REMEDIATION | AUTOMATED FLAW REMEDIATION STATUS
The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system
components with regard to flaw remediation.
(3) FLAW REMEDIATION | TIME TO REMEDIATE FLAWS / BENCHMARKS FOR CORRECTIVE ACTIONS
The organization:
(a) Measures the time between flaw identification and flaw remediation; and
(b) Establishes [Assignment: organization-defined benchmarks] for taking corrective actions.






Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why) (Please see Risk Statement for examples of Non-Compliance language, Column O)

General Assessment Question: Does the institution or department have policies and supporting processes for timely identification and implementation of patches to applicable information systems (e.g., operating systems, applications, databases, etc.) based on risk? [Note: An organization may consider applying a risk-based approach to prioritize their patch installations.]
Detailed Control Testing Procedure(s): Obtain system and information integrity policy; procedures addressing flaw remediation; NIST Special Publication 800-40; list of flaws and vulnerabilities potentially affecting the information system; list of recent security flaw remediation actions performed on the information system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct information system flaws); test results from the installation of software to correct information system flaws; automated mechanisms supporting flaw remediation; information system design documentation; information system configuration settings and associated documentation; list of information system flaws; information system audit records; other relevant documents or records and ascertain if:
(i) the organization identifies, reports, and corrects information system flaws.
(ii) the organization installs newly released security patches, service packs, and hot fixes on the information system in a reasonable timeframe in accordance with organizational policy and procedures.
(iii) the organization addresses flaws discovered during security assessments, continuous monitoring, or incident response activities in an expeditious manner in accordance with organizational policy and procedures.
(iv) the organization tests information system patches, service packs, and hot fixes for effectiveness and potential side effects before installation.
(v) the organization captures all appropriate information pertaining to the discovered flaws in the information system, including the cause of the flaws, mitigation activities, and lessons learned.
(vi) the organization employs automated mechanisms to periodically and upon demand determine the state of information system components with regard to flaw remediation.



Risk Statement Examples | SOA Policy Number 1 | SOA SubSection 1 | SOA Policy Number 2 | SOA SubSection 2 | SOA Policy Number 3 | SOA SubSection 3 | SOA Policy Number 4 | SOA SubSection 4
Security vulnerabilities may not be identified timely. | 8220 | 6.3.1, 6.3.2



COBIT Reference (Control Objective) | Arizona Breach Notification A.R.S. § 44-7500 | Arizona Computer tampering A.R.S. § 13-2316

[CobiT v5 - High Level Control Objective Deleted—ITIL 3 does not refer to Service Desk as a process.] Controls have been defined for management of the service desk and incidents.



Consolidated Control Activities
(See Column AE through AO)

sure that all system components and software have the latest vendor-supplied security patches installed. Install critical security patches within one month of release. Note: An organization may consider applying a risk-based approach to prioritize their patch installations. For example
ture (for example, public-facing devices and systems, databases) higher than less-critical internal devices, to ensure high-priority systems and devices are addressed within one month, and addressing less critical devices and systems within three months. [PCI DSS v2.0] All changes (inc
e being deployed into production.

8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] The agency shall identify applications, services, and information systems containing software or components affected by recently announced software flaws and potential vulnerabilities resulting from those flaws.
he software developer/vendor in the case of software developed and maintained by a vendor/contractor) shall develop and implement a local policy that ensures prompt installation of newly released security relevant patches, service packs and hot fixes. Local policies should include
ropriate patches before installation.
bilities when installing patches, updates, etc.
ates without individual user intervention.
tch management.
nts discovered during security assessments, continuous monitoring or incident response activities shall also be addressed expeditiously.

1075] The agency must:


t, and correct information system flaws;
and firmware updates related to flaw remediation for effectiveness
e effects before installation;
-relevant software and firmware updates based on severity and
the confidentiality of FTI;
w remediation into the agency configuration management process;

age the flaw remediation process. (CE1)


software updates include, for example, patches, service packs, hot
us signatures.



Associated Requirement Sections

PCI DSS v2.0 - Sec 6.1
PCI DSS v2.0 - Sec 6.3.1
NIST 800-53 Rev.4 - SI-2(2)
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy



Req.#: R0154
Security Control Family: SYSTEM AND INFORMATION INTEGRITY
Control Name: MALICIOUS CODE PROTECTION
NIST 800-53 Control #: SI-3
Low [Control and Control Enhancement]: Required
MODERATE [Control and Control Enhancement]: Required (1,2,7)
Security Program Area (Function Area -> Functional Sub-Area): Detect -> Malware Protection



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls
Vendor's Response (Please address all the controls and control enhancements, then describe if the controls are Implemented, Partially Implemented or Not Implemented)

The organization:
a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;
b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration
management policy and procedures;
c. Configures malicious code protection mechanisms to:
1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external
sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with
organizational security policy; and
2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined
action]] in response to malicious code detection; and
d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of
the information system.

Control Enhancement:
(1) MALICIOUS CODE PROTECTION | CENTRAL MANAGEMENT
The organization centrally manages malicious code protection mechanisms.
(2) MALICIOUS CODE PROTECTION | AUTOMATIC UPDATES
The information system automatically updates malicious code protection mechanisms.
(7) MALICIOUS CODE PROTECTION | NONSIGNATURE-BASED DETECTION
The information system implements nonsignature-based malicious code detection mechanisms.






Vendor Non-Compliance Risk Statement (If you can't meet this control at all please explain why) (Please see Risk Statement for examples of Non-Compliance language, Column O)

General Assessment Question: Does the institution or department have policies, supporting processes and measures for guarding against, detecting, and reporting malicious software (e.g., anti-virus, anti-spyware, etc.) across applicable information systems like servers and endpoints? [Note: processes include ensuring that tools are properly deployed across applicable information systems mechanisms, as well as regularly updating rules, signature, and behavior patterns, etc.]
Detailed Control Testing Procedure(s): Obtain system and information integrity policy; procedures addressing malicious code protection; NIST Special Publication 800-83; malicious code protection mechanisms; records of malicious code protection updates; information system configuration settings and associated documentation; information system design documentation; other relevant documents or records and ascertain if:
(i) the information system prevents non-privileged users from circumventing malicious code protection capabilities.



Risk Statement Examples | SOA Policy Number 1 | SOA SubSection 1 | SOA Policy Number 2 | SOA SubSection 2 | SOA Policy Number 3 | SOA SubSection 3 | SOA Policy Number 4 | SOA SubSection 4
Unauthorized, malicious code is executed on systems without authorization. | 8220 | 6.3.3



COBIT Reference (Control Objective) | Arizona Breach Notification A.R.S. § 44-7500 | Arizona Computer tampering A.R.S. § 13-2316

[CobiT v5 - High Level Control Objective APO13; DSS02, DSS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and monitoring, detecting, reporting security vulnerabilities and incidents.



Consolidated Control Activities
(See Column AE through AO)

r PCI covered data deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers) and ensure that all anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious softwar

implements procedures and measures for guarding against, detecting and reporting malicious software.

ntrol #5] The processes and tools used to detect/prevent/correct installation and execution of malicious software on all devices.

ntrol #6] The processes and tools organizations use to detect/prevent/correct security weaknesses in the development and acquisition of software applications

8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] The agency shall implement malicious code protection that includes automatic updates for all systems with Internet access. Agencies with systems not connected to the Internet shall implement local procedures to
rotection is kept current (i.e. most recent update available).
employ virus protection mechanisms to detect and eradicate malicious code (e.g., viruses, worms, Trojan horses) at critical points throughout the network and on all workstations, servers and mobile computing devices on the network. The agency shall ensure malicious code protecti
entioned critical points and information systems and resident scanning is employed.

1075] Malicious code protection includes antivirus software and antimalware and intrusion detection systems.
:
ous code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;
ous code protection mechanisms whenever new releases are available in accordance with agency configuration management policy and procedures;
cious code protection mechanisms to:
dic scans of the information system weekly and real-time scans of files from external sources at endpoint and network entry/exit
s are downloaded, opened, or executed in accordance with agency security policy; and
quarantine malicious code and send an alert to the administrator in response to malicious code detection; and
ceipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system; and
age malicious code protection mechanisms. (CE1)
system must automatically update malicious code protection mechanisms. (CE2)
em entry and exit points include, for example, firewalls, electronic mail servers, Web servers, proxy servers, remote access
tions, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware.
an also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files or
ing steganography. Malicious code can be transported by different means, including, for example, Web accesses, electronic mail,
ttachments, and portable storage devices.



Associated Requirement Sections

PCI DSS v2.0 - Sec 5.1
PCI DSS v2.0 - Sec 5.2
PCI DSS v2.0 - Sec 5.1.1
HIPAA Security Section - 45 CFR 164.308(a)(5)(ii)(B)
NIST 800-53 Rev.4 - SI-3(1) (2)
Critical Control 5: Malware Defenses
Critical Control 6: Application Software Security
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy



Req.#: R0155
Security Control Family: SYSTEM AND INFORMATION INTEGRITY
Control Name: INFORMATION SYSTEM MONITORING
NIST 800-53 Control #: SI-4
Low [Control and Control Enhancement]: Required
MODERATE [Control and Control Enhancement]: Required (1,2,4,5,14,16,23)
Security Program Area (Function Area -> Functional Sub-Area): Detect -> Security Monitoring and Event Analysis



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls
Vendor's Response (Please address all the controls and control enhancements, then describe if the controls are Implemented, Partially Implemented or Not Implemented)

The organization:
a. Monitors the information system to detect:
1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and
2. Unauthorized local, network, and remote connections;
b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods];
c. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at
ad hoc locations within the system to track specific types of transactions of interest to the organization;
d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and
assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources
of information;
f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders,
directives, policies, or regulations; and
g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or
roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]].

Control Enhancement:
(2) INFORMATION SYSTEM MONITORING | AUTOMATED TOOLS FOR REAL-TIME ANALYSIS
The organization employs automated tools to support near real-time analysis of events.
(4) INFORMATION SYSTEM MONITORING | INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC
The information system monitors inbound and outbound communications traffic [Assignment: organization-defined frequency] for unusual or
unauthorized activities or conditions.
(5) INFORMATION SYSTEM MONITORING | SYSTEM-GENERATED ALERTS
The information system alerts [Assignment: organization-defined personnel or roles] when the following indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators].
(14) INFORMATION SYSTEM MONITORING | WIRELESS INTRUSION DETECTION
The organization employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system.
Supplemental Guidance: Wireless signals may radiate beyond the confines of organization-controlled facilities. Organizations proactively search for unauthorized wireless connections including the conduct of thorough scans for unauthorized wireless access points. Scans are not limited to those areas within facilities containing information systems, but also include areas outside of facilities as needed, to verify that unauthorized wireless access points are not connected to the systems. Related controls: AC-18, IA-3.
(16) INFORMATION SYSTEM MONITORING | CORRELATE MONITORING INFORMATION
The organization correlates information from monitoring tools employed throughout the information system.






Vendor Non-Compliance Risk Statement (if the control cannot be met at all, explain why; see the Risk Statement examples of non-compliance language in Column O)

General Assessment Questions:
1) Does the institution or department have effective tools and processes in place to proactively detect and respond to security threats/events, through:
i) effectively placed and configured intrusion-detection system(s) and/or intrusion-prevention system(s) to guard against or monitor for malicious network traffic at the perimeter;
ii) effective placement and use of monitoring tools with configured applicable use cases to detect potential events relevant to the specific information system (e.g., DLP, SIEM, NetFlow, etc.);
iii) effective monitoring processes (e.g., acting on IDS/IPS alerts) for taking timely actions;
iv) defined processes (e.g., use cases) that guide the responders to take the appropriate level of action?

Detailed Control Testing Procedure(s):
Obtain system and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system protocols documentation; types of activities or conditions considered unusual or unauthorized; security plan; other relevant documents or records, and ascertain if:
(i) the organization employs tools and techniques to monitor events on the information system, detect attacks, and provide identification of unauthorized use of the system;
(ii) the organization deploys monitoring devices strategically within the information system (e.g., at selected perimeter locations, near server farms supporting critical applications) to collect essential information;
(iii) the organization deploys monitoring devices at ad hoc locations within the information system to track specific transactions;
(iv) the organization uses the monitoring devices to track the impact of security changes to the information system;
(v) the organization determines the granularity of the information collected based upon its monitoring objectives and the capability of the information system to support such activities;
(vi) the organization consults appropriate legal counsel with regard to all information system monitoring activities;
(vii) the organization heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation, based on law enforcement information, intelligence information, or other credible sources of information;
(viii) the organization employs automated tools to support near-real-time analysis of events;
(ix) the organization identifies the types of activities or conditions considered unusual or unauthorized;
(x) the information system monitors inbound and outbound communications for unusual or unauthorized activities or conditions;
(xi) the organization defines in the security plan, explicitly or by reference, indications of compromise or potential compromise to the security of the information system; and
(xii) the information system provides a real-time alert when any of the organization-defined list of compromise or potential compromise indicators occurs.
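The correlation that SI-4(16) and testing items (viii) and (xii) ask for can be shown concretely. The following is an added example, not code from the crosswalk or from any vendor response: it normalizes constructed log lines from three hypothetical monitoring sources (an IDS, an SSH authentication log and a NetFlow exporter; the line formats, thresholds and indicator names are invented for illustration), keys every event on the external address, and raises a "potential compromise" alert only when the whole chain of indicators appears inside one time window. A lone IDS alert or a few failed logins stay at "suspicious"; it is the correlation across tools that turns them into a real-time indicator of compromise, and an address with no IDS anchor is never escalated.

```python
"""Added example: correlate events from several monitoring tools (SI-4(16)).

Log formats, thresholds and indicator names are hypothetical; the sample
lines are constructed and are not real captures.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample input from three sources with different formats.
IDS_LINES = [
    "2021-10-26T06:20:01Z ids alert sig=ET-SCAN src=203.0.113.7 dst=10.0.0.5 msg='port scan'",
    "2021-10-26T06:24:30Z ids alert sig=WEB-SQLI src=203.0.113.7 dst=10.0.0.5 msg='sql injection attempt'",
]
AUTH_LINES = [
    "2021-10-26T06:25:02Z sshd[110]: Failed password for admin from 203.0.113.7 port 4433",
    "2021-10-26T06:25:05Z sshd[111]: Failed password for admin from 203.0.113.7 port 4434",
    "2021-10-26T06:25:09Z sshd[112]: Failed password for root from 203.0.113.7 port 4435",
    "2021-10-26T06:25:40Z sshd[113]: Accepted password for admin from 203.0.113.7 port 4436",
    "2021-10-26T06:40:00Z sshd[120]: Failed password for bob from 198.51.100.9 port 5000",
]
NETFLOW_LINES = [
    "2021-10-26T06:27:10Z flow src=10.0.0.5 dst=203.0.113.7 bytes=734003200 proto=tcp dport=443",
]

# Hypothetical organization-defined thresholds and compromise indicator chain.
BRUTE_FORCE_FAILURES = 3
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024
COMPROMISE_CHAIN = {"brute_force", "login_after_failures", "large_outbound_transfer"}


@dataclass(order=True)
class Event:
    ts: datetime
    ip: str      # external address the event is keyed on
    source: str  # monitoring tool that produced it
    kind: str    # normalized event type
    detail: str


TS = r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
IDS_RE = re.compile(TS + r"ids alert sig=(?P<sig>\S+) src=(?P<src>\S+) dst=\S+")
AUTH_RE = re.compile(TS + r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")
FLOW_RE = re.compile(TS + r"flow src=\S+ dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def normalize(lines):
    """Turn heterogeneous log lines into Events sorted by time; unrecognized lines are skipped."""
    events = []
    for line in lines:
        if m := IDS_RE.match(line):
            events.append(Event(parse_ts(m["ts"]), m["src"], "ids", "ids_alert", m["sig"]))
        elif m := AUTH_RE.match(line):
            kind = "auth_failure" if m["result"] == "Failed" else "auth_success"
            events.append(Event(parse_ts(m["ts"]), m["src"], "auth", kind, m["user"]))
        elif m := FLOW_RE.match(line):
            # Outbound flow: key on the external destination so it joins that address's timeline.
            events.append(Event(parse_ts(m["ts"]), m["dst"], "netflow", "outbound_flow", m["bytes"]))
    return sorted(events)


def correlate(events, window=timedelta(minutes=15)):
    """Per external IP, open a window at the first IDS alert and collect the indicators seen inside it."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    findings = []
    for ip, evs in by_ip.items():
        anchors = [e for e in evs if e.kind == "ids_alert"]
        if not anchors:
            continue  # no IDS anchor for this address: nothing to correlate against
        start = anchors[0].ts
        in_window = [e for e in evs if start <= e.ts <= start + window]
        indicators = ["ids_alert"]
        failures = [e for e in in_window if e.kind == "auth_failure"]
        if len(failures) >= BRUTE_FORCE_FAILURES:
            indicators.append("brute_force")
            if any(e.kind == "auth_success" and e.ts > failures[-1].ts for e in in_window):
                indicators.append("login_after_failures")
        if any(e.kind == "outbound_flow" and int(e.detail) >= LARGE_TRANSFER_BYTES for e in in_window):
            indicators.append("large_outbound_transfer")
        findings.append({"ip": ip, "first_seen": start.isoformat(),
                         "sources": sorted({e.source for e in in_window}), "indicators": indicators})
    return findings


def alert_level(finding):
    """Real-time alert level: the full chain is treated as an organization-defined compromise indicator."""
    return "potential_compromise" if COMPROMISE_CHAIN <= set(finding["indicators"]) else "suspicious"


if __name__ == "__main__":
    for finding in correlate(normalize(IDS_LINES + AUTH_LINES + NETFLOW_LINES)):
        print(alert_level(finding), finding)
```

The window starts at the IDS alert rather than at the first failed login because the IDS event is the only one of the three sources that carries an explicit attack verdict; the authentication and flow records are ordinary operational data until something ties them to it.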



Risk Statement Examples (SOA Policy Number / SOA SubSection):
Suspicious or anomalous activities are not detected due to lack of intrusion detection systems. (SOA Policy 8220, SubSection 6.3.4)



Related statutes: Arizona Breach Notification, A.R.S. § 44-7500; Arizona Computer Tampering, A.R.S. § 13-2316
COBIT Reference (Control Objective): [COBIT 5 - High Level Control Objective APO13; DSS02; DSS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and by monitoring, detecting and reporting security vulnerabilities and incidents.



Consolidated Control Activities
(See Column AE through AO)

e intrusion-detection systems, and/or intrusion-prevention systems to monitor all traffic at the perimeter of the cardholder data environment as well as at critical points inside of the cardholder data environment, and alert personnel to suspected compromises.

ntrol #7] The processes and tools used to track/control/prevent/correct the security use of wireless local area networks (LANS), access points, and wireless client systems.

ntrol #13] The processes and tools used to detect/prevent/correct the flow of information transferring networks of different trust levels with a focus on security-damaging data.

ntrol #14] The processes and tools used to detect/prevent/correct the use of systems and information based on audit logs of events that are considered significant or could impact the security of an organization.

ntrol #17] The processes and tools used to track/control/prevent/correct data transmission and storage, based on the data's content and associated classification

1075] The agency must:


formation system to detect:
dicators of potential attacks; and
ocal, network, and remote connections.
horized use of the information system;
ring devices: (i) strategically within the information system to collect agency-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the agency;
ation obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
evel of information system monitoring activity whenever there is an indication of increased risk to agency operations and assets, individuals, other
the nation, based on law enforcement information, intelligence information, or other credible sources of information;
ation system monitoring information to designated agency officials as needed;
und communications traffic at the external boundary of the information system and selected interior points within the network (e.g., subnetworks, subsystems) to discover anomalies—anomalies within agency information systems include, for example, large file transfers, long-time p
sual protocols and ports in use, and attempted communications with suspected malicious external addresses;
ated mechanisms to alert security personnel of inappropriate or unusual activities with security implications; and (CE11)
t-based monitoring mechanisms (e.g., Host intrusion prevention system (HIPS)) on information systems that receive, process, store, or transmit

system must:
nd and outbound communications traffic continuously for unusual or unauthorized activities or conditions; (CE4)
ed agency officials when indications of compromise or potential compromise occur—alerts may be generated from a variety of sources, including, for example, audit records or inputs from malicious code protection mechanisms; intrusion detection or prevention mechanisms; or boun
firewalls, gateways, and routers and alerts can be transmitted, for example, telephonically, by electronic mail messages, or by text messaging; agency personnel on the notification list can include, for example, system
mission/business owners, system owners, or information system security officers; and (CE5)
ted agency officials of detected suspicious events and take necessary actions to address suspicious events. (CE7) Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system bou
ense and boundary protection). Internal monitoring
ervation of events occurring within the information system.
em monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious
software, scanning tools, audit record monitoring software, network monitoring software).
ns for monitoring devices include, for example, selected perimeter locations and nearby server farms supporting critical
h such devices typically being employed at the managed interfaces.



Associated Requirement Sections

PCI DSS v2.0 - Sec 11.4


NIST 800-53 Rev.4 - SI-4(2) (4) (5)
Critical Control 7: Wireless Device Control.
Critical Control 13: Boundary Defense.
Critical Control 14: Maintenance, Monitoring, and Analysis of
Security Audit Logs.
Critical Control 17: Data Loss Prevention.



NIST Low / MODERATE Security Program crosswalk

Req.#: R0156
Security Control Family: SYSTEM AND INFORMATION INTEGRITY
Control Name: SECURITY ALERTS, ADVISORIES, AND DIRECTIVES
800-53 Control #: SI-5
NIST Low [Control and Control Enhancement]: Required
MODERATE [Control and Control Enhancement]: Required
Security Program Area (Function Area -> Functional Sub-Area): Protect -> System Communications Protection

Req.#: R0157
Security Control Family: SYSTEM AND INFORMATION INTEGRITY
Control Name: SECURITY FUNCTION VERIFICATION
800-53 Control #: SI-6
NIST Low [Control and Control Enhancement]: not required
MODERATE [Control and Control Enhancement]: Required
Security Program Area (Function Area -> Functional Sub-Area): Identify -> information system functions -> Verification



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] (detailed breakdown of required controls) | Vendor's Response (address all the controls and control enhancements, then state whether each is Implemented, Partially Implemented or Not Implemented)

SI-5 SECURITY ALERTS, ADVISORIES, AND DIRECTIVES
The organization:
a. Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;
b. Generates internal security alerts, advisories, and directives as deemed necessary;
c. Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and
d. Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.

SI-6 SECURITY FUNCTION VERIFICATION
The information system:
a. Verifies the correct operation of [Assignment: organization-defined security functions];
b. Performs this verification [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; [Assignment: organization-defined frequency]];
c. Notifies [Assignment: organization-defined personnel or roles] of failed security verification tests; and
d. [Selection (one or more): shuts the information system down; restarts the information system; [Assignment: organization-defined alternative action(s)]] when anomalies are discovered.
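SI-6 asks the system itself to verify its security functions at defined transitional states, on privileged command and at a defined frequency, to notify someone when a test fails, and to take a defined action. The following added example (not code from the crosswalk or from any vendor) shows the shape of such a self-test runner in Python: known-answer tests for the hashing and HMAC primitives (the SHA-256 digest of "abc" and RFC 4231 HMAC-SHA256 test case 1 are published values), a liveness check on the OS random source, a notification hook, and an action policy. The trigger names, the check list and the shutdown/restart policy are hypothetical; a check that raises is counted as a failed security function rather than an error in the harness.

```python
"""Added example: security function verification with notification and response (SI-6).

Checks, trigger names and the shutdown/restart policy are hypothetical. The
known-answer values are the published SHA-256("abc") digest and RFC 4231 test case 1.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable


@dataclass
class Check:
    name: str
    run: Callable[[], bool]
    critical: bool = True  # hypothetical policy: a failed critical function stops the system


def kat_sha256():
    """Known-answer test: the primitive must still produce the published digest."""
    expected = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    return hashlib.sha256(b"abc").hexdigest() == expected


def kat_hmac_sha256():
    """RFC 4231 test case 1: key = 0x0b * 20, data = "Hi There"."""
    expected = "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"
    return hmac.new(b"\x0b" * 20, b"Hi There", hashlib.sha256).hexdigest() == expected


def csprng_alive():
    """Two draws from the OS random source must differ; a stuck generator fails here."""
    return os.urandom(32) != os.urandom(32)


DEFAULT_CHECKS = [
    Check("sha256_kat", kat_sha256),
    Check("hmac_sha256_kat", kat_hmac_sha256),
    Check("csprng", csprng_alive),
]

# The selection in SI-6(b): transitional states, privileged command, defined frequency.
ALLOWED_TRIGGERS = {"startup", "restart", "on_command", "periodic"}


def run_verification(trigger, checks=DEFAULT_CHECKS, notify=print):
    """Run every check; a check that raises counts as failed. Failures go to the notify hook (SI-6(c))."""
    if trigger not in ALLOWED_TRIGGERS:
        raise ValueError(f"unknown verification trigger: {trigger}")
    results = {}
    for check in checks:
        try:
            ok = bool(check.run())
        except Exception as exc:  # a crashing security function is a failed security function
            ok = False
            notify(f"SI-6 check {check.name} raised {type(exc).__name__}: {exc}")
        results[check.name] = ok
        if not ok:
            notify(f"SI-6 verification failed ({trigger}): {check.name}")
    return results


def decide_action(results, checks=DEFAULT_CHECKS):
    """SI-6(d), hypothetical policy: any critical failure shuts down, other failures restart, else continue."""
    failed = [c for c in checks if not results.get(c.name, False)]
    if not failed:
        return "continue"
    if any(c.critical for c in failed):
        return "shutdown"
    return "restart"


if __name__ == "__main__":
    outcome = run_verification("startup")
    print(outcome, "->", decide_action(outcome))
```

The notify hook is injected rather than hard-wired to e-mail or syslog so the same runner can be exercised under test and wired to the organization's real alerting in production; the assessment question under this control asks specifically whether that notification path exists.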



Vendor Non-Compliance Risk Statement (if the control cannot be met at all, explain why; see the Risk Statement examples of non-compliance language in Column O)

General Assessment Questions, SI-5:
Does the institution or department receive and provide timely security notifications and advisories to appropriate institution personnel (e.g., security advisories from external sources to institutional or departmental administrators; general security advisories such as a phishing scam to institutional users)?

Detailed Control Testing Procedure(s), SI-5:
Obtain system and information integrity policy; procedures addressing security alerts and advisories; NIST Special Publication 800-40; records of security alerts and advisories; other relevant documents or records, and ascertain if:
(i) the organization receives information system security alerts/advisories on a regular basis;
(ii) the organization issues security alerts/advisories to appropriate organizational personnel;
(iii) the organization takes appropriate actions in response to security alerts/advisories;
(iv) the organization maintains contact with special interest groups (e.g., information security forums) that:
- facilitate sharing of security-related information (e.g., threats, vulnerabilities, and latest security technologies);
- provide access to advice from security professionals;
- improve knowledge of security best practices.

General Assessment Questions, SI-6:
1. Does the institution or department perform security function verification upon system startup and restart, upon command by a user with appropriate privilege, and periodically?
2. Is there a process in place for notification if the test fails?

Detailed Control Testing Procedure(s), SI-6:
Obtain system and information integrity policy; procedures addressing security verification, and testing



Risk Statement Examples (SOA Policy Number / SOA SubSection):
SI-5: Contacts with special interest groups or other specialist security forums and professional associations are not coordinated or performed, as a result of ill-defined processes. (SOA Policy 8220, SubSection 6.3.5)
SI-6: Verifies that all security functions in the information system are well defined.



Related statutes: Arizona Breach Notification, A.R.S. § 44-7500; Arizona Computer Tampering, A.R.S. § 13-2316
COBIT Reference (Control Objective): [COBIT 5 - High Level Control Objective EDM02; APO01; APO02; APO05] Controls have been defined for creation and maintenance of IT strategic plans.



Consolidated Control Activities
(See Column AE through AO)

On-going notifications are communicated to users in an effort to increase awareness pertaining to the security policy, adherence to said policy, and means of escalation in the event of an incident, weakness, or malfunction.

1075]
:
mation system security alerts, advisories, and directives from
nal organizations on an ongoing basis;
nal security alerts, advisories, and directives as deemed

curity alerts, advisories, and directives to designated agency

urity directives in accordance with established time frames or


agency of the degree of noncompliance.



Associated Requirement Sections

HIPAA Security Section - 45 CFR 164.308(a)(5)(ii)(A)


NIST 800-53 Rev.4 - SI-5



NIST Low / MODERATE Security Program crosswalk

Req.#: R0158
Security Control Family: SYSTEM AND INFORMATION INTEGRITY
Control Name: SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY
800-53 Control #: SI-7
NIST Low [Control and Control Enhancement]: not required
MODERATE [Control and Control Enhancement]: Required (1, 7)
Security Program Area (Function Area -> Functional Sub-Area): Identify -> Privacy & Confidentiality

Req.#: R0159
Security Control Family: SYSTEM AND INFORMATION INTEGRITY
Control Name: SPAM PROTECTION
800-53 Control #: SI-8
NIST Low [Control and Control Enhancement]: not required
MODERATE [Control and Control Enhancement]: Required (1, 2)
Security Program Area (Function Area -> Functional Sub-Area): Protect -> Spam Filtering; Protect -> Internet Content Filtering



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] (detailed breakdown of required controls) | Vendor's Response (address all the controls and control enhancements, then state whether each is Implemented, Partially Implemented or Not Implemented)

SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY
The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information].

Control Enhancement:
(1) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRITY CHECKS
The information system performs an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]].
(7) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRATION OF DETECTION AND RESPONSE
The organization incorporates the detection of unauthorized [Assignment: organization-defined security-relevant changes to the information system] into the organizational incident response capability.
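SI-7 and SI-7(1) call for an integrity verification tool run at defined events or intervals, and SI-7(7) for its detections to feed incident response. One caveat a practitioner should carry into the assessment: the testing procedure for this control lists parity checks and CRCs alongside cryptographic hashes, but parity and CRC only catch accidental corruption, and an attacker who can rewrite a file can recompute its CRC, so detecting tampering needs a cryptographic hash and a baseline the attacker cannot silently rewrite. The following added example (not code from the crosswalk, from PCI DSS, or from any vendor product) builds a SHA-256 baseline of a directory tree, signs the baseline with an HMAC so that editing it to hide a change is itself detected, reports added, removed and modified files, and routes changes under hypothetical organization-defined critical paths into an incident record. The sample tree, signing key and critical path list are constructed for the demo.

```python
"""Added example: signed file-integrity baseline with incident routing (SI-7, SI-7(1), SI-7(7)).

The directory tree, signing key and critical path list are constructed for the demo.
"""
import hashlib
import hmac
import json
import stat
import tempfile
from pathlib import Path

CRITICAL_PREFIXES = ("etc/", "bin/")  # hypothetical organization-defined critical paths


def file_record(path: Path) -> dict:
    """Cryptographic hash plus the metadata an attacker might change without touching content."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = path.lstat()
    return {"sha256": digest.hexdigest(), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root: Path, key: bytes) -> dict:
    """Hash every regular file under root and sign the serialized result with HMAC-SHA256."""
    records = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            records[p.relative_to(root).as_posix()] = file_record(p)
    body = json.dumps(records, sort_keys=True, separators=(",", ":"))
    # The baseline is itself a target: whoever can rewrite it can hide a change.
    # In a real deployment the key and the baseline live off the monitored host.
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"records": body, "hmac": tag}


def load_baseline(baseline: dict, key: bytes) -> dict:
    """Refuse to use a baseline whose signature does not verify."""
    expected = hmac.new(key, baseline["records"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, baseline["hmac"]):
        raise ValueError("baseline integrity check failed")
    return json.loads(baseline["records"])


def compare(root: Path, baseline: dict, key: bytes) -> dict:
    """SI-7(1): the scheduled integrity check. Returns added, removed and modified paths."""
    old = load_baseline(baseline, key)
    new = json.loads(build_baseline(root, key)["records"])
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in common if old[p] != new[p]),
    }


def triage(diff: dict) -> dict:
    """SI-7(7): changes under critical paths become an incident; everything else is informational."""
    changed = diff["modified"] + diff["removed"] + diff["added"]
    incidents = [p for p in changed if p.startswith(CRITICAL_PREFIXES)]
    return {"severity": "high" if incidents else "info", "incidents": incidents}


def demo() -> dict:
    """Build a constructed tree, baseline it, tamper with it, and report what each step finds."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "var").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "var" / "app.log").write_text("started\n")
        key = b"hypothetical-baseline-signing-key"
        baseline = build_baseline(root, key)

        # Simulated changes: a config weakened, a log appended (expected), a cron job dropped in.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "var" / "app.log").write_text("started\nrequest\n")
        (root / "etc" / "cron.d").write_text("* * * * * root /tmp/x\n")
        diff = compare(root, baseline, key)

        # Simulated baseline tampering: any byte change breaks the HMAC.
        tampered = {"records": baseline["records"].replace('"mode":', '"mode": '), "hmac": baseline["hmac"]}
        try:
            load_baseline(tampered, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
        return {"diff": diff, "triage": triage(diff), "baseline_tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The log file under var/ is reported as modified but not escalated, which is the distinction the PCI DSS guidance in this row draws: critical files are the ones that do not normally change, so the critical-path list, not the raw diff, decides what reaches incident response.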

SI-8 SPAM PROTECTION
The organization:
a. Employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages; and
b. Updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.

Control Enhancement:
(1) SPAM PROTECTION | CENTRAL MANAGEMENT
The organization centrally manages spam protection mechanisms.
(2) SPAM PROTECTION | AUTOMATIC UPDATES
The information system automatically updates spam protection mechanisms.



Vendor Non-Compliance Risk Statement (if the control cannot be met at all, explain why; see the Risk Statement examples of non-compliance language in Column O)

General Assessment Questions, SI-7:
Does the institution or department have mechanisms in place to prevent or detect unauthorized changes to critical system files (e.g., through use of file integrity monitoring (FIM) tools and monitoring processes to investigate alerts from such tools)?

Detailed Control Testing Procedure(s), SI-7:
Obtain system and information integrity policy; procedures addressing software and information integrity; information system design documentation; information system configuration settings and associated documentation; integrity verification tools and applications documentation; security plan; records of integrity scans; other relevant documents or records, and ascertain if:
(i) the information system detects and protects against unauthorized changes to software and information;
(ii) the organization employs commercial off-the-shelf integrity mechanisms (e.g., parity checks, cyclical redundancy checks, cryptographic hashes) in accordance with good software engineering practices and uses tools to automatically monitor the integrity of the information system and the applications it hosts;
(iii) the organization defines in the security plan, explicitly or by reference, the frequency of integrity scans on the information system; and
(iv) the organization reassesses the integrity of software and information by performing integrity scans of the information system in accordance with the organization-defined frequency.

General Assessment Questions, SI-8:
Does the institution or department have effective mechanisms in place to guard against spam and phishing attempts? [Note: mechanisms include tools and supporting processes such as timely signature updates from vendors.]

Detailed Control Testing Procedure(s), SI-8:
Obtain system and information integrity policy; procedures addressing spam protection; information system design documentation; spam protection mechanisms; information system configuration settings and associated documentation; other relevant documents or records, and ascertain if:
(i) the information system implements spam protection, by verifying that the organization:
- employs spam protection mechanisms at critical information system entry points and at workstations, servers, or mobile computing devices on the network;
- employs spam protection mechanisms to detect and take appropriate action on unsolicited messages transported by electronic mail, electronic mail attachments, Internet accesses, or other common means.



Risk Statement Examples (SOA Policy Number / SOA SubSection):
SI-7: Unauthorized tampering with system and/or configuration files goes undetected due to the absence of file integrity mechanisms. (SOA Policy 8220, SubSection 6.3.6)
SI-8: Unauthorized information processing activities occur undetected due to lack of consistent logging and monitoring activities. (SOA Policy 8220, SubSection 6.3.7)



Related statutes: Arizona Breach Notification, A.R.S. § 44-7500; Arizona Computer Tampering, A.R.S. § 13-2316
COBIT Reference (Control Objective), SI-7: [COBIT 5 - High Level Control Objective BAI10; DSS02] Controls have been defined to manage the configuration of IT hardware and software.
COBIT Reference (Control Objective), SI-8: [COBIT 5 - High Level Control Objective APO13; DSS02; DSS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and by monitoring, detecting and reporting security vulnerabilities and incidents.



Consolidated Control Activities
(See Column AE through AO)

r PCI covered environments, file-integrity monitoring software is deployed to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly. Note: For file-integrity
files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise.

ntrol #3] The processes and tools organizations use to track/control/prevent/correct security weaknesses in the configurations of the hardware and software of mobile devices, laptops, workstations, and servers based on a formal configuration management and change control proce

ntrol Guidance

1075] The agency must:


protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages; and
protection mechanisms when new releases are available in accordance with agency configuration management policy and procedures.



Associated Requirement Sections

PCI DSS v2.0 - Sec 11.5


PCI DSS v2.0 - Sec 10.5.5
NIST 800-53 Rev.4 - SI-7(1)(7)
Critical Control 3: Secure Configurations for Hardware and
Software

NIST 800-53 Rev.4 - SI-8 (1) (2)



NIST Low / MODERATE Security Program crosswalk

Req.#: R0160
Security Control Family: SYSTEM AND INFORMATION INTEGRITY
Control Name: INFORMATION INPUT VALIDATION
800-53 Control #: SI-10
NIST Low [Control and Control Enhancement]: not required
MODERATE [Control and Control Enhancement]: Required
Security Program Area (Function Area -> Functional Sub-Area): Protect -> Enterprise Architecture, Roadmap & Emerging Technology

Req.#: R0161
Security Control Family: SYSTEM AND INFORMATION INTEGRITY
Control Name: ERROR HANDLING
800-53 Control #: SI-11
NIST Low [Control and Control Enhancement]: not required
MODERATE [Control and Control Enhancement]: Required
Security Program Area (Function Area -> Functional Sub-Area): Detect -> Security Monitoring and Event Analysis



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] (detailed breakdown of required controls) | Vendor's Response (address all the controls and control enhancements, then state whether each is Implemented, Partially Implemented or Not Implemented)

SI-10 INFORMATION INPUT VALIDATION
The information system checks the validity of [Assignment: organization-defined information inputs].

SI-11 ERROR HANDLING
The information system:
a. Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; and
b. Reveals error messages only to [Assignment: organization-defined personnel or roles].



Vendor Non-Compliance Risk Statement (if the control cannot be met at all, explain why; see the Risk Statement examples of non-compliance language in Column O)

General Assessment Questions, SI-10:
Does the institution or department have explicit requirements for data input validation controls as part of the institution's or department's SDLC and change management processes, to prevent the altering of input provided to information systems, especially web applications? [Note: many vulnerabilities to data confidentiality and integrity stem from unauthorized users manipulating data input, causing issues such as SQL injection.]

Detailed Control Testing Procedure(s), SI-10:
Obtain system and information integrity policy; procedures addressing information accuracy, completeness, validity, and authenticity; access control policy and procedures; separation of duties policy and procedures; documentation for automated tools and applications to verify accuracy, completeness, validity, and authenticity of information; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records, and ascertain if:
(i) the information system checks information for accuracy, completeness, validity, and authenticity, by verifying that the system:
- checks for accuracy, completeness, validity, and authenticity of information as close to the point of origin as possible;
- employs rules to check the valid syntax of information inputs to verify that inputs match specified definitions for format and content;
- prescreens information inputs passed to interpreters to prevent the content from being unintentionally interpreted as commands;
- checks the accuracy, completeness, validity, and authenticity of information to the extent guided by organizational policy and operational requirements.

General Assessment Questions, SI-11:
Are the information system(s) configured so as not to reveal error messages that give "bad actors" information that could help them mount further or more specific attacks? [Note: one example is a login attempt with an ID and password where the system answers "incorrect password", which tells the bad actor that the username is valid and that only the password needs guessing; other examples include system banners that give information about the system and software version.]

Detailed Control Testing Procedure(s), SI-11:
Obtain system and information integrity policy; procedures addressing information system error handling; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records, and ascertain if:
(i) the information system identifies and handles error conditions in an expeditious manner without providing information that could be exploited by adversaries;
(ii) the information system reveals error messages only to authorized individuals; and
(iii) the information system does not include sensitive information in error logs or associated administrative messages.



Risk Statement Examples (SOA Policy Number / SOA SubSection):
SI-10: Data input into applications causes unexpected or incorrect results, possibly crashing the application or placing it in an unknown and unplanned-for state. (SOA Policy 8220, SubSection 6.3.8)
SI-11: System failure is not detected in a timely fashion due to inadequate fault logging and monitoring capabilities. (SOA Policy 8220, SubSection 6.3.9)



Related statutes: Arizona Breach Notification, A.R.S. § 44-7500; Arizona Computer Tampering, A.R.S. § 13-2316
COBIT Reference (Control Objective), SI-10: [COBIT 5 - High Level Control Objective BAI03; DSS02] Controls have been defined for the acquisition and maintenance of technology infrastructure to ensure that the platforms that support the business applications are aligned with defined IT architecture and technology standards.
COBIT Reference (Control Objective), SI-11: [COBIT 5 - High Level Control Objective DSS01; DSS05; BAI09] Controls have been defined to manage operations through establishment of service levels for scheduled data processing, protecting sensitive output, and monitoring and maintaining infrastructure.



Consolidated Control Activities
(See Column AE through AO)

ntrol Guidance

ntrol #6] The processes and tools organizations use to detect/prevent/correct security weaknesses in the development and acquisition of software applications.

1075]
system must check the validity of information inputs.

ntrol Guidance

8140-5.1 Criminal Justice Information Services (CJIS) Security Policy] The agency’s information system shall provide alerts to appropriate agency officials in the event of an audit processing failure. Audit processing failures include, for example: software/hardware errors, failures in the
d audit storage capacity being reached or exceeded.

1075] The information system must:


r messages that provide information necessary for corrective
evealing information that could be exploited by adversaries; and
essages only to designated agency officials.



Associated Requirement Sections

NIST 800-53 Rev.4 - SI-10
Critical Control 6: Application Software Security
NIST 800-53 Rev.4 - SI-11
CJISD-ITS-DOC-08140-5.1 Criminal Justice Information Services (CJIS) Security Policy



Req.# | Security Control Family | Control Name | NIST 800-53 Control # | Low [Control and Control Enhancement] | MODERATE [Control and Control Enhancement] | Security Program Area (Function Area -> Functional Sub-Area)
R0162 | SYSTEM AND INFORMATION INTEGRITY | INFORMATION OUTPUT HANDLING AND RETENTION | SI-12 | Required | Required | Protect -> Enterprise Architecture, Roadmap & Emerging Technology
R0163 | SYSTEM AND INFORMATION INTEGRITY | MEMORY PROTECTION | SI-16 | | Required | Protect -> Data Loss Prevention



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] (Detailed breakdown of required controls) | Vendor's Response (Please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented)

SI-12: The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.

SI-16: The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution.



Overall Control(s) Implementation Status (Reference on Comments Page) | Where does the Control(s) originate from? | Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.) | Vendor's Compensating Controls (if Control or Control Enhancement can't be met: what is the alternative security control or remediation plan employed by the organization?)

Implementation Status options (one selection per control row, SI-12 and SI-16): Implemented; Partially Implemented; Planned; Alternative Implementation; Not Applicable

Origin options (one selection per control row): Service Provider Corporate; Service Provider System Specific; Service Provider Hybrid (Corporate and System Specific); Configured by Customer (Customer System Specific); Provided by Customer (Customer System Specific); Shared (Service Provider and Customer Responsibility); Controls inherited by IaaS



Vendor Non-Compliance Risk Statement (If you can't meet this control at all, please explain why; see Risk Statement Examples, Column O, for non-compliance language) | General Assessment Questions | Detailed Control Testing Procedure(s)

SI-12 General Assessment Questions:
1) Does the institution or department have policies and processes in place to minimize risk of maintaining or retaining confidential data on shared drives, SharePoint sites, and other repositories beyond business need (e.g., indefinitely or beyond requirements of the institutional record retention schedule)?
2) Does the institution or department have knowledge of and appropriate visibility into confidential data repositories outside core applications? [Note: an example of this could be scanning for personal information on shared drives.]

SI-12 Detailed Control Testing Procedure: Obtain system and information integrity policy; procedures addressing information system output handling and retention; media protection policy and procedures; information retention records; other relevant documents or records, and ascertain if:
(i) the organization handles output from the information system in accordance with applicable laws, Executive Orders, directives, policies, regulations, standards, and operational requirements; and
(ii) the organization retains output from the information system in accordance with applicable laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.

SI-16 General Assessment Question: Does the institution or department have established mechanisms to safeguard the information system memory from unauthorized code execution? [Note: examples of safeguarding information system memory include data execution prevention through hardware- or software-enforced mechanisms and address space layout randomization.]

SI-16 Detailed Control Testing Procedure: Obtain documents addressing memory protection and ascertain if security safeguards (such as data execution prevention through hardware- or software-enforced mechanisms and address space layout randomization) are employed to protect the information system's memory from unauthorized code execution.



Risk Statement Examples | SOA Policy Number 1 | SOA SubSection 1 | SOA Policy Number 2 | SOA SubSection 2 | SOA Policy Number 3 | SOA SubSection 3 | SOA Policy Number 4 | SOA SubSection 4

SI-12: Inaccurate data output from applications triggers unexpected results. | SOA Policy 8220, SubSection 6.3.10

SI-16: Lack of operational controls to protect information system memory may result in malicious code exploiting the memory space to take control of critical systems and endpoints.



COBIT Reference (Control Objective) | Arizona Breach Notification (A.R.S. § 44-7500) | Arizona Computer Tampering (A.R.S. § 13-2316)

SI-12: [CobiT v5 - High Level Control Objective DSS01; DSS04; DSS05; DSS06] Controls have been defined to manage data by maintaining the completeness, accuracy, availability and protection of data.

SI-16: [CobiT v5 - High Level Control Objective APO13; DSS02; DSS05] Controls have been defined to ensure system security by defining IT security policies, procedures and standards, and by monitoring, detecting and reporting security vulnerabilities and incidents.



Consolidated Control Activities
(See Column AE through AO)

Control Guidance (SI-12)

1075] The agency must handle and retain information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.

Control Guidance (SI-16)

1075] The information system must implement safeguards to protect its memory from unauthorized code execution. Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguar
include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced, with hardware providing the greater strength of mechanism.
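The SI-16 testing procedure (evidence that DEP and ASLR are employed) and the control guidance above both turn on whether non-executable memory and address space layout randomization are actually in force, and a policy document is weak evidence of that. On Linux both properties are readable directly: a binary's PT_GNU_STACK program header without the execute flag tells the loader to map the stack non-executable, an ET_DYN (position-independent) image is one the loader can relocate, and kernel.randomize_va_space states whether the kernel randomizes at all. The following Python helper is an added example written for this page, not part of the DIR crosswalk or of NIST SP 800-53. The minimal ELF64 images it builds are constructed in-line for illustration, and the finding wording is an assumption.

```python
"""Added example: collect SI-16 evidence (NX stack, PIE, kernel ASLR) on Linux.
The ELF images produced by build_elf() are constructed test fixtures, not real binaries."""
from __future__ import annotations

import struct
from pathlib import Path

ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X = 1  # execute permission bit in p_flags


def inspect_elf(data: bytes) -> dict:
    """Parse an ELF64 little-endian header and its program headers."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    (e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum,
     _, _, _) = struct.unpack_from("<HHIQQQIHHHHHH", data, 16)
    gnu_stack_flags = None
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            gnu_stack_flags = p_flags
    # A missing GNU_STACK header is treated as a finding: NX-aware toolchains
    # always emit one, and the loader may fall back to an executable stack.
    nx = gnu_stack_flags is not None and not (gnu_stack_flags & PF_X)
    return {"pie": e_type == ET_DYN, "nx": nx, "gnu_stack_present": gnu_stack_flags is not None}


def aslr_setting(value: str) -> str:
    """Interpret the contents of /proc/sys/kernel/randomize_va_space."""
    meaning = {"0": "disabled",
               "1": "partial (stack, mmap, vdso; brk not randomized)",
               "2": "full (brk also randomized)"}
    return meaning.get(value.strip(), "unknown value")


def host_aslr(path: str = "/proc/sys/kernel/randomize_va_space") -> str:
    p = Path(path)
    return aslr_setting(p.read_text()) if p.exists() else "not a Linux host"


def build_elf(e_type: int, stack_flags: int | None) -> bytes:
    """Constructed minimal ELF64 image: header, one PT_LOAD, optional PT_GNU_STACK."""
    phdrs = [(PT_LOAD, 5, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000)]
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, LE, version 1
    header = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0x401000,
                                 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs)
    return header + body


def assess(data: bytes) -> list[str]:
    """Return the SI-16 findings an assessor would record for one binary."""
    info = inspect_elf(data)
    findings = []
    if not info["nx"]:
        findings.append("stack is executable: DEP/NX not applied")
    if not info["pie"]:
        findings.append("not position-independent: ASLR cannot relocate the main image")
    return findings


if __name__ == "__main__":
    import sys
    print("host ASLR:", host_aslr())
    for arg in sys.argv[1:]:
        print(arg, assess(Path(arg).read_bytes()) or ["no SI-16 findings"])
```

Run it with one or more binaries as arguments on the Linux host being assessed and record the two outputs together: a PIE with a non-executable stack on a host where randomize_va_space is 0 still fails the intent of the control, and the NX mark only takes effect when the CPU and kernel enforce no-execute pages, which is the hardware-enforced case the guidance prefers.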



Associated Requirement Sections

NIST 800-53 Rev.4 - SI-12

NIST 800-53 Rev.4 - SI-16



Req.# | Security Control Family | Control Name | NIST 800-53 Control # | Low [Control and Control Enhancement] | MODERATE [Control and Control Enhancement] | Security Program Area (Function Area -> Functional Sub-Area)
R0164 | SECURITY | INVENTORY OF PERSONALLY IDENTIFIABLE INFORMATION | SE-1 | Required | Required | Identify -> Privacy & Confidentiality
R0165 | SECURITY | PRIVACY INCIDENT RESPONSE | SE-2 | Required | Required | Respond -> Privacy Incident Response



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] (Detailed breakdown of required controls) | Vendor's Response (Please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented)

SE-1: The organization:
a. Establishes, maintains, and updates [Assignment: organization-defined frequency] an inventory that contains a listing of all programs and information systems identified as collecting, using, maintaining, or sharing personally identifiable information (PII); and
b. Provides each update of the PII inventory to the CIO or information security official [Assignment: organization-defined frequency] to support the establishment of information security requirements for all new or modified information systems containing PII.

SE-2: The organization:
a. Develops and implements a Privacy Incident Response Plan; and
b. Provides an organized and effective response to privacy incidents in accordance with the organizational Privacy Incident Response Plan.



Overall Control(s) Implementation Status (Reference on Comments Page) | Where does the Control(s) originate from? | Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.) | Vendor's Compensating Controls (if Control or Control Enhancement can't be met: what is the alternative security control or remediation plan employed by the organization?)

Implementation Status options (one selection per control row, SE-1 and SE-2): Implemented; Partially Implemented; Planned; Alternative Implementation; Not Applicable

Origin options (one selection per control row): Service Provider Corporate; Service Provider System Specific; Service Provider Hybrid (Corporate and System Specific); Configured by Customer (Customer System Specific); Provided by Customer (Customer System Specific); Shared (Service Provider and Customer Responsibility); Controls inherited by IaaS



Vendor Non-Compliance Risk Statement (If you can't meet this control at all, please explain why; see Risk Statement Examples, Column O, for non-compliance language) | General Assessment Questions | Detailed Control Testing Procedure(s)

SE-1 General Assessment Question: Does the institution or department have policies and supporting processes for classifying information systems based on whether the system stores, processes, and/or transmits PII; and are data protection requirements associated with such classification established or communicated, and implemented?

SE-1 Detailed Control Testing Procedure: Obtain data privacy policy and procedures; other relevant documents or records and ascertain if:
(i) the organization establishes, maintains, and updates on an organization-defined frequency an inventory that contains a listing of all programs and information systems identified as collecting, using, maintaining, or sharing personally identifiable information (PII); and
(ii) the organization provides each update of the PII inventory to the CIO or information security official on an organization-defined frequency to support the establishment of information security requirements for all new or modified information systems containing PII.

SE-2 General Assessment Question: Has the institution or department developed and implemented a Privacy Incident Response Plan to respond to privacy incidents? [Note: this plan may integrate with an information security incident response plan; privacy incidents may have specific breach notification requirements in terms of timing, content, etc., depending on type of data and applicable regulator.]

SE-2 Detailed Control Testing Procedure: Obtain data privacy policy and procedures; other relevant documents or records and ascertain if:
(i) the organization develops and implements a Privacy Incident Response Plan; and
(ii) the organization provides an organized and effective response to privacy incidents in accordance with the organizational Privacy Incident Response Plan.



Risk Statement Examples | SOA Policy Number 1 | SOA SubSection 1 | SOA Policy Number 2 | SOA SubSection 2 | SOA Policy Number 3 | SOA SubSection 3 | SOA Policy Number 4 | SOA SubSection 4

SE-1: PII has not been clearly identified and inventoried. | SOA Policy 8210, SubSection 6.2; SOA Policy 8410, SubSection 6.21

SE-2: Lack of a Privacy Incident Response program may result in improper identification and handling of privacy events. | SOA Policy 8240, SubSections 6.4, 6.8.1 and 6.9; SOA Policy 8410, SubSection 6.22



COBIT Reference (Control Objective) | Arizona Breach Notification (A.R.S. § 44-7500) | Arizona Computer Tampering (A.R.S. § 13-2316)

SE-1 and SE-2: [CobiT v5 - High Level Control Objective MEA03] Controls have been defined to ensure regulatory compliance by identifying all applicable laws and regulations and the corresponding level of IT compliance and optimizing IT processes to reduce the risk of non-compliance.



Consolidated Control Activities
(See Column AE through AO)

Control Guidance (SE-1)

Control Guidance (SE-2)



Associated Requirement Sections

NIST 800-53 Rev.4 - SE-1

NIST 800-53 Rev.4 - SE-2



Req.# | Security Control Family | Control Name | NIST 800-53 Control # | Low [Control and Control Enhancement] | MODERATE [Control and Control Enhancement] | Security Program Area (Function Area -> Functional Sub-Area)
R0166 | TRANSPARENCY | PRIVACY NOTICE | TR-1 | Required | Required | Identify -> Privacy & Confidentiality



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] (Detailed breakdown of required controls) | Vendor's Response (Please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented)

The organization:
a. Provides effective notice to the public and to individuals regarding: (i) its activities that impact privacy, including its collection, use, sharing,
safeguarding, maintenance, and disposal of personally identifiable information (PII); (ii) authority for collecting PII; (iii) the choices, if any,
individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices; and (iv) the
ability to access and have PII amended or corrected if necessary;
b. Describes: (i) the PII the organization collects and the purpose(s) for which it collects that information; (ii) how the organization uses PII
internally; (iii) whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing; (iv)
whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent; (v) how individuals may
obtain access to PII; and (vi) how the PII will be protected; and
c. Revises its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy, before or as soon
as practicable after the change.
(1) PRIVACY NOTICE | REAL-TIME OR LAYERED NOTICE
The organization provides real-time and/or layered notice when it collects PII.
Supplemental Guidance: Real-time notice is defined as notice at the point of collection. A layered notice approach involves providing individuals
with a summary of key points in the organization’s privacy policy. A second notice provides more detailed/specific information.



Overall Control(s) Implementation Status (Reference on Comments Page) | Where does the Control(s) originate from? | Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.) | Vendor's Compensating Controls (if Control or Control Enhancement can't be met: what is the alternative security control or remediation plan employed by the organization?)

Implementation Status options (for TR-1): Implemented; Partially Implemented; Planned; Alternative Implementation; Not Applicable

Origin options (for TR-1): Service Provider Corporate; Service Provider System Specific; Service Provider Hybrid (Corporate and System Specific); Configured by Customer (Customer System Specific); Provided by Customer (Customer System Specific); Shared (Service Provider and Customer Responsibility); Controls inherited by IaaS



Vendor Non-Compliance Risk Statement (If you can't meet this control at all, please explain why; see Risk Statement Examples, Column O, for non-compliance language) | General Assessment Questions | Detailed Control Testing Procedure(s)

TR-1 General Assessment Question: 1) Has the institution or department developed processes to notify the public and individuals on the collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII)?

TR-1 Detailed Control Testing Procedure: Obtain data privacy policy and procedures; other relevant documents or records and ascertain if:
(i) the organization provides effective notice to the public and to individuals regarding:
(a) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII);
(b) authority for collecting PII;
(c) the choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices; and
(d) the ability to access and have PII amended or corrected if necessary;
(ii) the organization describes:
(a) the PII the organization collects and the purpose(s) for which it collects that information;
(b) how the organization uses PII internally;
(c) whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing;
(d) whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent;
(e) how individuals may obtain access to PII; and
(f) how the PII will be protected;
(iii) the organization revises its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy, before or as soon as practicable after the change; and
(iv) the organization provides real-time and/or layered notice when it collects PII (enhancement TR-1(1)).



Risk Statement Examples | SOA Policy Number 1 | SOA SubSection 1 | SOA Policy Number 2 | SOA SubSection 2 | SOA Policy Number 3 | SOA SubSection 3 | SOA Policy Number 4 | SOA SubSection 4

TR-1: Laws and regulations are violated due to an organization failing to provide notices on usage of customer data. | SOA Policy 8410, SubSection 6.23



COBIT Reference (Control Objective) | Arizona Breach Notification (A.R.S. § 44-7500) | Arizona Computer Tampering (A.R.S. § 13-2316)

TR-1: [CobiT v5 - High Level Control Objective MEA03] Controls have been defined to ensure regulatory compliance by identifying all applicable laws and regulations and the corresponding level of IT compliance and optimizing IT processes to reduce the risk of non-compliance.



Consolidated Control Activities
(See Column AE through AO)

dividuals, including the purposes for which the organization collects and uses information about them, company contact information for any inquiries or complaints, the types of third parties to which it discloses the information as well as notification procedures when personal data is
municated on any systems collecting personally identifiable customer identification [State of Florida, Wisconsin, Kansas, Public Law 93-579]

edures involving the single incident of a breach of personal information, impacting 1,000 or more individuals, includes communication to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis. [State of Georgia] Notification procedures in
data, impacting 10,000 or more individuals, includes communication to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the notices. [State of Indiana]

edures when personal data is improperly disclosed, includes: communication to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, when a single incident impacts 1,000 or more individuals. If more than 500,000 Indiana residents requ
he disclosure is determined to be more than $250,000, the data base owner is required to make a public disclosure through its website or the major news reporting media in the geographic area where the impacted parties reside. [State of Alaska: Chapter 48 - Personal Information Pr

ollector may delay disclosing the breach under AS 45.48.010 if an appropriate law enforcement agency determines that disclosing the breach will interfere with a criminal investigation. If any person or entity is required by subsection (a) or (b) of this section to notify more than 1,000
y pursuant to this subsection, the person shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined by section 603(p) of the Fair Credit Reporting Act, approved October 26, 1970 (84 S
of the timing, distribution and content of the notices. [District of Columbia: Consumer Personal Information Security Breach Notification Act of 2006]

ness that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this subchapter shall be deemed to be in compliance with the notification requirements
siness provides notice, in accordance with its policies, reasonably calculated to give actual notice to persons to whom notice is otherwise required to be given under this subchapter. Notice under this section may be given by electronic mail if the person or entity's primary method of c
is by electronic means.[State of Iowa: Senate File - 2308]

de, at a minimum a description of the breach of security, the approximate date of the breach of security, the type of personal information obtained as a result of the breach of security, contact information for consumer reporting agencies and advice to the consumer to report suspec
ocal law enforcement or the attorney general. [State of Oklahoma: Security Breach Notification Act]

entity that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach of the security of the system to any resident of this state whose unencrypted and unredacted pers
or is reasonably believed to have been accessed and acquired by an unauthorized person and that causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state. An individual or entity must disclose the breach
ncrypted information is accessed and acquired in an unencrypted form or if the security breach involves a person with access to the encryption key and the individual or entity reasonably believes that such breach has caused or will cause identity theft or other fraud to any resident o

79] An agency shall publish in the Federal Register notice of any new use or intended use of the information in the system, at least 30 days prior to publication of information, and provide an opportunity for interested persons to submit written data, views, or arguments to the agency

79] A recipient agency or a source agency in a matching program with a non-Federal agency, publish in the Federal Register, notice of any establishment or revision of a matching program, at least 30 days prior to conducting such program.

nal Rights and Privacy Act Regulations] Educational agency or institution has procedures in place to annually notify parents of students currently in attendance, or eligible students currently in attendance, of their rights.



Associated Requirement Sections

Gramm-Leach-Bliley Act of 1999 (GLBA) – 15 U.S.C., Subchapter I, Sec. 6802, 6803
The Children’s Online Privacy Protection Rule of 2000 (COPPA) - Sec 312.3
The Children’s Online Privacy Protection Rule of 2000 (COPPA) - Sec 312.4
The Children’s Online Privacy Protection Rule of 2000 (COPPA) - Sec 312.5
The Children’s Online Privacy Protection Rule of 2000 (COPPA) - Sec 312.6
The Children’s Online Privacy Protection Rule of 2000 (COPPA) - Sec 312.7
Public Law 93-579 - Sec 552a.(e)(8)
Public Law 93-579 - Sec 552a.(e)(11)
Public Law 93-579 - Sec 552a.(e)(12)
Family Educational Rights and Privacy Act Regulations - Sec § 99.7
NIST 800-53 Rev.4 - TR-1



Req.# | Security Control Family | Control Name | NIST 800-53 Control # | Low [Control and Control Enhancement] | MODERATE [Control and Control Enhancement] | Security Program Area (Function Area -> Functional Sub-Area)
R0167 | TRANSPARENCY | SYSTEM OF RECORDS NOTICES AND PRIVACY ACT STATEMENTS | TR-2 | Required | Required | Identify -> Privacy & Confidentiality
R0168 | TRANSPARENCY | DISSEMINATION OF PRIVACY PROGRAM INFORMATION | TR-3 | Required | Required | Identify -> Privacy & Confidentiality
R0169 | USE LIMITATION | INTERNAL USE | UL-1 | Required | Required | Identify -> Privacy & Confidentiality



NIST 800-53 Rev. 4 Control [Control and Control Enhancement] (Detailed breakdown of required controls) | Vendor's Response (Please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented)

TR-2: The organization:
a. Publishes System of Records Notices (SORNs) in the Federal Register, subject to required oversight processes, for systems containing personally identifiable information (PII);
b. Keeps SORNs current; and
c. Includes Privacy Act Statements on its forms that collect PII, or on separate forms that can be retained by individuals, to provide additional formal notice to individuals from whom the information is being collected.
(1) SYSTEM OF RECORDS NOTICES AND PRIVACY ACT STATEMENTS | PUBLIC WEBSITE PUBLICATION
The organization publishes SORNs on its public website.

TR-3: The organization:
a. Ensures that the public has access to information about its privacy activities and is able to communicate with its Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO); and
b. Ensures that its privacy practices are publicly available through organizational websites or otherwise.

UL-1: The organization uses personally identifiable information (PII) internally only for the authorized purpose(s) identified in the Privacy Act and/or in public notices.



Overall Control(s) Implementation Status (Reference on Comments Page) | Where does the Control(s) originate from? | Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.) | Vendor's Compensating Controls (if Control or Control Enhancement can't be met: what is the alternative security control or remediation plan employed by the organization?)

Implementation Status options (one selection per control row, TR-2, TR-3 and UL-1): Implemented; Partially Implemented; Planned; Alternative Implementation; Not Applicable

Origin options (one selection per control row): Service Provider Corporate; Service Provider System Specific; Service Provider Hybrid (Corporate and System Specific); Configured by Customer (Customer System Specific); Provided by Customer (Customer System Specific); Shared (Service Provider and Customer Responsibility); Controls inherited by IaaS



Vendor Non-Compliance Risk Statement (If you can't meet this control at all, please explain why; see Risk Statement Examples, Column O, for non-compliance language) | General Assessment Questions | Detailed Control Testing Procedure(s)

TR-2 General Assessment Question: NOT APPLICABLE

TR-2 Detailed Control Testing Procedure: Obtain data privacy policy and procedures; other relevant documents or records and ascertain if:
(i) the organization publishes System of Records Notices (SORNs) in the Federal Register, subject to required oversight processes, for systems containing personally identifiable information (PII);
(ii) the organization keeps SORNs current;
(iii) the organization includes Privacy Act Statements on its forms that collect PII, or on separate forms that can be retained by individuals, to provide additional formal notice to individuals from whom the information is being collected; and
(iv) the organization publishes SORNs on its public website.

TR-3 General Assessment Question: Does the institution or department publish its privacy policies and practices in a manner where individuals can easily access them, and be able to contact the institution representative for privacy (e.g., Privacy Officer) if they have questions or concerns? [Note: how to contact the institution with questions, and the privacy practices themselves, should be current.]

TR-3 Detailed Control Testing Procedure: Obtain data privacy policy and procedures; other relevant documents or records and ascertain if:
(i) the organization ensures that the public has access to information about its privacy activities and is able to communicate with its Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO); and
(ii) the organization ensures that its privacy practices are publicly available through organizational websites or otherwise.

UL-1 General Assessment Question: NOT APPLICABLE

UL-1 Detailed Control Testing Procedure: Obtain data privacy policy and procedures; other relevant documents or records and ascertain if the organization uses personally identifiable information (PII) internally only for the authorized purpose(s) identified in the Privacy Act and/or in public notices.



Risk Statement Examples | SOA Policy Number 1 | SOA SubSection 1 | SOA Policy Number 2 | SOA SubSection 2 | SOA Policy Number 3 | SOA SubSection 3 | SOA Policy Number 4 | SOA SubSection 4

TR-2: Laws and regulations are violated due to an organization failing to provide notices and privacy statements on usage of customer data.

TR-3: Absence of privacy communication and reporting processes leads to policy violations and security breaches. | SOA Policy 8410, SubSection 6.24

UL-1: Customer information is improperly disclosed. | SOA Policy 8410, SubSection 6.25



COBIT Reference (Control Objective) | Arizona Breach Notification (A.R.S. § 44-7500) | Arizona Computer Tampering (A.R.S. § 13-2316)

[CobiT v5 - High Level Control Objective MEA03] Controls have been defined to ensure regulatory compliance by identifying all applicable laws and regulations and the corresponding level of IT compliance and optimizing IT processes to reduce the risk of non-compliance.

[CobiT v5 - High Level Control Objective MEA03] Controls have been defined to ensure regulatory compliance by identifying all applicable laws and regulations and the corresponding level of IT compliance and optimizing IT processes to reduce the risk of non-compliance.

[CobiT v5 - High Level Control Objective MEA03] Controls have been defined to ensure regulatory compliance by identifying all applicable laws and regulations and the corresponding level of IT compliance and optimizing IT processes to reduce the risk of non-compliance.

Consolidated Control Activities
(See Column AE through AO)

ntrol Guidance

ntrol Guidance

ntrol Guidance

Associated Requirement Sections
NIST 800-53 Rev.4 - TR-2
NIST 800-53 Rev.4 - TR-3
NIST 800-53 Rev.4 - UL-1

Req.#: R0170
Security Control Family: USE LIMITATION
Control Name: INFORMATION SHARING WITH THIRD PARTIES
NIST 800-53 Control #: UL-2
NIST Low [Control and Control Enhancement]: Required
MODERATE [Control and Control Enhancement]: Required
Security Program Area (Function Area -> Functional Sub-Area): Identify -> Privacy & Confidentiality

NIST 800-53 Rev. 4 Control [Control and Control Enhancement] - Detailed breakdown of required controls | Vendor's Response (Please address all the controls and control enhancements, then describe whether the controls are Implemented, Partially Implemented or Not Implemented)

The organization:
a. Shares personally identifiable information (PII) externally, only for the authorized purposes identified in the Privacy Act and/or described in its
notice(s) or for a purpose that is compatible with those purposes;
b. Where appropriate, enters into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements,
or similar agreements, with third parties that specifically describe the PII covered and specifically enumerate the purposes for which the PII may
be used;
c. Monitors, audits, and trains its staff on the authorized sharing of PII with third parties and on the consequences of unauthorized use or sharing
of PII; and
d. Evaluates any proposed new instances of sharing PII with third parties to assess whether the sharing is authorized and whether additional or
new public notice is required.

Overall Control(s) Implementation Status (Reference on Comments Page) | Where does the Control(s) originate from? | Supporting Documentation (Policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.) | Vendor's Compensating Controls (If the Control or Control Enhancement can't be met: what are the alternative security controls or remediation plan employed by the organization?)

Implementation Status options:
Implemented
Partially Implemented
Planned
Alternative Implementation
Not Applicable

Control origin options:
Service Provider Corporate
Service Provider System Specific
Service Provider Hybrid (Corporate and System Specific)
Configured by Customer (Customer System Specific)
Provided by Customer (Customer System Specific)
Shared (Service Provider and Customer Responsibility)
Controls inherited by IaaS

Vendor Non-Compliance Risk Statement (If you can't meet this control at all, please explain why. Please see the Risk Statement, Column O, for examples of non-compliance language) | General Assessment Questions | Detailed Control Testing Procedure(s)

General Assessment Question: Does the institution or department have policies and supporting processes to control how personally identifiable information is shared between different departments as well as with third parties, including, but not limited to:
i) requirements and restrictions for sharing personally identifiable information, including training of employees and contractors;
ii) the need to comply with privacy policies pledged / communicated to the owners of the information;
iii) establishing contracts and agreements (such as MOUs, CMAs, etc.) that govern the requirements on how information needs to be protected, breach notification requirements, restrictions on sharing the information with other third parties, etc.?

Detailed Control Testing Procedure: Obtain data privacy policy and procedures; other relevant documents or records and ascertain if:
(i) the organization shares personally identifiable information (PII) externally, only for the authorized purposes identified in the Privacy Act and/or described in its notice(s) or for a purpose that is compatible with those purposes;
(ii) the organization, where appropriate, enters into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements, with third parties that specifically describe the PII covered and specifically enumerate the purposes for which the PII may be used;
(iii) the organization monitors, audits, and trains its staff on the authorized sharing of PII with third parties and on the consequences of unauthorized use or sharing of PII; and
(iv) the organization evaluates any proposed new instances of sharing PII with third parties to assess whether the sharing is authorized and whether additional or new public notice is required.

Risk Statement Examples | SOA Policy Number 1 | SOA SubSection 1 | SOA Policy Number 2 | SOA SubSection 2 | SOA Policy Number 3 | SOA SubSection 3 | SOA Policy Number 4 | SOA SubSection 4

Customer information is improperly disclosed when transmitted to a third party. | 8410 | 6.26

COBIT Reference (Control Objective) | Arizona Breach Notification (A.R.S. § 44-7500) | Arizona Computer Tampering (A.R.S. § 13-2316)

[CobiT v5 - High Level Control Objective MEA03] Controls have been defined to ensure regulatory compliance by identifying all applicable laws and regulations and the corresponding level of IT compliance and optimizing IT processes to reduce the risk of non-compliance.

Consolidated Control Activities
(See Column AE through AO)

or Safeguarding Customer Information, AICPA/CICA Generally Accepted Privacy Principles] Disclosure of customer identification to a third party, is only performed if it first ascertains that the third party provides appropriate security and privacy controls. [MA.201.CMR.17, Public Law 9
party service providers access to personal information, the person permitting such access shall obtain from the third party service provider a written certification that such service provider has a written, comprehensive information security program that is in compliance with the provi

Associated Requirement Sections
Gramm-Leach-Bliley Act of 1999 (GLBA) - 15 U.S.C., Subchapter I, Sec. 6802
Public Law 93-579 - Sec 552a.(m)
NIST 800-53 Rev.4 - UL-2

Texas Department of Information Resources
NIST 800-53 Rev.4 Control Crosswalk
Version 3.0 | February 23, 2016

Reference Components

Req.#: Control requirement number, organized sequentially by control family.

Risk Statement: Indicates the risks associated with the absence of a particular control. This can be interpreted as the probable consequence of non-compliance.

Security Control Family; Control Name; NIST 800-53 Control #: National Institute of Standards and Technology (NIST) 800-53 Rev. 4 Control (MOD) control family name, control name, and control number, organized by security domain.

NIST 800-53 Rev. 4 Control (MOD) [Control and Control Enhancement]: NIST 800-53 Rev. 4 Control (LOW and MODERATE) control description.

COBIT Reference (Control Objective): Provides the high level control objective for the identified control as defined by the Control Objectives for Information and Related Technology (COBIT) framework, version 5.

Consolidated Control Activities: This column enables the linkage between the representative requirements / sources (leading practices, industry standards) and controls (represents the consolidation of control activities via the Column M through Z source references).

Associated Requirement Sections: The source and section references of the laws and regulations, industry standards, and/or guidance that are integrated into the Control Activities.

Detailed Test Procedure: Provides guidance to examiners and to management in evaluating the effectiveness of the control. The test procedures have been documented for the NIST 800-53 Rev 4 moderate baseline control requirements based on the test procedures in NIST publication 800-53A.

General Assessment Questions: Provide a 'non-technical' basis (i.e. a starting point) for obtaining an understanding of the nature and current posture of the specified control activities and / or related control objective.
