
2009

Masters of Science
Information Security and
Assurance

Christine Kuligowski 61575

COMPARISON OF IT SECURITY STANDARDS
This paper proposes documenting the relationship between the FISMA security standards and guidelines
and the ISO 27001 Information Security Management System (ISMS) and provides a complete mapping
between the two.

Comparison of IT Security Standards


Contents
Tables & Figures .................................................................................................................................4
Abstract .............................................................................................................................................5
Introduction.......................................................................................................................................5
Business Requirements .......................................................................................................................6
Organizational Risk .........................................................................................................................7
Management Commitment .............................................................................................................7
Security Standards ..........................................................................................................................8
Project Plan........................................................................................................................................9
Project Methodology ........................................................................................................................ 11
Waterfall, Spiral & PERT ................................................................................................................ 11
Standards Overview.......................................................................................................................... 12
NIST Risk Management Framework ................................................................................................... 12
Information Technology Trends in the Federal Government ............................................................ 12
Government Reform ..................................................................................................................... 13
Expanding E-Government ............................................................................................................. 14
Federal Information Assurance Regulations.................................................................................... 15
Clinger-Cohen Act...................................................................................................................... 15
The Business Reference Model ...................................................................................................... 16
Risk Management and the Clinger-Cohen Act ................................................................................. 17
Risk Management Framework Applied through Certification & Accreditation ................................... 18
Translation of Terminology................................................................................................................ 19
ISO 27001 Information Security Management System......................................................................... 21
History of ISO/IEC 27001 ............................................................................................................... 23
Structure and content of ISO/IEC 27001 ......................................................................................... 23
Mandatory requirements for certification ...................................................................................... 24
ISO 27002:2005 ............................................................................................................................ 25
A brief history of ISO/IEC 27002 ................................................................................................. 26
Scope of ISO/IEC 27002 ............................................................................................................. 29
Relationship to ISO/IEC 27001 .................................................................................................... 29
Structure and format of ISO/IEC 27002 ....................................................................................... 30
39 control objectives ................................................................................................................. 30
Hundreds of specific controls ..................................................................................................... 30
ISO/IEC 27002 ISMS implementation guidance............................................................................ 31
Process Mapping .............................................................................................................................. 31
Security Control Mapping.................................................................................................................. 35
Document Mapping.......................................................................................................................... 35
Effectiveness of Security Standards.................................................................................................... 38
FISMA Statistics: What do they mean? ......................................................................................... 38
ISO 27001 Certifications Issued in the US........................................................................................ 41
Privacy Data Security Breaches of 2009 .......................................................................................... 41
Reflections ....................................................................................................................................... 43
Appendix A - Security Control Mappings from ISO 27002 to NIST 800-53............................................. 44
Appendix B - Security Control Mappings from NIST 800-53 to ISO 27002 ............................................. 49
Appendix C - Data Breach Details of 2009 .......................................................................................... 57
US Government Civilian Agencies................................................................................................... 57
US Government Military Agencies.................................................................................................. 58
ISO Certified Organizations ............................................................................................................ 59
Citigroup Technology Infrastructure's ......................................................................................... 59
Federal Reserve Bank of New York ............................................................................................. 59
Broadridge Financial Solutions, Inc. ............................................................................................ 60
World Bank............................................................................................................................... 60
References ....................................................................................................................................... 62

Tables & Figures
Table 1 - Terminology Chart .............................................................................................................. 21
Table 2 - Process Mapping: ISO 27001 to NIST RMF ............................................................................ 34
Table 3 - Document Mapping Table ................................................................................................... 38
Table 4 - History of FISMA Statistics (OMB, 2009) ............................................................................... 39
Table 5 - FISMA Statistics FY2008 (OMB, 2009) ................................................................................... 39
Table 6 - OIG Report FY 2008 (OMB, 2009) ......................................................................................... 41
Table 7 - Security Control Mapping ISO to NIST................................................................................... 48
Table 8 - Security Control Mapping NIST to ISO................................................................................... 56

Figure 1 - Capstone Project Gantt chart .............................................................................................. 10
Figure 2 - President's Management Agenda ....................................................................................... 14
Figure 3 - History of IT Security Legislation (US) .................................................................................. 15
Figure 4 - Risk Management & Clinger-Cohen Act ............................................................................... 18
Figure 5 - NIST Risk Management Framework..................................................................................... 19
Figure 6 - The Development of the ISO 27001/2 ................................................................................. 23
Figure 7 - Process Map of the ISO 27001 ............................................................................................ 25
Figure 8 - ISO 27001 Certification by Industry (USA) (ISMS International Users Group, 2009) ................. 41
Figure 9 - 2009 Privacy Data Breaches by Industry (Givens, 2009) ........................................................ 42

Abstract
This paper proposes documenting the relationship between the FISMA security standards and
guidelines and the ISO 27001 Information Security Management System (ISMS) and provides a complete
mapping between the two. The business problem addressed aims to reduce duplication of compliance
effort by correlating the NIST standards and guidelines with the ISO 27001 standard. Having a solid
understanding of the NIST FISMA standards and guidelines, the approach will start with creating a
lexicon for translation of terminology, followed by an insertion of the ISO standards into the NIST Risk
Management Framework (RMF). The implementation would produce transitional references for
organizations compliant in one standard to take the most efficient path to becoming compliant in the
other standard, such as the identification and acceptance of reusable assessment results. The report
collaterally addresses FAQs that distinguish the differing requirements, methods, logistics and cost
vectors of each standard's certification process.

Introduction
Information security and assurance has become such a critical element of any organization's
efforts to manage risk that it drives the need for a well-defined, thoroughly documented, and
measurable way of implementing a system security program.
The phrase security framework is a collective term for the various documents that give advice on
topics related to information systems security, predominantly regarding the planning, implementing,
managing, and auditing of overall information security practices.
One weakness that is very common across all the security frameworks is the narrow focus to a
particular area, topic, or approach. Security should be a holistic practice, with input from a variety of
fields and a wide-ranging overview of the problem, as well as details suitable to the situation or
environment. As Eugene Spafford has famously said, a secure system is one that does what it is
supposed to (Breaux, Antón, & Spafford, 2009). Therefore, it is impossible to define a state of security
that is applicable to all computers, since not all computers are, in the minds of the users, supposed to do
the same thing.
Does the best practice mean something that will work for everyone in all situations? There is
very little (possibly nothing) that will be "secure" in any and every environment. Does best practice
mean a minimum level of security required by all? Does it mean an optimal balance? We do not know.
There are plenty of published best practices, but no truly agreed upon definition of "best practice."
This proposal provides a literature review to give the reader an idea of the overwhelming, yet
still non-comprehensive, number of security frameworks to choose from in the process of constructing a
suitable security program. There is no single security framework suitable for all situations and
applications. Multiple perspectives are necessary to provide for realistic security, and multiple
documents have additional viewpoints to add to the construction of a security architecture.
The Capstone Project will focus on two specific security frameworks: the Risk Management
Framework created by NIST, and the Information Security Management System offered by the ISO/IEC. I
have chosen to focus on these because I believe that a combination of these two frameworks provides
the best starting point for the most comprehensive security program product. NIST has, by far, the most
comprehensive and well-documented procedures and programs to support secure information systems,
while ISO/IEC offers a repeated and proven method for integrating information security into the
management process, and creating a culture throughout the organization that includes information
security in the overall organizational risk management process.
My project will attempt to provide the most efficient path of compliance mapping between the
two standards. The idea is to allow an organization, who may be compliant in one standard, to realize
the benefits of the other standard. This paper will provide direction on how applying that alternate
standard may help fill in the gaps of their current security program, and, given their current state of
compliance, how they can take the most efficient and cost effective path to obtaining compliance in the
alternate standard. I will specifically provide a mapping of security controls, mandatory and
recommended documents, and a cost comparison between the two standards.

Business Requirements
Organizations in the public and private sectors depend on information technology in support of
their missions and business functions. Information systems can be very diverse entities, ranging from
high-end supercomputers to very specialized systems (e.g., industrial/process control systems,
telecommunications systems, and environmental control systems). Information systems are subject to
risks that can have adverse effects on organizational operations (including missions, functions, image, or
reputation), organizational assets, individuals, and other organizations by compromising the confidentiality,
integrity, or availability of information processed, stored, or transmitted by those systems. Threats to
information systems include environmental disruptions, human errors, and malicious attacks. Attacks on
information systems are extremely sophisticated. Given the significant danger of these attacks, it is
imperative that leaders at all levels understand their responsibilities in managing the risks from
information systems that support the missions and business functions of organizations.

Organizational Risk
Risk related to the operation and use of information systems is another component of
organizational risk that senior leaders must address as a routine part of their ongoing risk management
responsibilities. Organizational risk can include many types of risk (e.g., investment risk, budgetary risk,
program management risk, legal liability risk, safety risk, inventory risk, and the risk from information
systems). Effective risk management requires recognition that organizations operate in a highly complex
and interconnected world using state-of-the-art and legacy information systems, systems that
organizations depend upon to accomplish critical missions and to conduct important business. Leaders
must recognize that explicit, well-informed management decisions are necessary in order to balance the
benefits gained from the use of these information systems with the risk of the same systems being the
vehicle through which adversaries cause mission or business failure. (Bowen, Chew, & Hash, Information
Security Guide For Government Executives, 2007) Managing risk is not an exact science. It brings
together the best collective judgments of the individuals responsible for the strategic planning and
day-to-day operations of organizations to provide adequate security and risk mitigation for the information
systems supporting the missions and business functions of those organizations.

Management Commitment
To achieve success with information system-dependent processes, senior leaders must be
committed to making information security a fundamental mission/business requirement. This top-level
commitment ensures that sufficient resources are available in the design, development,
implementation, operation, and disposition of information systems to provide adequate levels of
security for the systems in light of the explicit expectations placed upon those systems.
Information security is a strategic capability and an enabler of missions and business functions
across the organization. However, information security is but one important factor among many factors
considered by senior leaders in carrying out their risk management responsibilities within the
organization. Effective management of risk from information systems involves the following key
elements:

- Assignment of information security responsibilities to senior leaders/executives within the
organization;
- Understanding by senior leaders/executives of the degree of protection or risk mitigation that
implemented security controls provide against today's sophisticated and diverse threats;
- Recognition and acceptance by senior leaders/executives of the risks (including potential magnitude
of harm) to organizational operations and assets, individuals, other organizations, and the Nation
arising from the use of information systems; and
- Accountability by senior leaders/executives for their risk management decisions.

(Bowen, Hash, & Wilson, Information Security Handbook: A Guide for Managers, 2006)
Managing that portion of organizational risk related to information systems begins with an
effective information security program. In addition to developing and deploying an effective
information security program, there is great benefit to be obtained in reducing risk from information
systems by building an information technology infrastructure that promotes the use of shared services,
common solutions, and information sharing. Applying the principles and concepts used in enterprise
architectures provides a disciplined, structured, systems engineering-based approach to achieving
consolidation, simplification, and optimization of the information technology infrastructure and the
information systems that operate within that infrastructure. Risk reduction is achievable through the full
integration of management processes organization-wide, thereby providing greater degrees of security,
privacy, reliability, and cost effectiveness for core missions and business functions carried out by
organizations. This unified and balanced approach gives senior leaders the opportunity to make
informed decisions in a dynamic environment on the tradeoffs between fulfilling and improving
organizational missions and business processes and managing the many sources of risk that must be
considered in their overall risk management responsibilities.

Security Standards
Recognition for due care, due diligence and legal compliance, for the adequate protection of
information assets, is a universally acknowledged business requirement for organizations of all types
and sizes worldwide. Certification against well-known standards is the key to obtaining that recognition.
This paper will explore the two most well-known security certifications that define a process for
managing organizational risk as it relates to information and information systems: the NIST Risk
Management Framework for FISMA compliance and the ISO/IEC 27001 Certification of Information
Security Management Systems. It will further establish specific mappings and relationships of process
requirements, security controls, documents and procedures between the two standards in order to
enable organizations compliant in one standard, to efficiently transition to the other standard with
minimal duplication of effort.

Project Plan
There are many different types of projects. In practice they all have a number of common stages,
which will be included in my Capstone Project Plan, as shown below in Figure 1.

- The Initiation Stage will typically confirm the project feasibility and agree upon a scope and the
main objectives. I will establish a project charter and focus on the business drivers as the main
objectives. This stage will also consider risk and feasibility in the initiation phase review.

- The Planning Stage shall list what is to be done and when, in the form of a Project Plan. A Quality
Control Plan evolves during this stage to provide metrics for staying on track, in order to meet
the project objectives.

- The Execution Stage is broken down into many tasks, culminating in the compilation of the
deliverables.

- The Testing Stage, also referred to as the Monitoring Stage, fulfils quality assurance tasks and
rectifies defects until the project deliverables pass their acceptance criteria. These tasks break down
into three separate categories of management: time, quality and acceptance.

- Submission of the project deliverables, along with the Project Closure Report, commences
during the Release Stage.

- The Project Closure Stage will confirm realization of objectives and benefits, provide an oral
assessment of the deliverables, and close down the project.

Figure 1 - Capstone Project Gantt chart

Project Methodology
Project management is the discipline of planning, organizing, and managing resources to bring
about the successful completion of specific project goals and objectives.
A project is a temporary endeavor, having a defined beginning and end, undertaken to meet
particular goals and objectives, usually to bring about beneficial change.
The primary challenge of project management is to achieve all of the project goals and
objectives while honoring the preconceived project constraints. Typical constraints are scope, time, and
budget. The secondary, and more ambitious, challenge is to optimize the allocation and integration of
inputs necessary to meet pre-defined objectives. (Wikipedia contributors, 2009)
There are a number of approaches to managing project activities; however, regardless of the
methodology employed, the overall project objectives, timeline, cost, and the roles and responsibilities
of all participants and stakeholders are considered.

Waterfall, Spiral & PERT


My preferred project methodology is a variation of the waterfall method that includes an
iterative process, similar to the spiral method. I have done a good deal of software development in the
past and I tend to approach a project such as this the same way I develop software; by assembling a
prototype, or complete rough draft, and then ironing out the details by making several passes through
the project. This allows me to not only adequately develop my ideas, but also make sure that the
organization and flow of the material is logical.
My method incorporates the PERT method, for its focus on time management.
The Project Evaluation and Review Technique, commonly abbreviated PERT, is a model for
project management designed to analyze and represent the tasks involved in completing a given project.
In a project such as this one, where the size of the team is one and the resources are readily available,
the PERT model offers a simple plan for time, quality and acceptance management.
PERT is a method to analyze the involved tasks in completing a given project, especially the time
needed to complete each task, and identifying the minimum time needed to complete the total project.
PERT was developed primarily to simplify the planning and scheduling of complex projects. It was
able to incorporate uncertainty by making it possible to schedule a project while not knowing precisely
the details and durations of all the activities. It is more of an event-oriented technique than a start- and
completion-oriented one, and is used more in projects where time, rather than cost, is the major factor.
The first step to scheduling the project is to determine the tasks that the project requires and
the order of completion. The order may be easy to record for some tasks while difficult for others.
Additionally, the time estimates usually reflect the normal, non-rushed time. Many times, the time
required to execute the task decreases for an additional cost or a reduction in quality. Once this step is
complete, one can draw a Gantt chart such as the Capstone Project Gantt Chart in Figure 1.

Standards Overview
I am going to provide a guiding statement that you should keep in mind as I outline a more
detailed overview of the two standards. The NIST Risk Management Framework is focused on defining,
assessing, implementing, and monitoring the risk of a specific system, whereas the Information Security
Management System of the ISO 27001 standard is primarily a management system standard for which
compliance requires the organization to have a suite of management controls in place, not necessarily
information security controls. In summary, NIST is a risk management framework for a system, ISO
27001 defines a standard for a management process. One is not necessarily better than the other. In
fact, to compare the two standards is like comparing apples and oranges. However, they are perfectly
suited to complement one another, implemented side-by-side, in an effort to mitigate system risk to an
adequate level, and integrate that component of risk management as a critical part of management's
responsibility for managing the overall organizational risk.

NIST Risk Management Framework


The NIST Risk Management Framework (RMF) has a fascinating history of development over
time that deserves a proper narrative in order to show how the RMF fits into the overall plan for a more
productive, efficient and cost effective US Government.

Information Technology Trends in the Federal Government


"Let us run our Government like a business." This was the thrust of Governor George Bush's
political platform in his run for the 2000 Presidency. Shortly after taking office, President Bush
introduced his vision for transforming the managerial procedures of the Government in his President's
Management Agenda. One of the initiatives addressed in The Agenda is Expanded Electronic
Government, which has had a significant impact on the way information systems are acquired, secured
and operated in the Federal Government.
While the infrastructure of the US Government is being restructured, government IT professionals
pay very little mind to the federal laws, mandates, standards and guidelines that have a direct bearing
on their responsibilities, which in turn will impede the process of this grand reform. IT professionals
have their hands full just staying current with the ever-changing technology itself. Government IT
workers need to keep pace with the Federal mandates that are reshaping the way we operate and
secure Federal information systems. Let us explore the legislation that is influencing the IT trends of
the US Government. Specifically, the President's Management Agenda, the E-Government Act (E-Gov)
and the Federal Information Security Management Act of 2002 (FISMA), the Clinger-Cohen Act of 1996
(CCA), the Federal Enterprise Architecture (FEA) and various documents from the National Institute of
Standards and Technology (NIST) that provide standards and guidelines for the Certification &
Accreditation (C&A) of Federal information systems.

Government Reform
In the summer of 2001, a few months after being sworn in as the new President of the United States,
President George Bush introduced The President's Management Agenda, an ambitious plan for
improving the management and performance of the Federal Government. The premise of President
Bush's political vision is to run Government like a business.
"Government likes to begin things: to declare grand new programs and causes and national
objectives. But good beginnings are not the measure of success. What matters in the end is
completion. Performance. Results. Not just making promises, but making good on promises. In
my Administration, that will be the standard from the farthest regional office of government to
the highest office of the land." (Bush, 1999)
The focus of the President's Management Agenda is to address the areas of management that
need the most attention and will have the biggest impact for reform. There are five government-wide
and nine program-specific initiatives of improvement where the Bush administration can begin to deliver
on those promises. In the following diagram, you see that one of the five government-wide initiatives is
Expanded Electronic Government, codified by the E-Government Act of 2002. Title III of the
E-Government Act, Information Security, has the most direct impact on defining and expanding the
responsibilities of those involved in operating, managing and securing Government Agency information
systems. Other considerable components of E-Government that IT professionals should be aware of
include supporting the goals of developing IT enterprise architecture and taking a business-minded
approach to managing Federal IT systems.

Figure 2 - President's Management Agenda

Expanding E-Government
The Expanding E-Government initiative of the President's Management Agenda is more than
just information security; it is employing technology to improve how the Government serves its citizens,
businesses and state and local governments. The information policy of E-Gov provides an agenda for
Federal information systems to include not just security, but also privacy and capital planning as well as
a standardized model for an information technology architecture that lends to the overarching goal of
function-driven business in Government. In hopes of attaining these goals, the OMB is taking a
business-motivated approach in developing enterprise architecture. To that end, OMB is identifying opportunities
to simplify and consolidate work into lines of business across the Federal Government. For over 200
years, agencies have grown up around a stovepipe structure of management that must be abandoned in
order for E-Government to succeed.

Federal Information Assurance Regulations


Security, privacy, capital planning and enterprise architecture are not exactly making their debut
in the President's Management Agenda. The following histogram shows a history of information
assurance regulations that date back to 1983, two years after International Business Machines
introduced the IBM PC. The Computer Security Act of 1987, for example, was the first piece of legislation
from Congress to address computer security.

Figure 3 - History of IT Security Legislation (US)

It initially tasked NIST to provide guidelines and standards for implementing computer security.
NIST has since published hundreds of Special Publications (SP) or guidelines to the computer security
community. Good information systems security is good business, and IT professionals would be
hard-pressed to find a better source of information pertaining to all aspects of computer security than in the
documents issued by NIST.
Clinger-Cohen Act
Another stellar piece of legislation is the Clinger-Cohen Act of 1996, which requires government
agencies to use performance-based management principles for acquiring and managing information
technology. All aspects of capital planning are taken into consideration, just as they would be in a private
business:

- Cost/benefit analysis
- Performance
- Standards
- Accountability
- Life expectancy
- Multiple uses

The Clinger-Cohen Act also requires agency Chief Information Officers (CIOs) to develop an integrated
information technology architecture. The Federal Enterprise Architecture (FEA) is an OMB program that
is intended to comply with the Clinger-Cohen Act and provide a model for sharing information and
resources across all Federal agencies. This will reduce overall spending and provide continuity in
Government services.
The substance of these laws and regulations, as they apply to IT professionals, is that IT
professionals must understand their expanding roles and responsibilities so they may interface successfully
with other aspects of managing the Government like a business. Their actions and decisions must align
with the business goals of the organization.

The Business Reference Model


The Business Reference Model of the FEA represents the business of Government using a
function-driven approach. Horizontal Lines of Business (LoB) reform previous managerial practices that
use stovepipe, agency-centric management. For example, every agency provides IT training and
awareness programs that have the same general requirements, yet they are implemented differently
according to the culture and politics of each individual agency. IT training is a function that is an easily
identifiable Line of Business. This is a service that should come from a single source, providing
consistency and continuity to the rest of the Federal Government. IT professionals must recognize that
the Government of the future will be a competitive one. Stability and complacency in government
positions and wasteful, inefficient management will be outdated as agencies compete for these Lines of
Business.


Risk Management and the Clinger-Cohen Act
How exactly does a system administrator's responsibility for computer security tie into the
Clinger-Cohen Act? For starters, pursuant to CCA and FISMA, NIST issues Federal Information Processing
Standards (FIPS) with which all agencies must comply. For example, FIPS 199 requires that all agencies
categorize their information systems according to the information stored, processed or
transmitted by those systems. Information is categorized from a catalog of information types listed in
NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security
Categories. These information types tie to Lines of Business in the Business Reference Model. The simple
act of categorizing an information system accomplishes many goals that contribute to an efficient,
well-managed business.
First, it identifies the importance of that system based on the information it stores, processes or
transmits. If you know the value of the system, you know how much effort should be required to protect
that system. Second, system categorization associates that asset with Lines of Business within the
agency's enterprise architecture, which reduces administrative overhead for other tasks such as
budgeting and capital planning. Take a look at the following graphical representation of the link between
implementing systems security and management using elements of the Clinger-Cohen Act.
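As an added example (not from the paper and not NIST's own tooling), the following script applies the FIPS 199 high-water-mark rule to a set of SP 800-60 style information types; the information types and their impact levels are constructed for illustration rather than taken from the SP 800-60 catalog.

```python
"""FIPS 199 security categorization of an information system.

Added example, not part of the original paper. The information types and
their provisional C/I/A impact levels below are constructed for illustration;
an agency would take them from the NIST SP 800-60 Volume II catalog and
document any adjustments it makes.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# FIPS 199 impact levels in ascending order, so max() yields the high-water mark.
# "N/A" is allowed by SP 800-60 only for the confidentiality of public information.
LEVELS = ("N/A", "LOW", "MODERATE", "HIGH")
RANK = {level: i for i, level in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional impact level per objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        for objective in OBJECTIVES:
            level = getattr(self, objective)
            if level not in RANK:
                raise ValueError(f"{self.name}: unknown {objective} level {level!r}")
        # N/A never applies to integrity or availability.
        if "N/A" in (self.integrity, self.availability):
            raise ValueError(f"{self.name}: N/A is only permitted for confidentiality")


def high_water_mark(levels: Iterable[str]) -> str:
    """Return the highest impact level among those given (the FIPS 199 rule)."""
    return max(levels, key=lambda level: RANK[level])


def categorize_system(info_types: List[InfoType]) -> Dict[str, str]:
    """Derive the system's security category from the information it handles.

    For each objective the system inherits the highest level assigned to any
    information type on it. FIPS 199 does not allow N/A at the system level,
    so a confidentiality high-water mark of N/A is raised to LOW.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    category = {}
    for objective in OBJECTIVES:
        level = high_water_mark(getattr(t, objective) for t in info_types)
        category[objective] = "LOW" if level == "N/A" else level
    return category


def overall_impact(category: Dict[str, str]) -> str:
    """Single impact level for the system (FIPS 200 uses it to select the
    SP 800-53 control baseline): the high-water mark across all objectives."""
    return high_water_mark(category.values())


def sc_notation(system_name: str, category: Dict[str, str]) -> str:
    """Render the category in the FIPS 199 'SC system = {...}' notation."""
    parts = ", ".join(f"({o}, {category[o]})" for o in OBJECTIVES)
    return f"SC {system_name} = {{{parts}}}"


# Constructed sample: a hypothetical agency system hosting three information types.
SAMPLE_TYPES = [
    InfoType("Public notices", "N/A", "LOW", "LOW"),
    InfoType("Personnel records", "MODERATE", "MODERATE", "LOW"),
    InfoType("Emergency response", "LOW", "HIGH", "HIGH"),
]


def categorize_sample() -> Dict[str, str]:
    """Categorize the constructed sample system."""
    return categorize_system(SAMPLE_TYPES)


if __name__ == "__main__":
    category = categorize_sample()
    print(sc_notation("sample system", category))
    print("Overall impact level:", overall_impact(category))
    # Without the emergency-response type the system drops to MODERATE:
    # the categorization is driven by the most sensitive information present.
    reduced = categorize_system(SAMPLE_TYPES[:2])
    print(sc_notation("sample system without emergency response", reduced))
```

The second run shows why the inventory of information types matters: adding one HIGH-availability information type to a system raises the whole system's availability requirement, and with it the control baseline.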


Figure 4 - Risk Management & Clinger-Cohen Act

Risk Management Framework Applied through Certification & Accreditation


System categorization is only the first step of risk management. Certification and Accreditation is
the formal process of risk management. The OMB mandates Accreditation in its Circular A-130, and
FISMA is the reporting tool for Congress to see the progress of agency System Security Programs, of
which C&A is the key component. The following diagram shows, in parallel, risk management as defined
by NIST SP 800-30, the C&A process as defined by NIST SP 800-37, and the other supporting documents
from NIST that provide guidance for carrying out the C&A process on Federal information systems.


Figure 5 - NIST Risk Management Framework

Computer security is a critical element in running a business with a mission so dependent on the
capabilities of information systems. The exhibit shows the five steps of risk management, which
include the assessment and mitigation of risk during the Initiation Phase of C&A and a risk evaluation
during the Certification Phase of C&A. The formalization of risk management lies in the element of
accountability executed in the last two phases of C&A, Authorization and Monitoring & Status
Reporting. NIST Special Publications and Federal Information Processing Standards, as well as memos
and circulars from the OMB, provide well documented and easy to follow guidance for every step of the
C&A process.

Translation of Terminology
Before I move on to discuss the ISO standards and guidelines, it might be helpful, and certainly
appropriate, to examine a few key terms that both NIST and the ISO define, sometimes quite differently.
I find the NIST glossary, contained in the standalone document NISTIR 7298, to be much more robust
and thorough than the ISO glossary, which is a component of their IT Security Standards document
ISO/IEC 27000. The comparison really provides us with an opportunity to identify the tone and overall holistic approach of each
standard.
Columns: Term (with comment), ISO definition, NIST definition.

Term: Information Security
Comment: Thankfully they both agree on the basic definition of information security.
ISO: Preservation of confidentiality, integrity and availability of information.
NIST: The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.

Term: Risk Management
Comment: NIST is outlining their RMF in their definition of Risk Management. Risk Management is what these two standards are all about. ISO's focal point is organizational risk and NIST is centered on the information system. But you can see from the color-coded words that the process for managing risk is very similar.
ISO: Coordinated activities to direct and control an organization with regard to risk. NOTE: Risk management generally includes risk assessment, risk treatment, risk acceptance, risk communication, risk monitoring and risk review.
NIST: The process of managing risks to agency operations, agency assets, or individuals resulting from the operation of an information system. It includes risk assessment; cost-benefit analysis; the selection, implementation, and assessment of security controls; and the formal authorization to operate the system.

Term: Risk
Comment: ISO breaks it into two distinct definitions to underscore the importance of information risk to the overall organizational risk.
ISO: Information Security Risk - potential that a threat will exploit a vulnerability of an asset or group of assets and thereby cause harm to the organization. Risk - combination of the probability of an event and its consequence.
NIST: The level of impact on agency operations (including mission, functions, image, or reputation), agency assets, or individuals, resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.

Term: Risk Analysis
Comment: This is a typical ISO definition: short and vague, I suspect in order to allow a more extensive application of the definition. Also note the ISO distinction between risk analysis and risk assessment. NIST emphasizes just the opposite.
ISO: Risk Analysis - Systematic use of information to identify sources and to estimate risk. Risk Assessment - overall process of risk analysis and risk evaluation. NOTE: Risk analysis provides a basis for risk evaluation, risk treatment and risk acceptance.
NIST: The process of identifying the risks to system security and determining the likelihood of occurrence, the resulting impact, and the additional safeguards that mitigate this impact. Part of risk management and synonymous with risk assessment.

Term: Risk Treatment/Mitigation
Comment: Different terms, same meaning.
ISO: Risk Treatment - Process of selection and implementation of measures to modify risk. Documented in a Risk Treatment Plan.
NIST: Risk mitigation involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended from the risk assessment process. Documented in the Risk Assessment Report and the Plan of Actions and Milestones.

Term: Policy
Comment: We can start to feel a divergence between the two standards with the definition of policy; ISO is simply and squarely focused on the management process, whereas the NIST term revolves around a system.
ISO: Overall intention and direction as formally expressed by management.
NIST: A document that delineates the security management structure and clearly assigns security responsibilities and lays the foundation necessary to reliably measure progress and compliance.

Term: Management System (ISO); General Support System, Major Information System and Major Application (NIST)
Comment: I have included partial definitions for these terms to further illustrate the emphasis of each standard's differing objectives.
ISO: Management System - framework of policies, procedures, guidelines and associated resources to achieve the objectives of the organization.
NIST: General Support System - An interconnected set of information resources. Major Information System - An information system that requires special management attention. Major Application - An application that requires special attention.

Table 1 - Terminology Chart

ISO 27001 Information Security Management System


ISO/IEC 27001 is the formal set of specifications against which organizations may seek
independent certification of their Information Security Management System (ISMS). It specifies
requirements for the establishment, implementation, monitoring and review, maintenance and
improvement of a management system, an overall management and control framework, for managing
an organization's information security risks. It does not mandate specific information security controls
but stops at the level of the management system.
The standard covers all types of organizations and all sizes, from micro-businesses to huge
multinationals. Bringing information security under management control is a prerequisite for
sustainable, directed and continuous improvement. An ISO/IEC 27001 ISMS therefore incorporates
several Plan-Do-Check-Act (PDCA) cycles: for example, information security controls are not merely
specified and implemented as a one-off activity but are continually reviewed and adjusted to take
account of changes in the security threats, vulnerabilities and impacts of information security failures,
using review and improvement activities specified within the management system.
According to the ISO's Joint Technical Committee 1/Subcommittee 27 (JTC1/SC27), the ISO/IEC
committee responsible for ISO 27000 and related standards, ISO/IEC 27001 is intended to be suitable for
several different types of use, including:

- Use within organizations to formulate security requirements and objectives;
- Use within organizations as a way to ensure that security risks are cost-effectively managed;
- Use within organizations to ensure compliance with laws and regulations;
- Use within an organization as a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met;
- The definition of new information security management processes;
- Identification and clarification of existing information security management processes;
- Use by the management of organizations to determine the status of information security management activities;
- Use by the internal and external auditors of organizations to demonstrate the information security policies, directives and standards adopted by an organization and determine the degree of compliance with those policies, directives and standards;
- Use by organizations to provide relevant information about information security policies, directives, standards and procedures to trading partners and other organizations that they interact with for operational or commercial reasons;
- Implementation of business-enabling information security; and
- Use by organizations to provide relevant information about information security to customers.

The information security controls from ISO/IEC 27002 are noted in an appendix (annex) to ISO/IEC
27001, rather like a menu. Organizations adopting ISO/IEC 27001 are free to choose whichever specific
information security controls are applicable to their particular information security situations, drawing
on those listed in the menu and potentially supplementing them with other a la carte options,
sometimes known as extended control sets. As with ISO/IEC 27002, the key to selecting applicable
controls is to undertake a comprehensive assessment of the organization's information security risks,
which is one vital part of the ISMS.

History of ISO/IEC 27001


ISO/IEC 27001 was born as BS 7799 Part 2 in 1999. It was revised in 2002 by BSI, explicitly
incorporating a Plan-Do-Check-Act cycle, and adopted by ISO/IEC in 2005. ISO/IEC 27001, currently
under revision, seems likely to be published in 2010, depending on the amount of work involved in
formulating and incorporating changes.
Since ISO/IEC 27001 is an active certification standard, major changes are likely to be difficult,
and minor changes will require justification in order to retain backwards compatibility with the existing
standard. Nevertheless, there is pressure to realign 27001 with 27000, 27002, 27003 and 27005,
reducing duplication and potential conflict, and to realign with other ISO management systems
standards such as ISO 9000 and ISO 14000.

Figure 6 - The Development of the ISO 27001/2

Structure and content of ISO/IEC 27001


ISO/IEC 27001:2005 has the following sections:

- Introduction - the standard uses a process approach.
- Scope - it specifies generic ISMS requirements suitable for organizations of any type, size or nature.
- Normative references - only ISO/IEC 27002:2005 is considered essential to the use of 27001.
- Terms and definitions - a brief glossary, superseded by ISO/IEC 27000.
- Information security management system - the guts of the standard, based on the Plan-Do-Check-Act cycle, where Plan = define requirements, assess risks, decide which controls are applicable; Do = implement and operate the ISMS; Check = monitor and review the ISMS; Act = maintain and continuously improve the ISMS. It also specifies certain documents that are required and controlled.
- Management responsibility - management must demonstrate their commitment to the ISMS, principally by allocating adequate resources to implement and operate it.
- Internal ISMS audits - the organization must conduct periodic internal audits to ensure the ISMS incorporates adequate controls, which operate effectively.
- Management review of the ISMS - management must review the suitability, adequacy and effectiveness of the ISMS at least once a year, assessing opportunities for improvement and the need for changes.
- ISMS improvements - the organization must continually improve the ISMS by assessing and, where necessary, making changes to ensure its suitability and effectiveness, addressing nonconformance (noncompliance) and where possible preventing recurrent issues.
- Annex A - Control objectives and controls - little more in fact than a list of titles of the control sections in ISO/IEC 27002, down to the second level of numbering (e.g. 9.1, 9.2).
- Annex B - OECD principles and this International Standard - a table briefly showing which parts of this standard satisfy the 7 key principles laid out in the OECD Guidelines for the Security of Information Systems and Networks.
- Annex C - Correspondence between ISO 9001:2000, ISO 14001:2004 and this International Standard - the standard shares the same basic structure as other management systems standards, meaning that an organization which implements any one of them should be familiar with concepts such as PDCA, records and audits.

Mandatory requirements for certification


ISO/IEC 27001 is a formalized specification such that accredited certification auditors are meant
to be able to use the standard as a formal description of items that their clients must have in order to be
certified compliant. It does indeed specify certain mandatory documents explicitly. However, in other
areas it is more vague and, in practice, other documents are commonly demanded, including certain
items which provide the auditors with evidence or proof that the ISMS is operating. Figure 7 shows the
stages of a typical ISO 27001 implementation process and the corresponding documents.

Figure 7 - Process Map of the ISO 27001

ISO 27002:2005
ISO/IEC 27002:2005, the latest version of Information technology - Security techniques - Code
of practice for information security management, to give it its full title, is an internationally accepted
standard of good practice for information security.



A brief history of ISO/IEC 27002
ISO/IEC 27002 has evolved through several changes:
Late 1980s - Royal Dutch/Shell Group Information Security Policy Manual
BS 7799 and ISO 27000 owe their existence to this internal document, generously donated to
the community by Royal Dutch Shell, which is a multinational petroleum company of Dutch and British
origins. The original emphasis on mainframe security concepts and lack of explicit references to the
Internet belies its origin in the previous decade or so.
BSI-DISC PD003:1993 - Department of Trade and Industry (DTI) Code of Practice for
Information Security Management - first public release
Pending its release as an official British Standard, the guts of BS 7799 were, in effect, pre-released by the UK Department of Trade and Industry as a free informational item called BSI-DISC PD003
(British Standards Institution - Delivering Information Solutions to Customers - Public Document 003).
Professor Edward Humphreys, the UK National Computing Centre (NCC) and a promising community of
information security professionals (which gradually evolved into the ISMS International User Group, a
loose association of ISMS users and fans) played a part in developing PD003 and BS 7799. BSI-DISC
released free accompanying booklets too, one of which (PD005) had a one-page flowchart summarizing
the implementation process, which did not survive into any of the current-day ISO 27000 materials. The
DTI later became BERR, the Department for Business, Enterprise and Regulatory Reform, and still
supports the ISO 27000 standards today.
DTI CCSC Users' Code of Practice: 1989 - First Publication
Using Shell's donor document, the UK Department of Trade and Industry's Commercial
Computer Security Centre developed this information security guide for their members. The CCSC also
wrote the Green Books that, with assistance from the UK Government's Communications Electronics
Security Group (CESG), turned into the UK ITSEC (IT Security Evaluation and Certification) scheme for
certification of security products, launched in 1990/1991.
BS 7799:1995 - Initial Release as a British Standard
The British Standards Institute, BSI (now known as BSI British Standards, part of the BSI Group),
released British Standard 7799.



BS 7799 Part 1:1998 - Renamed
The previous British Standard 7799 was joined by a new part 2 (that later became ISO/IEC
27001), the accompanying certification standard, so the original standard was renamed Part 1 in 1998.
BS 7799 Part 1:1999 - Revised
Following a BSI review process, the revised standard was reissued in 1999.
ISO/IEC 17799:2000 - First ISO/IEC Version of BS7799-1
After a difficult period of international consideration and review, the ISO/IEC adopted BS 7799
part 1:1999 on a fast track process and released it as ISO/IEC 17799 in December 2000. Members of
ISO/IEC JTC1/SC27 were not universally supportive of this first release but accepted it as a starting point.
ISO/IEC 17799:2005 - 2005 Revision
In June 2005, ISO/IEC released an updated version with new sections consolidating advice on
risk and incident management. They incorporated a new format to clarify the implementation
guidance under each control.
ISO/IEC 27002:2005 - The Current, Issued Standard
ISO/IEC 17799:2005 was renumbered ISO/IEC 27002:2005 in the middle of 2007 to bring it into
the ISO/IEC 27000 family of standards. The text remains word-for-word identical to ISO/IEC 17799:2005
- in fact, for some while the ISO/IEC 17799 standard continued to be delivered to anyone who ordered
ISO/IEC 27002, along with a cover sheet noting the change of number.
ISO/IEC 27002:2011 - Currently Undergoing Revision
Alongside the revision of ISO/IEC 27001, ISO/IEC JTC1/SC27 has started the process of revising
ISO/IEC 27002. Numerous comments and improvement suggestions were discussed at the ISO/IEC
JTC1/SC27 meeting in Beijing in May 2009.
Since ISO/IEC 27002 is used by the ISMS certification standard ISO/IEC 27001, structural changes
are likely to be limited and minor changes will have to be justified in order to retain backwards
compatibility with the existing standard. There is pressure to review the structure again, thus the
editors took the unusual step of issuing an additional comments sheet regarding the relationship
between these two standards, and a couple of national bodies proposed significant structural revisions.
Prior to the Beijing meeting, potential revisions to ISO/IEC 27002 were discussed on the ISO 27000
Implementers Forum, including the following 12 suggestions:


1. Section 4 on "Risk assessment and treatment" is particularly weak. It should at least reference, if not summarize, relevant content from ISO/IEC 27005 and emphasize the importance of risk analysis as a key part of the planning stage of PDCA. Some have suggested that the risk assessment activities are part of the management system and should be included in ISO/IEC 27001, not 27002.

2. New ISO 27000 standards (e.g. ISO/IEC 27000, 27003, 27004, 27007) should be referenced if they are released before the update to 27002.

3. Section 5 on "Security policy" is confusing. Terms such as 'overarching security policy' are somewhat ambiguous when more detailed policies are needed covering particular security requirements and controls. There was considerable discussion on this point in Beijing but the resolution is unclear at this point.

4. Section 7.1.2 on "Ownership of assets" should expand on the concept of 'personal accountability' versus 'responsibility'. There is also some confusion around the use of 'information assets' - is this IT equipment, data content, both, or something else? Again, there was a lot of discussion in Beijing and we await the outcome in a working draft.

5. Section 9.2 does not cover typical computer room 'environmental protection' very well - for example, it is weak on environmental monitoring with local and remote alarms (for fire, water, intrusion, power problems etc.). There are presumably other ISO/IEC standards in this area, as well as national standards, building codes, laws etc.

6. Section 10 is a bit of a mixed bag, covering issues such as outsourcing/3rd party IT service delivery in addition to systems and network management. Some rationalization of these items may be appropriate. Section 10.8 "Exchange of information" seems outdated, with a lot going on these days in terms of mobile code, Web 2.0/Software As a Service etc. In Beijing, a radical restructuring of 27002 was proposed, but there was insufficient time to consider it prior to or during the meeting, so this major issue was tabled until the next SC27 meeting.

7. Section 11.2 on "User access management" ought to include more on identification and especially authentication of remote users, federated identity management, etc.

8. Section 11.4 covers "Network access control" without mentioning the term "firewall".

9. Section 12 does not explicitly cover security testing of new/changed application systems, at least not clearly enough. Pragmatic advice on security testing would be worthwhile, covering issues such as developing structured tests based on the security elements of system specifications (e.g. using boundary conditions to test data integrity controls) and unstructured testing (penetration testing and so on).

10. Section 14 on "Business continuity management" says very little about specifying and meeting availability requirements, particularly the need to consider and, if necessary, provide or improve resilience as well as facilitate recovery. This section would also benefit from more explanation of "contingency", namely planning and preparing to cope with incidents if/when other controls fail.

11. Various changes are needed in section 15 to reflect legal and regulatory changes since 2005, such as the rise of "e-discovery", document/email retention and the increasing use of computer data as evidence in court.

12. Section 15.3 "Information systems audit considerations" merely covers securing audit tools/data. There is value in IT auditing for reviewing and making improvements to the ISMS. Emphasis on the involvement of legal, risk, compliance and governance specialists in the ISMS design and operations would be useful.

The revised standard is planned for release in 2011, expected to be at the same time as the revised ISO/IEC 27001
is released.
Scope of ISO/IEC 27002
Like governance, information security is a broad topic with ramifications in all parts of the
modern organization. Information security, and ISO/IEC 27001/2, are relevant to all types of
organization, including commercial enterprises of all sizes (from one-man bands up to multinational
giants), not-for-profits, charities, and government entities. The specific information security
requirements may be different in each case, but the whole point of ISO 27001/2 is that there is a lot of
common ground.
Relationship to ISO/IEC 27001
ISO/IEC 27001 formally defines the mandatory requirements for an Information Security
Management System (ISMS). It uses ISO/IEC 27002 to indicate suitable information security controls
within the ISMS. However, since ISO/IEC 27002 is merely a guideline rather than a certification
standard, organizations are free to select and implement other controls as they see fit. ISO/IEC 27001
incorporates a summary of controls from ISO/IEC 27002 under Annex A.



Structure and format of ISO/IEC 27002
ISO/IEC 27002 is a code of practice - a generic, advisory document, not truly a standard or
formal specification such as ISO/IEC 27001. It lays out a reasonably well structured set of suggested
controls to address information security risks, covering confidentiality, integrity and availability aspects.
Organizations that adopt ISO/IEC 27002 must assess their own information security risks and apply
suitable controls, using the standard for guidance. Strictly speaking, none of the controls are mandatory,
but if an organization chooses not to adopt something as common as, say, antivirus controls, they
should certainly be prepared to demonstrate that this decision was reached through a rational risk
management decision process, not just an oversight, if they anticipate being certified compliant to
ISO/IEC 27001.
39 control objectives
After the introduction, scope, terminology and structure sections, the remainder of ISO/IEC
27002 specifies 39 control objectives to protect information assets against threats to their
confidentiality, integrity and availability. These control objectives, in effect, comprise a generic
functional requirements specification for an organization's information security management controls
architecture.
Few people would argue the necessity of most of the control objectives. However, some are
not applicable in every case, and the generic wording of the standard is unlikely to reflect each
organization's precise requirements. The control objectives make an excellent starting point to define a
comprehensive set of axioms or high-level principles for information security policies with only slight
re-wording.
Hundreds of specific controls
The ISO/IEC 27001 Annex A refers to 139 controls, which are just sections in ISO/IEC 27002,
many of which propose multiple security controls. ISO/IEC 27002 suggests hundreds of best-practice
information security controls that organizations should consider in order to satisfy the stated control objectives.
The 139 figure often quoted is highly misleading.
Like ISO/IEC 27001, 27002 does not mandate specific controls, but leaves it to the users to select
and implement controls that suit their organization. They are also free to select controls not listed in
the standard, just so long as their control objectives are satisfied. We treat the ISO/IEC standard as a
generic controls checklist, a menu from which organizations select their own set of a la carte controls.


Not mandating specific controls is what makes the standard broadly applicable, even as the
technology and security risks change, and gives users tremendous flexibility in the implementation.
Unfortunately, it also makes it difficult for the certification bodies to assess whether an organization is
fully compliant with the standard; therefore, there are no formal compliance certificates against ISO/IEC
27002 itself. Organizations may alternatively get their information security management processes,
meaning the Information Security Management System as a whole, certified against ISO/IEC 27001,
which describes the process for assessing risks and selecting, implementing and managing specific
security controls from ISO/IEC 27002 or other sources, such as the NIST SP 800-53 security controls.
ISO/IEC 27002 ISMS implementation guidance
ISO/IEC 27003 will also provide generic ISMS implementation guidance. A series of sector-specific ISMS implementation guidelines may follow, starting with ISO/IEC 27011 for the
telecommunications sector (released in 2008) and ISO/IEC 27015 for the financial services sector (banks,
insurance companies etc.), and ISO/IEC 27799 for the healthcare sector. Guidelines for other sectors
have not been initiated by JTC1/SC27.

Process Mapping
(Each entry gives the ISO 27001 certification process step, the corresponding NIST certification and accreditation (C&A) process step, and a comment.)

ISO 27001 step: Get Management Support
NIST C&A step: (none)
Comment: Given that C&A of all US Federal information systems is mandated to comply with the NIST standards and guidelines, management support is implied.

ISO 27001 step: Define ISMS Scope
NIST C&A step: Information System Description
Comment: Significant distinctions right from the beginning: ISO requires that the scope of the management system be defined. ISO is looking for the bounds of an organization, which could be an international company or a department within any organization. NIST, on the other hand, is looking for the boundaries of an information system.

ISO 27001 step: Inventory Information Assets
NIST C&A step: Security Categorization
Comment: ISO considers the inventory of assets crucial, because it determines how much of the time you have been given will be needed to implement ISO 27001/27002. Determining a system's Security Categorization is a mandatory initial step according to NIST Federal Information Processing Standard (FIPS) 199. You MUST know the value of your information assets in order to decide how much effort to put into protecting that information.

ISO 27001 step: Define Risk Assessment Methods
NIST C&A step: Methods and Procedures
Comment: This is a crucial element of both standards. Both ISO and NIST provide detailed guidelines for conducting risk assessments: ISO/IEC 27005:2008 and NIST SP 800-30. While ISO/IEC 27005 offers general advice on choosing and using information security risk analysis or assessment methods, it does not specify any particular method, giving you the flexibility to select a method, or more likely several methods and/or tools, that suit your organization's requirements.

ISO 27001 step: Conduct Risk Assessment
NIST C&A step: Threat Identification; Vulnerability Identification; Initial Risk Determination

ISO 27001 step: Prepare Statement of Applicability
NIST C&A step: Security Control Identification
Comment: The SoA is an ISO 27001 documented statement describing the control objectives and controls that are relevant and applicable to the organization's ISMS. These are documented management decisions that determine which of the control objectives from ISO/IEC 27002 are applicable and which are irrelevant, not appropriate or not required. FISMA requires the exact same thing for the accreditation of an information system; the identified security controls are documented in the system security plan.

ISO 27001 step: Prepare Risk Treatment Plan
NIST C&A step: Plan of Actions and Milestones; Security Assessment Report
Comment: The SoA is prepared in conjunction with the Risk Treatment Plan, one of the required documents of the ISO 27001 certification process, described as a plan that identifies the appropriate management actions, resources, responsibilities, timelines and priorities for managing information security risks. Similarly, NIST describes the Plan of Actions and Milestones (POA&M) as a document that identifies tasks needing to be accomplished. It details the resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones. It is provided to the authorizing official as evidence for the security accreditation decision, along with the system security plan and the security assessment report.

ISO 27001 step: Develop ISMS Implementation Program
NIST C&A step: FISMA Mandate

ISO 27001 step: Identify ISMS Operational Artifacts
NIST C&A step: Documentation and Supporting Materials
Comment: Artifacts include security policies, standards, procedures, guidelines etc.; an operating ISMS also routinely generates and uses security logs, log review reports, firewall configuration files and risk assessment reports, all of which need to be retained and managed. These artifacts are indispensable evidence that the ISMS is operating correctly. You need to build up sufficient artifacts to prove to the auditors that the system is operating, stable and effective.

ISO 27001 step: Compliance Review
NIST C&A step: Methods and Procedures; Security Assessment; Security Assessment Report
Comment: Are you actually doing what you said you were going to do? Section 15 of ISO/IEC 27002 covers compliance with both internal requirements (corporate policies etc.) and external obligations (such as laws and industry regulations). The ISMS itself needs to incorporate compliance testing activities which generate reports and corrective actions. Internal compliance assessments and perhaps external/independent assessments (audits, penetration tests etc.) are therefore routine activities in a mature ISMS. The ISMS operational artifacts are a major source of evidence for such compliance activities: they give the auditors something to test.

ISO 27001 step: Define Corrective Action Procedures
NIST C&A step: Security Assessment Report; Findings and Recommendations; System Security Plan Update; Plan of Action and Milestones Preparation
Comment: ISO utilizes the Plan-Do-Check-Act cycle, which is central to the management system part of the ISMS and should result in continuous alignment/re-alignment between business requirements, risks and capabilities for information security. As with quality management systems, the idea is to give management a means of controlling information security management processes systematically, such that they can be continually monitored and improved.

ISO 27001 step: Pre-Certification Assessment
NIST C&A step: Accreditation Package Assembly; Final Risk Determination; Risk Acceptability; Security Accreditation Package Transmission; System Security Plan Update
Comment: When the ISMS has stabilized, a certification body or other trusted, competent and independent advisor is invited by management to check whether the ISMS is functioning correctly. This is largely a compliance assessment but should ideally incorporate some independent review of the Scope, the SoA and the RTP to make sure that nothing important has been missed out of the ISMS, especially as the business situation and information security risks have probably changed in the months or years it will have taken to implement the ISMS. It is an opportunity for your organization to identify and tie up any remaining loose ends before the actual certification audit. It is also a good low-impact way to get to know the auditors.

ISO 27001 step: External Certification Audit
NIST C&A step: Office of Inspector General (OIG) Audit
Comment: When management is happy that the ISMS is stable and effective, they select and invite an accredited certification body to assess and, hopefully, certify that the ISMS complies fully with ISO/IEC 27001. The auditors will check evidence such as the SoA, RTP, operational artifacts etc. and will attempt to confirm that the ISMS (a) is suitable and sufficient to meet the organization's information security requirements in theory, i.e. it is correctly specified; and (b) actually meets the requirements in practice, i.e. it is operating as specified.

Table 2 - Process Mapping: ISO 27001 to NIST RMF

Security Control Mapping
The security controls listed in ISO/IEC 27002 have been mapped to the security controls of NIST Special Publication 800-53 in Appendix A, and vice versa in Appendix B. One of the major differences in the organization of security controls is that ISO/IEC 27001 has a category (objective) specifically for Security Policy, whereas NIST SP 800-53 does not. Instead, SP 800-53 has a security policy and procedures control in every category (family) of controls; it is always the first control listed in the family, hence the XX-1 reference used in the mapping tables.
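The XX-1 shorthand, and the "<family> Family" shorthand used further down in Appendix A, mean that one cell of the mapping table can stand for many controls, which matters as soon as the mapping is inverted to produce the Appendix B view. The following Python script is an added example, not part of the thesis and not NIST tooling: it expands those shorthands against a constructed subset of the SP 800-53 Rev 3 family catalog, strips the supporting guidance references (SP 800-39, SP 800-37) that are not controls, inverts a handful of rows copied from Appendix A, and checks that inverting twice returns the forward mapping. The catalog sizes and the choice of sample rows are assumptions made for illustration.

```python
"""Expand and invert an ISO/IEC 27002 -> NIST SP 800-53 control mapping.

Added example (not from the thesis or from NIST). The sample rows are copied
from Appendix A; the family catalog is a constructed subset of SP 800-53 Rev 3
giving the highest control number in each family, so that "XX-1 controls" and
"<FAM> Family" can be expanded to concrete control identifiers.
"""
import re
from collections import defaultdict

# Constructed catalog subset: family -> highest base control number (Rev 3).
# A real run would load the full catalog; these values are assumptions.
FAMILY_CATALOG = {
    "AC": 22, "AT": 5, "AU": 14, "CA": 7, "CM": 9, "CP": 10, "IA": 8,
    "IR": 8, "MA": 6, "MP": 6, "PE": 19, "PL": 6, "PM": 11, "PS": 8,
    "RA": 5, "SA": 14, "SC": 34, "SI": 13,
}

# Rows copied from Appendix A: ISO 27002 section -> NIST cell text as printed.
SAMPLE_ROWS = {
    "5.1.1": "XX-1 controls",
    "6.1.3": "XX-1 controls, AC-5, AC-6, CM-9, PM-2; SP800-39, SP 800-37",
    "6.1.6": "Multiple controls with contact reference (e.g., IR-6, SI-5); SP 800-39; SP 800-37",
    "9.1.4": "CP Family; PE-1, PE-9, PE-10, PE-11, PE-13, PE-15",
    "10.1.3": "AC-5",
    "12.2.4": "None",
    "14.1.2": "CP-2, PM-9, RA Family",
}

GUIDANCE_RE = re.compile(r"SP\s?800-\d+")        # SP 800-39, SP800-37: guidance, not controls
FAMILY_RE = re.compile(r"\b([A-Z]{2}) Family\b")  # "CP Family" -> every CP control
CONTROL_RE = re.compile(r"\b([A-Z]{2})-(\d+)\b")  # AC-5, SC-12, ...
ALL_POLICY = "XX-1 controls"                      # the -1 control of every family


def expand_cell(cell, catalog=FAMILY_CATALOG):
    """Return the set of concrete SP 800-53 control IDs a mapping cell stands for."""
    text = GUIDANCE_RE.sub("", cell)
    ids = set()
    if ALL_POLICY in text:
        ids.update(f"{fam}-1" for fam in catalog)
        text = text.replace(ALL_POLICY, "")
    for fam in FAMILY_RE.findall(text):
        ids.update(f"{fam}-{n}" for n in range(1, catalog[fam] + 1))
    for fam, num in CONTROL_RE.findall(text):
        if fam not in catalog or int(num) > catalog[fam]:
            raise ValueError(f"{fam}-{num} is not in the catalog")
        ids.add(f"{fam}-{num}")
    return ids


def section_key(sec):
    """Sort key so that 10.1.3 sorts after 6.1.3, not before it."""
    return tuple(int(p) for p in sec.split("."))


def forward_map(rows, catalog=FAMILY_CATALOG):
    """ISO section -> set of NIST control IDs (the Appendix A direction)."""
    return {sec: expand_cell(cell, catalog) for sec, cell in rows.items()}


def invert(fwd):
    """NIST control ID -> sorted list of ISO sections (the Appendix B direction)."""
    inv = defaultdict(set)
    for sec, ids in fwd.items():
        for cid in ids:
            inv[cid].add(sec)
    return {cid: sorted(secs, key=section_key) for cid, secs in inv.items()}


def round_trip_ok(fwd):
    """Inverting twice must reproduce every non-empty forward row exactly."""
    back = defaultdict(set)
    for cid, secs in invert(fwd).items():
        for sec in secs:
            back[sec].add(cid)
    return {s: ids for s, ids in fwd.items() if ids} == dict(back)


if __name__ == "__main__":
    fwd = forward_map(SAMPLE_ROWS)
    for cid, secs in sorted(invert(fwd).items()):
        print(f"{cid:6} <- {', '.join(secs)}")
    print("round trip ok:", round_trip_ok(fwd))
```

Running it prints, for each SP 800-53 control, the ISO 27002 sections that map to it; AC-5, for example, comes back as 6.1.3 and 10.1.3, which is the start of the AC-5 row in Appendix B. Two caveats the tables themselves make visible: a "Multiple controls ... (e.g., ...)" cell only names examples, so its inverse is incomplete, and "None" rows vanish from the inverse entirely, which is why the round-trip check deliberately ignores them.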

Document Mapping
(Each entry gives the ISO 27001 document, the corresponding NIST RMF document for C&A, and a comment.)

ISO 27001 document: Records of Management Decisions
NIST RMF document for C&A: CIO & OIG year-end FISMA report to Congress
Comment: For ISO 27001 certification, management is involved every step of the way, which is why an official Record of Management Decisions is the first required document in the process. The NIST C&A process requires management sign-off on the work that has been completed; this is known as the Authorization stage of C&A. For the ISMS, the record consists of minutes of management meetings, investment decisions, mandating of policies, reports, etc.

ISO 27001 document: Document Control Procedures
NIST RMF document for C&A: (none given)
Comment: A document control procedure explaining how ISMS documents are approved for use, reviewed/updated/re-approved as necessary, version managed, disseminated as necessary, marked etc. (see ISO 27001 clause 4.3.2 for the full list). If the organization already has a Quality Management System conforming to ISO 9000, the QMS document control procedure (or the equivalent from another management system) may be applied to the ISMS.

ISO 27001 document: ISMS Scope
NIST RMF document for C&A: System Security Plan: System Boundaries
Comment: The ISMS scope defines the boundaries of the ISMS in relation to the characteristics of the business, the organization, its location, [information] assets and technology. Any exclusion from the ISMS scope must be explicitly justified.

ISO 27001 document: ISMS Policy
NIST RMF document for C&A: None
Comment: An ISMS policy defining the objective-setting management framework for the ISMS, giving it an overall sense of direction/purpose and defining key principles. The ISMS policy must take account of information security compliance obligations defined in laws, regulations and contracts; align with the organization's strategic approach to risk management in general; establish information security risk evaluation criteria (the risk appetite); and be approved by management.

ISO 27001 document: Risk Assessment Methods
NIST RMF document for C&A: Predefined in NIST SP 800-53A
Comment: Risk assessment methods, i.e. policies, procedures and/or standards describing how information security risks are assessed, probably referencing ISO/IEC 27005.

ISO 27001 document: Risk Assessment Report
NIST RMF document for C&A: Risk Assessment Report
Comment: Risk assessment reports documenting the results/outcomes/recommendations of information security risk assessments using the methods noted above. For identified risks to information assets, the possible treatments are applying appropriate controls; knowingly and objectively accepting the risks (if they fall within the risk appetite); avoiding them; or transferring them to third parties. The reference to ISO 27001 clause 4.2.1 c-g implies that information security control objectives and controls should be identified in these reports.

ISO 27001 document: Statement of Applicability
NIST RMF document for C&A: Risk Assessment Report
Comment: A Statement of Applicability stating the information security control objectives and controls that are relevant and applicable to the ISMS, generally a consolidated summary of the results of the risk assessments, cross-referenced to the control objectives from ISO/IEC 27002 that are in scope.

ISO 27001 document: Risk Treatment Plan
NIST RMF document for C&A: Risk Assessment Addendum / Plan of Action and Milestones
Comment: A risk treatment plan, i.e. a [project?] plan describing how the identified information security control objectives are to be satisfied, with notes on funding plus roles and responsibilities.

ISO 27001 document: Internal ISMS Audit Procedures
NIST RMF document for C&A: Certification Agent Report
Comment: Internal ISMS audit plans and procedures stating the auditors' responsibilities in relation to auditing the ISMS, the audit criteria, scope, frequency and methods. While not stated directly, further comments in clause 6 regarding the need for actions arising from audits to be taken without undue delay could be taken to imply that ISMS audit reports, agreed action plans and follow-up/verification/closure reports should be retained and made available to the certification auditors on request.

ISO 27001 document: Preventive Action Procedures
NIST RMF document for C&A: System Security Plan: Security Controls
Comment: A preventive action procedure, similar to the corrective action procedure but focusing more on preventing the occurrence of nonconformities in the first place, with such activities being prioritized on the basis of the assessed risk of such nonconformities.

ISO 27001 document: Information Security Metrics
NIST RMF document for C&A: None
Comment: Information security metrics describing how the effectiveness of the ISMS as a whole, plus key information security controls where relevant, is measured, analyzed, presented to management and ultimately used to drive ISMS improvements.

ISO 27001 document: ISMS Operating Procedures
NIST RMF document for C&A: System Security Plan: Standard Operating Procedures (SOPs)
Comment: ISMS operating procedures, i.e. written descriptions of the management processes and activities necessary to plan, operate and control the ISMS, e.g. the policy review and approvals process and the continuous ISMS improvement process.

ISO 27001 document: ISMS Operational Artifacts: Procedures
NIST RMF document for C&A: None
Comment: Records means information security paperwork such as user ID authorizations, and electronic documents such as system security logs, that are used routinely while operating the ISMS and should be retained and made available for the certification auditors to sample and check. Collectively, these prove that the ISMS has been properly designed, mandated by management and put into effect by the organization.

ISO 27001 document: Records Control Procedures
NIST RMF document for C&A: Documented in the yearly OMB memo on FISMA reporting guidelines (for FY2008, M-08-21)
Comment: A records control procedure explaining how records proving conformity to ISMS requirements and the effective operation of the ISMS (as described elsewhere in the standard) are protected against unauthorized changes or destruction. Again, this procedure may be copied from the QMS or other management systems.

ISO 27001 document: Corrective Action Procedures
NIST RMF document for C&A: Plan of Action and Milestones
Comment: A corrective action procedure documenting the way in which existing nonconformities are identified, root causes are analyzed and evaluated, suitable corrective actions are carried out and the results thereof are reviewed.

ISO 27001 document: Record of ISMS Management Review
NIST RMF document for C&A: Chief Information Officer's (CIO) Report / Office of the Inspector General (OIG) Report
Comment: ISO 27001 clause 7.1: "Management shall review the organization's ISMS at planned intervals (at least once a year) to ensure its continued suitability, adequacy and effectiveness". Clause 7.3 adds that the output from the management review shall include any decisions and actions relating to the items it lists. This implies the need to retain records (such as management review plans and reports) proving that management does in fact review the ISMS at least once a year.

ISO 27001 document: Security awareness, training and education records
NIST RMF document for C&A: Security awareness, training and education records in the CIO report
Comment: Security awareness, training and education records documenting the involvement of all personnel having ISMS responsibilities in appropriate activities (e.g. security awareness programs and security training courses such as new-employee security induction/orientation classes). Various other clauses in section 5 mandate management support for information security awareness activities in general; therefore, while not directly stated, the requirement for information security awareness materials, training evaluation/feedback reports etc. may be inferred from this section.

Table 3 - Document Mapping Table

Effectiveness of Security Standards

As a means of measuring the effectiveness of implementing security standards, data is presented to show which types of organizations implement these standards and how effective the standards are, based on the privacy data breaches reported in 2009.

FISMA Statistics: What do they mean?

The NIST RMF is a FISMA mandate for Federal information systems, including any contractor systems that store, transmit or process US government agency information. The NIST RMF can also apply to healthcare organizations by way of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), minus the high-profile auditing component provided by federal agency OIGs and the Congressional oversight.
It is noted that an organization must submit to a rigorous, yet voluntary, external audit in order to achieve ISO 27001 certification. Agencies and contractor organizations striving for mandatory FISMA compliance, on the other hand, have not always achieved that mandate. Table 4 illustrates a history of struggle and continuous improvement.

Percentage of Systems with a: | FY 2002 | FY 2003 | FY 2004 | FY 2005 | FY 2006 | FY 2007 | FY 2008
Certification and Accreditation | 47% | 62% | 77% | 85% | 88% | 92% | 96%
Tested Contingency Plan | 35% | 48% | 57% | 61% | 77% | 86% | 92%
Tested Security Controls | 60% | 64% | 76% | 72% | 88% | 95% | 93%
Total Systems Reported | 7,957 | 7,998 | 8,623 | 10,289 | 10,595 | 10,304 | 10,679

Table 4 - History of FISMA Statistics (OMB, 2009)

It is stated that these numbers reflect the collective reports from agency CIOs. They are the
department heads who rely on making a good impression, through these FISMA reports, in order to
avoid budgetary penalties from the OMB.
FIPS 199 Risk Impact Level | Number of Agency Systems | Number of Contractor Systems | Total Number of Systems | Percent certified and accredited | Percent with tested contingency plans | Percent with tested security controls
High | 1,055 | 113 | 1,168 | 98% | 90% | 95%
Moderate | 3,576 | 536 | 4,112 | 95% | 92% | 95%
Low | 3,952 | 738 | 4,690 | 96% | 90% | 91%
Not Categorized | 187 | 522 | 709 | 96% | 96% | 95%
Total | 8,770 | 1,909 | 10,679 | 96% | 92% | 93%

Table 5 - FISMA Statistics FY2008 (OMB, 2009)

There is a second FISMA report to OMB, from agency OIGs, who do not need to make an impression on anyone; their budget is relatively fixed. Their job is to validate the numbers reported by the agency CIO. Even though the overall statistics look very impressive, there are still a few organizations, like the Department of Defense, that continue to struggle to attain a passing FISMA grade. DoD is the only agency out of 26 that received a failing audit from its OIG, and this is also the first year it has had an external audit at all. The DoD owns 40% of all US Government information systems. It has 265 systems in the HIGH impact category alone; that is more than the total number of systems at each of 16 other agencies. Table 6 puts the FISMA reporting into a more accurate perspective by showing the number of systems owned by each agency. The OIG report summary grades the validity of the numbers reported by agency CIOs; excellent is best, followed by good, satisfactory, poor and failing.
US Government Agency | Number of Systems | Percentage of US Gov't Systems | OIG Report
Department of Defense | 4,279 | 40% | Failing
Department of Energy | 1,323 | 12% | Satisfactory
National Aeronautics and Space Administration | 634 | 6% | Excellent
Department of Veterans Affairs | 618 | 6% | Satisfactory
Department of Homeland Security | 591 | 6% | Good
Department of the Treasury | 509 | 5% | Satisfactory
Department of Transportation | 405 | 4% | Satisfactory
Department of State | 356 | 3% | Good
Department of Commerce | 312 | 3% | Satisfactory
Department of Justice | 254 | 2% | Good
Department of Agriculture | 245 | 2% | Poor
Department of the Interior | 177 | 2% | Satisfactory
Environmental Protection Agency | 171 | 2% | Good
Department of Health and Human Services | 162 | 2% | Satisfactory
Department of Education | 145 | 1% | Satisfactory
Small Business Administration | 93 | 1% | Satisfactory
Department of Housing and Urban Development | 86 | 1% | Satisfactory
General Services Administration | 85 | 1% | Satisfactory
Department of Labor | 72 | 1% | Satisfactory
Office of Personnel Management | 40 | <1% | Satisfactory
Nuclear Regulatory Commission | 39 | <1% | Satisfactory
US Agency for International Development | 29 | <1% | Excellent
National Science Foundation | 20 | <1% | Good
Social Security Administration | 20 | <1% | Good
Smithsonian Institution | 14 | <1% | Satisfactory
Total US Government Systems | 10,679 | |

Table 6 - OIG Report FY 2008 (OMB, 2009)

Most US Government agencies implement the NIST RMF to a satisfactory level, according to the
OIG reports; which is to say they are doing a good job, but there is a lot of room for improvement.

ISO 27001 Certifications Issued in the US


Again, an organization must adhere to a rigorous, yet voluntary, external audit in order to
achieve the ISO 27001 certification. The following chart shows the types of organizations who
voluntarily put themselves through the agony of this certification process. It does not come as a
surprise that organizations offering IT related services, including systems security and management,
would top the list. It is also somewhat assuring to see a good number of financial institutions being
proactive about systems security, since their business relies almost completely on information systems.

US ISO 27001 Certifications by Industry
IT | 58%
Financial | 21%
Business | 8%
Insurance | 5%
Legal | 4%
University | 2%
Healthcare | 2%

Figure 8 - ISO 27001 Certification by Industry (USA) (ISMS International Users Group, 2009)

Privacy Data Security Breaches of 2009

By viewing a summary of notable, privacy-related data breaches during the past year, we see an interesting pattern of victims. The top five most exploited industries, which together account for 78% of all security breaches, are universities, healthcare, financial, small businesses and state government agencies. There are two theories as to why: first, these organizations have the most valuable information; second, they are the most vulnerable and therefore the easiest targets.

Percent of Privacy Data Breaches Ranked by Industry
School | 27%
Health | 20%
Financial | 11%
Business - Small | 10%
Government - State | 10%
Government - City | 5%
Business - Large | 3%
Government - US | 3%
IT | 2%
Telecommunications | 2%
Government - Mil | 2%
Insurance | 1%
Systems Security | 1%
Library | 1%
Legal | 1%
Church | 1%

Figure 9 - 2009 Privacy Data Breaches by Industry (Givens, 2009)

The total number of security violations reported by the Privacy Rights Clearinghouse is 245.
Four involved ISO 27001 certified organizations, and eleven involved US Government agencies, five of
which were from DoD. See Appendix C for the details of those incidents.

Reflections
Distinct patterns emerge to answer the following questions:
1. What types of organizations are implementing one of these two security standards?
a. The NIST RMF is utilized by US Government agencies and US Government contractors who store, transmit or process US Government agency information. Table 5 shows that contractor systems, i.e. systems external to the USG, make up a significant portion (18%) of the systems reported.
b. The ISO ISMS is implemented predominantly by organizations that specialize in IT services, including application and system development, data centers, and system security and management, as well as large financial organizations such as banks and brokerage firms.
2. What types of organizations need to implement a security standard, or a better security standard?
a. Universities
b. Healthcare organizations
c. Financial institutions
d. Small businesses
e. All levels of government agencies: state, city, town, local, tribal, etc.
3. How effectively are systems or organizations protected by implementing these standards? Is one better than the other?
a. By cross-referencing the privacy data breaches of 2009 to the organizations implementing either standard, we can see that the answer to this question is somewhat inconclusive. Neither framework is perfect! However, we can also see that the most exploited organizations are universities and healthcare providers, which seldom implement either standard (Figure 8). Therefore, we can say conclusively that implementing a security standard is better than nothing.

Appendix A Security Control Mappings from ISO 27002 to NIST 800-53

Sec | ISO 27002 control objective / control | NIST SP 800-53 security control

Security Policy
5.1 | Information security policy |
5.1.1 | Information security policy document | XX-1 controls
5.1.2 | Review of the information security policy | XX-1 controls

Organization of Information Security
6.1 | Internal organization |
6.1.1 | Management commitment to information security | XX-1 controls, PM-2; SP 800-39, SP 800-37
6.1.2 | Information security co-ordination | CP-2, CP-4, IR-4, PL-1, PL-6, PM-2, SA-2; SP 800-39, SP 800-37
6.1.3 | Allocation of information security responsibilities | XX-1 controls, AC-5, AC-6, CM-9, PM-2; SP 800-39, SP 800-37
6.1.4 | Authorization process for information processing facilities | CA-1, CA-6, PM-10; SP 800-37
6.1.5 | Confidentiality agreements | PL-4, PS-6, SA-9
6.1.6 | Contact with authorities | Multiple controls with contact reference (e.g., IR-6, SI-5); SP 800-39, SP 800-37
6.1.7 | Contact with special interest groups | AT-5
6.1.8 | Independent review of information security | CA-2, CA-7; SP 800-39, SP 800-37
6.2 | External parties |
6.2.1 | Identification of risks related to external parties | CA-3, PM-9, RA-3, SA-1, SA-9, SC-7
6.2.2 | Addressing security when dealing with customers | AC-8, AT-2, PL-4
6.2.3 | Addressing security in third party agreements | CA-3, PS-7, SA-9

Asset Management
7.1 | Responsibility for assets |
7.1.1 | Inventory of assets | CM-8, CM-9, PM-5
7.1.2 | Ownership of assets | CM-8, CM-9, PM-5
7.1.3 | Acceptable use of assets | AC-20, PL-4
7.2 | Information classification |
7.2.1 | Classification guidelines | RA-2
7.2.2 | Information labeling and handling | AC-16, MP-2, MP-3, SC-16

Human Resources Security
8.1 | Prior to employment |
8.1.1 | Roles and responsibilities | XX-1 controls, AC-5, AC-6, AC-8, AC-20, AT-2, AT-3, CM-9, PL-4, PS-2, PS-6, PS-7, SA-9
8.1.2 | Screening | PS-3
8.1.3 | Terms and conditions of employment | AC-20, PL-4, PS-6, PS-7
8.2 | During employment |
8.2.1 | Management responsibilities | PL-4, PS-6, PS-7, SA-9
8.2.2 | Information security awareness, education and training | AT-2, AT-3, IR-2
8.2.3 | Disciplinary process | PS-8
8.3 | Termination or change of employment |
8.3.1 | Termination responsibilities | PS-4, PS-5
8.3.2 | Return of assets | PS-4, PS-5
8.3.3 | Removal of access rights | AC-2, PS-4, PS-5

Physical and Environmental Security
9.1 | Secure areas |
9.1.1 | Physical security perimeter | PE-3
9.1.2 | Physical entry controls | PE-3, PE-5, PE-6, PE-7
9.1.3 | Securing offices, rooms and facilities | PE-3, PE-4, PE-5
9.1.4 | Protecting against external and environmental threats | CP Family; PE-1, PE-9, PE-10, PE-11, PE-13, PE-15
9.1.5 | Working in secure areas | AT-2, AT-3, PL-4, PS-6, PE-2, PE-3, PE-4, PE-6, PE-7, PE-8
9.1.6 | Public access, delivery and loading areas | PE-3, PE-7, PE-16
9.2 | Equipment security |
9.2.1 | Equipment siting and protection | PE-1, PE-18
9.2.2 | Supporting utilities | PE-1, PE-9, PE-11, PE-12, PE-14
9.2.3 | Cabling security | PE-4, PE-9
9.2.4 | Equipment maintenance | MA Family
9.2.5 | Security of equipment off-premises | MP-5, PE-17
9.2.6 | Secure disposal or re-use of equipment | MP-6
9.2.7 | Removal of property | MP-5, PE-16

Communications and Operations Management
10.1 | Operational procedures and responsibilities |
10.1.1 | Documented operating procedures | XX-1 controls, CM-9
10.1.2 | Change management | CM-1, CM-3, CM-4, CM-5, CM-9
10.1.3 | Segregation of duties | AC-5
10.1.4 | Separation of development and operational facilities | CM-2
10.2 | Third party service delivery management |
10.2.1 | Service delivery | SA-9
10.2.2 | Monitoring and review of third party services | SA-9
10.2.3 | Managing changes to third party services | RA-3, SA-9
10.3 | System planning and acceptance |
10.3.1 | Capacity management | AU-4, AU-5, CP-2, SA-2, SC-5
10.3.2 | System acceptance | CA-2, CA-6, CM-3, CM-4, CM-9, SA-11
10.4 | Protection against malicious and mobile code |
10.4.1 | Controls against malicious code | AC-19, AT-2, SA-8, SC-2, SC-3, SC-7, SC-14, SI-3, SI-7
10.4.2 | Controls against mobile code | SA-8, SC-2, SC-3, SC-7, SC-8, SC-14, SC-18
10.5 | Back-up |
10.5.1 | Information back-up | CP-9
10.6 | Network security management |
10.6.1 | Network controls | AC-4, AC-17, AC-18, AC-20, CA-3, CP-8, PE-5, SC-7, SC-8, SC-9, SC-10, SC-19, SC-20, SC-21, SC-22, SC-23
10.6.2 | Security of network services | SA-9, SC-8, SC-9
10.7 | Media handling |
10.7.1 | Management of removable media | MP Family, PE-16
10.7.2 | Disposal of media | MP-6
10.7.3 | Information handling procedures | MP Family, SI-12
10.7.4 | Security of system documentation | MP-4, SA-5
10.8 | Exchange of information |
10.8.1 | Information exchange policies and procedures | AC-1, AC-3, AC-4, AC-17, AC-18, AC-20, CA-3, PL-4, PS-6, SC-7, SC-16, SI-9
10.8.2 | Exchange agreements | CA-3, SA-9
10.8.3 | Physical media in transit | MP-5
10.8.4 | Electronic messaging | Multiple controls; electronic messaging not addressed separately in SP 800-53
10.8.5 | Business information systems | CA-1, CA-3
10.9 | Electronic commerce services |
10.9.1 | Electronic commerce | AU-10, IA-8, SC-3, SC-7, SC-8, SC-9, SC-14
10.9.2 | On-line transactions | SC-3, SC-7, SC-8, SC-9, SC-14
10.9.3 | Publicly available information | SC-14
10.10 | Monitoring |
10.10.1 | Audit logging | AU-1, AU-2, AU-3, AU-4, AU-5, AU-8, AU-11, AU-12
10.10.2 | Monitoring system use | AU-1, AU-6, AU-7, PE-6, PE-8, SC-7, SI-4
10.10.3 | Protection of log information | AU-9
10.10.4 | Administrator and operator logs | AU-2, AU-12
10.10.5 | Fault logging | AU-2, AU-6, AU-12, SI-2
10.10.6 | Clock synchronization | AU-8

Access Control
11.1 | Business requirement for access control |
11.1.1 | Access control policy | AC-1, AC-5, AC-6, AC-17, AC-18, AC-19, CM-5, MP-1, SI-9
11.2 | User access management |
11.2.1 | User registration | AC-1, AC-2, AC-21, IA-5, PE-1, PE-2
11.2.2 | Privilege management | AC-1, AC-2, AC-6, AC-21, PE-1, PE-2, SI-9
11.2.3 | User password management | IA-5
11.2.4 | Review of user access rights | AC-2, PE-2
11.3 | User responsibilities |
11.3.1 | Password use | IA-2, IA-5
11.3.2 | Unattended user equipment | AC-11, IA-2, PE-3, PE-5, PE-18, SC-10
11.3.3 | Clear desk and clear screen policy | AC-11
11.4 | Network access control |
11.4.1 | Policy on use of network services | AC-1, AC-5, AC-6, AC-17, AC-18, AC-20
11.4.2 | User authentication for external connections | AC-17, AC-18, AC-20, CA-3, IA-2, IA-8
11.4.3 | Equipment identification in networks | AC-19, IA-3
11.4.4 | Remote diagnostic and configuration port protection | AC-3, AC-6, AC-17, AC-18, PE-3, MA-3, MA-4
11.4.5 | Segregation in networks | AC-4, SA-8, SC-7
11.4.6 | Network connection control | AC-3, AC-6, AC-17, AC-18, SC-7
11.4.7 | Network routing control | AC-4, AC-17, AC-18
11.5 | Operating system access control |
11.5.1 | Secure log-on procedures | AC-7, AC-8, AC-9, AC-10, IA-2, IA-6, IA-8, SC-10
11.5.2 | User identification and authentication | IA-2, IA-4, IA-5, IA-8
11.5.3 | Password management system | IA-2, IA-5
11.5.4 | Use of system utilities | AC-3, AC-6
11.5.5 | Session time-out | AC-11, SC-10
11.5.6 | Limitation of connection time | None
11.6 | Application and information access control |
11.6.1 | Information access restriction | AC-3, AC-6, AC-14, CM-5
11.6.2 | Sensitive system isolation | None; SP 800-39
11.7 | Mobile computing and teleworking |
11.7.1 | Mobile computing and communications | AC-1, AC-17, AC-18, AC-19, PL-4, PS-6
11.7.2 | Teleworking | AC-1, AC-4, AC-17, AC-18, PE-17, PL-4, PS-6

Information Systems Acquisition, Development and Maintenance
12.1 | Security requirements of information systems |
12.1.1 | Security requirements analysis and specification | SA-1, SA-3, SA-4
12.2 | Correct processing in applications |
12.2.1 | Input data validation | SI-10
12.2.2 | Control of internal processing | SI-7, SI-9, SI-10
12.2.3 | Message integrity | AU-10, SC-8, SI-7
12.2.4 | Output data validation | None
12.3 | Cryptographic controls |
12.3.1 | Policy on the use of cryptographic controls | Multiple controls address cryptography (e.g., IA-7, SC-8, SC-9, SC-12, SC-13)
12.3.2 | Key management | SC-12, SC-17
12.4 | Security of system files |
12.4.1 | Control of operational software | CM-1, CM-2, CM-3, CM-4, CM-5, CM-9, PL-4, SA-6, SA-7
12.4.2 | Protection of system test data | Multiple controls; protection of test data not addressed separately in SP 800-53 (e.g., AC-3, AC-4)
12.4.3 | Access control to program source library | AC-3, AC-6, CM-5, CM-9, MA-5, SA-10
12.5 | Security in development and support processes |
12.5.1 | Change control procedures | CM-1, CM-3, CM-9, SA-10
12.5.2 | Technical review of applications after operating system changes | CM-3, CM-4, CM-9, SI-2
12.5.3 | Restrictions on changes to software packages | CM-3, CM-4, CM-5, CM-9
12.5.4 | Information leakage | AC-4, PE-19
12.5.5 | Outsourced software development | SA-1, SA-4, SA-6, SA-7, SA-8, SA-9, SA-11, SA-12, SA-13
12.6 | Technical vulnerability management |
12.6.1 | Control of technical vulnerabilities | RA-3, RA-5, SI-2, SI-5

Information Security Incident Management
13.1 | Reporting information security events and weaknesses |
13.1.1 | Reporting information security events | AU-6, IR-1, IR-6, SI-4, SI-5
13.1.2 | Reporting security weaknesses | PL-4, SI-2, SI-4, SI-5
13.2 | Management of information security incidents and improvements |
13.2.1 | Responsibilities and procedures | IR-1
13.2.2 | Learning from information security incidents | IR-4
13.2.3 | Collection of evidence | AU-9, IR-4

Business Continuity Management
14.1 | Information security aspects of business continuity management |
14.1.1 | Including information security in the business continuity management process | CP-1, CP-2, CP-4
14.1.2 | Business continuity and risk assessment | CP-2, PM-9, RA Family
14.1.3 | Developing and implementing continuity plans including information security | CP Family
14.1.4 | Business continuity planning framework | CP-2, CP-4
14.1.5 | Testing, maintaining and re-assessing business continuity plans | CP-2, CP-4

Compliance
15.1 | Compliance with legal requirements |
15.1.1 | Identification of applicable legislation | XX-1 controls, IA-7
15.1.2 | Intellectual property rights (IPR) | SA-6
15.1.3 | Protection of organizational records | AU-9, AU-11, CP-9, MP-1, MP-4, SA-5, SI-12
15.1.4 | Data protection and privacy of personal information | PL-5; SI-12
15.1.5 | Prevention of misuse of information processing facilities | AC-8, AU-6, PL-4, PS-6, PS-8, SA-7
15.1.6 | Regulation of cryptographic controls | IA-7, SC-13
15.2 | Compliance with security policies and standards, and technical compliance |
15.2.1 | Compliance with security policies and standards | XX-1 controls, AC-2, CA-2, CA-7, IA-7, PE-8, SI-12
15.2.2 | Technical compliance checking | CA-2, CA-7, RA-5
15.3 | Information systems audit considerations |
15.3.1 | Information systems audit controls | AU-1, AU-2, PL-6
15.3.2 | Protection of information systems audit tools | AU-9

Table 7 - Security Control Mapping ISO to NIST


Appendix B Security Control Mappings from NIST 800-53 to ISO 27002

| Clause (NIST 800-53 Control Family) | Sec | NIST Control Objective | ISO 27002 Security Control |
|---|---|---|---|
| Access Controls (AC) | AC-1 | Access Control Policy and Procedures | 5.1.1, 5.1.2, 6.1.1, 6.1.3, 8.1.1, 10.1.1, 10.8.1, 11.1.1, 11.2.1, 11.2.2, 11.4.1, 11.7.1, 11.7.2, 15.1.1, 15.2.1 |
| | AC-2 | Account Management | 8.3.3, 11.2.1, 11.2.2, 11.2.4, 15.2.1 |
| | AC-3 | Access Enforcement | 10.8.1, 11.4.4, 11.4.6, 11.5.4, 11.6.1, 12.4.2 |
| | AC-4 | Information Flow Enforcement | 10.6.1, 10.8.1, 11.4.5, 11.4.7, 11.7.2, 12.4.2, 12.5.4 |
| | AC-5 | Separation of Duties | 6.1.3, 8.1.1, 10.1.3, 11.1.1, 11.4.1 |
| | AC-6 | Least Privilege | 6.1.3, 8.1.1, 11.1.1, 11.2.2, 11.4.1, 11.4.4, 11.4.6, 11.5.4, 11.6.1, 12.4.3 |
| | AC-7 | Unsuccessful Login Attempts | 11.5.1 |
| | AC-8 | System Use Notification | 6.2.2, 8.1.1, 11.5.1, 15.1.5 |
| | AC-9 | Previous Logon (Access) Notification | 11.5.1 |
| | AC-10 | Concurrent Session Control | 11.5.1 |
| | AC-11 | Session Lock | 11.3.2, 11.3.3, 11.5.5 |
| | AC-12 | Withdrawn | |
| | AC-13 | Withdrawn | |
| | AC-14 | Permitted Actions without Identification or Authentication | 11.6.1 |
| | AC-15 | Withdrawn | |
| | AC-16 | Security Attributes | 7.2.2 |
| | AC-17 | Remote Access | 10.6.1, 10.8.1, 11.1.1, 11.4.1, 11.4.2, 11.4.4, 11.4.6, 11.4.7, 11.7.1, 11.7.2 |
| | AC-18 | Wireless Access | 10.6.1, 10.8.1, 11.1.1, 11.4.1, 11.4.2, 11.4.4, 11.4.6, 11.4.7, 11.7.1, 11.7.2 |
| | AC-19 | Access Control for Mobile Devices | 10.4.1, 11.1.1, 11.4.3, 11.7.1 |
| | AC-20 | Use of External Information Systems | 7.1.3, 8.1.1, 8.1.3, 10.6.1, 10.8.1, 11.4.1, 11.4.2 |
| | AC-21 | User-Based Collaboration and Information Sharing | 11.2.1, 11.2.2 |
| | AC-22 | Publicly Accessible Content | None |
| Awareness and Training (AT) | AT-1 | Security Awareness and Training Policy and Procedures | 5.1.1, 5.1.2, 6.1.1, 6.1.3, 8.1.1, 10.1.1, 15.1.1, 15.2.1 |
| | AT-2 | Security Awareness | 6.2.2, 8.1.1, 8.2.2, 9.1.5, 10.4.1 |
| | AT-3 | Security Training | 8.1.1, 8.2.2, 9.1.5 |
| | AT-4 | Security Training Records | None |
| | AT-5 | Contacts with Security Groups and Associations | 6.1.7 |
| Audit and Accountability (AU) | AU-1 | Audit and Accountability Policy and Procedures | 5.1.1, 5.1.2, 6.1.1, 6.1.3, 8.1.1, 10.1.1, 10.10.2, 15.1.1, 15.2.1, 15.3.1 |
| | AU-2 | Auditable Events | 10.10.1, 10.10.4, 10.10.5, 15.3.1 |
| | AU-3 | Content of Audit Records | 10.10.1 |
| | AU-4 | Audit Storage Capacity | 10.10.1, 10.3.1 |
| | AU-5 | Response to Audit Processing Failures | 10.3.1, 10.10.1 |
| | AU-6 | Audit Review, Analysis, and Reporting | 10.10.2, 10.10.5, 13.1.1, 15.1.5 |
| | AU-7 | Audit Reduction and Report Generation | 10.10.2 |
| | AU-8 | Time Stamps | 10.10.1, 10.10.6 |
| | AU-9 | Protection of Audit Information | 10.10.3, 13.2.3, 15.1.3, 15.3.2 |
| | AU-10 | Non-repudiation | 10.9.1, 12.2.3 |
| | AU-11 | Audit Record Retention | 10.10.1, 10.10.2, 15.1.3 |
| | AU-12 | Audit Generation | 10.10.1, 10.10.4, 10.10.5 |
| | AU-13 | Monitoring for Information Disclosure | None |
| | AU-14 | Session Audit | None |
| Security Assessment and Authorization (CA) | CA-1 | Security Assessment and Authorization Policies and Procedures | 5.1.1, 5.1.2, 6.1.1, 6.1.3, 6.1.4, 8.1.1, 10.1.1, 15.1.1, 15.2.1 |
| | CA-2 | Security Assessments | 6.1.8, 10.3.2, 15.2.1, 15.2.2 |
| | CA-3 | Information System Connections | 6.2.1, 6.2.3, 10.6.1, 10.8.1, 10.8.2, 10.8.5, 11.4.2 |
| | CA-4 | Withdrawn | |
| | CA-5 | Plan of Action and Milestones | None |
| | CA-6 | Security Authorization | 6.1.4, 10.3.2 |
| | CA-7 | Continuous Monitoring | 6.1.8, 15.2.1, 15.2.2 |
| Configuration Management (CM) | CM-1 | Configuration Management Policy and Procedures | 5.1.1, 5.1.2, 6.1.1, 6.1.3, 8.1.1, 10.1.1, 10.1.2, 12.4.1, 12.5.1, 15.1.1, 15.2.1 |
| | CM-2 | Baseline Configuration | 12.4.1, 10.1.4 |
| | CM-3 | Configuration Change Control | 10.1.1, 10.1.2, 10.3.2, 12.4.1, 12.5.1, 12.5.2, 12.5.3 |
| | CM-4 | Security Impact Analysis | 10.1.2, 10.3.2, 12.4.1, 12.5.2, 12.5.3 |
| | CM-5 | Access Restrictions for Change | 10.1.2, 11.1.1, 11.6.1, 12.4.1, 12.4.3, 12.5.3 |
| | CM-6 | Configuration Settings | None |
| | CM-7 | Least Functionality | None |
| | CM-8 | Information System Component Inventory | 7.1.1, 7.1.2 |
| | CM-9 | Configuration Management Plan | 6.1.3, 7.1.1, 7.1.2, 8.1.1, 10.1.1, 10.1.2, 10.3.2, 12.4.1, 12.4.3, 12.5.1, 12.5.2, 12.5.3 |
| Contingency Planning (CP) | CP-1 | Contingency Planning Policy and Procedures | 5.1.1, 5.1.2, 6.1.1, 6.1.3, 8.1.1, 9.1.4, 10.1.1, 10.1.2, 14.1.1, 14.1.3, 15.1.1, 15.2.1 |
| | CP-2 | Contingency Plan | 6.1.2, 9.1.4, 10.3.1, 14.1.1, 14.1.2, 14.1.3, 14.1.4, 14.1.5 |
| | CP-3 | Contingency Training | 8.2.2, 9.1.4, 14.1.3 |
| | CP-4 | Contingency Plan Testing and Exercises | 6.1.2, 9.1.4, 14.1.1, 14.1.3, 14.1.4, 14.1.5 |
| | CP-5 | Withdrawn | |
| | CP-6 | Alternate Storage Site | 9.1.4, 14.1.3 |
| | CP-7 | Alternate Processing Site | 9.1.4, 14.1.3 |
| | CP-8 | Telecommunications Services | 9.1.4, 10.6.1, 14.1.3 |
| | CP-9 | Information System Backup | 9.1.4, 10.5.1, 14.1.3, 15.1.3 |
| | CP-10 | Information System Recovery and Reconstitution | 9.1.4, 14.1.3 |
| Identification and Authentication (IA) | IA-1 | Identification and Authentication Policy and Procedures | 5.1.1, 5.1.2, 6.1.1, 6.1.3, 8.1.1, 10.1.1, 11.2.1, 15.1.1, 15.2.1 |
| | IA-2 | Identification and Authentication (Organizational Users) | 11.3.2, 11.5.1, 11.5.2, 11.5.3 |
| | IA-3 | Device Identification and Authentication | 11.4.3 |
| | IA-4 | Identifier Management | 11.5.2 |
| | IA-5 | Authenticator Management | 11.2.1, 11.2.3, 11.3.1, 11.5.2, 11.5.3 |
| | IA-6 | Authenticator Feedback | 11.5.1 |
| | IA-7 | Cryptographic Module Authentication | 12.3.1, 15.1.1, 15.1.6, 15.2.1 |
| | IA-8 | Identification and Authentication (Non-Organizational Users) | 10.9.1, 11.4.2, 11.5.1, 11.5.2 |
| Incident Response (IR) | IR-1 | Incident Response Policy and Procedures | 5.1.1, 5.1.2, 6.1.1, 6.1.3, 8.1.1, 10.1.1, 13.1.1, 13.2.1, 15.1.1, 15.2.1 |
| | IR-2 | Incident Response Training | 8.2.2 |
| | IR-3 | Incident Response Testing and Exercises | None |
| | IR-4 | Incident Handling | 6.1.2, 13.2.2, 13.2.3 |
| | IR-5 | Incident Monitoring | None |
| | IR-6 | Incident Reporting | 6.1.6, 13.1.1 |
| | IR-7 | Incident Response Assistance | None |
| | IR-8 | Incident Response Plan | None |
| Maintenance (MA) | MA-1 | System Maintenance Policy and Procedures | 5.1.1, 5.1.2, 6.1.1, 6.1.3, 8.1.1, 9.2.4, 10.1.1, 15.1.1, 15.2.1 |
| | MA-2 | Controlled Maintenance | 9.2.4 |
| | MA-3 | Maintenance Tools | 9.2.4, 11.4.4 |
| | MA-4 | Non-Local Maintenance | 9.2.4, 11.4.4 |
| | MA-5 | Maintenance Personnel | 9.2.4, 12.4.3 |
| | MA-6 | Timely Maintenance | 9.2.4 |
| Media Protection (MP) | MP-1 | Media Protection Policy and Procedures | 5.1.1, 5.1.2, 6.1.1, 6.1.3, 8.1.1, 10.1.1, 10.7.1, 10.7.2, 10.7.3, 11.1.1, 15.1.1, 15.1.3, 15.2.1 |
| | MP-2 | Media Access | 7.2.2, 10.7.1, 10.7.3 |
| | MP-3 | Media Marking | 7.2.2, 10.7.1, 10.7.3 |
| | MP-4 | Media Storage | 10.7.1, 10.7.3, 10.7.4, 15.1.3 |
| | MP-5 | Media Transport | 9.2.5, 9.2.7, 10.7.1, 10.7.3, 10.8.3 |
| | MP-6 | Media Sanitization | 9.2.6, 10.7.1, 10.7.2, 10.7.3 |
| Physical and Environmental Protection (PE) | PE-1 | Physical and Environmental Protection Policy and Procedures | 5.1.1, 5.1.2, 6.1.1, 6.1.3, 8.1.1, 9.1.4, 9.2.1, 9.2.2, 10.1.1, 11.1.1, 11.2.1, 11.2.2, 15.1.1, 15.2.1 |
| | PE-2 | Physical Access Authorizations | 9.1.5, 11.2.1, 11.2.2, 11.2.4 |
| | PE-3 | Physical Access Control | 9.1.1, 9.1.2, 9.1.3, 9.1.5, 9.1.6, 11.3.2, 11.4.4 |
| | PE-4 | Access Control for Transmission Medium | 9.1.3, 9.1.5, 9.2.3 |
| | PE-5 | Access Control for Output Devices | 9.1.2, 9.1.3, 10.6.1, 11.3.2 |
| | PE-6 | Monitoring Physical Access | 9.1.2, 9.1.5, 10.10.2 |
| | PE-7 | Visitor Control | 9.1.2, 9.1.5, 9.1.6 |
| | PE-8 | Access Records | 9.1.5, 10.10.2, 15.2.1 |
| | PE-9 | Power Equipment and Power Cabling | 9.1.4, 9.2.2, 9.2.3 |
| | PE-10 | Emergency Shutoff | 9.1.4 |
| | PE-11 | Emergency Power | 9.1.4, 9.2.2 |
| | PE-12 | Emergency Lighting | 9.2.2 |
| | PE-13 | Fire Protection | 9.1.4 |
| | PE-14 | Temperature and Humidity Controls | 9.2.2 |
| | PE-15 | Water Damage Protection | 9.1.4 |
| | PE-16 | Delivery and Removal | 9.1.6, 9.2.7, 10.7.1 |
| | PE-17 | Alternate Work Site | 9.2.5, 11.7.2 |
| | PE-18 | Location of Information System Components | 9.2.1, 11.3.2 |
| | PE-19 | Information Leakage | 12.5.4 |
| Planning (PL) | PL-1 | Security Planning Policy and Procedures | 5.1.1, 5.1.2, 6.1.1, 6.1.2, 6.1.3, 8.1.1, 10.1.1, 15.1.1, 15.2.1 |
| | PL-2 | System Security Plan | None |
| | PL-3 | Withdrawn | |
| | PL-4 | Rules of Behavior | 6.1.5, 6.2.2, 7.1.3, 8.1.1, 8.1.3, 8.2.1, 9.1.5, 10.8.1, 11.7.1, 11.7.2, 12.4.1, 13.1.2, 15.1.5 |
| | PL-5 | Privacy Impact Assessment | 15.1.4 |
| | PL-6 | Security-Related Activity Planning | 6.1.2, 15.3.1 |
| Personnel Security (PS) | PS-1 | Personnel Security Policy and Procedures | 5.1.1, 5.1.2, 6.1.1, 6.1.3, 8.1.1, 10.1.1, 15.1.1, 15.2.1 |
| | PS-2 | Position Categorization | 8.1.1 |
| | PS-3 | Personnel Screening | 8.1.2 |
| | PS-4 | Personnel Termination | 8.3.1, 8.3.2, 8.3.3 |
| | PS-5 | Personnel Transfer | 8.3.1, 8.3.2, 8.3.3 |
| | PS-6 | Access Agreements | 6.1.5, 8.1.1, 8.1.3, 8.2.1, 9.1.5, 10.8.1, 11.7.1, 11.7.2, 15.1.5 |
| | PS-7 | Third-Party Personnel Security | 6.2.3, 8.1.1, 8.2.1, 8.1.3 |
| | PS-8 | Personnel Sanctions | 8.2.3, 15.1.5 |
| Risk Assessment (RA) | RA-1 | Risk Assessment Policy and Procedures | 5.1.1, 5.1.2, 6.1.1, 6.1.3, 8.1.1, 10.1.1, 14.1.2, 15.1.1, 15.2.1 |
| | RA-2 | Security Categorization | 7.2.1, 14.1.2 |
| | RA-3 | Risk Assessment | 6.2.1, 10.2.3, 12.6.1, 14.1.2 |
| | RA-4 | Withdrawn | |
| | RA-5 | Vulnerability Scanning | 12.6.1, 15.2.2 |
| System and Services Acquisition (SA) | SA-1 | System and Services Acquisition Policy and Procedures | 5.1.1, 5.1.2, 6.1.1, 6.1.3, 6.2.1, 8.1.1, 10.1.1, 12.1.1, 12.5.5, 15.1.1, 15.2.1 |
| | SA-2 | Allocation of Resources | 6.1.2, 10.3.1 |
| | SA-3 | Life Cycle Support | 12.1.1 |
| | SA-4 | Acquisitions | 12.1.1, 12.5.5 |
| | SA-5 | Information System Documentation | 10.7.4, 15.1.3 |
| | SA-6 | Software Usage Restrictions | 12.4.1, 12.5.5, 15.1.2 |
| | SA-7 | User-Installed Software | 12.4.1, 12.5.5, 15.1.5 |
| | SA-8 | Security Engineering Principles | 10.4.1, 10.4.2, 11.4.5, 12.5.5 |
| | SA-9 | External Information System Services | 6.1.5, 6.2.1, 6.2.3, 8.1.1, 8.2.1, 10.2.1, 10.2.2, 10.2.3, 10.6.2, 10.8.2, 12.5.5 |
| | SA-10 | Developer Configuration Management | 12.4.3, 12.5.1, 12.5.5 |
| | SA-11 | Developer Security Testing | 10.3.2, 12.5.5 |
| | SA-12 | Supply Chain Protections | 12.5.5 |
| | SA-13 | Trustworthiness | 12.5.5 |
| | SA-14 | Critical Information System Components | None |
| System and Communications Protection (SC) | SC-1 | System and Communications Protection Policy and Procedures | 5.1.1, 5.1.2, 6.1.1, 6.1.3, 8.1.1, 10.1.1, 15.1.1, 15.2.1 |
| | SC-2 | Application Partitioning | 10.4.1, 10.4.2 |
| | SC-3 | Security Function Isolation | 10.4.1, 10.4.2, 10.9.1, 10.9.2 |
| | SC-4 | Information in Shared Resources | None |
| | SC-5 | Denial of Service Protection | 10.3.1 |
| | SC-6 | Resource Priority | None |
| | SC-7 | Boundary Protection | 6.2.1, 10.4.1, 10.4.2, 10.6.1, 10.8.1, 10.9.1, 10.9.2, 10.10.2, 11.4.5, 11.4.6 |
| | SC-8 | Transmission Integrity | 10.4.2, 10.6.1, 10.6.2, 10.9.1, 10.9.2, 12.2.3, 12.3.1 |
| | SC-9 | Transmission Confidentiality | 10.6.1, 10.6.2, 10.9.1, 10.9.2, 12.3.1 |
| | SC-10 | Network Disconnect | 10.6.1, 11.3.2, 11.5.1, 11.5.5 |
| | SC-11 | Trusted Path | None |
| | SC-12 | Cryptographic Key Establishment and Management | 12.3.2 |
| | SC-13 | Use of Cryptography | 12.3.1, 15.1.6 |
| | SC-14 | Public Access Protections | 10.4.1, 10.4.2, 10.9.1, 10.9.2, 10.9.3 |
| | SC-15 | Collaborative Computing Devices | None |
| | SC-16 | Transmission of Security Attributes | 7.2.2, 10.8.1 |
| | SC-17 | Public Key Infrastructure Certificates | 12.3.2 |
| | SC-18 | Mobile Code | 10.4.2 |
| | SC-19 | Voice Over Internet Protocol | 10.6.1 |
| | SC-20 | Secure Name/Address Resolution Service (Authoritative Source) | 10.6.1 |
| | SC-21 | Secure Name/Address Resolution Service (Recursive or Caching Resolver) | 10.6.1 |
| | SC-22 | Architecture and Provisioning for Name/Address Resolution Service | 10.6.1 |
| | SC-23 | Session Authenticity | 10.6.1 |
| | SC-24 | Fail in Known State | None |
| | SC-25 | Thin Nodes | None |
| | SC-26 | Honeypots | None |
| | SC-27 | Operating System-Independent Applications | None |
| | SC-28 | Protection of Information at Rest | None |
| | SC-29 | Heterogeneity | None |
| | SC-30 | Virtualization Techniques | None |
| | SC-31 | Covert Channel Analysis | None |
| | SC-32 | Information System Partitioning | None |
| | SC-33 | Transmission Preparation Integrity | None |
| | SC-34 | Non-Modifiable Executable Programs | None |
| System and Information Integrity (SI) | SI-1 | System and Information Integrity Policy and Procedures | 5.1.1, 5.1.2, 6.1.1, 6.1.3, 8.1.1, 10.1.1, 15.1.1, 15.2.1 |
| | SI-2 | Flaw Remediation | 10.10.5, 12.5.2, 12.6.1, 13.1.2 |
| | SI-3 | Malicious Code Protection | 10.4.1 |
| | SI-4 | Information System Monitoring | 10.10.2, 13.1.1, 13.1.2 |
| | SI-5 | Security Alerts, Advisories, and Directives | 6.1.6, 12.6.1, 13.1.1, 13.1.2 |
| | SI-6 | Security Functionality Verification | None |
| | SI-7 | Software and Information Integrity | 10.4.1, 12.2.2, 12.2.3 |
| | SI-8 | Spam Protection | None |
| | SI-9 | Information Input Restrictions | 10.8.1, 11.1.1, 11.2.2, 12.2.2 |
| | SI-10 | Information Input Validation | 12.2.1, 12.2.2 |
| | SI-11 | Error Handling | None |
| | SI-12 | Information Output Handling and Retention | 10.7.3, 15.1.3, 15.1.4, 15.2.1 |
| | SI-13 | Predictable Failure Prevention | None |
| Program Management (PM) | PM-1 | Information Security Program Plan | 5.1.1, 5.1.2, 6.1.1, 6.1.3, 8.1.1, 15.1.1, 15.2.1 |
| | PM-2 | Senior Information Security Officer | 6.1.1, 6.1.2, 6.1.3 |
| | PM-3 | Information Security Resources | None |
| | PM-4 | Plan of Action and Milestones Process | None |
| | PM-5 | Information System Inventory | 7.1.1, 7.1.2 |
| | PM-6 | Information Security Measures of Performance | None |
| | PM-7 | Enterprise Architecture | None |
| | PM-8 | Critical Infrastructure Plan | None |
| | PM-9 | Risk Management Strategy | 6.2.1, 14.1.2 |
| | PM-10 | Security Authorization Process | 6.1.4 |
| | PM-11 | Mission/Business Process Definition | None |

Table 8 - Security Control Mapping NIST to ISO


Appendix C Data Breach Details of 2009
US Government Civilian Agencies
[Good+ FISMA] State Department: Hundreds of files with Social Security numbers, bank account
numbers and other sensitive U.S. government information were found in a filing cabinet purchased from
the U.S. consulate in Jerusalem through a local auction.
[Good+ FISMA] DHS: FEMA - A laptop containing Social Security numbers and other personal
information from dozens of victims of last September's floods was reported stolen from a housing
inspector's car in Griffith on Nov. 4. The password-protected laptop contained the names, Social Security
numbers, dates of birth, addresses and phone numbers of people who applied for assistance.
[Satisfactory+ FISMA] Department of Veterans Affairs - The issue involves a defective hard drive the
agency sent back to its vendor for repair and recycling without first destroying the data. The hard drive
helped power eVetRecs, the system veterans use to request copies of their health records and discharge
papers. When the drive failed last year, the agency returned the drive to GMRI, the contractor that sold
it to them, for repair. GMRI determined it couldn't be fixed, and ultimately passed it to another firm to
be recycled. The drive was part of a RAID array of six drives containing an Oracle database that held
detailed records on 76 million veterans, including millions of Social Security numbers dating to 1972,
when the military began using individuals' Social Security numbers as their service numbers.
[Satisfactory FISMA] IRS - The U.S. Treasury Inspector General for Tax Administration found in a fiscal
year 2008 audit that in more than a dozen IRS document disposal facilities, old taxpayer documents
were being tossed out in regular waste containers and dumpsters. In addition, the investigation found
that IRS officials failed to consistently verify whether contract employees who have access to taxpayer
documents had passed background checks. Further, investigators had difficulty finding anyone
responsible for oversight of most of the facilities that the IRS contracted with to burn or shred sensitive
taxpayer documents. The review was performed at IRS offices in Phoenix, Tempe, and Tucson, Arizona;
New Carrollton, Maryland; Holtsville, Garden City, and Westbury, New York; and Ogden, Utah, and
included questionnaires to 14 Territory Managers across the country during the period September 2007
through May 2008.


[Satisfactory - FISMA] Smithsonian: The National Archives lost a computer hard drive containing massive
amounts of sensitive data from the Clinton administration, including Social Security numbers, addresses,
and Secret Service and White House operating procedures. The Archives had been converting the
Clinton administration information to a digital records system when the hard drive went missing. The
hard drive was left on a shelf and unused for an uncertain period of time. When the employee tried to
resume work, the hard drive was missing.
Incident 2: The National Archives and Records Administration violated its information security policies
by returning failed hard drives from systems containing personally identifiable information of current
government employees and military veterans back to vendors. By agency policy, NARA is supposed to
destroy the hard drives rather than return them. On two separate occasions the agency sent defective
disk drives back to vendors under a maintenance contract, rather than destroying and disposing of them
in-house.
[Satisfactory - FISMA] DOT: FAA - Hackers broke into the Federal Aviation Administration's computer
system, accessing 48,000 names and Social Security numbers of employees and retirees.

US Government Military Agencies


[Failing FISMA] Mar. 12, 2009, US Army - An Army database that contains personal information about
nearly 1,600 soldiers may have been penetrated by unauthorized users. The information that may have
been breached includes the 1,600 service members' names, e-mail messages, phone numbers, home
addresses, awards received, ranks, gender, ethnicity, and the dates the soldiers deployed and returned from
their deployment.
[Failing FISMA] A recent breach involved a U.S. Army Special Forces document containing the names,
Social Security numbers, home phone numbers and home addresses of 463 soldiers. The document also
contained names and ages of soldiers' spouses and children. The document was discovered in
connection with a Congressional move to address the continuing risk of data leaks on peer-to-peer (P2P)
networks. Through its research, the firm, Tiversa, turned up the document among 240 others belonging
to federal government agencies and military branches, all sitting on P2P networks.
[Failing FISMA] An Army contractor had his laptop stolen containing personal information on 131,000
soldiers. The stolen laptop held personal information on soldiers enrolled in the Army National
Guard Bonus and Incentives Program. The data includes names, Social Security numbers, incentive
payment amounts and payment dates.
[Failing FISMA] A New Zealand man accessed US military secrets on an MP3 player he bought from an
Oklahoma thrift shop for $18. When the 29-year-old hooked up the player he discovered a playlist he
could never have imagined: 60 files in total, including the names and personal details of American
soldiers.

ISO Certified Organizations


Citigroup Technology Infrastructure
[ISO Scope] Citigroup Technology Infrastructure - This ISMS applies to Citigroup Technology
Infrastructure's (CTI's) Global Information Security (GIS) group. GIS is responsible for the provision of
information security programs for CTI that meet all of the relevant information security controls,
policies, and practices that govern Citigroup business, as they relate to technology infrastructure and
operational risk management in the infrastructure environment. This is in accordance with the
Statement of Applicability version 2.4 dated 07/03/08.
Aug. 11, 2009 Citigroup Inc. - (New York City, NY) Citigroup (NYSE:C) recently issued replacement
cards to consumers, telling them that their account numbers may have been compromised. Citigroup
told credit-card customers in Massachusetts that "your account number may have been illegally obtained as
a result of a merchant database compromise and could be at risk for unauthorized use." Bank officials
are not certain if this is a new breach or a previously disclosed one.
Federal Reserve Bank of New York
[ISO Scope] Federal Reserve Bank of New York, USA - The management of the Information Security
Management System for the Information Security Function (ISNY), which provides policy and security
product implementation services for the Federal Reserve Bank of New York, in accordance with the
Statement of Applicability, 1 January 2009.


April 27, 2009 Federal Reserve Bank of New York - (New York, NY) A former employee at the Federal
Reserve Bank of New York and his brother were arrested on suspicion of obtaining loans using stolen
identities. The former employee previously worked as an IT analyst at the bank and had access to
sensitive employee information, including names, birthdates, Social Security numbers and photographs.
A thumb drive attached to his computer held applications for $73,000 in student loans using two stolen
identities. Investigators also found a fake driver's license bearing the photo of a bank employee who wasn't
the person identified on the license.
Broadridge Financial Solutions, Inc.
[ISO Scope] Broadridge Financial Solutions, Inc. provides proxy services for clients, including the
processing, distribution and tabulation of Annual Meeting Proxy materials for registered shareholders of
publicly traded companies.
On June 2, 2009, the firm inadvertently disclosed Dynegy shareholder information including name,
address, Social Security number and other account information to another client.
World Bank
[ISO Scope] The information security management system in relation to the provision of IT services by
the World Bank Information Solutions Group and supporting functions to information users at the World
Bank Washington, DC office. This covers life cycle processes in the planning, development, deployment,
administration, support, management and decommissioning of IT services and archives.
The World Bank controls the world's banking system and creates plans and strategies to develop economies
and to protect countries from financial turmoil. This information is a treasure trove of data which can be
manipulated for huge monetary or political gain.
Amid the financial crisis, a major security breach has been reported at the World Bank that might tell us
that protecting consumers' data during this crisis might not be the first priority for many
suffering financial institutions.
It is still not known how much information was stolen. But sources inside the bank confirm that servers
in the institution's highly restricted treasury unit were deeply penetrated with spy software last April.
Invaders also had full access to the rest of the bank's network for nearly a month in June and July.
In total, at least six major intrusions, two of them using the same group of IP addresses originating
from China, have been detected at the World Bank since the summer of 2007, with the most recent
breach occurring just last month.
The World Bank's technology and security expert states that the incident is an unprecedented crisis.
Some security experts are saying that this might be the worst security breach to date at a global
financial institution. The hackers controlled around 18 servers for more than a month, and the World Bank
admits that sensitive data could have been stolen but is not sure about the total impact of the
breach.
Alan Calder wrote about data protection and financial chaos and mentioned that "When financial
markets appear to be in free fall, many organizations might think that data protection is the least of
their worries. Who cares, they might wonder, about protecting personal data if tomorrow we might not
exist anymore?"
I concur with Alan on this point: in the midst of this chaos, our personal data might be at great risk, and
we have to be vigilant and carry the load to protect our data. At the same time, this might become
another reason for financial institutions' demise if they let their guard down now and do not make it
a priority to protect customers' data.
During this turmoil, some financial institutions' upper management doesn't have to worry about their
responsibility for securing customers' data adequately when they already know that eventually the
taxpayers will be paying for their mistakes and their bonus plans will stay intact. Unprecedented crises are
sometimes the result of unprecedented greed.


References
Alliance (of information security consultants from across the world). (2009). The ISO 27000 Directory.
Retrieved December 24, 2009, from ISO 27000 - ISO 27001 and ISO 27002 Standards:
http://www.27000.org/index.htm
ANSI. (2009). ANSI Standards Store. Retrieved December 19, 2009, from American National Standards
Institute: http://webstore.ansi.org/
Arnason, S. T., & Willett, K. D. (2008). How to Achieve 27001 Certification: An Example of Applied
Compliance Management. Auerbach Publications.
Bowen, P., Chew, E., & Hash, J. (2007, January). Information Security Guide For Government Executives.
Retrieved November 17, 2009, from Computer Security Resource Center:
http://csrc.nist.gov/publications/nistir/ir7359/NISTIR-7359.pdf
Bowen, P., Hash, J., & Wilson, M. (2006, October). Information Security Handbook: A Guide for
Managers. Retrieved November 17, 2009, from Computer Security Resource Center:
http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf
Breaux, T. D., Antón, A. I., & Spafford, E. H. (2009). A Distributed Requirements Management
Framework for Legal Compliance and Accountability. Computers & Security, 8-17.
BS25999 Business Continuity Management. (2007, November). Retrieved December 21, 2009, from
BS25999 Business Continuity Management: http://www.pas56.com/
BSI. (2006). BSI Shop - IT Service Continuity Management. Code of Practice. Retrieved December 23,
2009, from BSI: British Standards - Publicly Available Specification:
http://shop.bsigroup.com/en/ProductDetail/?pid=000000000030141858
Calder, A., & Watkins, S. (2008). IT Governance: A Manager's Guide to Data Security and ISO27001/ISO
27002. Kogan Page.
Carnegie Mellon University. (2009). CMMI | Overview. Retrieved December 9, 2009, from Software
Engineering Institute - Carnegie Mellon: http://www.sei.cmu.edu/cmmi/


Contributors, Various. (2009). Computer Security Division Special Publications. Retrieved December 23,
2009, from National Institute of Standards and Technology:
http://csrc.nist.gov/publications/PubsSPs.html
Contributors, Various. (2007, March). Guide to NIST Information Security Documents. Gaithersburg, MD,
US.
Defence Signals Directorate. (2009). Australian Government Information Security Manual. Retrieved
December 12, 2009, from Australian Government - Department of Defence Intelligence and Security:
http://www.dsd.gov.au/library/infosec/ism.html
FCC - PCS. (2009). Broadband PCS. Retrieved August 7, 2009, from Federal Communications Commission:
http://wireless.fcc.gov/services/index.htm?job=service_home&id=broadband_pcs
FCC - WCS. (2009). Wireless Communication Service (WCS). Retrieved August 7, 2009, from Federal
Communications Commission:
http://wireless.fcc.gov/services/index.htm?job=service_home&id=wcs
Givens, B. (2009). Chronology of Data Breaches. Retrieved January 7, 2010, from Privacy Rights
Clearinghouse: http://www.privacyrights.org/ar/ChronDataBreaches.htm
Herrmann, D. S. (2007). Complete Guide to Security and Privacy Metrics: Measuring Regulatory
Compliance, Operational Resilience, and ROI. Auerbach Publications.
IEEE. (2009). IEEE 1619. Retrieved December 22, 2009, from Security in Storage Working Group:
https://siswg.net/
Information Security Forum. (2007, October). ISF Standard of Good Practice. Retrieved December 22,
2009, from Information Security Forum: https://www.isfsecuritystandard.com/SOGP07/index.htm
ISACA. (2009). COBIT. Retrieved December 21, 2009, from ISACA - Serving IT Governance Professionals:
2009
ISM3 Consortium. (2009). Information Security Management Maturity Model v2.3. Spain: ISM3
Consortium.


ISMS International Users Group. (2009). Certificate Search. Retrieved January 5, 2010, from International
Register of ISMS Certificates:
http://www.iso27001certificates.com/Taxonomy/CertificateSearch.htm
ISO/IEC. (2009). Information technology - Security techniques - Information security management
systems - Overview and vocabulary. Geneva, Switzerland.
ITU-T. (2009). Standardization (ITU-T). Retrieved December 24, 2009, from Telecommunication
Standardization Sector (ITU-T): http://www.itu.int/ITU-T/
Joint Task Force Transformation Initiative. (2009, August). 800-53 Recommended Security
Controls for Federal Information Systems and Organizations. Gaithersburg, MD.
Joint Technical Committee 1. (2009). ISO Standards - JTC 1/SC 27 - IT Security Techniques. Retrieved
December 23, 2009, from International Standards for Business, Government and Society:
http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_tc_browse.htm?commid=45306&pu
blished=on
McLeod, J. (2008, September 17). OCTAVE Information Security Risk Evaluation. Retrieved December 21,
2009, from CERT: http://www.cert.org/octave/
NFPA. (2006, December 20). Standard on Disaster/Emergency Management and Business Continuity
Programs. Retrieved December 23, 2009, from National Fire Protection Association:
http://www.nfpa.org/assets/files/pdf/nfpa1600.pdf
NIST. (2006, February). 800-18 Guide for Developing Security Plans for Federal Information Systems.
Gaithersburg, MD.
NIST. (2009, November 17). 800-37 Rev 1 - Guide for Applying the Risk Management Framework to
Federal Information Systems: A Security Life Cycle Approach [Draft]. Gaithersburg, MD.
NIST. (2008, October). 800-66 Rev 1 - An Introductory Resource Guide for Implementing the Health
Insurance Portability and Accountability Act (HIPAA) Security Rule. Gaithersburg, MD.
NIST Computer Security Division. (2004, February). FIPS 199 Standards for Security Categorization of
Federal Information and Information Systems. Gaithersburg, MD.
NIST Computer Security Division. (2006, March). FIPS 200 Minimum Security Requirements for Federal
Information and Information Systems. Gaithersburg, MD.
OMB. (2009, March 25). Fiscal Year 2008 Report to Congress on Implementation of The Federal
Information Security Management Act of 2002. Washington, DC.
Ross, R., Stoneburner, G., Katzke, S., Johnson, A., Toth, P., & Rogers, G. (2008, July). 800-53A Guide for
Assessing the Security Controls in Federal Information Systems. Gaithersburg, MD.
Ross, R., Swanson, M., Johnson, A., Stoneburner, G., & Katzke, S. (2008, April). 800-39 Managing Risk
from Information Systems [Draft]. Gaithersburg, MD.
Ross, R., Swanson, M., Stoneburner, G., Katzke, S., & Johnson, A. (2004, May). 800-37 Guide for the
Security Certification and Accreditation of Federal Information Systems. Gaithersburg, MD.
Stine, K., Kissel, R., Barker, W. C., Fahlsing, J., & Gulick, J. (2008, August). 800-60 Volume I - Guide for
Mapping Types of Information and Information Systems to Security Categories. Gaithersburg, MD.
Stoneburner, G., Goguen, A., & Feringa, A. (2002, July). 800-30 Risk Management Guide for Information
Technology Systems. Gaithersburg, MD.
University of Auckland, NZ. (1995). Information Security Management. Retrieved December 21, 2009,
from University of Auckland, New Zealand: University of Auckland, NZ
Wikipedia contributors. (2009, December 22). Project management. Retrieved December 24, 2009,
from Wikipedia:
http://en.wikipedia.org/w/index.php?title=Project_management&oldid=333337385