157 Security Controls Criteria for Multi-purpose Projects

What is involved in Security control

Find out what the related areas are that Security control connects with, associates with, correlates with or affects, and which require thought, deliberation, analysis, review and discussion. This checklist is not designed to give answers per se, but to engage the reader and lay out a Security control thinking frame.

How far is your company on its Security Controls journey?

Take this short survey to gauge your organization’s progress toward Security Controls leadership. Learn your strongest and weakest areas, and what you can do now to create a strategy that delivers results.

To address the criteria in this checklist for your organization, extensive selected resources are provided for sources of further research and information.

Start the Checklist

Below you will find a quick checklist designed to help you think about which Security control related domains to cover and 157 essential critical questions to check off in that domain.

The following domains are covered:

Security control, Security controls, Access control, CIA Triad, Countermeasure, DoDI 8500.2, Environmental design, Health Insurance Portability and Accountability Act, ISAE 3402, ISO/IEC 27001, Information Assurance, Information security, OSI model, Payment Card Industry Data Security Standard, Physical Security, SSAE 16, Security, Security engineering, Security management, Security risk, Security service:

Security control Critical Criteria:

Analyze Security control goals and test out new things.

– Have we developed a continuous monitoring strategy for the information systems (including monitoring of security control effectiveness for system-specific, hybrid, and common controls) that reflects the organizational Risk Management strategy and organizational commitment to protecting critical missions and business functions?

– Have the IT security costs for any investment/project been integrated into the overall cost, including C&A/re-accreditation, system security plan, risk assessment, privacy impact assessment, configuration/patch management, security control testing and evaluation, and contingency planning/testing?

– Are there multiple physical security controls (such as badges, escorts, or mantraps) in place that would prevent unauthorized individuals from gaining access to the facility?

– Are regular reviews of the effectiveness of the ISMS (including meeting of ISMS policy and objectives and review of security controls) undertaken?

– Do the security controls encompass not only the cloud services themselves, but also the management interfaces offered to customers?

– Can the cloud service provider demonstrate appropriate security controls applied to their physical infrastructure and facilities?

– What training is provided to personnel that are involved with Cybersecurity control, implementation, and policies?

– Do we have policies and methodologies in place to ensure the appropriate security controls for each application?

– How do we ensure that implementations of Security control products are done in a way that ensures safety?

– Is the measuring of the effectiveness of the selected security controls or group of controls defined?

– Does the cloud service provider have necessary security controls on their human resources?

– Do we have sufficient processes in place to enforce security controls and standards?

– Have vendors documented and independently verified their Cybersecurity controls?

– How do we go about comparing Security control approaches/solutions?

– Are there recognized Security control problems?

– What are the known security controls?

Security controls Critical Criteria:

Rank Security controls governance, achieve a single Security controls view and bring data together.

– Does the cloud service agreement make its responsibilities clear and require specific security controls to be applied to the application?

– How do we measure improved Security control service perception, and satisfaction?

– Are there Security control problems defined?

– What is Effective Security control?

Access control Critical Criteria:

Have a session on Access control issues and modify and define the unique characteristics of interactive Access control projects.

– What are your current levels and trends in key measures or indicators of Security control product and process performance that are important to and directly serve your customers? How do these results compare with the performance of your competitors and other organizations with similar offerings?

– Are information security policies, including policies for access control, application and system development, operational, network and physical security, formally documented?

– Can the access control product protect individual devices (e.g., floppy disks, CD-ROMs, serial and parallel interfaces, and the system clipboard)?

– If our security management product supports access control based on defined rules, what is the granularity of the rules supported: access control per user, group, or role?

– Does the provider utilize Network Access Control based enforcement for continuous monitoring of its virtual machine population and virtual machine sprawl prevention?

– Access control: Are there appropriate controls over access to PII when stored in the cloud so that only individuals with a need to know will be able to access it?

– Do access control logs contain successful and unsuccessful login attempts and access to audit logs?

– Is the process actually generating measurable improvement in the state of logical access control?

– Access control: Are there appropriate access controls over PII when it is in the cloud?

– What new services or functionality will be implemented next with Security control?

– What are your most important goals for the strategic Security control objectives?

– What is the direction of flow for which access control is required?

– Should we call it role-based rule-based access control, or RBRBAC?

– Do the provider services offer fine grained access control?

– What type of advanced access control is supported?

– What access control exists to protect the data?

– What is our role based access control?

– Who determines access controls?

CIA Triad Critical Criteria:

Contribute to CIA Triad outcomes and define CIA Triad competency-based leadership.

– What other jobs or tasks affect the performance of the steps in the Security control process?

– How do we make it meaningful in connecting Security control with what users do day-to-day?

– Are there Security control Models?

Countermeasure Critical Criteria:

Reason over Countermeasure issues and get out your magnifying glass.

– How do you determine the key elements that affect Security control workforce satisfaction? How are these elements determined for different workforce groups and segments?

– What tools do you use once you have decided on a Security control strategy and more importantly how do you choose?

DoDI 8500.2 Critical Criteria:

Infer DoDI 8500.2 outcomes and get out your magnifying glass.

– How will you measure your Security control effectiveness?

– Do we have past Security control Successes?

Environmental design Critical Criteria:

Map Environmental design failures and explain and analyze the challenges of Environmental design.

– In the case of a Security control project, the criteria for the audit derive from implementation objectives. An audit of a Security control project involves assessing whether the recommendations outlined for implementation have been met. In other words, can we track that any Security control project is implemented as planned, and is it working?

– How would one define Security control leadership?

Health Insurance Portability and Accountability Act Critical Criteria:

Experiment with Health Insurance Portability and Accountability Act quality and finalize the present value of growth of Health Insurance Portability and Accountability Act.

– How can you measure Security control in a systematic way?

– How can the value of Security control be defined?

ISAE 3402 Critical Criteria:

Refer to ISAE 3402 strategies and research ways we can become the ISAE 3402 company that would put us out of business.

– What tools and technologies are needed for a custom Security control project?

– What are the short and long-term Security control goals?

ISO/IEC 27001 Critical Criteria:

Depict ISO/IEC 27001 projects and don’t overlook the obvious.

– Meeting the challenge: are missed Security control opportunities costing us money?

– What are the usability implications of Security control actions?

– How is the value delivered by Security control being measured?

Information Assurance Critical Criteria:

Guard Information Assurance risks and frame using storytelling to create more compelling Information Assurance projects.

– How do mission and objectives affect the Security control processes of our organization?

– How do we go about securing Security control?

– How do we keep improving Security control?

Information security Critical Criteria:

Analyze Information security adoptions and know what your objective is.

– Do we cover the five essential competencies (Communication, Collaboration, Innovation, Adaptability, and Leadership) that improve an organization's ability to leverage the new Security control in a volatile global economy?

– Are information security policies and other relevant security information disseminated to all system users (including vendors, contractors, and business partners)?

– Does the ISMS policy provide a framework for setting objectives and establish an overall sense of direction and principles for action with regard to information security?

– Are Human Resources subject to screening, and do they have terms and conditions of employment defining their information security responsibilities?

– Do suitable policies for information security exist for all critical assets of the value-added chain (indication of completeness of policies, Ico)?

– Is management able to determine whether security activities delegated to people or implemented by information security are performing as expected?

– Is the documented Information Security Management System (ISMS) established, implemented, operated, monitored, reviewed, maintained and improved?

– Are information security roles and responsibilities coordinated and aligned with internal roles and external partners?

– Are we requesting exemption from or modification to established information security policies or standards?

– Have standards for information security across all entities been established or codified into law?

– Does management establish roles and responsibilities for information security?

– Are damage assessment and disaster recovery plans in place?

– Do we conform to the identified information security requirements?

– What is the goal of information security?

– What is information security?

OSI model Critical Criteria:

Conceptualize OSI model outcomes and devote time assessing OSI model and its risk.

– What other organizational variables, such as reward systems or communication systems, affect the performance of this Security control process?

– Do several people in different organizational units assist with the Security control process?

– Who will provide the final approval of Security control deliverables?

Payment Card Industry Data Security Standard Critical Criteria:

Ventilate your thoughts about Payment Card Industry Data Security Standard engagements and proactively manage Payment Card Industry Data Security Standard risks.

– What are the top 3 things at the forefront of our Security control agendas for the next 3 years?

– Does the Security control task fit the client's priorities?

Physical Security Critical Criteria:

Consult on Physical Security governance, achieve a single Physical Security view and bring data together.

– What are your results for key measures or indicators of the accomplishment of your Security control strategy and action plans, including building and strengthening core competencies?

– Does your Cybersecurity plan contain both cyber and physical security components, or does your physical security plan identify critical cyber assets?

– Has Cybersecurity been identified in the physical security plans for the assets, reflecting planning for a blended cyber/physical attack?

– Secured Offices, Rooms and Facilities: Is physical security for offices, rooms and facilities designed and applied?

– What role does communication play in the success or failure of a Security control project?

– Is the security product consistent with physical security and other policy requirements?

SSAE 16 Critical Criteria:

Transcribe SSAE 16 issues and display thorough understanding of the SSAE 16 process.

– Among the Security control product and service cost to be estimated, which is considered hardest to estimate?

– Does Security control create potential expectations in other areas that need to be recognized and considered?

Security Critical Criteria:

Dissect Security engagements and figure out ways to motivate other Security users.

– What domains of knowledge and types of Cybersecurity-associated skills and abilities are necessary for engineers involved in operating industrial processes to achieve safe and reliable operating goals?

– Can you provide the required evidence and reports to show compliance to regulations such as PCI and SOX?

– Does your organization perceive the need for more effort to promote security and trust in data technologies?

– Do you require that subcontractors submit proof of insurance separate from the primary?

– Who has access, and what is left behind when you scale down a service?

– Are passwords, log-ins, and email accounts cancelled and reassigned?

– What performance requirements do you want from the company?

– Has your system's or website's availability been disrupted?

– How does our organization monitor service performance?

– How does our organization choose a service provider?

– How do you assess threats to your system and assets?

– Do you use contingency-driven consequence analysis?

– What is the first priority cloud security concern?

– Is there a risk related to data location?

– Why focus on Cybersecurity & resilience?

– How much to invest in Cybersecurity?

– How do we build the Trusted Cloud?

– Is sensitive information involved?

Security engineering Critical Criteria:

Define Security engineering quality and create Security engineering explanations for all managers.

– Think about the people you identified for your Security control project and the project responsibilities you would assign to them. What kind of training do you think they would need to perform these responsibilities effectively?

Security management Critical Criteria:

Participate in Security management and explain and analyze the challenges of Security management.

– Has the organization established an Identity and Access Management program that is consistent with requirements, policy, and applicable guidelines and which identifies users and network devices?

– Has the organization established an enterprise-wide business continuity/disaster recovery program that is consistent with requirements, policy, and applicable guidelines?

– Marketing budgets are tighter, consumers are more skeptical, and social media has changed forever the way we talk about Security control. How do we gain traction?

– Does the service agreement have metrics for measuring performance and effectiveness of security management?

– Do we monitor the Security control decisions made and fine tune them as they evolve?

– Does Security control analysis isolate the fundamental causes of problems?

– Is there a business continuity/disaster recovery plan in place?

– So, how does security management manifest in cloud services?

Security risk Critical Criteria:

Tête-à-tête about Security risk engagements and observe effective Security risk.

– Has your organization conducted a cyber risk or vulnerability assessment of its information systems, control systems, and other networked systems?

– Has your organization conducted an evaluation of the Cybersecurity risks for major systems at each stage of the system deployment lifecycle?

– How do you monitor your Cybersecurity posture on business IT systems and ICS systems and communicate status and needs to leadership?

– Do you have a process for looking at consequences of cyber incidents that informs your risk management process?

– Are we currently required to report any cyber incidents to any federal or state agencies?

– Does senior leadership have access to Cybersecurity risk information?

– Is your Cybersecurity plan tested regularly?

– What else do you need to learn to be ready?

– Is Cybersecurity Insurance coverage a must?

– How do the actors compromise our systems?

– Will a permanent standard be developed?

– Are there beyond-compliance activities?

– Who will be responsible internally?

– How do we prioritize risks?

Security service Critical Criteria:

Shape Security service adoptions and devise Security service key steps.

– Policy compliance is closely related to IT governance. Compliance has much to do with defining, controlling and governing security efforts. How should an organization respond to security events?

– During the last 3 years, has anyone alleged that you were responsible for damages to their systems arising out of the operation of your system?

– For the private information collected, is there a process for deleting this information once it is complete or not needed anymore?

– Have you had a PCI compliance audit performed in the last 12 months by an approved PCI Qualified Security Assessor?

– Is firewall technology used to prevent unauthorized access to and from internal networks and external networks?

– Do you provide opt-out controls that are visible and addressed within the privacy policy?

– Is your organization's policy consistent with that of contractors you work with?

– Do you monitor log files on a regular basis to help spot abnormal trends?

– How many UNIX servers are there and what functions are they providing?

– Do you train employees on the proper handling of private information?

– Is your security policy reviewed and updated at least annually?

– What is the range of the limitation of liability in contracts?

– What issues/factors affect IT security service decisions?

– Are there any industry based standards that you follow?

– Do you have any DR/business continuity plans in place?

– When does the IT security service life cycle end?

– Can Managing Enterprise Security Be Made Easier?

– What is the funding source for this project?

– What is the IT security service life cycle?

– Do you have a privacy policy?

This quick readiness checklist is a selected resource to help you move forward. Learn more about how to achieve comprehensive insights with the Security Controls Self Assessment:

Author: Gerard Blokdijk

CEO at The Art of Service | http://theartofservice.com

Gerard is the CEO at The Art of Service. He has been providing information technology insights, talks, tools and products to organizations in a wide range of industries for over 25 years. Gerard is a widely recognized and respected information expert. Gerard founded The Art of Service consulting business in 2000. Gerard has authored numerous published books to date.

External links:

To address the criteria in this checklist, these selected resources are provided for sources of further research and information:

Security control External links:

AZ Security Control – Remote Dealer Access

Security controls External links:

CIS Top 20 Critical Security Controls Solutions | Rapid7

[PDF]Product SecureNow Security Controls for Financial …

Access control External links:

Mercury Security Access Control Hardware & Solutions

Open Options – Open Platform Access Control

Linear Pro Access – Professional Access Control Systems

CIA Triad External links:

CIA Triad of Cybersecurity – InfoSec Resources

what is CIA triad? – 12148 – The Cisco Learning Network

CIA Triad « CIPP Guide

Countermeasure External links:

ACT Cert: Attack Countermeasures Training and …

Countermeasure | Definition of Countermeasure by …

Improvised Device Defeat/Explosives Countermeasures …

DoDI 8500.2 External links:

[PDF]DoDI 8500.2 Solution Brief – EventTracker

DoDI 8500.2 – Intelsat General Corporation

Environmental design External links:

[PDF]Aviation Environmental Design Tool (AEDT)

T. Lake Environmental Design | Landscaping Macon …

Mona + Associates Design – Interiors + Environmental Design

Health Insurance Portability and Accountability Act External links:

Health Insurance Portability and Accountability Act …

ISAE 3402 External links:

ISAE 3402 – Service Organization Control Reports

22. What are SSAE 16 and ISAE 3402? What happened to …

ISO/IEC 27001 External links:

BSI Training – ISO/IEC 27001 Lead Implementer

ISO/IEC 27001 Information Security | BSI America

ISO/IEC 27001:2013
ISO/IEC 27001:2013 is an information security standard that was published on 25 September 2013. It supersedes ISO/IEC 27001:2005, and is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27.

Information Assurance External links:

Information Assurance Training Center

Information security External links:

Title & Settlement Information Security

Information Security Management Company | …

OSI model External links:

The OSI Model’s Seven Layers Defined and Functions …

The 7 Layers of the OSI Model – Webopedia Study Guide

A Guide to the OSI Model in Computer Networking

Payment Card Industry Data Security Standard External links:

Payment Card Industry Data Security Standard …

[PDF]Payment Card Industry Data Security Standard 3 – …

Physical Security External links:

Qognify: Big Data Solutions for Physical Security & …

ADC LTD NM Leader In Personnel & Physical Security

Access Control and Physical Security

SSAE 16 External links:

[PDF]Payday – SSAE 16

SSAE 16 Auditing and Reporting Services – A-LIGN

SSAE 16 Type 2 Compliant – Alliant National

Security engineering External links:

Security Engineering – Covenant Security Solutions

Security Engineering Capability

Security management External links:

Cloud Based Security Management – MAXPRO® Cloud

Security Management Resources

Welcome to 365 Security | 365 Security Management Group

Security risk External links:

Security Risk (eBook, 2011) [WorldCat.org]

Security Risk (1954) – IMDb

Security service External links:

Toyota Enterprise Security Service – Login

myBranch Online Banking Log In | Security Service

Contact Us: Questions, Complaints | Security Service