
Access control maturity assessment matrix. Columns of the source sheet: Domain, Main security category, Control, Metrics, Indicator. Each record below is one row of the matrix; indicator levels run from 0 (no control) to 4 (fully implemented), and each level builds on the one before it. Entries containing "..." are cut off at the right margin of the source page.

Domain: 07. Access Control | Main security category: 01. Business requirement for access control | Control: Access control policy (name inferred from the metric; not printed on this page)
Metric: 1. To what degree was your access control policy implemented?
Indicator:
  0 No access control policy has been developed
  1 Access control policy addresses security requirements and the risks associated with business applications ... information
  2 Above, plus addresses information dissemination and enforces consistency between access control and information classification policies (of systems and networks)
  3 All the above, plus standard access profiles were developed for common job roles and segregated d...
  4 All the above, plus requirements for formal authorization, periodic review and removal are implemented ...

Domain: 07. Access Control | Main security category: 02. User access management | Control: 01. User registration
Metric: 1. How does your organization implement user registration?
Indicator:
  0 No formal procedure for user registration exists within the organization
  1 At a minimum, the company performs an annual revalidation of all user IDs
  2 Above, plus ownership of the registration process is assigned to individual system owners
  3 All the above, plus there are formal documented user registration procedures in place that state that ... permission is required for completion of the procedure
  4 All the above, plus we communicate the need to use the registration process to all users who receive ... statement of their access rights

Domain: 07. Access Control | Main security category: 02. User access management | Control: 02. Privilege management
Metric: 2. How does your organization manage the allocation of privileges?
Indicator:
  0 No management procedures exist to allocate privileges
  1 At a minimum, the privileges in all systems and the respective users are identified
  2 Above, plus privileges are allocated on a need-to-use and event-by-event basis
  3 All the above, plus privileges are allocated once an authorization in a formal documented procedure is ...
  4 All the above, plus whenever possible the development and use of programs/system routines is encouraged ... required privileges are assigned to a different user ID

Domain: 07. Access Control | Main security category: 02. User access management | Control: 02. Privilege management
Metric: 2. How does your organization handle exceptions to security rules?
Indicator:
  0 No formal process exists for security exceptions
  1 A process exists to identify and gain management approval
  2 Above, plus exceptions are only granted by management for a limited period of time
  3 All the above, plus each exception is based on a risk assessment and a corrective action plan
  4 All the above, plus exceptions are reviewed regularly to control progress toward goals

Domain: 07. Access Control | Main security category: 02. User access management | Control: 03. User password management
Metric: 3. How does your organization implement password (or equivalent) management?
Indicator:
  0 No password use is documented
  1 The organization has established a formal password management system (which includes a signed statement ... that passwords will remain confidential to the individual/group)
  2 Above, plus the allocation/issue of passwords is controlled by a central function (which verifies user ... before password delivering)
  3 All the above, plus allocation/issue of passwords is dependent on the requesting line manager and passwords ... are unique and not guessable
  4 All the above, plus all user (and acknowledge receipt) and manager requests and compliance statements ... are retained

Domain: 07. Access Control | Main security category: 02. User access management | Control: 04. Review of user access rights
Metric: 4. To what degree are access rights reviewed?
Indicator:
  0 Access rights are reviewed on an ad-hoc basis
  1 Users' access rights are reviewed periodically and when promotion, demotion or job termination occurs ...
  2 Above, plus access rights are re-allocated when moving from one job to another within the organization ...
  3 All the above, plus special privilege access rights are reviewed monthly
  4 All the above, plus privileged allocations are reviewed against what was approved

Domain: 07. Access Control | Main security category: 03. User responsibilities | Control: 01. Password use
Metric: 1. To what degree are users required to follow good security practices when using passwords?
Indicator:
  0 No controls for password usage have been implemented
  1 Users are required to change passwords periodically and at first logon
  2 Above, plus users are required to select strong passwords
  3 All the above, plus segregation of passwords is enforced where sensitivity between business and non-... purposes exists
  4 All the above, plus controls have been implemented so users' passwords remain confidential

Domain: 07. Access Control | Main security category: 03. User responsibilities | Control: 02. Unattended user equipment
Metric: 2. How does your organization protect unattended user equipment?
Indicator:
  0 No guidelines for unattended user equipment have been developed
  1 Guidelines explicitly state that users must lock their session
  2 Above, plus controls have been implemented so equipment locks automatically after a period of inactivity ...
  3 All the above, plus controls are implemented so equipment use is allowed only by using a password
  4 All the above, plus controls are implemented so log-off/lock session occurs on servers, mainframe computers ...

Domain: 07. Access Control | Main security category: 03. User responsibilities | Control: 03. Clear desk and clear screen policy
Metric: 3. To what degree has your clear desk/screen policy been implemented?
Indicator:
  0 No clear desk/screen policy is in place
  1 A clear desk/screen policy is developed but no enforcement controls are in place
  2 Above, plus locked cabinets are in place to safeguard sensitive information in paper or electronic storage ...
  3 All the above, plus controls are in place to protect unattended incoming/outgoing mail points and fax machines
  4 All the above, plus controls (e.g. PIN code) are in place to protect sensitive/classified information in p...

Domain: 07. Access Control | Main security category: 04. Network access control | Control: 01. Policy on use of network services
Metric: 1. To what degree was your policy on use of network services implemented?
Indicator:
  0 No policy on use of network services is in place
  1 Your policy states explicitly what networks and network services are allowed to be accessed
  2 Above, plus there are procedures in place to authorize access to networks and network services
  3 All the above, plus controls are in place to prevent use of unauthorized network services and networks ...
  4 All the above, plus the policy covers the conditions to allow access to networks and network services

Domain: 07. Access Control | Main security category: 04. Network access control | Control: 02. User authentication for external connections
Metric: 2. What authentication methods are used by your remote users?
Indicator:
  0 No authentication methods exist for remote users
  1 A single-factor authentication method is implemented
  2 Above, plus dedicated private lines are in place to guarantee authorized connections
  3 All the above, plus virtual private networks are in place to authenticate remote users
  4 All the above, plus two- (or three-) factor authentication methods are in place

Domain: 07. Access Control | Main security category: 04. Network access control | Control: 03. Equipment identification in networks
Metric: 3. How does your organization identify authorized equipment in your network?
Indicator:
  0 No authentication methods exist for your equipment
  1 A manual registration is required per equipment in each network
  2 Above, plus a unique identifier, in or attached to the equipment, allows the equipment to identify itself in ...
  3 All the above, plus the identifier contains information about which network the equipment is authorized to ...
  4 All the above, plus advanced techniques have been implemented for equipment authentication

Domain: 07. Access Control | Main security category: 04. Network access control | Control: 04. Remote diagnostic and configuration port protection
Metric: 4. How does your organization control access to remote diagnostic and configuration ports?
Indicator:
  0 No controls to restrict access are in place
  1 Maintenance personnel have authenticated access to configuration tools
  2 Above, plus a risk assessment is performed prior to closing unnecessary ports and enabling maintenance tools ... equipment
  3 All the above, plus there is a process in place to grant access to maintenance personnel on a planned basis ...
  4 All the above, plus physical controls are in place to enforce authorized access

Domain: 07. Access Control | Main security category: 04. Network access control | Control: 05. Segregation in networks
Metric: 5. To what degree does your organization segregate your network?
Indicator:
  0 No controls for network segregation are in place
  1 Networks are segregated between public and internally accessible
  2 Above, plus networks are segregated so the production network is separated from test networks
  3 All the above, plus a risk assessment analysis is performed to segregate networks so critical assets ... by implementing routing
  4 All the above, plus wireless networks are segregated from internal and private networks

Domain: 07. Access Control | Main security category: 04. Network access control | Control: 06. Network connection control
Metric: 6. How does your organization control network connections?
Indicator:
  0 No controls for network connection exist
  1 Some controls are in place to limit connection to network services
  2 Above, plus some network access rights are managed in accordance with the access control policy
  3 All the above, plus all network access rights are managed in accordance with the access control policy
  4 All the above, plus network access rights are reviewed and maintained as part of the access control policy ...

Domain: 07. Access Control | Main security category: 04. Network access control | Control: 06. Network connection control
Metric: 6. How does your organization track installed networks?
Indicator:
  0 There is no network documentation within the organization
  1 A documented inventory of installed network components exists and is kept up-to-date
  2 Above, plus connections with external networks are tracked
  3 All the above, plus a description of the network topology is maintained
  4 All the above, plus details on protocols, frame formats, and encryption are kept up-to-date

Domain: 07. Access Control | Main security category: 04. Network access control | Control: 06. Network connection control
Metric: 6. What controls exist over public network connections other than the Internet?
Indicator:
  0 Public network connection controls are addressed as requested
  1 Connections are restricted only to remote company sites
  2 Above, plus connections are restricted only to remote company sites and remote employees
  3 All the above, plus separate connections are used between trusted and untrusted sites/users
  4 All the above, plus sensitive communications are encrypted over all public networks

Domain: 07. Access Control | Main security category: 04. Network access control | Control: 07. Network routing control
Metric: 7. How does your organization control network routing?
Indicator:
  0 No controls for network routing exist
  1 Some routing controls exist so computer connections do not breach access control policies
  2 Above, plus routing controls exist so information does not flow breaching access control policies of business ... applications
  3 All the above, plus security gateways are implemented so source and destination are validated
  4 All the above, plus network address translation technologies are used whenever a risk assessment ... recommends doing so

Domain: 07. Access Control | Main security category: 05. Operating system access control | Control: 01. Secure log-on procedures
Metric: 1. What controls are in place to secure log-on procedures on your operating systems?
Indicator:
  0 No controls are in place for secure log-on on operating systems
  1 No information is shown until log-on is completed; a general notice is displayed stating that only authorized ... users are permitted
  2 Above, plus no information is displayed that may help unauthorized users, and log-on attempts ... are limited to 3
  3 All the above, plus the maximum and minimum time allowed for the log-on procedure is limited, and on completion ... the log-on displays the last time of successful log-on and the unsuccessful attempts since the last log-on
  4 All the above, plus passwords are hidden on screen and transmitted encrypted over the network

Domain: 07. Access Control | Main security category: 05. Operating system access control | Control: 02. User identification and authentication
Metric: 2. What controls are in place to provide appropriate user identification and authentication?
Indicator:
  0 No controls are in place to provide appropriate identification and authentication
  1 Unique IDs have been chosen and the existence of group IDs has not been formally approved or documented ...
  2 Above, plus approval by management (supported by strong business benefit) is documented for group ... controls exist to maintain accountability
  3 All the above, plus regular user activities are not performed from privileged accounts
  4 All the above, plus strong authentication is used in accordance with the sensitivity of the information accessed

Domain: 07. Access Control | Main security category: 05. Operating system access control | Control: 03. Password management system
Metric: 3. How strong is your password management system?
Indicator:
  0 The password management system just enforces ID uniqueness
  1 The system allows users to select their own passwords and has controls to prevent input errors
  2 Above, plus forces users to change temporary passwords
  3 All the above, plus enforces password changes and keeps a record of previous passwords to prevent reuse ...
  4 All the above, plus stores password files separately from application system data; in addition passwords ... are stored and transmitted protected (encrypted or hashed)

Domain: 07. Access Control | Main security category: 05. Operating system access control | Control: 04. Use of system utilities
Metric: 4. How does your organization control use of system utilities?
Indicator:
  0 At minimum, access to system utilities requires authentication and authorization
  1 There is a process in place to grant access to system utilities
  2 Above, the process in place permits access; access to system utilities is forbidden at all times (system ... are disabled)
  3 All the above, plus availability of system utilities enforces authorized access for the duration of authorized ... change(s)
  4 All the above, plus segregation of duties is in place so users with access to business applications can... system utilities

Domain: 07. Access Control | Main security category: 05. Operating system access control | Control: 05. Session time-out
Metric: 5. How does your organization handle inactive sessions?
Indicator:
  0 No controls are in place to handle inactive sessions
  1 After a period of inactivity, inactive session screens are cleared
  2 Above, plus the time-out delay is set in accordance with the risk assessment of the area
  3 All the above, plus the time-out delay is set in accordance with the information being used and the users ... who use it
  4 All the above, plus screens are cleared but no applications or network sessions are closed

Domain: 07. Access Control | Main security category: 05. Operating system access control | Control: 06. Limitation of connection time
Metric: 6. How does your organization control connection time on high-risk or sensitive applications?
Indicator:
  0 No controls are in place to limit connection time
  1 Predetermined time slots are in place for certain activities
  2 Above, plus connection times are restricted to normal office hours
  3 All the above, plus a process is in place to authorize exceptions or when overtime/extended hours ... occur
  4 All the above, plus re-authentication is considered at timed intervals

Domain: 07. Access Control | Main security category: 06. Application and information access control | Control: 01. Information access restriction
Metric: 1. What controls are in place to restrict access to information?
Indicator:
  0 No controls are in place to restrict access to information
  1 Menus exist to control access to applications' system functions
  2 Above, plus controls are in place to control users' access rights
  3 All the above, plus access rights of other applications are controlled
  4 All the above, plus outputs from applications contain only useful and necessary information

Domain: 07. Access Control | Main security category: 06. Application and information access control | Control: 02. Sensitive system isolation
Metric: 2. How does your organization isolate sensitive systems?
Indicator:
  0 No controls are in place to isolate sensitive systems
  1 The sensitivity of an application system is explicitly identified and documented by the application owner ...
  2 Above, plus a risk assessment is performed prior to putting sensitive application systems in a shared environment (physical or logical)
  3 All the above, plus the owner of the application must accept the associated risk and the acceptance ... documented
  4 All the above, plus a process is in place to assure that a sensitive application only shares an environment ... with other trusted applications

Domain: 07. Access Control | Main security category: 07. Mobile computing and teleworking | Control: 01. Mobile computing and telecommunications
Metric: 1. To what extent was your policy on mobile computing and telecommunications implemented?
Indicator:
  0 No policy for mobile computing and telecommunications is in place
  1 The policy addresses the risks involved in using mobile facilities and usage in unprotected environments ...
  2 Above, plus the policy addresses requirements for physical protection, access controls, cryptographic techniques ... back-ups and virus protection
  3 All the above, plus remote access to business information across networks only occurs after successful ... authentication and authorization
  4 All the above, plus physical controls are in place to protect mobile facilities from theft, training is available ... personnel using mobile computing

Domain: 07. Access Control | Main security category: 07. Mobile computing and teleworking | Control: 02. Teleworking
Metric: 2. To what degree is teleworking implemented in your organization?
Indicator:
  0 No policy is in place to manage teleworking activities
  1 The policy in place states that teleworking and teleworking activities are only granted after management ... approval
  2 Above, plus suitable communication equipment and methods for secure access are in place
  3 All the above, plus a risk assessment is performed prior to enabling new work permitted, work hours, ... authorization over information and systems/services authorized
  4 All the above, plus there are rules/guidelines for equipment and information and a clear process for r... access rights

Next row (only the control name appears on this page): 01. Security requirements analysis and specification

Remaining tracking columns of the sheet, with no entries on this page apart from a single 0: Previous, Progress, Goal, To Be Fulfilled (Por Cumplir), Description, Status, Evidence, Task Forces, Deliverables (Entregables).
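As an added example (not part of this assessment matrix and not any organization's code), the following Python module implements the behaviour that the indicators for 05.01 Secure log-on procedures (levels 1 to 4) and 05.03 Password management system (levels 2 to 4) describe: a general notice before log-on, a single generic failure message that does not reveal whether the ID or the password was wrong, log-on attempts limited to 3, the last successful log-on and the number of failed attempts since it reported on success, temporary passwords that must be replaced, a history that blocks reuse, and passwords stored only as salted hashes. The names (LogonService, Account), the history depth of 5 and the PBKDF2 iteration count are assumptions of the example; the matrix itself fixes only the attempt limit.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Policy values for this example. The matrix fixes only the attempt limit (3);
# history depth and hashing cost are assumptions chosen here.
MAX_FAILED_ATTEMPTS = 3        # 05.01 level 2: log-on attempts limited to 3
PASSWORD_HISTORY_DEPTH = 5     # 05.03 level 3: record of previous passwords (depth assumed)
PBKDF2_ITERATIONS = 100_000    # 05.03 level 4: passwords stored hashed, never in clear
LOGON_NOTICE = "Authorised users only."   # 05.01 level 1: general notice shown before log-on
GENERIC_FAILURE = "Log-on failed."        # 05.01 level 2: nothing that helps an unauthorized user


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) so the clear password is never kept."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored (salt, digest)."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


@dataclass
class Account:
    user_id: str                       # one unique ID per user (05.02 level 1)
    salt: bytes
    digest: bytes
    must_change: bool = True           # registered with a temporary password (05.03 level 2)
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)   # previous (salt, digest)
    failed_since_last_logon: int = 0   # reported at the next successful log-on (05.01 level 3)
    last_successful_logon: Optional[float] = None
    locked: bool = False


class LogonService:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        # Dummy credential so an unknown ID costs the same hash work as a real one
        # (no timing hint about which IDs exist).
        self._dummy_salt, self._dummy_digest = hash_password(os.urandom(8).hex())

    def register(self, user_id: str, temporary_password: str) -> None:
        salt, digest = hash_password(temporary_password)
        self.accounts[user_id] = Account(user_id, salt, digest)

    def logon(self, user_id: str, password: str) -> dict:
        """Every failure (unknown ID, wrong password, locked account) returns the same message."""
        acct = self.accounts.get(user_id)
        if acct is None or acct.locked:
            matches(password, self._dummy_salt, self._dummy_digest)
            return {"notice": LOGON_NOTICE, "ok": False, "message": GENERIC_FAILURE}
        if not matches(password, acct.salt, acct.digest):
            acct.failed_since_last_logon += 1
            if acct.failed_since_last_logon >= MAX_FAILED_ATTEMPTS:
                acct.locked = True          # third failure locks the ID (05.01 level 2)
            return {"notice": LOGON_NOTICE, "ok": False, "message": GENERIC_FAILURE}
        result = {
            "notice": LOGON_NOTICE,
            "ok": True,
            "last_successful_logon": acct.last_successful_logon,           # 05.01 level 3
            "failed_attempts_since_last_logon": acct.failed_since_last_logon,
            "must_change_password": acct.must_change,                      # 05.03 level 2
        }
        acct.failed_since_last_logon = 0
        acct.last_successful_logon = time.time()
        return result

    def change_password(self, user_id: str, old: str, new: str) -> bool:
        acct = self.accounts.get(user_id)
        if acct is None or acct.locked or not matches(old, acct.salt, acct.digest):
            return False
        # 05.03 level 3: reject the current password and anything still in the history.
        for salt, digest in [(acct.salt, acct.digest)] + acct.history:
            if matches(new, salt, digest):
                return False
        acct.history = ([(acct.salt, acct.digest)] + acct.history)[:PASSWORD_HISTORY_DEPTH]
        acct.salt, acct.digest = hash_password(new)
        acct.must_change = False
        return True
```

Unlocking an ID after the third failure, and protecting the password in transit (the other half of 05.01 level 4), are left to the surrounding system; the matrix requires that they exist but says nothing about how. Keeping the hashed credentials in a store separate from application data (05.03 level 4) is likewise a deployment decision outside this module.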
