External Entity Security Assessment Report Template



<EXTERNAL ENTITY NAME>
Contract #: <TEXAS HHS CONTRACT NUMBER>
<SYSTEM NAME>
<ASSESSMENT DATE>

Security Assessment Report

<Instructions: Fill in all sections that have a bracket <> surrounding the text. All sections with a <> should be completed and the <> portions deleted prior to the Security Assessment Report being submitted to Texas HHS.>

EXECUTIVE SUMMARY

A security assessment for <System Name>, herein referred to as the information system, was completed on <Assessment Date>. The purpose of this report is to provide a holistic summary of the risks that affect the confidentiality, integrity and availability of the information system and the Texas HHS data that the information system creates, receives, processes, maintains, stores, or transmits.

Security Assessment Report

The intent of the Security Assessment Report is to identify the current level of risk the information system poses to Texas HHS data. This report details the information system's compliance with the applicable Texas HHS security controls required by the security baseline as defined in the contract and detailed in the Texas HHS publication, Information Security Controls (IS-Controls).

<Delete the below if not applicable>
This security assessment is an update to the previous security assessment conducted on <Assessment Date>.

Information System Security Baseline

The information system security baseline, as defined in the contract, is:

Baseline: <List only one: Low, Low Plus, Moderate, High>
Overlay: <List zero or more: MARS-E, CJIS, IRS, SSA, FERPA, VA Mod, Select Agent, NCHHSTP, HIPAA, SPI, Web & Mobile>

<See the contract for the applicable baselines and overlays. If these are unknown, contact the Texas HHS contract manager. Only Texas HHS can establish the applicable baselines.>

Information System Description

<Provide a high-level overview of the information system being assessed. Describe the business purpose, the types of Texas HHS data it receives, and what it does with the Texas HHS data.>

Security Assessor

<Fill in the contact information below>
This assessment was conducted by:
Assessor Company:
Assessor Name:
Assessor Phone Number:
Assessor Email:
Assessor Address:

<The following paragraph may be deleted if the system has a Low or Low Plus baseline>
The security assessor meets the impartiality requirement stipulated in IS-Controls CA-02(01), Independent Assessors, and has no operational responsibility for the system being assessed.

Security Assessment Methodology

The overall framework used for this security assessment is found in the Texas HHS IS-Controls. <List any other assessment methodologies used to conduct the assessment>

Summary of Security Assessment Results

The following was identified during the security assessment:

Number of Security Controls Required per Baseline/Overlays: <NUMBER>
Number of Security Controls Assessed: <NUMBER>
Number of Security Controls Not in Place: <NUMBER>
Number of Security Controls In Place: <NUMBER>
Number of Not-in-Place Controls in Previous Assessment: <NUMBER OR N/A>
Number of Newly Identified Not-in-Place Security Controls: <NUMBER>

RESULTS

The security assessment identified <Input Number of Controls Not in Place> security controls out of <List Total Number of Controls the System Must Comply With> that were non-compliant with IS-Controls requirements.

List of Non-Compliant Controls

The following security controls were identified as non-compliant. Each non-compliant security control identifies the assessment methodology used to assess the non-compliance and whether the security control failed the previous assessment. The assessment methodologies are:

E: Examine
I: Interview
T: Test

See IS-Controls section 2.4.2 and NIST SP 800-53A Rev. 4 for further information on security assessments.

<Copy and paste the table below for each security control identified as non-compliant. The Control ID is the IS-Controls ID (e.g., AC-01) and the corresponding control name. For each control assessed, enter an X in the table below to indicate the assessment methodology performed. If any of the security controls failed the previous assessment, mark Previously Failed Control as "Yes"; otherwise select "No".>

Control | Control Name | E | I | T | Previously Failed Control
<Control ID> | <Control Name> |   |   |   | Choose an item.
Finding: <Explain why the security control is non-compliant>

Non-Compliance Update

The following security controls were identified as non-compliant within the security assessment conducted on <date of last assessment>. The following list details their current status.

<List only the controls that were previously non-compliant and their current status as either changed to "In Place" or left as "Not in Place". If this is the first assessment, state that and delete the table below.>

Control | Control Name | Previous Assessment | Current Assessment
<Control ID> | <Control Name> | Not In Place | Choose an item.

Appendix A: Comprehensive List of Security Controls Assessed

<Delete all controls that do not apply to the information system based on the security baselines and overlays as identified in the contract. See IS-Controls and the applicable security baselines for the list of required security controls. For each control assessed, enter an X for the type of assessment methodology used under Examine (E), Interview (I), and/or Test (T). Additionally, for any control assessed, indicate the implementation status of the control as either:
In Place
Not in Place>

Control | Control Name | E | I | T | Status
AC-01 | Access Control Policy And Procedures |   |   |   | Choose an item.
AC-02 | Account Management |   |   |   | Choose an item.
AC-02(01) | Automated System Account Management |   |   |   | Choose an item.
AC-02(02) | Removal Of Temporary / Emergency Accounts |   |   |   | Choose an item.
AC-02(03) | Disable Inactive Accounts |   |   |   | Choose an item.
AC-02(04) | Automated Audit Actions |   |   |   | Choose an item.
AC-02(07) | Role-Based Schemes |   |   |   | Choose an item.
AC-03 | Access Enforcement |   |   |   | Choose an item.
AC-03(03) | Mandatory Access Control |   |   |   | Choose an item.
AC-03(04) | Discretionary Access Control |   |   |   | Choose an item.
AC-03(09) | Controlled Release |   |   |   | Choose an item.
AC-04 | Information Flow Enforcement |   |   |   | Choose an item.
AC-05 | Separation Of Duties |   |   |   | Choose an item.
AC-06 | Least Privilege |   |   |   | Choose an item.
AC-06(01) | Authorize Access To Security Functions |   |   |   | Choose an item.
AC-06(02) | Non-Privileged Access For Nonsecurity Functions |   |   |   | Choose an item.
AC-06(05) | Privileged Accounts |   |   |   | Choose an item.
AC-06(09) | Auditing Use Of Privileged Functions |   |   |   | Choose an item.
AC-06(10) | Prohibit Non-Privileged Users From Executing Privileged Functions |   |   |   | Choose an item.
AC-07 | Unsuccessful Logon Attempts |   |   |   | Choose an item.
AC-07(02) | Purge / Wipe Mobile Device |   |   |   | Choose an item.
AC-08 | System Use Notification |   |   |   | Choose an item.
AC-09 | Previous Logon (Access) Notification |   |   |   | Choose an item.
AC-10 | Concurrent Session Control |   |   |   | Choose an item.
AC-11 | Session Lock |   |   |   | Choose an item.
AC-11(01) | Pattern-Hiding Displays |   |   |   | Choose an item.
AC-12 | Session Termination |   |   |   | Choose an item.
AC-12(01) | User-Initiated Logouts / Message Displays |   |   |   | Choose an item.
AC-14 | Permitted Actions Without Identification Or Authentication |   |   |   | Choose an item.
AC-16 | Security Attributes |   |   |   | Choose an item.
AC-17 | Remote Access |   |   |   | Choose an item.
AC-17(01) | Automated Monitoring / Control |   |   |   | Choose an item.
AC-17(02) | Protection Of Confidentiality / Integrity Using Encryption |   |   |   | Choose an item.
AC-17(03) | Managed Access Control Points |   |   |   | Choose an item.
AC-17(04) | Privileged Commands / Access |   |   |   | Choose an item.
AC-17(06) | Protection Of Information |   |   |   | Choose an item.
AC-18 | Wireless Access |   |   |   | Choose an item.
AC-18(01) | Authentication And Encryption |   |   |   | Choose an item.
AC-18(05) | Antennas / Transmission Power Levels |   |   |   | Choose an item.
AC-19 | Access Control For Mobile Devices |   |   |   | Choose an item.
AC-19(05) | Full Device / Container-Based Encryption |   |   |   | Choose an item.
AC-20 | Use Of External Information Systems |   |   |   | Choose an item.
AC-20(01) | Limits On Authorized Use |   |   |   | Choose an item.
AC-20(02) | Portable Storage Devices |   |   |   | Choose an item.
AC-20(03) | Non-Organizationally Owned Systems / Components / Devices |   |   |   | Choose an item.
AC-21 | Information Sharing |   |   |   | Choose an item.
AC-22 | Publicly Accessible Content |   |   |   | Choose an item.
AC-23 | Data Mining Protection |   |   |   | Choose an item.
AT-01 | Security Awareness And Training Policy And Procedures |   |   |   | Choose an item.
AT-02 | Security Awareness Training |   |   |   | Choose an item.
AT-02(02) | Insider Threat |   |   |   | Choose an item.
AT-03 | Role-Based Security Training |   |   |   | Choose an item.
AT-04 | Security Training Records |   |   |   | Choose an item.
AU-01 | Audit And Accountability Policy And Procedures |   |   |   | Choose an item.
AU-02 | Audit Events |   |   |   | Choose an item.
AU-02(03) | Reviews And Updates |   |   |   | Choose an item.
AU-03 | Content Of Audit Records |   |   |   | Choose an item.
AU-03(01) | Additional Audit Information |   |   |   | Choose an item.
AU-04 | Audit Storage Capacity |   |   |   | Choose an item.
AU-05 | Response To Audit Processing Failures |   |   |   | Choose an item.
AU-05(01) | Audit Storage Capacity |   |   |   | Choose an item.
AU-05(02) | Real-Time Alerts |   |   |   | Choose an item.
AU-06 | Audit Review, Analysis, And Reporting |   |   |   | Choose an item.
AU-06(01) | Process Integration |   |   |   | Choose an item.
AU-06(03) | Correlate Audit Repositories |   |   |   | Choose an item.
AU-07 | Audit Reduction And Report Generation |   |   |   | Choose an item.
AU-07(01) | Automatic Processing |   |   |   | Choose an item.
AU-08 | Time Stamps |   |   |   | Choose an item.
AU-08(01) | Synchronization With Authoritative Time Source |   |   |   | Choose an item.
AU-09 | Protection Of Audit Information |   |   |   | Choose an item.
AU-09(02) | Audit Backup On Separate Physical Systems / Components |   |   |   | Choose an item.
AU-09(04) | Access By Subset Of Privileged Users |   |   |   | Choose an item.
AU-10 | Non-Repudiation |   |   |   | Choose an item.
AU-11 | Audit Record Retention |   |   |   | Choose an item.
AU-12 | Audit Generation |   |   |   | Choose an item.
AU-12(01) | System-Wide / Time-Correlated Audit Trail |   |   |   | Choose an item.
AU-13 | Monitoring For Information Disclosure |   |   |   | Choose an item.
AU-16 | Cross-Organizational Auditing |   |   |   | Choose an item.
CA-01 | Security Assessment And Authorization Policy And Procedures |   |   |   | Choose an item.
CA-02 | Security Assessments |   |   |   | Choose an item.
CA-02(01) | Independent Assessors |   |   |   | Choose an item.
CA-03 | System Interconnections |   |   |   | Choose an item.
CA-03(01) | Unclassified National Security System Connections |   |   |   | Choose an item.
CA-03(02) | Classified National Security System Connections |   |   |   | Choose an item.
CA-03(05) | Restrictions On External System Connections |   |   |   | Choose an item.
CA-05 | Plan Of Action And Milestones |   |   |   | Choose an item.
CA-05(01) | Automation Support For Accuracy / Currency |   |   |   | Choose an item.
CA-06 | Security Authorization |   |   |   | Choose an item.
CA-07 | Continuous Monitoring |   |   |   | Choose an item.
CA-07(01) | Independent Assessment |   |   |   | Choose an item.
CA-08 | Penetration Testing |   |   |   | Choose an item.
CA-09 | Internal System Connections |   |   |   | Choose an item.
CM-01 | Configuration Management Policy And Procedures |   |   |   | Choose an item.
CM-02 | Baseline Configuration |   |   |   | Choose an item.
CM-02(01) | Reviews And Updates |   |   |   | Choose an item.
CM-02(03) | Retention Of Previous Configurations |   |   |   | Choose an item.
CM-02(07) | Configure Systems, Components, Or Devices For High-Risk Areas |   |   |   | Choose an item.
CM-03 | Configuration Change Control |   |   |   | Choose an item.
CM-03(01) | Automated Document / Notification / Prohibition Of Changes |   |   |   | Choose an item.
CM-03(02) | Test / Validate / Document Changes |   |   |   | Choose an item.
CM-03(04) | Security Representative |   |   |   | Choose an item.
CM-04 | Security Impact Analysis |   |   |   | Choose an item.
CM-04(01) | Separate Test Environments |   |   |   | Choose an item.
CM-04(02) | Verification Of Security Functions |   |   |   | Choose an item.
CM-05 | Access Restrictions For Change |   |   |   | Choose an item.
CM-05(01) | Automated Access Enforcement / Auditing |   |   |   | Choose an item.
CM-05(02) | Review System Changes |   |   |   | Choose an item.
CM-05(05) | Limit Production / Operational Privileges |   |   |   | Choose an item.
CM-05(06) | Limit Library Privileges |   |   |   | Choose an item.
CM-06 | Configuration Settings |   |   |   | Choose an item.
CM-06(01) | Automated Central Management / Application / Verification |   |   |   | Choose an item.
CM-07 | Least Functionality |   |   |   | Choose an item.
CM-07(01) | Periodic Review |   |   |   | Choose an item.
CM-07(02) | Prevent Program Execution |   |   |   | Choose an item.
CM-07(03) | Registration Compliance |   |   |   | Choose an item.
CM-07(04) | Unauthorized Software / Blacklisting |   |   |   | Choose an item.
CM-07(05) | Authorized Software / Whitelisting |   |   |   | Choose an item.
CM-08 | Information System Component Inventory |   |   |   | Choose an item.
CM-08(01) | Updates During Installations / Removals |   |   |   | Choose an item.
CM-08(03) | Automated Unauthorized Component Detection |   |   |   | Choose an item.
CM-08(05) | No Duplicate Accounting Of Components |   |   |   | Choose an item.
CM-09 | Configuration Management Plan |   |   |   | Choose an item.
CM-10 | Software Usage Restrictions |   |   |   | Choose an item.
CM-10(01) | Open Source Software |   |   |   | Choose an item.
CM-11 | User-Installed Software |   |   |   | Choose an item.
CP-01 | Contingency Planning Policy And Procedures |   |   |   | Choose an item.
CP-02 | Contingency Plan |   |   |   | Choose an item.
CP-02(01) | Coordinate With Related Plans |   |   |   | Choose an item.
CP-02(02) | Capacity Planning |   |   |   | Choose an item.
CP-02(03) | Resume Essential Missions / Business Functions |   |   |   | Choose an item.
CP-02(05) | Continue Essential Missions / Business Functions |   |   |   | Choose an item.
CP-02(08) | Identify Critical Assets |   |   |   | Choose an item.
CP-03 | Contingency Training |   |   |   | Choose an item.
CP-04 | Contingency Plan Testing |   |   |   | Choose an item.
CP-04(01) | Coordinate With Related Plans |   |   |   | Choose an item.
CP-06 | Alternate Storage Site |   |   |   | Choose an item.
CP-06(01) | Separation From Primary Site |   |   |   | Choose an item.
CP-06(03) | Accessibility |   |   |   | Choose an item.
CP-07 | Alternate Processing Site |   |   |   | Choose an item.
CP-07(01) | Separation From Primary Site |   |   |   | Choose an item.
CP-07(02) | Accessibility |   |   |   | Choose an item.
CP-07(03) | Priority Of Service |   |   |   | Choose an item.
CP-08 | Telecommunications Services |   |   |   | Choose an item.
CP-08(01) | Priority Of Service Provisions |   |   |   | Choose an item.
CP-08(02) | Single Points Of Failure |   |   |   | Choose an item.
CP-09 | Information System Backup |   |   |   | Choose an item.
CP-09(01) | Testing For Reliability / Integrity |   |   |   | Choose an item.
CP-10 | Information System Recovery And Reconstitution |   |   |   | Choose an item.
CP-10(02) | Transaction Recovery |   |   |   | Choose an item.
CP-11 | Alternate Communications Protocols |   |   |   | Choose an item.
IA-01 | Identification And Authentication Policy And Procedures |   |   |   | Choose an item.
IA-02 | Identification And Authentication (Organizational Users) |   |   |   | Choose an item.
IA-02(01) | Network Access To Privileged Accounts |   |   |   | Choose an item.
IA-02(02) | Network Access To Non-Privileged Accounts |   |   |   | Choose an item.
IA-02(03) | Local Access To Privileged Accounts |   |   |   | Choose an item.
IA-02(04) | Local Access To Non-Privileged Accounts |   |   |   | Choose an item.
IA-02(05) | Group Authentication |   |   |   | Choose an item.
IA-02(08) | Network Access To Privileged Accounts - Replay Resistant |   |   |   | Choose an item.
IA-02(09) | Network Access To Non-Privileged Accounts - Replay Resistant |   |   |   | Choose an item.
IA-02(11) | Remote Access - Separate Device |   |   |   | Choose an item.
IA-02(12) | Acceptance Of PIV Credentials |   |   |   | Choose an item.
IA-02(13) | Out-Of-Band Authentication |   |   |   | Choose an item.
IA-03 | Device Identification And Authentication |   |   |   | Choose an item.
IA-03(01) | Cryptographic Bidirectional Authentication |   |   |   | Choose an item.
IA-03(04) | Device Attestation |   |   |   | Choose an item.
IA-04 | Identifier Management |   |   |   | Choose an item.
IA-04(02) | Supervisor Authorization |   |   |   | Choose an item.
IA-04(04) | Identify User Status |   |   |   | Choose an item.
IA-05 | Authenticator Management |   |   |   | Choose an item.
IA-05(01) | Password-Based Authentication |   |   |   | Choose an item.
IA-05(02) | PKI-Based Authentication |   |   |   | Choose an item.
IA-05(03) | In-Person Or Trusted Third-Party Registration |   |   |   | Choose an item.
IA-05(05) | Change Authenticators Prior To Delivery |   |   |   | Choose an item.
IA-05(06) | Protection Of Authenticators |   |   |   | Choose an item.
IA-05(07) | No Embedded Unencrypted Static Authenticators |   |   |   | Choose an item.
IA-05(08) | Multiple Information System Accounts |   |   |   | Choose an item.
IA-05(11) | Hardware Token-Based Authentication |   |   |   | Choose an item.
IA-06 | Authenticator Feedback |   |   |   | Choose an item.
IA-07 | Cryptographic Module Authentication |   |   |   | Choose an item.
IA-08 | Identification And Authentication (Non-Organizational Users) |   |   |   | Choose an item.
IA-08(01) | Acceptance Of PIV Credentials From Other Agencies |   |   |   | Choose an item.
IA-08(02) | Acceptance Of Third-Party Credentials |   |   |   | Choose an item.
IA-08(03) | Use Of FICAM-Approved Products |   |   |   | Choose an item.
IA-08(04) | Use Of FICAM-Issued Profiles |   |   |   | Choose an item.
IR-01 | Incident Response Policy And Procedures |   |   |   | Choose an item.
IR-02 | Incident Response Training |   |   |   | Choose an item.
IR-03 | Incident Response Testing |   |   |   | Choose an item.
IR-03(02) | Coordination With Related Plans |   |   |   | Choose an item.
IR-04 | Incident Handling |   |   |   | Choose an item.
IR-04(01) | Automated Incident Handling Processes |   |   |   | Choose an item.
IR-04(03) | Continuity Of Operations |   |   |   | Choose an item.
IR-04(04) | Information Correlation |   |   |   | Choose an item.
IR-05 | Incident Monitoring |   |   |   | Choose an item.
IR-06 | Incident Reporting |   |   |   | Choose an item.
IR-06(01) | Automated Reporting |   |   |   | Choose an item.
IR-06(02) | Vulnerabilities Related To Incidents |   |   |   | Choose an item.
IR-07 | Incident Response Assistance |   |   |   | Choose an item.
IR-07(01) | Automation Support For Availability Of Information / Support |   |   |   | Choose an item.
IR-07(02) | Coordination With External Providers |   |   |   | Choose an item.
IR-08 | Incident Response Plan |   |   |   | Choose an item.
IR-09 | Information Spillage Response |   |   |   | Choose an item.
MA-01 | System Maintenance Policy And Procedures |   |   |   | Choose an item.
MA-02 | Controlled Maintenance |   |   |   | Choose an item.
MA-03 | Maintenance Tools |   |   |   | Choose an item.
MA-03(01) | Inspect Tools |   |   |   | Choose an item.
MA-03(02) | Inspect Media |   |   |   | Choose an item.
MA-03(03) | Prevent Unauthorized Removal |   |   |   | Choose an item.
MA-04 | Nonlocal Maintenance |   |   |   | Choose an item.
MA-04(01) | Auditing And Review |   |   |   | Choose an item.
MA-04(02) | Document Nonlocal Maintenance |   |   |   | Choose an item.
MA-04(03) | Comparable Security / Sanitization |   |   |   | Choose an item.
MA-04(06) | Cryptographic Protection |   |   |   | Choose an item.
MA-04(07) | Remote Disconnect Verification |   |   |   | Choose an item.
MA-05 | Maintenance Personnel |   |   |   | Choose an item.
MA-05(04) | Foreign Nationals |   |   |   | Choose an item.
MA-06 | Timely Maintenance |   |   |   | Choose an item.
MP-01 | Media Protection Policy And Procedures |   |   |   | Choose an item.
MP-02 | Media Access |   |   |   | Choose an item.
MP-03 | Media Marking |   |   |   | Choose an item.
MP-04 | Media Storage |   |   |   | Choose an item.
MP-05 | Media Transport |   |   |   | Choose an item.
MP-05(04) | Cryptographic Protection |   |   |   | Choose an item.
MP-06 | Media Sanitization |   |   |   | Choose an item.
MP-06(01) | Review / Approve / Track / Document / Verify |   |   |   | Choose an item.
MP-06(02) | Equipment Testing |   |   |   | Choose an item.
MP-06(03) | Nondestructive Techniques |   |   |   | Choose an item.
MP-07 | Media Use |   |   |   | Choose an item.
MP-07(01) | Prohibit Use Without Owner |   |   |   | Choose an item.
MP-CMS-01 | Media Related Records |   |   |   | Choose an item.
PE-01 | Physical And Environmental Protection Policy And Procedures |   |   |   | Choose an item.
PE-02 | Physical Access Authorizations |   |   |   | Choose an item.
PE-02(01) | Access By Position / Role |   |   |   | Choose an item.
PE-02(03) | Restrict Unescorted Access |   |   |   | Choose an item.
PE-03 | Physical Access Control |   |   |   | Choose an item.
PE-03(02) | Facility / Information System Boundaries |   |   |   | Choose an item.
PE-03(03) | Continuous Guards / Alarms / Monitoring |   |   |   | Choose an item.
PE-04 | Access Control For Transmission Medium |   |   |   | Choose an item.
PE-05 | Access Control For Output Devices |   |   |   | Choose an item.
PE-06 | Monitoring Physical Access |   |   |   | Choose an item.
PE-06(01) | Intrusion Alarms / Surveillance Equipment |   |   |   | Choose an item.
PE-08 | Visitor Access Records |   |   |   | Choose an item.
PE-09 | Power Equipment And Cabling |   |   |   | Choose an item.
PE-10 | Emergency Shutoff |   |   |   | Choose an item.
PE-11 | Emergency Power |   |   |   | Choose an item.
PE-12 | Emergency Lighting |   |   |   | Choose an item.
PE-13 | Fire Protection |   |   |   | Choose an item.
PE-13(01) | Detection Devices / Systems |   |   |   | Choose an item.
PE-13(02) | Suppression Devices / Systems |   |   |   | Choose an item.
PE-13(03) | Automatic Fire Suppression |   |   |   | Choose an item.
PE-14 | Temperature And Humidity Controls |   |   |   | Choose an item.
PE-15 | Water Damage Protection |   |   |   | Choose an item.
PE-16 | Delivery And Removal |   |   |   | Choose an item.
PE-17 | Alternate Work Site |   |   |   | Choose an item.
PE-18 | Location Of Information System Components |   |   |   | Choose an item.
PE-18(01) | Facility Site |   |   |   | Choose an item.
PE-19 | Information Leakage |   |   |   | Choose an item.
PE-20 | Asset Monitoring And Tracking |   |   |   | Choose an item.
PL-01 | Security Planning Policy And Procedures |   |   |   | Choose an item.
PL-02 | System Security Plan |   |   |   | Choose an item.
PL-02(03) | Plan / Coordinate With Other Organizational Entities |   |   |   | Choose an item.
PL-04 | Rules Of Behavior |   |   |   | Choose an item.
PL-04(01) | Social Media And Networking Restrictions |   |   |   | Choose an item.
PL-07 | Security Concept Of Operations |   |   |   | Choose an item.
PL-08 | Information Security Architecture |   |   |   | Choose an item.
PL-09 | Central Management |   |   |   | Choose an item.
PS-01 | Personnel Security Policy And Procedures |   |   |   | Choose an item.
PS-02 | Position Risk Designation |   |   |   | Choose an item.
PS-03 | Personnel Screening |   |   |   | Choose an item.
PS-03(01) | Classified Information |   |   |   | Choose an item.
PS-03(02) | Formal Indoctrination |   |   |   | Choose an item.
PS-03(03) | Information With Special Protection Measures |   |   |   | Choose an item.
PS-04 | Personnel Termination |   |   |   | Choose an item.
PS-05 | Personnel Transfer |   |   |   | Choose an item.
PS-06 | Access Agreements |   |   |   | Choose an item.
PS-06(02) | Classified Information Requiring Special Protection |   |   |   | Choose an item.
PS-07 | Third-Party Personnel Security |   |   |   | Choose an item.
PS-08 | Personnel Sanctions |   |   |   | Choose an item.
RA-01 | Risk Assessment Policy And Procedures |   |   |   | Choose an item.
RA-02 | Security Categorization |   |   |   | Choose an item.
RA-03 | Risk Assessment |   |   |   | Choose an item.
RA-05 | Vulnerability Scanning |   |   |   | Choose an item.
RA-05(01) | Update Tool Capability |   |   |   | Choose an item.
RA-05(02) | Update By Frequency / Prior To New Scan / When Identified |   |   |   | Choose an item.
RA-05(03) | Breadth / Depth Of Coverage |   |   |   | Choose an item.
RA-05(05) | Privileged Access |   |   |   | Choose an item.
SA-01 | System And Services Acquisition Policy And Procedures |   |   |   | Choose an item.
SA-02 | Allocation Of Resources |   |   |   | Choose an item.
SA-03 | System Development Life Cycle |   |   |   | Choose an item.
SA-04 | Acquisition Process |   |   |   | Choose an item.
SA-04(01) | Functional Properties Of Security Controls |   |   |   | Choose an item.
SA-04(02) | Design / Implementation Information For Security Controls |   |   |   | Choose an item.
SA-04(09) | Functions / Ports / Protocols / Services In Use |   |   |   | Choose an item.
SA-04(10) | Use Of Approved PIV Products |   |   |   | Choose an item.
SA-05 | Information System Documentation |   |   |   | Choose an item.
SA-08 | Security Engineering Principles |   |   |   | Choose an item.
SA-09 | External Information System Services |   |   |   | Choose an item.
SA-09(01) | Risk Assessments / Organizational Approvals |   |   |   | Choose an item.
SA-09(02) | Identification Of Functions / Ports / Protocols / Services |   |   |   | Choose an item.
SA-09(05) | Processing, Storage, And Service Location |   |   |   | Choose an item.
SA-10 | Developer Configuration Management |   |   |   | Choose an item.
SA-11 | Developer Security Testing And Evaluation |   |   |   | Choose an item.
SA-11(01) | Static Code Analysis |   |   |   | Choose an item.
SA-11(02) | Threat And Vulnerability Analyses |   |   |   | Choose an item.
SA-11(05) | Penetration Testing |   |   |   | Choose an item.
SA-11(08) | Dynamic Code Analysis |   |   |   | Choose an item.
SA-12 | Supply Chain Protection |   |   |   | Choose an item.
SA-12(02) | Supplier Reviews |   |   |   | Choose an item.
SA-14 | Criticality Analysis |   |   |   | Choose an item.
SA-15 | Development Process, Standards, And Tools |   |   |   | Choose an item.
SA-17 | Developer Security Architecture And Design |   |   |   | Choose an item.
SA-22 | Unsupported System Components |   |   |   | Choose an item.
SC-01 | System And Communications Protection Policy And Procedures |   |   |   | Choose an item.
SC-02 | Application Partitioning |   |   |   | Choose an item.
SC-02(01) | Interfaces For Non-Privileged Users |   |   |   | Choose an item.
SC-03 | Security Function Isolation |   |   |   | Choose an item.
SC-04 | Information In Shared Resources |   |   |   | Choose an item.
SC-05 | Denial Of Service Protection |   |   |   | Choose an item.
SC-05(01) | Restrict Internal Users |   |   |   | Choose an item.
SC-05(02) | Excess Capacity / Bandwidth / Redundancy |   |   |   | Choose an item.
SC-05(03) | Detection / Monitoring |   |   |   | Choose an item.
SC-06 | Resource Availability |   |   |   | Choose an item.
SC-07 | Boundary Protection |   |   |   | Choose an item.
SC-07(03) | Access Points |   |   |   | Choose an item.
SC-07(04) | External Telecommunications Services |   |   |   | Choose an item.
SC-07(05) | Deny By Default / Allow By Exception |   |   |   | Choose an item.
SC-07(07) | Prevent Split Tunneling For Remote Devices |   |   |   | Choose an item.
SC-07(08) | Route Traffic To Authenticated Proxy Servers |   |   |   | Choose an item.
SC-07(11) | Restrict Incoming Communications Traffic |   |   |   | Choose an item.
SC-07(12) | Host-Based Protection |   |   |   | Choose an item.
SC-07(13) | Isolation Of Security Tools / Mechanisms / Support Components |   |   |   | Choose an item.
SC-07(14) | Protects Against Unauthorized Physical Connections |   |   |   | Choose an item.
SC-07(18) | Fail Secure |   |   |   | Choose an item.
SC-07(19) | Blocks Communication From Non-Organizationally Configured Hosts |   |   |   | Choose an item.
SC-08 | Transmission Confidentiality And Integrity |   |   |   | Choose an item.
SC-08(01) | Cryptographic Or Alternate Physical Protection |   |   |   | Choose an item.
SC-08(02) | Pre / Post Transmission Handling |   |   |   | Choose an item.
SC-10 | Network Disconnect |   |   |   | Choose an item.
SC-11 | Trusted Path |   |   |   | Choose an item.
SC-12 | Cryptographic Key Establishment And Management |   |   |   | Choose an item.
SC-12(01) | Availability |   |   |   | Choose an item.
SC-12(02) | Symmetric Keys |   |   |   | Choose an item.
SC-12(03) | Asymmetric Keys |   |   |   | Choose an item.
SC-13 | Cryptographic Protection |   |   |   | Choose an item.
SC-15 | Collaborative Computing Devices |   |   |   | Choose an item.
SC-15(01) | Physical Disconnect |   |   |   | Choose an item.
SC-16 | Transmission Of Security Attributes |   |   |   | Choose an item.
SC-16(01) | Integrity Validation |   |   |   | Choose an item.
SC-17 | Public Key Infrastructure Certificates |   |   |   | Choose an item.
SC-18 | Mobile Code |   |   |   | Choose an item.
SC-18(01) | Identify Unacceptable Code / Take Corrective Actions |   |   |   | Choose an item.
SC-18(02) | Acquisition / Development / Use |   |   |   | Choose an item.
SC-18(03) | Prevent Downloading / Execution |   |   |   | Choose an item.
SC-18(04) | Prevent Automatic Execution |   |   |   | Choose an item.
SC-19 | Voice Over Internet Protocol |   |   |   | Choose an item.
SC-20 | Secure Name / Address Resolution Service (Authoritative Source) |   |   |   | Choose an item.
SC-21 | Secure Name / Address Resolution Service (Recursive Or Caching Resolver) |   |   |   | Choose an item.
SC-22 | Architecture And Provisioning For Name / Address Resolution Service |   |   |   | Choose an item.
SC-23 | Session Authenticity |   |   |   | Choose an item.
SC-23(01) | Invalidate Session Identifiers At Logout |   |   |   | Choose an item.
SC-23(03) | Unique Session Identifiers With Randomization |   |   |   | Choose an item.
SC-24 | Fail In Known State |   |   |   | Choose an item.
SC-28 | Protection Of Information At Rest |   |   |   | Choose an item.
SC-28(01) | Cryptographic Protection |   |   |   | Choose an item.
SC-31 | Covert Channel Analysis |   |   |   | Choose an item.
SC-32 | Information System Partitioning |   |   |   | Choose an item.
SC-36 | Distributed Processing And Storage |   |   |   | Choose an item.
SC-37 | Out-Of-Band Channels |   |   |   | Choose an item.
SC-37(01) | Ensure Delivery / Transmission |   |   |   | Choose an item.
SC-38 | Operations Security |   |   |   | Choose an item.
SC-39 | Process Isolation |   |   |   | Choose an item.
SC-40 | Wireless Link Protection |   |   |   | Choose an item.
SC-43 | Usage Restrictions |   |   |   | Choose an item.
SC-44 | Detonation Chambers |   |   |   | Choose an item.
SC-ACA-01 | Electronic Mail |   |   |   | Choose an item.
SC-ACA-02 | Fax Usage |   |   |   | Choose an item.
SI-01 | System And Information Integrity Policy And Procedures |   |   |   | Choose an item.
SI-02 | Flaw Remediation |   |   |   | Choose an item.
SI-02(01) | Central Management |   |   |   | Choose an item.
SI-02(02) | Automated Flaw Remediation Status |   |   |   | Choose an item.
SI-02(03) | Time To Remediate Flaws / Benchmarks For Corrective Actions |   |   |   | Choose an item.
SI-03 | Malicious Code Protection |   |   |   | Choose an item.
SI-03(01) | Central Management |   |   |   | Choose an item.
SI-03(02) | Automatic Updates |   |   |   | Choose an item.
SI-04 | Information System Monitoring |   |   |   | Choose an item.
SI-04(01) | System-Wide Intrusion Detection System |   |   |   | Choose an item.
SI-04(02) | Automated Tools For Real-Time Analysis |   |   |   | Choose an item.
SI-04(04) | Inbound And Outbound Communications Traffic |   |   |   | Choose an item.
SI-04(05) | System-Generated Alerts |   |   |   | Choose an item.
SI-04(07) | Automated Response To Suspicious Events |   |   |   | Choose an item.
SI-04(09) | Testing Of Monitoring Tools |   |   |   | Choose an item.
SI-04(11) | Analyze Communications Traffic Anomalies |   |   |   | Choose an item.
SI-04(12) | Automated Alerts |   |   |   | Choose an item.
SI-04(14) | Wireless Intrusion Detection |   |   |   | Choose an item.
SI-04(15) | Wireless To Wireline Communications |   |   |   | Choose an item.
SI-04(23) | Host-Based Devices |   |   |   | Choose an item.
SI-05 | Security Alerts, Advisories, And Directives |   |   |   | Choose an item.
SI-05(01) | Automated Alerts And Advisories |   |   |   | Choose an item.
SI-06 | Security Function Verification |   |   |   | Choose an item.
SI-07 | Software, Firmware, And Information Integrity |   |   |   | Choose an item.
SI-07(01) | Integrity Checks |   |   |   | Choose an item.
SI-07(07) | Integration Of Detection And Response |   |   |   | Choose an item.
SI-08 | Spam Protection |   |   |   | Choose an item.
SI-08(01) | Central Management |   |   |   | Choose an item.
SI-08(02) | Automatic Updates |   |   |   | Choose an item.
SI-10 | Information Input Validation |   |   |   | Choose an item.
SI-11 | Error Handling |   |   |   | Choose an item.
SI-12 | Information Handling And Retention |   |   |   | Choose an item.
SI-16 | Memory Protection |   |   |   | Choose an item.
PM-01 | Information Security Program Plan |   |   |   | Choose an item.
PM-02 | Senior Information Security Officer |   |   |   | Choose an item.
PM-03 | Information Security Resources |   |   |   | Choose an item.
PM-04 | Plan Of Action And Milestones Process |   |   |   | Choose an item.
PM-05 | Information System Inventory |   |   |   | Choose an item.
PM-06 | Information Security Measures Of Performance |   |   |   | Choose an item.
PM-07 | Enterprise Architecture |   |   |   | Choose an item.
PM-08 | Critical Infrastructure Plan |   |   |   | Choose an item.
PM-09 | Risk Management Strategy |   |   |   | Choose an item.
PM-10 | Security Authorization Process |   |   |   | Choose an item.
PM-11 | Mission/Business Process Definition |   |   |   | Choose an item.
PM-12 | Insider Threat Program |   |   |   | Choose an item.
PM-13 | Information Security Workforce |   |   |   | Choose an item.
PM-14 | Testing, Training, And Monitoring |   |   |   | Choose an item.
PM-15 | Contacts With Security Groups And Associations |   |   |   | Choose an item.
PM-16 | Threat Awareness Program |   |   |   | Choose an item.
AP-01 | Authority To Collect |   |   |   | Choose an item.
AP-02 | Purpose Specification |   |   |   | Choose an item.
AR-01 | Governance And Privacy Program |   |   |   | Choose an item.
AR-02 | Privacy Impact And Risk Assessment |   |   |   | Choose an item.
AR-03 | Privacy Requirements For Contractors And Service Providers |   |   |   | Choose an item.
AR-04 | Privacy Monitoring And Auditing |   |   |   | Choose an item.
AR-05 | Privacy Awareness And Training |   |   |   | Choose an item.
AR-06 | Privacy Reporting |   |   |   | Choose an item.
AR-07 | Privacy-Enhanced System Design And Development |   |   |   | Choose an item.
AR-08 | Accounting Of Disclosures |   |   |   | Choose an item.
DI-01 | Data Quality |   |   |   | Choose an item.
DI-01(01) | Validate PII |   |   |   | Choose an item.
DI-02 | Data Integrity And Data Integrity Board |   |   |   | Choose an item.
DI-02(01) | Publish Agreements On Websites |   |   |   | Choose an item.
DM-01 | Minimization Of Personally Identifiable Information |   |   |   | Choose an item.
DM-01(01) | Minimization Of Personally Identifiable Information |   |   |   | Choose an item.
DM-02 | Data Retention And Disposal |   |   |   | Choose an item.
DM-02(01) | System Configuration |   |   |   | Choose an item.
DM-03 | Minimization Of PII Used In Testing, Training, And Research |   |   |   | Choose an item.
DM-03(01) | Risk Minimization Techniques |   |   |   | Choose an item.
IP-01 | Consent |   |   |   | Choose an item.
IP-01(01) | Mechanisms Supporting Itemized Or Tiered Consent |   |   |   | Choose an item.
IP-02 | Individual Access |   |   |   | Choose an item.
IP-03 | Redress |   |   |   | Choose an item.
IP-04 | Complaint Management |   |   |   | Choose an item.
IP-04(01) | Response Times |   |   |   | Choose an item.
SE-01 | Inventory Of Personally Identifiable Information |   |   |   | Choose an item.
SE-02 | Privacy Incident Response |   |   |   | Choose an item.
TR-01 | Privacy Notice |   |   |   | Choose an item.
TR-01(01) | Real-Time Or Layered Notice |   |   |   | Choose an item.
TR-02 | System Of Records Notices And Privacy Act Statements |   |   |   | Choose an item.
TR-02(01) | Public Website Publication |   |   |   | Choose an item.
TR-03 | Dissemination Of Privacy Program Information |   |   |   | Choose an item.
UL-01 | Internal Use |   |   |   | Choose an item.
UL-02 | Information Sharing With Third Parties |   |   |   | Choose an item.