Top 152 Security Controls Questions to Grow

What is involved in Security control

Find out what the related areas are that Security control connects with, associates with, correlates with or affects, and which require thought, deliberation, analysis, review and discussion. This unique checklist stands out in the sense that it is not per se designed to give answers, but to engage the reader and lay out a Security control thinking-frame.

How far is your company on its Security Controls journey?

Take this short survey to gauge your organization’s progress toward Security Controls leadership. Learn your strongest and weakest areas, and what you can do now to create a strategy that delivers results.

To address the criteria in this checklist for your organization, extensive selected resources are provided for sources of further research and information.

Start the Checklist

Below you will find a quick checklist designed to help you think about which Security control related domains to cover and 152 essential critical questions to check off in that domain.

The following domains are covered:

Security control, Security controls, Access control, CIA Triad, Countermeasure, DoDI 8500.2, Environmental design, Health Insurance Portability and Accountability Act, ISAE 3402, ISO/IEC 27001, Information Assurance, Information security, OSI model, Payment Card Industry Data Security Standard, Physical Security, SSAE 16, Security, Security engineering, Security management, Security risk, Security service:

Security control Critical Criteria:

Check Security control planning and work towards being a leading Security control expert.

– Have we developed a continuous monitoring strategy for the information systems (including monitoring of security control effectiveness for system-specific, hybrid, and common controls) that reflects the organizational Risk Management strategy and organizational commitment to protecting critical missions and business functions?

– Has the IT security cost for any investment/project been integrated into the overall cost (including C&A/re-accreditation, system security plan, risk assessment, privacy impact assessment, configuration/patch management, security control testing and evaluation, and contingency planning/testing)?

– Are there multiple physical security controls (such as badges, escorts, or mantraps) in place that would prevent unauthorized individuals from gaining access to the facility?

– Are regular reviews of the effectiveness of the ISMS (including meeting of ISMS policy and objectives and review of security controls) undertaken?

– Do the security controls encompass not only the cloud services themselves, but also the management interfaces offered to customers?

– Can the cloud service provider demonstrate appropriate security controls applied to their physical infrastructure and facilities?

– What training is provided to personnel that are involved with Cybersecurity control, implementation, and policies?

– Do we have policies and methodologies in place to ensure the appropriate security controls for each application?

– Is the measurement of the effectiveness of the selected security controls or group of controls defined?

– Does the cloud service provider have necessary security controls on their human resources?

– Do we monitor the Security control decisions made and fine tune them as they evolve?

– Do we have sufficient processes in place to enforce security controls and standards?

– Have vendors documented and independently verified their Cybersecurity controls?

– Which Security control goals are the most important?

– What are the known security controls?

Security controls Critical Criteria:

Design Security controls risks and devote time assessing Security controls and its risk.

– For your Security control project, identify and describe the business environment. Is there more than one layer to the business environment?

– Does the cloud service agreement make its responsibilities clear and require specific security controls to be applied to the application?

– What is the total cost related to deploying Security control, including any consulting or professional services?

Access control Critical Criteria:

Deliberate Access control outcomes and gather Access control models.

– Question to cloud provider: Does your platform offer fine-grained access control so that my users can have different roles that do not create conflicts or violate compliance guidelines?

– Are information security policies, including policies for access control, application and system development, operational, network and physical security, formally documented?

– What is the best design framework for a Security control organization now that, in a post-industrial age, the top-down, command-and-control model is no longer relevant?

– Does the provider utilize Network Access Control based enforcement for continuous monitoring of its virtual machine population and virtual machine sprawl prevention?

– Access control: Are there appropriate controls over access to PII when stored in the cloud so that only individuals with a need to know will be able to access it?

– If data need to be secured through access controls (e.g. password-protected network space), how will they be applied?

– Do access control logs contain successful and unsuccessful login attempts and access to audit logs?

– Is the process actually generating measurable improvement in the state of logical access control?

– Access control: Are there appropriate access controls over PII when it is in the cloud?

– Access Control To Program Source Code: Is access to program source code restricted?

– How will you know that the Security control project has been successful?

– What is the direction of flow for which access control is required?

– Should we call it role-based rule-based access control, or RBRBAC?

– What type of advanced access control is supported?

– What access control exists to protect the data?

– What is our role based access control?

– Who determines access controls?

– What is our Security control Strategy?

CIA Triad Critical Criteria:

Discourse CIA Triad issues and work towards being a leading CIA Triad expert.

– What other jobs or tasks affect the performance of the steps in the Security control process?

– How does the organization define, manage, and improve its Security control processes?

– What are the short and long-term Security control goals?

Countermeasure Critical Criteria:

Drive Countermeasure management and know what your objective is.

– What management system can we use to leverage the Security control experience, ideas, and concerns of the people closest to the work to be done?

– Can management personnel recognize the monetary benefit of Security control?

DoDI 8500.2 Critical Criteria:

Have a meeting on DoDI 8500.2 visions and track iterative DoDI 8500.2 results.

– Is there a Security control Communication plan covering who needs to get what information when?

– Meeting the challenge: are missed Security control opportunities costing us money?

– Who will provide the final approval of Security control deliverables?

Environmental design Critical Criteria:

Nurse Environmental design failures and research ways we can become the Environmental design company that would put us out of business.

– How do we Lead with Security control in Mind?

Health Insurance Portability and Accountability Act Critical Criteria:

Talk about Health Insurance Portability and Accountability Act decisions and innovate what needs to be done with Health Insurance Portability and Accountability Act.

– Where do ideas that reach policy makers and planners as proposals for Security control strengthening and reform actually originate?

– Who will be responsible for documenting the Security control requirements in detail?

– Are there recognized Security control problems?

ISAE 3402 Critical Criteria:

Meet over ISAE 3402 decisions and adjust implementation of ISAE 3402.

– Is the scope of Security control defined?

ISO/IEC 27001 Critical Criteria:

Analyze ISO/IEC 27001 quality and gather practices for scaling ISO/IEC 27001.

– Marketing budgets are tighter, consumers are more skeptical, and social media has changed forever the way we talk about Security control. How do we gain traction?

– Have all basic functions of Security control been defined?

– What are our Security control Processes?

Information Assurance Critical Criteria:

Survey Information Assurance management and correct better engagement with Information Assurance results.

– What may be the consequences for the performance of an organization if all stakeholders are not consulted regarding Security control?

– What prevents me from making the changes I know will make me a more effective Security control leader?

– Does our organization need more Security control education?

Information security Critical Criteria:

Depict Information security results and define what our big hairy audacious Information security goal is.

– Does management communicate to the organization the importance of meeting the information security objectives, conforming to the information security policy and the need for continual improvement?

– Has specific responsibility been assigned for the execution of business continuity and disaster recovery plans (either within or outside of the information security function)?

– Consider your own Security control project. What types of organizational problems do you think might be causing or affecting your problem, based on the work done so far?

– Is there an information security policy to provide management direction and support for information security in accordance with business requirements, relevant laws and regulations?

– Are information security policies and other relevant security information disseminated to all system users (including vendors, contractors, and business partners)?

– Does the ISMS policy provide a framework for setting objectives and establish an overall sense of direction and principles for action with regard to information security?

– Do we have an official information security architecture, based on our Risk Management analysis and information security strategy?

– Does your company have a current information security policy that has been approved by executive management?

– What is true about the trusted computing base in information security?

– How do we Identify specific Security control investment and emerging trends?

– Is there a business continuity/disaster recovery plan in place?

– Is an organizational information security policy established?

– Are damage assessment and disaster recovery plans in place?

– How do we achieve a satisfactory level of information security?

– Does your company have an information security officer?

– What is the goal of information security?

OSI model Critical Criteria:

Steer OSI model results and reduce OSI model costs.

– Who will be responsible for deciding whether Security control goes ahead or not after the initial investigations?

– How do mission and objectives affect the Security control processes of our organization?

– What are the Key enablers to make this Security control move?

Payment Card Industry Data Security Standard Critical Criteria:

Disseminate Payment Card Industry Data Security Standard tactics and slay a dragon.

– What knowledge, skills and characteristics mark a good Security control project manager?

– Are accountability and ownership for Security control clearly defined?

Physical Security Critical Criteria:

Match Physical Security adoptions and budget the knowledge transfer for any interested in Physical Security.

– Does your Cybersecurity plan contain both cyber and physical security components, or does your physical security plan identify critical cyber assets?

– Has Cybersecurity been identified in the physical security plans for the assets, reflecting planning for a blended cyber/physical attack?

– Secured Offices, Rooms and Facilities: Is physical security for offices, rooms and facilities designed and applied?

– Is the security product consistent with physical security and other policy requirements?

– How will we ensure seamless interoperability of Security control moving forward?

SSAE 16 Critical Criteria:

Study SSAE 16 outcomes and revise understanding of SSAE 16 architectures.

– What vendors make products that address the Security control needs?

– Are we Assessing Security control and Risk?

Security Critical Criteria:

Infer Security visions and look in other fields.

– Does the information security function actively engage with other critical functions, such as IT, Human Resources, legal, and the privacy officer, to develop and enforce compliance with information security and privacy policies and practices?

– During the last 3 years, have you received a complaint or an injunction arising out of intellectual property infringement, content or advertising?

– Is the risk assessment approach defined and suited to the ISMS, identified business information security, legal and regulatory requirements?

– Is there any open source personal cloud software that provides privacy and ease of use, 1-click app installs, and a cross-platform HTML5 interface?

– Will we be inclusive enough yet not disruptive to ongoing business, for effective Cybersecurity practices?

– Do you utilize retained private information in any other way than originally intended or disclosed?

– Is there a person at our organization who assesses vulnerabilities, consequences, and threats?

– Are responsibilities for handling PII stated in the cloud service agreement?

– What has the company done to bolster its Cybersecurity program?

– What role do your security and compliance teams have in DevOps projects?

– Who will provide, i.e., own, the hardware/software needed?

– Is Return on Security Investment (ROSI) Impossible?

– How much to invest in Cybersecurity?

– How do we create secure passwords?

– How often are locks changed?

– What algorithms are used?

– How do we define risk?

Security engineering Critical Criteria:

Focus on Security engineering issues and work towards being a leading Security engineering expert.

– What are the success criteria that will indicate that Security control objectives have been met and the benefits delivered?

– In what ways are Security control vendors and us interacting to ensure safe and effective use?

– Is Supporting Security control documentation required?

Security management Critical Criteria:

Investigate Security management failures and do something about them.

– Has the organization established an Identity and Access Management program that is consistent with requirements, policy, and applicable guidelines and which identifies users and network devices?

– If our security management product supports access control based on defined rules, what is the granularity of the rules supported: access control per user, group, or role?

– Has the organization established an enterprise-wide business continuity/disaster recovery program that is consistent with requirements, policy, and applicable guidelines?

– What are the key elements of your Security control performance improvement system, including your evaluation, organizational learning, and innovation processes?

– Does the service agreement have metrics for measuring performance and effectiveness of security management?

– So, how does security management manifest in cloud services?

Security risk Critical Criteria:

Mine Security risk goals and plan concise Security risk education.

– How do you monitor your Cybersecurity posture on business IT systems and ICS systems and communicate status and needs to leadership?

– What performance goals do we adopt to ensure our ability to provide essential services while managing Cybersecurity risk?

– Does the company have a log monitoring capability with analytics and alerting, also known as continuous monitoring?

– Do you have a process for looking at consequences of cyber incidents that informs your risk management process?

– Are we specifically expressing Cybersecurity requirements to our partners, suppliers, and other third parties?

– Has your Cybersecurity plan been reviewed in the last year and updated as needed?

– How do we define and assess risk generally and Cybersecurity risk specifically?

– What are the security information requirements of Cybersecurity stakeholders?

– Does your organization destroy data according to policies in place?

– Are Cybersecurity criteria used for vendor and device selection?

– Are our Cybersecurity capabilities efficient and effective?

– Are records kept of successful Cybersecurity intrusions?

– How do the actors compromise our systems?

– Are there beyond-compliance activities?

– How do you report cyberattacks?

Security service Critical Criteria:

Read up on Security service governance and intervene in Security service processes and leadership.

– Follow-up: Follow-up should include regular status reporting, describing new controls and lessons learned to improve future performance. The most important element of the follow-up stage is performing a postmortem analysis of the response procedure itself. Exactly what happened and at what times?

– Record-keeping requirements flow from the records needed as inputs, outputs, controls and for transformation of a Security control process. Ask yourself: are the records needed as inputs to the Security control process available?

– Encryption helps to secure data that may be stored on a stolen laptop but what about the sensitive data that is sent via e-mail or downloaded to a USB device?

– What is your estimated recovery time for critical systems to restore operations after a cyber attack or other loss/corruption?

– Is data (i.e. personal information) encrypted on laptops and other mobile devices used for storing and transferring data?

– If you provide a technology service, do you test products for malicious code or other security flaws?

– Do you require that subcontractors submit proof of insurance separate from the primary?

– Do you ensure that all private information is encrypted whether at rest or in transit?

– Do you have a formal procedure in place for handling customer complaints?

– Is your security policy reviewed and updated at least annually?

– Do you have a document retention and destruction policy?

– Who has authority to commit the applicant to contracts?

– Who has a role in the IT security service life cycle?

– What percent of time are contracts not used?

– What is the funding source for this project?

– Who has authority to customize contracts?

– What type of IDS system are you using?

– Do you have a privacy policy?

This quick readiness checklist is a selected resource to help you move forward. Learn more about how to achieve comprehensive insights with the Security Controls Self Assessment:

Author: Gerard Blokdijk

CEO at The Art of Service

Gerard is the CEO at The Art of Service. He has been providing information technology insights, talks, tools and products to organizations in a wide range of industries for over 25 years. Gerard is a widely recognized and respected information expert. Gerard founded The Art of Service consulting business in 2000. Gerard has authored numerous published books to date.

External links:

To address the criteria in this checklist, these selected resources are provided for sources of further research and information:

Security control External links:

AZ Security Control – Remote Dealer Access

Security controls External links:

[PDF]Demilitarization and Trade Security Controls

Access control External links:

Linear Pro Access – Professional Access Control Systems

What is Access Control? – Definition from Techopedia

CIA Triad External links:

CIA Triad of Cybersecurity – InfoSec Resources

CIA Triad Flashcards | Quizlet

what is CIA triad? – 12148 – The Cisco Learning Network

Countermeasure External links:

ACT Cert: Attack Countermeasures Training and …

DoDI 8500.2 External links:

DoDI 8500.2 – Intelsat General Corporation

[PDF]DoDI 8500.2 Solution Brief

Environmental design External links:

LEED | Leadership in Energy & Environmental Design

T. Lake Environmental Design | Landscaping Macon …

Health Insurance Portability and Accountability Act External links:

Health Insurance Portability and Accountability Act …

[PDF]Health Insurance Portability and Accountability Act

ISAE 3402 External links:

22. What are SSAE 16 and ISAE 3402? What happened to …

ISAE 3402 – Overview

[PDF]AccountChek™ Level Security SSAE 16/ISAE 3402 …

ISO/IEC 27001 External links:

ISO/IEC 27001 certification standard

ISO/IEC 27001 Information Security | BSI America

ISO/IEC 27001:2013
ISO/IEC 27001:2013 is an information security standard that was published on the 25th September 2013. It supersedes ISO/IEC 27001:2005, and is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27.

Information Assurance External links:

Information Assurance Training Center

Title Information Assurance Jobs, Employment |

Information security External links:

Federal Information Security Management Act of 2002 – NIST

Title & Settlement Information Security

Information Security

OSI model External links:

The OSI Model – CompTIA Network+ N10-005 – 1.1 – YouTube

Troubleshooting Along the OSI Model – Pearson IT …

The OSI Model’s Seven Layers Defined and Functions …

Payment Card Industry Data Security Standard External links:

Payment Card Industry Data Security Standard – CyberArk

Physical Security External links:

Army COOL Summary – ASI H3 – Physical Security Operations

ADC LTD NM Leader In Personnel & Physical Security

UAB – Business and Auxiliary Services – Physical Security

SSAE 16 External links:

SSAE-18 – An Update to SSAE 16 (Coming 2017)

SSAE 16 Auditing and Reporting Services – A-LIGN

SSAE 16 – Overview

Security External links:

Home Security

What You Can Do Online | Social Security Administration

my Social Security | Social Security Administration

Security engineering External links:

Master of Science in Cyber Security Engineering – UW …

Security Engineering – Covenant Security Solutions

Security management External links:

Security Management and Intelligence | Microsoft

Endpoint Security Management Software and Solutions – Promisec

Personnel Security Management Office for Industry …

Security risk External links:

Security Risk (eBook, 2011)

Security Risk (1954) – IMDb

Security service External links:

Defense Security Service – Official Site

Contact Us: Questions, Complaints | Security Service

Contact Us | Security Service