Vulnerability Assessment
Framework 1.1
Prepared under contract for the
Critical Infrastructure Assurance Office
by
KPMG Peat Marwick LLP
October 1998
Notice: This document was prepared as an account of work sponsored by an agency of the United States Government.
Neither the United States Government nor any agency thereof, nor any of their contractors, subcontractors, or their
employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use will
not infringe on privately owned rights. Reference herein to any commercial product, process, or service by trade name,
trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or
favoring by the United States Government, any agency thereof or any of their contractors or subcontractors. The
views and opinions expressed herein do not necessarily state or reflect those of the United States Government or any
of their contractors.
/Vulnerability Assessment Framework (VAF)/Page i
CIAO
October 1998
Presidential Decision Directive 63 directs every department and agency of the Federal
Government to develop a plan by November 18, 1998, to protect its own critical
infrastructure, including but not limited to its cyber-based systems. While your
department should decide the shape of the plan best suited to your mission, you may wish
to consider basing your plan on an identification of your critical infrastructures and their
vulnerabilities, including:
• identification of mission essential telecommunications, information, and other
systems;
• identification of significant vulnerabilities of the department’s minimum essential
systems;
• internal and external interdependencies; and
• an assessment of the vulnerability of the department’s minimum essential services
to failures by private sector providers of telecommunications, electrical power, and
other infrastructure services.
The Vulnerability Assessment Framework (VAF) is designed to assist your agency’s work
on these issues. The VAF was produced by KPMG Peat Marwick LLP, under contract to
the Critical Infrastructure Assurance Office, with review and input over the last six weeks
from a wide range of agencies. Based on existing security requirements and standards, the
VAF can be applied across the federal government as well as to private sector
infrastructures.
Through a three-step process, the VAF will enable your organization to define your
Minimum Essential Infrastructure (MEI), identify and locate interdependencies and
vulnerabilities of your MEI, and provide the basis for developing your remediation plans.
The VAF has been designed with inherent scalability so that it is applicable to all levels of
government and to broad sectors of the National infrastructure.
Should your department choose to do so, the VAF can be a core component of your
agency’s plan. Further assistance and guidance on overall agency planning to protect your
critical infrastructures will be forthcoming from the General Services Administration and
the Critical Infrastructure Assurance Office.
As you prepare your agency’s internal plans, and in many cases the sector plans, you will
find the VAF to be a useful tool in guiding you to find the vulnerabilities that need
remediation so that our Nation’s infrastructures are secured. The Critical Infrastructure
Assurance Office staff and I stand ready to assist agencies in their planning efforts. For
assistance with the VAF, please contact the CIAO at (703) 696-9395.
Sincerely,
Jeffrey A. Hunker
Director
TABLE OF CONTENTS
PREFACE………………………………………………………………………………………………... 1
I. INTRODUCTION………………………………………………………………….…………….4
ROLE OF SENIOR MANAGEMENT…………………………………………………………………...5
THE FRAMEWORK………………………………………………………………………………….6
AUDIENCE………………………………………………………………………………………….7
OBJECTIVES AND CRITICAL SUCCESS FACTORS……………………………………………………7
SCALABILITY OF THE FRAMEWORK………………………………………………………………..8
II. THE VAF APPROACH………………………………………………………………………….9
III. VAF STEP 1 - ESTABLISH THE MINIMUM ESSENTIAL
INFRASTRUCTURE (MEI)…………………………………………………………………...11
VAF STEP 1.1—IDENTIFY THE CORE MISSION(S) OF THE ORGANIZATION……………………...18
VAF STEP 1.2—IDENTIFY THE THREAT ENVIRONMENT………………………………………...19
VAF STEP 1.3—IDENTIFY THE PROCESSES SUPPORTING THE STRATEGIC OR CORE MISSION(S).22
VAF STEP 1.4—ANALYZE THE VALUE OF EACH CORE PROCESS……………………………….23
VAF STEP 1.5—IDENTIFY ORGANIZATIONAL STRUCTURE AND CUSTOMERS………………..…25
VAF STEP 1.6—IDENTIFY FACILITIES…………………………………………………………...26
VAF STEP 1.7—MAP CYBER ARCHITECTURE, DATA AND SYSTEMS………………………...…27
VAF STEP 1.8—LINK PHYSICAL, ORGANIZATIONAL, ARCHITECTURE COMPONENTS
TO THE CORE PROCESSES THAT PLAY KEY ROLES IN ACHIEVING THE MISSION………………...29
VAF STEP 1.9—IDENTIFY THE EXTERNAL RESOURCES UPON WHICH THE MEI IS DEPENDENT.30
IV. VAF STEP 2 - GATHER DATA TO IDENTIFY MEI VULNERABILITIES……………..32
VAF STEP 2.1—ASSESS AREAS OF CONTROL—ENTITY WIDE SECURITY………………………41
VAF STEP 2.2—ASSESS AREAS OF CONTROL—ACCESS CONTROLS……………………………45
VAF STEP 2.3—ASSESS AREAS OF CONTROL—SEGREGATION OF DUTIES……………………..53
VAF STEP 2.4—ASSESS AREAS OF CONTROL—CONTINUITY OF SERVICES AND OPERATIONS...55
VAF STEP 2.5—ASSESS AREAS OF CONTROL—CHANGE CONTROL & LIFE CYCLE
MANAGEMENT……………………………………………………………………………………59
VAF STEP 2.6—ASSESS AREAS OF CONTROL—SYSTEM SOFTWARE…………………………...62
V. VAF STEP 3 - ANALYZE & PRIORITIZE VULNERABILITIES……………………………………64
VAF STEP 3.1—DOCUMENT THE IMPACT……………………………………………………….66
VAF STEP 3.2—DOCUMENT THE VULNERABILITIES…………………………………………….67
VAF STEP 3.3—SUMMARIZE THE VULNERABILITIES……………………………………………68
VAF STEP 3.4—EVALUATE THE VULNERABILITIES……………………………………………..69
VI. NEXT STEPS……………………………………………………………………………………71
VII. GLOSSARY OF TERMS………………………………………………………………………72
VIII. PRIMARY SOURCE DOCUMENTS…………………………………………………………77
APPENDIX A: ENTITY-WIDE SECURITY………………………………………………………...A-1
ORGANIZATIONAL MANAGEMENT………………………………………………………………A-1
SECURITY PROGRAM PLAN……………………………………………………………………..A-3
SECURITY MANAGEMENT………………………………………………………………………A-4
HUMAN RESOURCES POLICIES………………………………………………………………….A-6
OUTSOURCING…………………………………………………………………………………..A-8
ELECTRONIC COMMERCE……………………………………………………………………….A-9
APPENDIX B: ACCESS CONTROLS……………………………………………………………….B-1
DATA TYPES…………………………………………………………………………………….B-1
ACCESS CONTROL LISTS (ACL)………………………………………………………………...B-1
PHYSICAL CONTROLS…………………………………………………………………………...B-4
DATA CENTERS………………………………………………………………………………...B-36
PHYSICAL ACCESS LISTS AND VISITOR LOGS TO DATA CENTERS…………………………….B-37
PHYSICAL KEYS, CARD KEYS AND CIPHER LOCKS……………………………………………B-39
PASSWORDS…………………………………………………………………………………....B-42
NETWORK MANAGEMENT SYSTEMS (NMS)…………………………………………………..B-44
SECURITY SOFTWARE………………………………………………………………………….B-46
DBMS………………………………………………………………………………………….B-47
REMOTE ACCESS………………………………………………………………………………B-48
ENCRYPTION AND RELATED APPLICATIONS…………………………………………………..B-50
MONITORING…………………………………………………………………………………..B-53
DATASCOPES AND SNIFFERS…………………………………………………………………..B-54
HUB MANAGEMENT………………………………………………………………………..…..B-55
VOICE OPERATIONS……………………………………………………………………………B-55
APPENDIX C: SEGREGATION OF DUTIES………………………………………………………C-1
POLICIES……………………………………………………………………………………...…C-1
ACCESS CONTROLS TO ENFORCE SEGREGATION OF DUTIES…………………………….…......C-4
OPERATING PROCEDURES, SUPERVISION, AND REVIEW…………………………………….….C-4
APPENDIX D: CONTINUITY OF SERVICE AND OPERATIONS………………………………D-1
BUSINESS CONTINUITY PLAN…………………………………………………………………...D-1
RESOURCE MANAGEMENT—COB……………………………………………………………...D-5
CONTINGENCY PLAN……………………………………………………………………………D-8
SERVICE LEVEL AGREEMENT MANAGEMENT…………………………………………………D-10
DATA CENTER MANAGEMENT…………………………………………………………...….....D-11
BACK-UP MANAGEMENT……………………………………………………………..………..D-19
ALTERNATIVE SITE MANAGEMENT…………………………………………………….….…..D-21
INTERDEPENDENCY AWARENESS……………………………………………………………...D-22
MONITORING…………………………………………………………………………………..D-22
APPENDIX E: CHANGE CONTROL & LIFE CYCLE MANAGEMENT……………………….E-1
CHANGE MANAGEMENT…………………………………………………………………………………E-1
SYSTEM DEVELOPMENT LIFE CYCLE MANAGEMENT…………………………………………………...E-3
PROJECT MANAGEMENT…………………………………………………………………………………E-9
APPLICATION ACQUISITION, MANAGEMENT, AND MAINTENANCE…………………………………….E-13
QUALITY AND ASSURANCE………………………………………………………………………….….E-16
APPENDIX F: SYSTEM SOFTWARE…………………………………………………………...….F-1
SYSTEM SOFTWARE ACCESS CONTROL………………………………………………………………….F-1
SYSTEM SOFTWARE MONITORING (ACCESS AND USE)………………………………………………….F-4
SYSTEM SOFTWARE CHANGE CONTROL…………………………………………………………………F-5
APPENDIX G: WHITE PAPER………………………………………………………………….…..G-1
Preface
“A Growing Potential Vulnerability”
“The United States possesses both the world’s strongest military and its largest national economy.
Those two aspects of our power are mutually reinforcing and dependent. They are also
increasingly reliant upon certain critical infrastructures and upon cyber-based information systems.
Critical infrastructures are those physical and cyber-based systems essential to the minimum
operations of the economy and government. They include, but are not limited to,
telecommunications, energy, banking and finance, transportation, water systems and emergency
services, both governmental and private. Many of the nation’s critical infrastructures have
historically been physically and logically separate systems that had little interdependence. As a
result of advances in information technology and the necessity of improved efficiency, however,
these infrastructures have become increasingly automated and interlinked. These same advances
have created new vulnerabilities to equipment failures, human error, weather and other natural
causes, and physical and cyber attacks. Addressing these vulnerabilities will necessarily require
flexible, evolutionary approaches that span both the public and private sectors, and protect both
domestic and international security.
Because of our military strength, future enemies, whether nations, groups or individuals, may seek
to harm us in non-traditional ways including attacks within the United States. Our economy is
increasingly reliant upon interdependent and cyber-supported infrastructures and non-traditional
attacks on our infrastructure and information systems may be capable of significantly harming
both our military power and our economy.”
“President’s Intent”
“It has long been the policy of the United States to assure the continuity and viability of critical
infrastructures. President Clinton intends that the United States will take all necessary measures
to swiftly eliminate any significant vulnerability to both physical and cyber attacks on our critical
infrastructures, including especially our cyber systems.”
“A National Goal”
“No later than [May 22] the year 2000, the United States shall have achieved an initial operating
capability and no later than five years from the day the President signed Presidential Decision
Directive 63, [May 22, 2003], the United States shall have achieved and shall maintain the ability
to protect our nation’s critical infrastructures from intentional acts that would significantly
diminish the abilities of:
• the Federal Government to perform essential national security missions and to ensure the
general public health and safety;
• state and local governments to maintain order and to deliver minimum essential public
services;
• the private sector to ensure the orderly functioning of the economy and the delivery of
essential telecommunications, energy, financial and transportation services.
Any interruptions or manipulations of these critical functions must be brief, infrequent,
manageable, geographically isolated and minimally detrimental to the welfare of the United
States.”
“A Public-Private Partnership to Reduce Vulnerability”
“Since the targets of attacks on our critical infrastructure would likely include both facilities in the
economy and those in the government, the elimination of our potential vulnerability requires a
closely coordinated effort of both the public and the private sector. To succeed, this partnership
must be genuine, mutual and cooperative. In seeking to meet our national goal to eliminate the
vulnerabilities of our critical infrastructure, therefore, the U.S. government should, to the extent
feasible, seek to avoid outcomes that increase government regulation or expand unfunded
government mandates to the private sector.”
“Protecting Federal Government Critical Infrastructures”
“Every department and agency of the Federal Government shall be responsible for protecting its
own critical infrastructure, especially its cyber-based systems. Every department and agency
Chief Information Officer (CIO) shall be responsible for information assurance. Every department
and agency shall appoint a Chief Infrastructure Assurance Officer (CIAO) who shall be
responsible for the protection of all of the other aspects of that department’s critical
infrastructure. The CIO may be double-hatted as the CIAO at the discretion of the individual
department. These officials shall establish procedures for obtaining expedient and valid
authorizations to allow vulnerability assessments to be performed on government computer and
physical systems. The Department of Justice shall establish legal guidelines for providing for such
authorizations.
No later than 180 days, [November 18, 1998], from issuance of this directive, every department
and agency shall develop a plan for protecting its own critical infrastructure, including but not
limited to its cyber-based systems. No later than two years from today, [May 22, 2000] those
plans shall have been implemented and shall be updated every two years. In meeting this
schedule, the Federal Government shall present a model to the private sector on how best to
protect critical infrastructure. The Principals Committee should submit to the President a
schedule for completion of a National Infrastructure Assurance Plan with milestones for
accomplishing the following subordinate and related tasks.”
“Vulnerability Analyses: For each sector of the economy and each sector of the government that
might be a target of infrastructure attack intended to significantly damage the United States, there
shall be an initial vulnerability assessment, followed by periodic updates. As appropriate, these
assessments shall also include the determination of the minimum essential infrastructure in each
sector.”
“Remedial Plan: Based upon the vulnerability assessment, there shall be a recommended remedial
plan. The plan shall identify timelines for implementation, responsibilities and funding.”
Excerpts from the
WHITE PAPER
The Clinton Administration’s Policy on
Critical Infrastructure Protection:
Presidential Decision Directive 63
May 22, 1998
I. Introduction
On August 18, 1998, KPMG Peat Marwick LLP commenced the task of creating a Vulnerability
Assessment Framework (VAF) under contract to the Critical Infrastructure Assurance Office in
response to Presidential Decision Directive (PDD) 63. In assuming this task, KPMG has taken a
business approach to developing this vulnerability assessment tool as opposed to a national
security approach. The former incorporates established business risk assessment measurements in
a holistic approach to assessing physical and cyber vulnerabilities. The latter has historically been
primarily driven by the known or suspected capabilities of identified adversaries.
While some suggest that penetration testing is an adequate approach to assessing cyber
vulnerabilities, KPMG’s experience clearly indicates the need for a more holistic approach.
Penetration testing is but one part, and a temporary one at that, of an overall vulnerability
assessment. Identification of the root causes of vulnerabilities through other assessment criteria
enables systemic remedies, not just temporary patches. It was KPMG’s intent to propose a VAF
that would lead to systemic remedies.
Although there have been historical differences in approach to measuring business risk and
assessing threats to national security, the flexibility of the VAF developed by KPMG allows it to
be applied in either arena. The difference lies in the level of detail that agencies want to
address, or in the national security standards to which the VAF methodology is applied. To the extent it
is possible to do so, the VAF may also be applied in the context of requirements of the Computer
Security Act of 1987 or other federal requirements.
For purposes of this effort, the approach adopted in the President’s Commission on Critical
Infrastructure Protection (PCCIP) report regarding threats and vulnerabilities has been utilized. In
a world of non-conventional threats, cyber or physical, it is not prudent to suppose that an
organization will know in advance from where a threat may arise.
As noted by the PCCIP, the right command sent over a network to a power generating station’s
control computer could be just as effective as a backpack full of explosives. However in the
former scenario, the perpetrator would be harder to identify and apprehend. The rapid growth of
a computer-literate population ensures that increasing millions of people possess the skills
necessary to consider such an attack. The wide adoption of public protocols for system
connectivity and the availability of “hacker tool” libraries make their task easier. While the
resources needed to conduct a physical attack have not changed considerably, the resources
necessary to conduct a cyber attack are now commonplace. A personal computer and a simple
telephone connection to an Internet Service Provider (ISP) anywhere in the world are enough to
cause great damage.
The PCCIP further noted that our infrastructures have substantial vulnerabilities to domestic and
international threats. For those intrusions that are known, insiders have been primarily at the root
of the exploitation of these vulnerabilities. Because it may be impossible to determine the nature
of a threat until after it has materialized, infrastructure owners and operators—most of whom are
in the private sector—must focus on protecting themselves against the tools of disruption, while
the government helps by collecting and disseminating the latest information about those tools and
their employment. The Commission did not discover an immediate threat sufficient to warrant a
fear of imminent national crisis. However, vulnerabilities are becoming more common with the
introduction of new technologies, the widespread use of electronic media, the inadequate
administration of technical and operational controls, the ready availability of means to exploit
those weaknesses, and the decreasing costs associated with an effective attack.
Thus, the traditional security approach of monitoring the activities of known or potential attackers
or intruders breaks down. The first line of infrastructure defense must now be to identify and
resolve vulnerabilities before they are exploited. Protecting our infrastructures into the 21st
Century requires that we develop greater understanding of their vulnerabilities and act decisively
to reduce them.
Role of Senior Management
In a recently-published study of leading organizations, the U.S. General Accounting Office (GAO)
found that senior executive recognition of information security risks and interest in taking steps to
understand and manage these risks are the most important factors in prompting development of
more formal information security programs. Such high-level interest helps ensure that information
security is taken seriously at lower organizational levels and that security specialists have the
resources needed to implement an effective program.
The study further noted that business managers, usually referred to as program managers in
federal agencies, must bear the primary responsibility for determining the level of protection
needed for information resources that support business operations. In this regard, business
managers should be held accountable for managing the information security risks associated with
their operations, much as they would for any other type of business risk. However, security
specialists play a strong educational and advisory role and have the ability to elevate discussions
to higher management levels when they believe that risks are not being adequately addressed.
Business managers are generally in the best position to determine which of their information
resources are the most sensitive and what the business impact of a loss of integrity, confidentiality,
or availability would be.
GAO’s survey also determined that business or program managers are in the best position to
determine how security controls may impair their operations. For this reason, involving them in
selecting controls can help ensure that controls are practical and will be implemented.
Accordingly, security specialists have assumed the role of educators, advisors, and facilitators
who help to ensure that business managers are aware of risks and of control techniques that have
been or could be implemented to mitigate the risks. For several of the organizations, these roles
represent a dramatic reversal from past years, when security personnel were viewed as rigid,
sometimes overly protective enforcers who often did not adequately consider the effect of security
controls on business operations.
The PCCIP characterized its infrastructure assurance initiatives as the beginning of a long process,
but one that may never be concluded. The organizations in GAO’s survey emphasized the
importance of continuous attention to security to ensure that controls are appropriate and
effective. They stressed that constant vigilance and frequent reassessment are needed to ensure
that controls remain appropriate, addressing current risks and not unnecessarily hindering
operations, and that individuals who use and maintain information systems comply with
organizational policies. Such attention is important for all types of internal controls, but it is
especially important for security over computerized information, because, as mentioned
previously, the factors that affect cyber security are constantly changing in today’s dynamic
environment.
The Framework
Numerous reference documents have been identified and reviewed for possible relevance. Upon
analysis, and on the basis of actual experience in the assurance/audit arena, the KPMG VAF
methodology has drawn heavily from several different current processes for measuring
information technology (IT) system controls. These include: the April 1998 Control Objectives
for Information Technology (COBIT) process of the Information Systems Audit and Control
Foundation (ISACF); the May 1998 publication “Executive Guide Information Security
Management” of the United States General Accounting Office (GAO); and GAO’s standards for
auditing federal information systems (Federal Information Systems Control Audit Manual
(FISCAM)).
Of course, the approaches above were not designed to fully apply to the issues that surface
when attempting to assess infrastructure vulnerabilities. Nonetheless, parts of each of these were
considered relevant for several reasons. First, each represents a current approach to system
controls used by IT auditors. Second, each has drawn extensively from other sources, both
national and international, resulting in a broader base of expertise in IT governance practices.
Third, although suggested for applicability to cyber system controls, at least part of the control
standards defined in each document can apply to the physical vulnerabilities as well.
Finally, the KPMG VAF methodology has also drawn from the report of the PCCIP. In
particular, the PCCIP findings concerning the issue of interdependencies and their approach to
threat and vulnerability issues have been incorporated. PDD 63 instructed that the government
and sectoral vulnerability assessment plans include a particular focus on interdependencies. So, it
is important to understand what the term “interdependency” means and how it should apply to the
vulnerability assessment plans of government departments and agencies. Since PDD 63
specifically states that the VAF “shall include the determination of minimum essential
infrastructure” (MEI), it will also be important to understand what it means and how it applies.
If your organization is already performing vulnerability assessments, the team should examine the
process being used against the VAF process and determine if gaps between the two exist. The
intent of the VAF process is to use, if available, existing data gathering and analysis techniques in
the identification and documentation of vulnerabilities in the infrastructure. The intent is not to
duplicate existing efforts.
Audience
The initial audience for the VAF template consists of the departments and agencies of the federal
government. Additionally, the VAF should be able to address the needs of the private sector, for
which the government should be a model. We envision that this plan will be used to assist
management in analyzing their Minimum Essential Infrastructure (MEI), its strengths,
weaknesses, and external dependencies.
In order to implement the VAF process, a leadership team should be formed. This team will
consist of the agency CIAO, CIO, a person familiar with the audit and oversight outputs of the
Inspector General and persons responsible for information and data security, physical security,
and personnel security. The precise skill sets required are defined in greater detail in section III.F.
In addition to management, the plan is designed to be used by security professionals and internal
auditors. It will serve as a common language and facilitate communication, expectations, and
cooperation among the three groups. This will aid them in effectively working together as a team,
understanding the tasks to be accomplished, and achieving the common goal of minimizing
vulnerabilities that may diminish the agency’s ability to achieve its mission or the robustness of the
National MEI (i.e., the critical national infrastructures).
Objectives and Critical Success Factors
The objectives and critical success factors of the VAF are as follows:
• The VAF must apply to infrastructure vulnerabilities in both physical and cyber
dimensions.
• The VAF must be scalable, capable of being applied by large, sophisticated government
organizations, as well as by small government entities with little, or no, experience with
infrastructure vulnerability issues.
• The VAF must be flexible, allowing the user to give emphasis to those areas of the VAF
of greatest importance to the individual agency.
• The VAF should be able to address two audiences: the government agencies that would
initially apply it, and the private sector for which the government should be a model.
• The VAF should incorporate a delivery mechanism that is readily acceptable to both
government and the business world, and not one that would require new government
regulation or structures. (The VAF can be implemented by an auditor, both within the
context of business risk assessment, and the growing accountancy requirement to assess
risks and adequacy of controls over information technology systems.)
• The VAF must be flexible enough to draw from other sources of expertise for updated
analytical information. Just as many of the concepts of this VAF are drawn from
COBIT, GAO, OMB, and other similar guidance, the VAF must be able to be updated with
additional relevant information in the future.
• The VAF must be an integral part of long term physical and cyber investment strategies.
Remediation costs become more manageable if part of an informed and comprehensive
investment strategy.
• The VAF process must be repeatable over time. Today’s VAF outcomes must be valid in
tomorrow’s investment climate.
• Senior Executive support in each Agency is crucial to making the VAF process a success.
• The VAF is not synonymous with penetration testing. Penetration testing may be a
sub-element of the overall VAF procedures but should not be considered the recommended
method for identifying vulnerabilities.
Scalability of the Framework
The VAF process is designed to be scalable, and the concepts applicable, to the identification of
vulnerabilities at the National level, the Agency and Department level, and the internal process
level of the organization. The questionnaires utilized in the VAF are best applied once the VAF
team has clearly defined the processes in the organization that are considered the Mission
Essential Processes. The scalability applies to a process whether the process is between the
government and industry partners or internal to an agency.
II. The VAF Approach
In order to identify the critical infrastructure vulnerabilities that exist in, or impact upon, your
organization, the assessment team should follow the assessment methodology detailed below.
The methodology primarily consists of three major steps, as shown in Figure 1. Each step
consists of a series of activities, which are outlined in the following sections. Using these
assessment steps, the assessment team will compile a list of vulnerabilities for the organization to
evaluate and determine appropriate next steps. Next steps include determining the order in which
vulnerabilities should be addressed, the resources required, and the level of investment necessary
to meet the President’s objectives.
Figure 1. The VAF Steps: VAF Step 1, Establish the Agency MEI; VAF Step 2, Gather Data to
Identify MEI Vulnerabilities; VAF Step 3, Analyze & Prioritize Vulnerabilities.
In Step 1 the assessment team will define the Minimum Essential Infrastructure for the
organization. The focus is on the specific infrastructure components that support Mission
Essential Processes (MEP) that are absolutely fundamental to achieving an organization’s core
mission. Once the MEI is identified, the vulnerabilities that potentially affect it are the most
important starting points for infrastructure vulnerability minimization plans.
During Step 2 the VAF evaluation will review actions, devices, procedures, techniques and other
measures that potentially place the organization’s MEI resources at risk. The outcome will be the
identification and reporting of flaws or omissions in controls (i.e., vulnerabilities) that may affect
the integrity, confidentiality, accountability, and/or the availability of resources that are essential
to achieving the organization’s core mission(s).
Finally in Step 3, the team will define and analyze the vulnerabilities identified in VAF Step 2 and
MEI external dependencies from VAF Step 1, thereby enabling at least a first order of
prioritization for purposes of remediation or minimization. This step will move the process from
the vulnerability assessment phase into the first steps of the remediation planning process, with its
accompanying funding estimates and timelines.
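The chain that Steps 1 through 3 describe (core processes, the internal components and external resources they depend on, control weaknesses attached to those components, and a first-order ranking by mission impact) can be made concrete in a small model. The following Python script is an added illustration written for this page; it is not a tool from the VAF, from KPMG, or from the CIAO. It records process values (Step 1.4), a dependency map covering internal components and external resources (Steps 1.8 and 1.9), and constructed control weaknesses (Step 2), then walks the inverted dependency graph so that each weakness is charged with every Mission Essential Process it can reach, including processes that only touch it through an intermediate facility or provider (Step 3). Every process name, component name, value and finding below is constructed sample data, and the sum-of-values score is an illustrative stand-in for whatever impact scale an agency actually adopts.

```python
"""Dependency model for the three VAF steps (added illustration, not VAF code).

Constructed sample data throughout: the processes, components, external
resources, values and findings are invented for this example.
"""
from collections import deque

# Step 1.3/1.4: core processes with a constructed relative value (1-10).
PROCESSES = {
    "benefits_payment": 10,
    "emergency_dispatch": 8,
    "public_inquiries": 4,
}

# Steps 1.8/1.9: each component mapped to the components it depends on.
# Names prefixed "ext:" are external resources in the sense of Step 1.9.
DEPENDS_ON = {
    "benefits_payment": ["claims_app"],
    "public_inquiries": ["call_center_pbx", "claims_app"],
    "emergency_dispatch": ["call_center_pbx", "dispatch_app"],
    "claims_app": ["claims_db", "data_center_a"],
    "dispatch_app": ["data_center_a"],
    "claims_db": ["data_center_a"],
    "data_center_a": ["ext:power_utility", "ext:telecom_provider"],
    "call_center_pbx": ["ext:telecom_provider"],
}

# Step 2: constructed control weaknesses, keyed by the component they sit on.
VULNERABILITIES = [
    {"id": "V1", "component": "claims_db", "area": "access controls",
     "finding": "DBA accounts share one password"},
    {"id": "V2", "component": "ext:power_utility", "area": "continuity of services",
     "finding": "no SLA with the utility and no on-site generator"},
    {"id": "V3", "component": "call_center_pbx", "area": "change control",
     "finding": "PBX configuration changes are not reviewed"},
]


def dependents_graph(depends_on):
    """Invert the dependency map: component -> components that rely on it."""
    rev = {}
    for node, deps in depends_on.items():
        for dep in deps:
            rev.setdefault(dep, []).append(node)
    return rev


def affected_processes(component, depends_on=DEPENDS_ON, processes=PROCESSES):
    """Mission essential processes reachable upward from a weak component.

    Breadth-first walk over the inverted graph; the seen-set keeps the walk
    finite even if the recorded dependencies contain a loop.
    """
    rev = dependents_graph(depends_on)
    seen, queue, hit = {component}, deque([component]), set()
    while queue:
        node = queue.popleft()
        if node in processes:
            hit.add(node)
        for dependent in rev.get(node, []):
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return hit


def external_dependencies(depends_on=DEPENDS_ON, processes=PROCESSES):
    """Step 1.9 output: the external resources each process ultimately relies on."""
    result = {}
    for proc in processes:
        seen, stack = set(), [proc]
        while stack:
            node = stack.pop()
            for dep in depends_on.get(node, []):
                if dep not in seen:
                    seen.add(dep)
                    stack.append(dep)
        result[proc] = sorted(d for d in seen if d.startswith("ext:"))
    return result


def prioritize(vulns=VULNERABILITIES, depends_on=DEPENDS_ON, processes=PROCESSES):
    """Step 3 first-order ranking: sum of the values of every process a
    weakness can reach, highest first; ties broken by id for a stable list."""
    ranked = []
    for v in vulns:
        hit = affected_processes(v["component"], depends_on, processes)
        ranked.append({**v,
                       "affected": sorted(hit),
                       "score": sum(processes[p] for p in hit),
                       "external": v["component"].startswith("ext:")})
    return sorted(ranked, key=lambda r: (-r["score"], r["id"]))


if __name__ == "__main__":
    for proc, ext in external_dependencies().items():
        print(f"{proc}: external dependencies {ext}")
    for r in prioritize():
        print(f"{r['id']} score={r['score']:>2} {r['area']:<23} "
              f"{'external' if r['external'] else 'internal':<8} "
              f"affects {r['affected']}")
```

Run as a script, the model ranks the constructed power-utility finding (V2) first even though it sits outside the agency, because every process reaches it through the shared data center; the database finding (V1) follows, and the PBX finding (V3) ranks last because only two processes depend on that switch. That ordering is the point the VAF makes about interdependencies: a weakness is prioritized by what depends on it, not by where it lives.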
At a minimum, it is recommended that the first vulnerability assessment process consist of the
broad, department- or agency-level macro vulnerability assessment of both the internal agency
Minimum Essential Infrastructure (MEI), and the agency’s relationship to, and connection with,
the National MEI. Once the scope and MEI(s) are defined, the assessment team then can target
VAF Steps 2 and 3 and focus on the appropriate core processes that are considered components
of the critical infrastructure.
This detailed guide will serve as a scalable template for vulnerability assessment. The assessment
team will determine the level of detail to which it should be applied and the analysis required to
assess the MEI and its vulnerabilities.
Each step of the VAF will be outlined in the following format:
n Objectives
n Critical Success Factors
n Expected Outcomes
n Activities
Throughout this methodology, the assessment team will gather information through a number of
data gathering activities including:
n Facilitated sessions
n On-site surveys
n Interviews
n Document reviews
n Validation activities to include procedural checks, system and process tests and
simulations
The VAF assessment team has a responsibility to apply sound judgement in the data gathering
process and to determine the usefulness and applicability of the questions and the control
measures being reviewed. The questionnaires are derived from existing federal guidance and
requirements already being used in the government. Most of the questions reflect a requirement
or an audit control measure already being reviewed by the Agency or Department. The
questionnaires are to be reviewed for applicability to the particular organization being assessed.
If the team deems the measure or question does not apply, the rationale should be documented
briefly and the question or control measure passed over.
III. VAF Step 1 - Establish the Minimum Essential Infrastructure (MEI)
Figure 2. VAF Step 1 (Establish the Agency MEI, shown highlighted among the three VAF steps)
A. Objective
The objective of this step is to define the MEI for an organization. Let’s first examine what MEI
is, then what it is not, and finally, why the identification of MEI is the best starting point for this
first-ever national vulnerability assessment process.
First, what does MEI mean? There are two levels that must be considered and assessed for this
national VAF process to have value – the National MEI and the Agency MEI.
Figure 3. The National MEI (illustrative interconnections among telecommunications, electric power, bank/credit, suppliers, warehouse, catalog store, sales store, marketing/sales, and critical emergency services)
The National MEI is defined as the framework of critical organizations, personnel, systems, and
facilities that provide a flow of goods and services that are absolutely essential to the economic
well-being and national security of the United States, to the smooth functioning of governments at
all levels, and to society as a whole.
The Agency MEI is the framework of critical organizations, personnel, systems, and facilities that
are absolutely required in order to provide the inputs and outputs necessary to support the core
processes, essential to accomplishing an organization’s core mission as they relate to national
security, national economic security or continuity of government services. In other words, the
Agency MEI focuses on the specific infrastructure components that support Mission Essential
Processes (MEP) as depicted in Figure 4 below that are absolutely fundamental to achieving an
organization’s core mission.
Figure 4. Defining MEI based on Core Processes of the Organization (the organizational mission and its future state are supported by Core Processes 1 through "n"; Strategic MEI (High Level): Missions, Organizational Structure, Governance, Critical Components; Tactical MEI (Resource Elements): Systems Specific, Facility Specific, Personnel Specific, Process Specific)
Next, let’s look at what the definition of MEI is not meant to include. In most cases the MEI is
intended to be the absolute core component of what government agencies sometimes refer to as
mission critical elements (MCE). Most agencies have defined their mission critical elements
(MCE). The MCE are the resources needed to address each and every mission of the department
or agency, regardless of their relevance to the core national security, national economic security
requirements or continuity of government services of the United States.
The assessment team must determine the scope of the assessment in order to decide whether a
National MEI, an Agency MEI or both need to be defined. Once the scope and MEI(s) are
defined, the MEI(s) will allow the assessment team to target VAF Steps 2 and 3 and focus on the
appropriate core processes that are considered components of the critical infrastructure.
Finally, why does the VAF process commence with an identification of the MEI? The answer is
because it is the logical starting point. This will be discussed in greater detail below. In summary,
by its very definition, the MEI represents the most essential elements supporting department or
agency missions. So, once the MEI is identified, the vulnerabilities that potentially affect it are the
most important starting points for infrastructure vulnerability minimization plans.
B. Scope
In KPMG’s initial meeting with the Critical Infrastructure Assurance Office staff following the
award of the contract, it was emphasized that the VAF process must be scalable so that even
inexperienced agencies would be able to use VAF, even if only at a very broad macro level. This
VAF process lends itself to either such a macro level approach, or a detailed examination of every
infrastructure issue within a department or agency.
At a minimum, it is recommended that this first vulnerability assessment process consist of the
broad, department/agency level macro vulnerability assessment of both the internal agency MEI,
and the agency’s relationship to, and connection with, the National MEI. Once the scope and
MEI(s) are defined, the MEI(s) will allow the assessment team to target VAF Steps 2 and 3 and
focus on the appropriate core processes that are considered components of the critical
infrastructure.
C. Process
In order to establish either type of MEI, the assessment team must first determine the strategic
MEI which consists of a high level review of the:
n Mission(s),
n Organizational Structure,
n Governance, and
n High Level Definition of the Critical Components/Systems/Facilities/Processes.
Once the strategic level MEI is established, the MEI resource elements (or as some may say, the
tactical MEI) can be examined. Essential resource elements include the following:
People: Staff, management, and executives necessary to plan, organize, acquire, deliver, support, and monitor mission related services, information systems, and facilities. This includes groups and individuals external to the organization involved in the fulfillment of the organization’s mission. Security management personnel should also be included.
Technology: All hardware and software, connectivity, countermeasures and/or safeguards that are utilized in support of the core process.
Applications: All application systems, internal and external, utilized in support of the core process.
Data: All data (electronic and hard copy) and information required to support the core process. This includes numbers, characters, images or other method of recording, in a form which can be assessed by a human or (especially) input into a computer, stored and processed there, or transmitted on some digital/communications channel.
Facilities: All facilities required to support the core processes, including the resources to house and support information technology resources, and the other resource elements defined above.
The subset of these resource elements that is critical to supporting the MEI constitutes the MEI
resource elements.
D. Critical Success Factors
In order for this step to be successful, the following elements need to exist:
ü Organizational commitment to the principles of PDD 63
ü Application and assignment of the appropriate and knowledgeable personnel to the process of
defining the MEI
ü A solid understanding of the definitions of MEI
ü A trained assessment team capable of assembling the information
E. Outcomes
The result of VAF Step 1 will be a comprehensive definition of the MEI for which the
vulnerability assessment process will be applied.
F. Team Composition
In order to carry out the execution of this framework, the organization should establish a group of
at least ten experts that could be broken into two teams based on the requirements and size of the
effort. The minimal team should be comprised of the following experts:
Expertise | Description | Number Required
Project/Team Leader | Skilled in IT Auditing methodologies | 2
Personnel Security, Training and Education | Past experience with personnel security issues such as background investigations, training and awareness issues | 1
Mainframes | Skilled in CA-Examine auditing tool with either RACF or ACF2 security front-end for MVS. | 1
Database Management Systems | Skilled in DBMS administration in products such as Oracle, Sybase, DB2, Informix, etc. | 1
Telecommunications/Unix | Should be trained Unix administrator and knowledgeable of TCP/IP, X.400 protocols | 2
Information Security | Should be knowledgeable in Orange Book requirements, life cycle management, continuity of operations, and security administration with some experience in using tools such as KAS, ISS, COPS, etc. | 1
Networks | Skilled in LAN applications (i.e. Novell, NT, Banyan, etc) preferably trained in Systems Administration | 2
G. Activities Overview
There are primarily nine activities necessary to complete this step.
1.1 Identify the core mission(s) of the organization
1.2 Identify the threat environment
1.3 Identify the core processes supporting the core mission(s)
1.4 Analyze the value of each core process, categorizing them as Code Red, Code Amber, and
Code Green
1.5 Identify organizational structure and customers as well as roles and responsibilities
1.6 Identify facilities
1.7 Map architecture and systems
1.8 Link physical, organizational and architecture components to core processes valued “Code
Red”
1.9 Identify external resources upon which the department/agency MEI is dependent
VAF Step 1.1 – Identify the core mission(s) of the organization
Description:
In order to assess the vulnerabilities of and protect its critical infrastructure, the organization must
understand and clearly define its mission(s).
Necessary Data Gathering:
Data Gathering Activity: Targeted Participants and Products
ü Facilitated Sessions: Executive Leadership
ü Interviews: Executive Leadership
ü Document reviews: Strategic Plan
Validation activities to include procedural checks, system and process tests and simulations
Outcomes:
The core mission(s) of the organization is/are clearly defined and agreed upon by executive
management.
VAF Step 1.2 – Identify the threat environment
Description:
This activity identifies the agency’s high level threat environment in order to focus management on
the security environment in which it must operate. At a minimum, a definition of threat should include any
circumstance or event with the potential to cause harm to an essential resource element through,
at least, the following criteria:
n Denial of access to essential resource elements, i.e., denial of service
n Disruption of any service provided by essential resource elements to the extent that its
availability is no longer assured
n Destruction of essential resource elements
n Deception – creating lack of confidence in essential resource elements
n Espionage or other harmful disclosure through or about resource elements, to include
sensitive information or essential resource elements passed to, used or accessed by
unauthorized persons/processes or in an unauthorized manner
The focus here is to develop or heighten the level of awareness by senior management of the
potential threats to which the agency may be exposed. The evaluation of threats should include
the general as well as the unique threats to which a particular agency is exposed.
Necessary Data Gathering:
Data Gathering Activity: Targeted Participants and Products
ü Facilitated Sessions: Executive Leadership; Security Management
ü Interviews: Executive Leadership; Security Management
ü Document reviews: Existing Threat Assessments; Existing Vulnerability Risk Assessments
Validation activities to include procedural checks, system and process tests and simulations
Outcomes:
Awareness by senior management of the threats that exist to their strategic mission(s) and the
motivations which may cause individuals, groups, or nations to take actions that may threaten this
mission(s). This awareness will contribute to the analysis of the vulnerabilities identified in VAF
Step 2. Also, this awareness will play a role in the development of the agency’s strategic plan and
the assessment of the agency’s strategic and tactical MEI.
As with the PCCIP, PDD 63 is intended to address vulnerabilities to intentional acts. When
considering the threat environment for such intentional acts, consideration should be given to
potential threat sources and potential threat motivations. At a minimum, this step should include
consideration of at least the following areas, plus any others more directly linked to
department/agency missions and responsibilities.
Potential Threat Sources
n Nations (hostile or otherwise)
n Intelligence Services/Economic Competitors
n Sub or Transnational Groups
Terrorism/Damage
Organized Crime
n Non Traditional Threats
Weapons of Mass Destruction
Information Warfare
n Malicious Code, intentionally transferred or otherwise
n Threats to Personal Privacy
n Environmental Factors (debris, smoke, water, heat, electrical)
n Unwitting Third Parties
n Disgruntled Insiders
Employees
Contractors
Service Personnel
n Hackers and Vandals
n Common Crime, i.e., Fraud, Theft, etc.
Potential Threat Motivations
n Economic Gain
n Revenge
n Political Objectives
n Extortion
n Competitive Advantage
n Invasion of Privacy
n Meet a Challenge
The following may provide some structure in estimating both the probability and the impact of the
potential threats a department or agency may consider in VAF Step 1.2.
Type of Threat | Probability | Impact
(one row per threat type) | Very Low – Very High | Low-Medium-High
This analysis is a very high level analysis. The main intent of this activity is to increase awareness
of the organization concerning the threat environment. The product of this threat analysis will be
used in VAF Step 3.4 to review and analyze identified vulnerabilities in relation to the threat
environment.
VAF Step 1.3 – Identify the processes supporting the strategic or core mission(s)
Description:
The core processes that support the core mission(s) must be identified whether strategic,
operational, administrative or otherwise. The appropriate team of knowledgeable individuals
must be involved in this task.
Necessary Data Gathering:
Data Gathering Activity: Targeted Participants and Products
ü Facilitated Sessions: Executive Leadership; Security Management; Functional Management; Technical Management
ü Interviews: Executive Leadership; Security Management; Functional Management; Technical Management
ü Document reviews: Tactical Plans; Continuity of Operations Plan; Response Plans; Modernization Plans; Personnel Policies and Plans
Validation activities to include procedural checks, system and process tests and simulations
The facilitated sessions should validate the critical components of each core process considered.
Outcomes:
Supporting processes are defined and linked to mission(s) they support.
VAF Step 1.4 – Analyze the value of each core process
Description:
This activity refines the list of core processes down to those processes which, if not available,
would cripple the organization to the point it could not achieve its mission.
Necessary Data Gathering:
Data Gathering Activity: Targeted Participants and Products
ü Facilitated Sessions: Executive Leadership; Security Management; Functional Management; Technical Management
ü Interviews: Executive Leadership; Security Management; Functional Management; Technical Management
Document reviews
Validation activities to include procedural checks, system and process tests and simulations
1. Analyze each core process and identify its value to the organization
After the core processes have been identified in VAF Step 1.3, a designated group of
knowledgeable, management-level individuals should further analyze each core process. The
analysis should consider whether each individual process, if lost, would:
n Code Red: Prevent the Agency from fulfilling its mission, critical national security or
national economic security functions or from providing continuity of core government
services. From the perspective of an attacker, this would constitute a “Kill.”
n Code Amber: Significantly debilitate or interfere with the ability of the Agency to fulfill its
mission, critical national security or national economic security functions or provide
continuity of core government services.
n Code Green: No appreciable impact on agency missions.
2. After categorizing the core processes utilizing the above criteria, review the categorization to
perfect the value assignment. Then, examining all the processes categorized as Code Amber
or Code Green, assess whether in aggregate within the respective category, a series of these
disabled processes would prevent the Agency from fulfilling its mission or supporting the
national MEI, thus making them in the aggregate a Code Red.
3. The organization must also consider the time variable. The agency must review the processes
categorized or valued at the Amber or Green level against a variable of time. If the process
escalates to the next higher value over time, the agency should consider whether the process
should be included in the MEI. For example, a process may be valued at Amber if in the first
few hours of loss it will significantly debilitate or interfere with the ability of the Agency to
fulfill its mission. If over the next few hours or days, loss of the process will prevent the
Agency from fulfilling its mission, critical national security or national economic security
functions or from providing continuity of core government services, the value of the process
should be considered Code Red.
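The three valuation rules above modelled in code, as an added example that is not part of the VAF document: constructed impact profiles for a hypothetical benefits agency, an assumed 72-hour planning horizon (the document sets no figure), and the rule 2 aggregate judgment supplied as an explicit input set rather than computed.

```python
"""Worked model of the VAF Step 1.4 valuation rules (added example).

Each core process carries a constructed impact profile: the impact level
observed at successive hours after loss. The rules are applied in order:
value each process on its impact, escalate Amber/Green processes whose
impact rises within the planning horizon (rule 3), and promote a set of
same-category processes that the review team judged mission-blocking when
lost together (rule 2).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# The three values used by the document, from least to most severe.
GREEN, AMBER, RED = "Code Green", "Code Amber", "Code Red"
_RANK = {GREEN: 0, AMBER: 1, RED: 2}


@dataclass
class CoreProcess:
    name: str
    # (hours since loss, impact level) pairs, constructed for illustration.
    impact_over_time: List[Tuple[int, str]]
    # Planning horizon in hours; an assumption, the document sets no figure.
    horizon_hours: int = 72


def immediate_value(p: CoreProcess) -> str:
    """Rule 1: the value based on the impact in the first hours of loss."""
    return min(p.impact_over_time, key=lambda point: point[0])[1]


def time_adjusted_value(p: CoreProcess) -> str:
    """Rule 3: if the impact escalates within the horizon, use the higher value."""
    levels = [lvl for hrs, lvl in p.impact_over_time if hrs <= p.horizon_hours]
    return max(levels, key=lambda lvl: _RANK[lvl])


def escalation_hour(p: CoreProcess) -> Optional[int]:
    """Hour at which loss first becomes Code Red within the horizon, else None."""
    for hrs, lvl in sorted(p.impact_over_time):
        if hrs <= p.horizon_hours and lvl == RED:
            return hrs
    return None


def value_processes(procs: Iterable[CoreProcess],
                    aggregate_blocking: Iterable[frozenset]) -> Dict[str, str]:
    """Apply the rules and return {process name: value}.

    aggregate_blocking lists sets of process names the review team judged to
    be mission-blocking when lost together (rule 2). The rule applies within
    a single category, so a set whose members carry mixed values, or that
    already contains a Code Red process, is left unchanged.
    """
    values = {p.name: time_adjusted_value(p) for p in procs}
    for group in aggregate_blocking:
        cats = {values[name] for name in group}
        if len(cats) == 1 and RED not in cats:
            for name in group:
                values[name] = RED
    return values


def mei_candidates(values: Dict[str, str]) -> List[str]:
    """Processes valued Code Red, i.e. the ones carried into the MEI."""
    return sorted(name for name, val in values.items() if val == RED)


# Constructed sample for a hypothetical benefits agency.
SAMPLE = [
    CoreProcess("Benefit payment disbursement", [(0, RED)]),
    CoreProcess("Claims intake", [(0, AMBER), (48, RED)]),
    CoreProcess("Internal newsletter", [(0, GREEN), (168, AMBER)]),
    CoreProcess("Regional call center A", [(0, AMBER)]),
    CoreProcess("Regional call center B", [(0, AMBER)]),
    CoreProcess("Visitor badge printing", [(0, GREEN)]),
]
# Team judgment (constructed): losing both call centers leaves claimants with
# no channel to the agency, so together they are a mission-blocking aggregate.
AGGREGATE_BLOCKING = [frozenset({"Regional call center A",
                                 "Regional call center B"})]

if __name__ == "__main__":
    result = value_processes(SAMPLE, AGGREGATE_BLOCKING)
    for p in SAMPLE:
        note = ""
        hour = escalation_hour(p)
        if hour is not None and immediate_value(p) != RED:
            note = f" (escalates to Code Red at {hour}h)"
        print(f"{p.name}: {result[p.name]}{note}")
    print("MEI candidates:", mei_candidates(result))
```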
Outcomes:
A list of core processes that have the highest priority in order to fulfill the mission of the
organization or support the National MEI.
VAF Step 1.5 – Identify organizational structure and customers
Description:
The human element is always a critical consideration. This is not only because of the value our
society places on human life, but because certain personnel are in key positions with key skills
who may not have appropriate backup and may not be easy to replace. This activity strives to
identify those people who are involved in each core process and the role they play. The focus
here is to highlight the key roles in the organization.
Necessary Data Gathering:
Data Gathering Activity: Targeted Participants and Products
Facilitated Sessions
ü Interviews: Security Management; Functional Management; Technical Management
ü Document reviews: Disaster Recovery Plan; Personnel Security Plans; Clearance Process; Key Personnel Listing; Organizational Structure; Continuity of Operations; Access Rosters
Validation activities to include procedural checks, system and process tests and simulations
Having evaluated each core process in VAF Step 1.4, this VAF Step provides a framework for
assessing the role of specific personnel in supporting those core processes. One essential
analytical function is to determine whether there is sufficient trained staff to perform core
processes in the threat environment of the department or agency. Just as there can be single
points of failure for equipment and facilities, there can be human resource single points of failure.
This analytical step should address that issue.
Outcomes:
Key players in core processes and security management are defined.
VAF Step 1.6 – Identify facilities
Description:
This activity identifies the facilities upon which the organization depends and the role those
facilities play in supporting core processes. These facilities may be owned and operated by the
organization or may be outsourced and maintained by a third party.
Necessary Data Gathering:
Data Gathering Activity: Targeted Participants and Products
Facilitated Sessions
ü Interviews: Facility Management; Security Management
ü Document reviews: Disaster Recovery Plans; COOP; Physical Layouts; Modernization Plans; Response Plans
Validation activities to include procedural checks, system and process tests and simulations
The purpose of this analysis is to assess the impact of loss on core mission functions of each
facility individually, or two or more linked facilities.
Outcomes:
Facilities are identified and their roles in support of the core processes are defined.
VAF Step 1.7 – Map cyber architecture, data and systems
Description:
Identifying and defining the components in the organization’s system, data, and information
architecture aids in the full depiction of the organization’s resources.
Necessary Data Gathering:
Data Gathering Activity: Targeted Participants and Products
Facilitated Sessions
ü Interviews: Technical Management; Security Management
ü Document reviews: Information Architecture; Network Architecture; Information Security Plans; Training Plans; System Inventory; Data Inventory
Validation activities to include procedural checks, system and process tests and simulations
The architecture and mapping should include documentation of:
n Major applications – Systems that perform clearly defined functions. A major application
might comprise hardware, software and telecommunications components. These components
can be a single software application or a combination of hardware/software focused on
supporting a specific mission related function. A major application may also consist of
multiple individual applications, related to a single mission function (e.g. payroll or personnel).
If a system is defined as a major application and the application is run on another
organization’s general support system, then the interdependencies should be defined.
n General Support Systems – Interconnected systems that share common functionality. A
general support system normally includes hardware, software, information, data, applications,
communications, facilities, and people; and provides support for a variety of users and
applications. A general support system, for example, can be a:
n LAN
n Backbone
n Communications network
n Departmental data processing center including its operations center and utilities
n Tactical radio network
n Shared information processing service organization
n Sensitivity of the Information Handled – documentation of the sensitivity and criticality of
the information stored within, processed by, or transmitted by a system provides a basis for
the value of the system. The sensitivity of the information handled should be evaluated based
on:
n Confidentiality – the system contains information that requires protection from
unauthorized disclosure.
n Integrity – the system contains information which must be protected from unauthorized,
unanticipated or unintentional modification.
n Availability – the system contains information or provides services which must be available
on a timely basis to meet mission requirements or to avoid substantial losses.
n Interfaces and Information Sharing – a detailing of the types of interfaces between systems
and the types of information flowing between the internal applications and with external
systems. Documentation of the authorizations for this type of information sharing should also
be included.
Outcomes:
The organization’s architecture and its components are defined.
VAF Step 1.8 – Link physical, organizational, architecture components to the core
processes that play key roles in achieving the mission
Description:
This activity pulls together the information gathered in activities 1.5, 1.6, and 1.7 and sorts it by
the definitions and criteria for Codes Red, Amber, and Green in activity 1.4. The intent is to
narrow the scope to the minimum essential resource elements necessary to support the core
processes from the larger scope of all the resource elements that support the whole organization
and all of its processes.
Necessary Data Gathering:
Data Gathering Activity: Targeted Participants and Products
Facilitated Sessions
ü Interviews: Executive Leadership; Security Management; Technical Management; Functional Management
ü Document reviews: Documents from VAF Step 1 – Activities 1.5, 1.6, and 1.7
Validation activities to include procedural checks, system and process tests and simulations
The analytical process in Step 1.8 comes after the results of Steps 1.4, 1.5, 1.6, and 1.7 are
compared. The purpose of the analysis is to identify those physical, cyber and human resources
that are so crucial to the ability of the department or agency to perform its core mission that the
mission cannot be performed without them. This analysis should result in the identification of a
department or agency’s MEI.
Outcomes:
An accurate representation of the minimum essential resource elements that support each of the
core processes essential to performing the core mission(s) of the department or agency.
VAF Step 1.9 – Identify the external resources upon which the MEI is dependent.
Description:
Presidential Decision Directive (PDD) 63 instructed that the government and sectoral
vulnerability assessment plans include a particular focus on interdependencies. So, it is important
to understand what the term “interdependency” means and how it should apply to the vulnerability
assessment plans of government departments and agencies.
The term “interdependencies” was used by the PCCIP primarily as a verbal shorthand for the way
in which interconnected networks have made infrastructure components dependent upon one
another in ways not heretofore experienced.
Historically, the nation’s critical infrastructures have primarily been physically separate systems.
Today, these infrastructures are increasingly dependent upon the automated control networks that
link them together, sometimes controlling how they interact with each other. Thus, the failure of
a component in one infrastructure may cause a cascade of failure into one or more other
infrastructures. As a result, these linkages between and among infrastructures have created a new
dimension of vulnerability, i.e., interdependence. These interdependencies, combined with the
new environment of unconventional threats, pose a new, mostly unrecognized, area of national
and business risk.
There are a number of new forces in the marketplace that the PCCIP believed potentially increase the
potential negative impact of infrastructure interdependencies. One is system complexity, and a
second is deregulation.
The complexities of interconnected infrastructure control systems add to the challenge of
recognizing interdependencies. Complex system control software, network architecture and/or
other related factors can mask flaws that will contribute to cascading failures across multiple
infrastructures. For example, in the energy infrastructure, this could mean that a rather minor or
routine disturbance would cascade into a regional outage. Without electric power, other critical
infrastructures, such as telecommunications and banking and finance begin to feel the impact,
particularly if the period of outage continues beyond a short period. In fact, nearly every
infrastructure may begin to feel the impact of what began as a relatively minor problem.
In addition to complexities, deregulation can introduce new interdependencies to an industry’s
traditional risk management models. In telecommunications and, increasingly, electrical power,
multiple intermediaries have been inserted into what once were end-to-end service systems that—
when combined with decreases in reserve capacity margins in these industries resulting from
competitive cost pressures—make the operational interdependency among these two gigantic
infrastructures even more opaque and complicated.
Necessary Data Gathering:
Data Gathering Activity: Targeted Participants and Products
ü Facilitated Sessions: Executive Leadership; Security Management; Technical Management; Functional Management
Interviews
Document reviews
Validation activities to include procedural checks, system and process tests and simulations
Once the MEI resource elements have been clearly defined through the preceding activities, this
activity will force the organization to identify where the MEI is dependent on resources and
services outside the organization’s control. For the purposes of VAF Step 1, the issue of
interdependencies is addressed at the high-end macro level. However, particular attention should
be paid to the MEI resource elements that may be outsourced, and, thus, may be partially under
the control of the Agency through contractual means. When MEI resource elements are identified
that are completely outside the control of the Agency, they should be carefully evaluated in VAF
Step 3 in light of the other vulnerabilities that come out of VAF Step 2.
MEI Dependencies
Resource Element | Internal Resources | External Resources (control) | External Resources (no control)
People | | |
Technology | | |
Applications | | |
Data | | |
Facilities | | |
Outcomes:
Internal and External Interdependencies are identified for consideration in VAF Step 2 and
analysis in VAF Step 3.
IV. VAF Step 2 - Gather Data to Identify MEI Vulnerabilities
Figure 5. VAF Step 2 (Gather Data to Identify MEI Vulnerabilities, shown highlighted among the three VAF steps)
A. Objective
The objective of this step is to identify the vulnerabilities in the organization related specifically to
the MEI identified through VAF Step 1.
Figure 6. The VAF Cube (Face 1, Areas of Control: Entity-Wide Security, Access Controls, Segregation of Duties, Continuity of Services & Operations, Change Control & Life Cycle Management, System Software; Face 2, MEI Resource Elements; Face 3, Areas of Potential Compromise: Confidentiality, Integrity, Accountability, Availability)
As noted previously, some suggest that penetration testing is an adequate approach to the cyber
portion of VAF. As will be seen from this VAF process, a much broader approach is necessary to
produce a comprehensive cyber vulnerability identification mechanism. Penetration testing has its
place in that process, but falls well short of being a “silver bullet” for infrastructure vulnerability
assessments. A review of root causes of infrastructure vulnerability is necessary before any
meaningful effort to minimize those vulnerabilities can be undertaken.
The criteria used to identify these vulnerabilities are depicted in Figure 6 – The VAF Cube.
The cube consists of three faces, defined as follows:
Areas of Control: Collectively, controls consist of the policies, procedures,
practices and organizational structures designed to provide
reasonable assurance that business objectives will be
achieved and that undesired events will be prevented or
detected and corrected. The control areas set out in the
KPMG VAF process have been modified from GAO’s
FISCAM standards for auditing federal information systems.
The FISCAM definitions of the control areas have been
expanded for this VAF process to incorporate
infrastructure vulnerability issues.
MEI Resource Elements: As previously discussed, these are the broad categories of
resources, all or portions of which, constitute the minimal
essential infrastructure necessary for a department, agency
or organization to conduct its core mission(s). These
resource elements are very similar to, but modified
somewhat from, the COBIT framework used by ISACF.
The definitions have been expanded to incorporate physical
infrastructure vulnerability areas.
Areas of Potential Compromise: These broad topical areas represent categories where losses
can occur that will impact both a department or agency’s
MEI and its ability to conduct core missions.
The KPMG VAF process examines the adequacy of department or agency Areas of Control set
out on the VAF cube Face 1. The process is designed to measure an organization’s effectiveness
in protecting the MEI Resource Elements listed on VAF cube Face 2. This mechanism will result
in the identification of Areas of Potential Compromise listed on VAF cube Face 3. The result will
be categorized vulnerability listings, directly related to the MEI and for which minimization
strategies may be necessary, probably to include modifications to organizational control
mechanisms.
Stated another way, the VAF evaluation will review actions, devices, procedures, techniques and
other measures that potentially place the organization’s MEI resources at risk. The outcome will
be the identification and reporting of flaws or omissions in controls (i.e., vulnerabilities) that may
affect the integrity, confidentiality, accountability, and/or the availability of resources that are
essential to achieving the organization’s core mission(s).
The three-way cross cut of issues represented by the VAF cube, which incorporates both physical
and cyber issues, represents a unique approach to the process of identifying vulnerabilities created
by systemic flaws in control and management of critical resources. The identification of such
systemic flaws allows remedies to be applied at a systemic level, thereby maximizing the impact of
remediation efforts.
Face One – Areas of Control
n Entity-Wide Security - Planning and management that provides a framework and continuing
cycle of activity for managing risk, developing security policies, assigning responsibilities, and
monitoring the adequacy of the entity’s physical and cyber security controls.
n Access Controls - Procedures and controls that limit or detect access to MEI Resource
Elements (People, Technology, Applications, Data and/or Facilities), thereby protecting these
resources against loss of Integrity, Confidentiality, Accountability and/or Availability.
n Segregation of Duties - Policies, procedures, and an organizational structure established so
that one individual cannot control key aspects of physical and/or computer-related operations
and thereby conduct unauthorized actions or gain unauthorized access to MEI Resource
Elements.
n Continuity of Service and Operations - Controls to ensure that, when unexpected events
occur, departmental/agency MEI services and operations, including computer operations,
continue without interruption or are promptly resumed and critical and sensitive data are
protected through adequate contingency and business recovery plans and exercises.
n Change Control & Life Cycle Management - Procedures and controls that prevent
unauthorized programs or modifications to an existing program from being implemented.
n System Software - Controls that limit and monitor access to the powerful programs and
sensitive files that (1) control the computer hardware and (2) secure applications supported by
the system.
Face Two – MEI Resource Elements
These Resource Elements have been defined earlier in the process, but will be repeated here for
continuity purposes. They are:
n People - Staff, management, and executives necessary to plan, organize, acquire, deliver,
support, and monitor mission related services, information systems, and facilities. This
includes groups and individuals external to the organization involved in the fulfillment of the
organization’s mission. Security management personnel should also be included.
n Technology - All hardware and software, connectivity, countermeasures and/or safeguards
that are utilized in support of the core process.
n Applications - All application systems, internal and external, utilized in support of the core
process.
n Data - All data (electronic and hard copy) and information required to support the core
process. This includes numbers, characters, images or other methods of recording, in a form
which can be accessed by a human or (especially) input into a computer, stored and processed
there, or transmitted on a digital communications channel.
n Facilities - All facilities required to support the core processes, including the resources to
house and support information technology resources, and the other resource elements defined
above.
Face Three – Areas of Potential Compromise
In reviewing the areas of control against the MEI resource elements, if vulnerabilities are
identified, it would mean controls are not in place to ensure the following:
n Integrity - The accuracy, completeness and reliable transmission and reception of information
and its validity in accordance with business values and expectations; the adequacy and
reliability of processes assuring personnel selection, access and safety; and the adequacy and
reliability of processes assuring authorized access to and the safety of physical facilities.
n Confidentiality - The protection of sensitive information from unauthorized disclosure and
sensitive facilities from physical, technical or electronic penetration or exploitation.
n Availability - The ability to have access to MEI Resource Elements when required by the
mission and core supporting process(es), both now and in the future. It also concerns the
safeguarding of those resources and associated capabilities.
n Accountability - The explicit assignment of responsibilities for ownership and/or oversight of
the process, system, as well as inputs and outputs. Accountability may be assigned at various
levels within the organization to include executives, managers, staff, system, information or
facilities owners, providers, and users of MEI Resource Elements. These assignments are
reviewed for effectiveness and appropriateness in the areas of control listed on VAF Cube
Face 1. In the management of vulnerabilities, accountability is imperative and as an area of
compromise is highlighted in VAF Step 3.
VAF Step 2 – Inputs
n Policy
n Procedures
n Plans
n Organization of Agency
n Architecture Components (Physical and Cyber)
VAF Step 2 – Input Examples
The following items are representative of the types of documentation needed to conduct the
assessment:
n Physical Security Plans
- Facility
- Vulnerability Risk Assessment
- Threat Analysis
- Procedures and Policies
- Modernization Plans
- Response Plans and Capabilities
- Continuity of Operations Plans
n Personnel Security Plans
- Clearance Process
- Key Personnel Identification
- Organizational Structure
- Continuity of Operations Cross Training and Practice
- Access Controls Rosters
- Key Element Analysis
n Training Plans
- Inventory of Classes
- Physical and Cyber Security Awareness Training
- Certification and Accreditation Program
- Emergency Response and Crisis Management Training
n Security
- Security Concept of Operations (CONOPS) and Practice (specific to applications and
facilities)
- Security Mode Determination
- Security Test and Evaluation
- Emergency Response Capabilities and Practice
n Cyber Plans
- Architecture and Access
- Security and Oversight
- Training and Awareness
- Systems Inventory and Access Control
- Data Inventory and Access Control
- Continuity of Operations and Reconstitution
- Proactive system integrity monitoring and emergency response capabilities
B. Critical Success Factors
In order to successfully use the cube, the assessment team must:
ü Have full support from executive management
ü Use a clearly defined MEI
ü Have access to the appropriate staff and existing documentation (plans, policies and
procedures)
C. Outcomes
A list of vulnerabilities:
n Classified by Core process and by Area of potential compromise
n Illustrating interdependencies and potential impact
D. Scalability of the Process
The VAF process was designed to be scalable, and its concepts applicable, to the identification of
vulnerabilities at the National Level, the Agency/Department Level and the internal process level of
the organization. The questionnaires utilized in VAF Step 2 are best applied once the VAF team
has clearly defined the process to be examined and the associated MEI Resource Elements. The
scalability applies whether the process being examined is maintaining electronic commerce (EC)
between the government and industry trading partners or maintaining communications within an agency.
The questionnaires in VAF Step 2 are derived from existing federal guidance and requirements
already being utilized in the government. Most of the questions reflect a requirement or an audit
control measure being reviewed by the Agency/Department auditors. The questionnaires are to
be reviewed for applicability to the particular organization being assessed. The VAF team has a
responsibility to apply sound judgement in the data gathering process and determining the
usefulness and applicability of the questions and the control measures being reviewed. If the team
deems the measure or question does not apply, the rationale should be documented briefly and the
question or control measure passed over.
E. Activities
The activities that comprise this step are essentially the data gathering and analyses necessary to
evaluate each of the six areas of control. Each area of control has an assessment questionnaire
designed to gather information pertinent to that area of control. The assessment team would
perform the data gathering and analysis required in the six areas of control detailed in the
following pages.
Each control area questionnaire is structured based on the following outline:
Topical Areas: A grouping of related control objectives.
Control Objectives: A statement of the desired result or purpose to be achieved by
implementing control procedures in a particular IT activity.
Questions On Controls: The policies and procedures and practices and organizational
structures designed to provide reasonable assurance that business
objectives will be achieved and that undesired events will be
prevented or detected and corrected.
The questionnaires for each control area are provided in Appendices A-F of this guideline
document.
Based on VAF Step 1, the VAF team will have documented each process and the associated MEI
Resource Elements. Based on the process list, the VAF team should examine each process
utilizing the VAF cube approach. The six questionnaires that are used in this step are scalable.
The VAF team should decide how to apply each questionnaire based on the MEI level and the
organization being examined.
The team should apply best judgement in the detail required from the questionnaires provided.
The questionnaires are comprehensive and assume a team that is well versed in the required level
and format of documentation as well as the terminology being applied.
The team should apply greater scrutiny to certain sections of the questionnaire based on the
type of process being reviewed. For example, if the team is examining a process that consists
predominantly of a cyber component, the sections of the questionnaire that address
physical/facility control measures can be de-emphasized.
If the organization is already performing vulnerability assessments, the team should examine the
process being used against the VAF process and determine if gaps between the two exist. The
intent of the VAF process is to use, if available, existing data gathering and analysis techniques in
the identification and documentation of vulnerabilities in the infrastructure. The intent is not to
duplicate existing efforts.
The results of the questionnaires should be gathered in a secure database for future analysis.
VAF Step 2.1 – Assess Areas of Control – Entity Wide Security
Description:
Planning and management that provides a framework and continuing cycle of activity for
managing risk, developing security policies, assigning responsibilities, and monitoring the
adequacy of the entity’s computer-related controls and physical security controls.
An entity-wide program for security planning and management is the foundation of an entity’s
security control structure and a reflection of senior management’s commitment to addressing
security risks. The program should establish a framework and continuing cycle of activity for
assessing risk, developing and implementing effective security procedures, and monitoring the
effectiveness of these procedures. Without a well-designed program, security controls may be
inadequate; responsibilities may be unclear, misunderstood, and improperly implemented; and
controls may be inconsistently applied. Such conditions may lead to insufficient protection of
sensitive or critical resources (i.e., vulnerabilities) and disproportionately high expenditures for
controls over low-risk resources.
Interviews and Data Gathering:
See Questionnaire in Appendix A.
To gather the information required in the questionnaire, the VAF team would review existing
documentation and perform interviews. These two activities will provide the team insights as the
team identifies and validates stated process and procedures and their current implementation
within the organization. The interviews may serve as data gathering or as validation meetings.
At the beginning of the assessment, the VAF team should review the questionnaire and compile a
list of documents required for review. The VAF team should also determine the individuals
required for interviews. The policy staff may differ from the functional and technical staff
responsible for the execution of policy. Initially, the VAF team should meet with the staff
responsible for setting policy and procedures and to identify those policies and procedures that are
defined. The VAF team should then follow up with the functional and technical staff responsible
for carrying out the policy and procedures to verify they are being followed.
Areas of Concern:
It is essential that the security program planning and management organization provide a
framework and continuing cycle of activity for managing risk, developing security policies,
assigning responsibilities, and monitoring the adequacy of the entity’s computer-related controls.
The critical elements in developing and implementing an entity-wide security program involve
factors that are essential to several internal control components, including the control
environment. Therefore, these critical elements help ensure the effectiveness of the entity’s
overall internal control. The relevant factors include supportive attitudes and actions by senior
management, ongoing assessments of risk and monitoring of related policies, and effective
communications between management and staff. All internal control components should be
present and functioning effectively to conclude that internal control is effective. However, the
control environment sets the tone of the organization. Generally, a specific control technique,
including penetration testing, or group of techniques cannot be relied on to be effective on an
ongoing basis unless it is supported by a strong control environment. For this reason, the auditor
should be cognizant of control environment factors throughout the audit and adjust audit
procedures accordingly.
Control Objectives:
Risk Management
Risk assessments should consider data sensitivity and the need for integrity and the range of risks
that an entity’s MEI resource elements may be subject to, including those risks posed by
authorized internal and external users, as well as unauthorized outsiders who may try to “break
into” the cyber systems. Such analyses should also draw on reviews of system and network
configurations and observations and testing of existing security controls for cyber systems, as well
as reviews and testing of controls for the other resource elements.
Entity-Wide Security Program Plan
Entities should have a written plan that clearly describes the entity’s security program and policies
and procedures that support it. At a minimum, the plan and related policies should cover all MEI
resource elements and outline the duties of those who are responsible for overseeing security (the
security management function) as well as those who own, use, or rely on the entity’s computer
and physical resources.
Security Management Structure
Senior management should establish a structure to implement the security program throughout the
entity. The structure generally consists of a core of personnel who are designated as security
managers. These personnel play a key role in developing, communicating, and monitoring
compliance with security policies and reporting on these activities to senior management. The
security management function also serves as a focal point for others who play a role in evaluating
the appropriateness and effectiveness of computer-related controls on a day-to-day basis. These
include program managers who rely on the entity’s computer systems, system administrators, and
system users.
However, because security is not an end in itself, senior managers should balance the emphasis on
security with the larger objective of achieving the entity’s mission. To do this effectively, top
management should understand the entity’s security risks and actively support and monitor the
effectiveness of the entity’s security policies. If senior management does not monitor the security
program, it is unlikely that others in the organization will be committed to properly implementing
it.
Effective Security-Related Personnel Policies
Policies related to personnel actions, such as hiring and termination, and employee expertise are
important factors for information and facility security. If personnel policies are not adequate, an
entity runs the risk of:
(1) hiring unqualified or untrustworthy individuals,
(2) providing terminated employees opportunities to sabotage or otherwise impair entity
operations or assets,
(3) failing to detect continuing unauthorized employee actions,
(4) lowering employee morale, which may in turn diminish employee compliance with controls,
and
(5) allowing staff expertise to decline.
Outsourcing
Vendor management controls involve the definition of procedures, the services to be provided,
adherence to agreements and service levels, and qualifications of personnel.
Electronic Commerce
Electronic commerce controls involve the management of contractual arrangements, standards for
transactional security, and authentication using certificate authorities.
Interdependencies
An important consideration in managing entity-wide security is the risk to the organization that
arises from interdependencies on forces both internal and external to the organization.
Examples of internal and external interdependencies are labor strikes at outsourced service
providers or contractual difficulties with service providers, in addition to externally provided utilities
and other critical infrastructures.
Control Objective Topical Areas:
n Organizational Management
n Risk Assessment
n Security Plans
- Security Policy
- Current State of Security
- Requests for Access
- Accountability
- Update on Plan
- Organizational Goals
- Commitment to Security
- Limits of Security
n Security Management Structure & Responsibilities
n Security-Related Personnel Policies
- Ensure Personnel Have Proper Security Clearances and/or Access Authorizations
- Ensure Users Are Educated in Security Responsibilities
- Maintain Records of Valid Security Clearances and/or Access Authorizations
- Ensure Maintenance Personnel Have Proper Clearances and Access
n Security Program Effectiveness
- Be Aware of Directives, Regulations, Policies and Guidelines
- Participate in Developing Site Specific Documents
- Provide Input to Other Security Documents (incident reports, inventories, vulnerability
reports, response plans, COOP plans, etc.)
n Security Awareness
- Ensure All Personnel Have Security Awareness Training
- Ensure Users Are Trained in Proper Use of Passwords
- Ensure Users Monitor Their Logins
- Ensure Users Know How to Report Problems
- Promulgate Awareness Information
Outcomes:
The identification of control weaknesses or vulnerabilities within one or more core processes.
VAF Step 2.2 – Assess Areas of Control – Access Controls
Description:
Procedures and controls that limit or detect access to MEI Resource Elements (People,
Technology, Applications, Data and/or Facilities), including physical procedures and controls that
prevent unauthorized access to or within physical facilities.
Access controls provide reasonable assurance that resources (data files, application programs, and
computer-related facilities and equipment) are protected against unauthorized modification,
disclosure, loss, or impairment. Such controls include physical controls, such as keeping
computers in locked rooms to limit physical access, and technical controls, such as security
software programs designed to prevent or detect unauthorized access to sensitive files.
Interviews and Data Gathering:
See Questionnaire in Appendix B.
To gather the information required in the questionnaire, the VAF project team would review
existing documentation and perform interviews. These two activities will provide the team
insights as the team identifies and validates stated processes and procedures and their current
implementation within the organization. The interviews may serve as data gathering or as
validation meetings.
At the beginning of the assessment, the VAF project team should review the questionnaire and
compile a list of documents required for review. The VAF team should also determine the
individuals required for interviews. The policy staff may differ from the functional and technical
staff responsible for the execution of policy. Initially, the project team should meet with the staff
responsible for setting policy and procedures and identify those policies and procedures that are
defined. The project team should then follow up with the functional and technical staff
responsible for carrying out the policy and procedures to verify that they are being followed.
Areas of Concern:
Access is based on one or more of three user characteristics:
n Something a person knows – password, Personal Identification Number (PIN)
n Something a person has – smart card, bank card, key, pass card
n Something a person is – based on personal characteristics (biometrics)
The objectives of limiting access are to ensure that:
n users have only the access needed to perform their duties,
n access to very sensitive resources, such as security software programs or the main console in
the data center, is limited to very few individuals, and
n employees are restricted from performing incompatible functions or functions beyond their
responsibility.
If these objectives are met, the risk of inappropriate modification or disclosure of data can be
reduced without interfering with the practical needs of users. However, establishing the
appropriate balance between user needs and security requires a careful analysis of the criticality
and sensitivity of information resources available and the tasks performed by users.
Discretionary control is the most common type of access control mechanism implemented in
computer systems today. The basis of this kind of security is that an individual user, or program
operating on the user’s behalf, is allowed to specify explicitly the types of access other users (or
programs executing on their behalf) may have to information under the user’s control.
Discretionary security differs from mandatory security in that it implements the access control
decisions of the user. Mandatory controls are driven by the results of a comparison between the
user’s trust level or clearance and the sensitivity designation of the information.
Discretionary controls are not a replacement for mandatory controls. In any environment in
which information is protected, discretionary security provides for a finer granularity of control
within the overall constraints of the mandatory policy. Both discretionary and mandatory controls
can be used to implement an access control policy to handle multiple categories or types of
information, such as proprietary, financial, personnel or classified information. Such information
can be assigned different sensitivity designations and those designations enforced by the
mandatory controls. Discretionary controls can give a user the discretion to specify the types of
access other users may have to information under the user’s control, consistent with the
overriding mandatory policy restrictions. In a classified environment, no person may have access
to classified information unless: (a) that person has been determined to be trustworthy, i.e.,
granted a personnel security clearance – MANDATORY, and (b) access is necessary for the
performance of official duties, i.e., determined to have need-to-know – DISCRETIONARY. (For
a further discussion of these concepts refer to the Department Of Defense Standard, Department
Of Defense Trusted Computer System Evaluation Criteria, December 1985.)
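The interaction described above, as an added illustration that is not part of the VAF document or its questionnaires: a minimal reference monitor that applies the mandatory check first (the subject's clearance must dominate the resource's sensitivity label, both in level and in compartments) and only then consults the resource owner's discretionary access control list. The level names, compartment names, users, resource and ACL entries are constructed sample data, and the access types follow the read/update/delete/execute categories used later in this section. The example also shows the point the text makes that a discretionary grant cannot override the mandatory policy.

```python
"""Added example: mandatory plus discretionary access decision.
Not code from the VAF document; all names and labels are constructed."""
from dataclasses import dataclass, field

# Assumed ordered sensitivity levels (lower index = less sensitive).
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]


@dataclass(frozen=True)
class Label:
    """A sensitivity label or a clearance: a level plus a set of compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        # Mandatory rule: level must be at least as high AND every compartment
        # on the object must be held by the subject.
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and other.compartments <= self.compartments)


@dataclass
class Subject:
    name: str
    clearance: Label


@dataclass
class Resource:
    name: str
    owner: str
    sensitivity: Label
    acl: dict = field(default_factory=dict)  # user -> set of access types

    def grant(self, granting_user, user, access_types):
        # Discretionary rule: only the resource owner may change the ACL.
        if granting_user != self.owner:
            raise PermissionError(f"{granting_user} is not the owner of {self.name}")
        self.acl.setdefault(user, set()).update(access_types)


def check_access(subject, resource, access_type):
    """Return (allowed, reason). The mandatory check runs first and a
    discretionary ACL entry cannot override a mandatory denial."""
    if not subject.clearance.dominates(resource.sensitivity):
        return False, "mandatory: clearance does not dominate sensitivity label"
    if access_type not in resource.acl.get(subject.name, set()):
        return False, "discretionary: no need-to-know entry in ACL"
    return True, "allowed"


def demo():
    """Constructed scenario exercising each outcome; returns the decisions."""
    alice = Subject("alice", Label("SECRET", frozenset({"NUCLEAR"})))
    bob = Subject("bob", Label("TOP SECRET"))          # no NUCLEAR compartment
    carol = Subject("carol", Label("CONFIDENTIAL"))
    plan = Resource("reactor_plan", owner="alice",
                    sensitivity=Label("SECRET", frozenset({"NUCLEAR"})))
    plan.grant("alice", "alice", {"read", "update"})
    plan.grant("alice", "bob", {"read"})
    plan.grant("alice", "carol", {"read"})  # owner shares below carol's clearance
    return {
        "alice_read": check_access(alice, plan, "read"),     # allowed
        "alice_delete": check_access(alice, plan, "delete"), # DAC denies
        "bob_read": check_access(bob, plan, "read"),         # MAC denies (compartment)
        "carol_read": check_access(carol, plan, "read"),     # MAC denies (level)
    }


if __name__ == "__main__":
    for who, (ok, why) in demo().items():
        print(f"{who:12s} {'ALLOW' if ok else 'DENY '} {why}")
```

Note that `bob` holds a higher level than the resource but is still denied: compartment membership is part of the mandatory comparison, not something the owner can waive through the ACL.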
Control Objectives: Security policies defined for systems, including those that are used to process
classified or other sensitive information, should include provisions for the enforcement of
discretionary access control rules. That is, they must include a consistent set of rules for
controlling and limiting access to identified users who have been appropriately authorized to have
access to particular resources.
Data Classification
Resource owners should determine the level of protection that is most appropriate for the
resources for which they are responsible. These determinations should flow directly from the
results of risk assessments that identify threats, vulnerabilities, and the potential negative effects
that could result from disclosing confidential data or failing to protect the integrity of data
supporting critical transactions or decisions. All resource classifications should be reviewed and
approved by an appropriate senior official, maintained on file, and periodically reviewed to ensure
that they reflect current conditions.
Implementing adequate access controls involves first determining what level and type of
protection is appropriate for individual resources and who needs access to those resources. The
resource owners should perform these tasks. For example, program managers should determine
how valuable their program data resources are and what access is appropriate for personnel who
must use an automated system to carry out, assess, and report on program operations. Similarly,
managers in charge of system development and modification should determine the sensitivity of
hardware and software resources under their control and the access needs of systems analysts and
programmers. System administration officials should determine the access needs of system
administration personnel.
Policies specifying classification categories and related criteria can help resource owners classify
their resources according to their need for protective controls. The Computer Security Act
requires agencies to identify systems that process “sensitive” data. “Sensitive” data is defined as
“any information, the loss, misuse, or unauthorized access to or modification of which could
adversely affect the national interest or the conduct of Federal programs, or the privacy to which
individuals are entitled under [the Privacy Act.]” OMB Circular A-130, Appendix III, directs
federal agencies to assume that all major systems contain some sensitive information that needs to
be protected, but to focus extra security controls on a limited number of particularly high-risk or
major applications.
Broad or special access privileges, such as those associated with operating system software that
allow normal controls to be overridden, are only appropriate for a small number of users who
perform system maintenance or handle emergency situations. Such special privileges may be
granted on a permanent or temporary basis. However, any such access should also be approved
by a senior security manager, written justifications should be kept on file, and the use of highly
sensitive files or access privileges should be closely monitored by management.
Access Control Lists (ACL)
An entity should institute policies and procedures for authorizing access to information resources
and documenting such authorizations. These policies and procedures should cover user access
needed for routine operations, emergency access, and the sharing and disposition of data with
individuals or groups outside the entity.
The computer resource owner should identify the specific user or class of users that are
authorized to obtain direct access to each resource for which he or she is responsible. This
process can be simplified by developing standard profiles, which describe access needs for groups
of users with similar duties, such as accounts payable clerks.
The owner should also identify the nature and extent of access to each resource that is available to
each user. This is referred to as the user’s profile. In general, users may be assigned one or more
of the following types of access to specific computer resources:
n Read access, which is the ability to look at and copy data or a software program.
n Update access, which is the ability to change data or a software program.
n Delete access, which is the ability to erase or remove data or programs.
n Merge access, which is the ability to combine data from two separate sources.
n Execute access, which is the ability to execute a software program.
Access may be permitted at the file, record, or field level. Files are composed of records, typically
one for each item or transaction. Individual records are composed of fields that contain specific
data elements relating to each record. Access authorizations should be documented on standard
forms, maintained on file, approved by senior managers, and securely transferred to security
managers. Owners should periodically review access authorization listings and determine whether
they remain appropriate.
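The profile and access-type scheme described above, as an added Go example that is not part of the original framework: standard profiles hold grants at file, record, or field granularity, a user’s effective access is the union of the profiles assigned to them, and every request is checked against that effective access. The resource naming (file/record/field), the profiles, and the users are constructed for the example.

```go
package main

import "fmt"

// Access is a bit set of the five access types listed above.
type Access uint8

const (
	Read Access = 1 << iota
	Update
	Delete
	Merge
	Execute
)

// Resource names what is accessed: a file, optionally one record in it,
// optionally one field of that record (hypothetical naming for this example).
type Resource struct{ File, Record, Field string }

// keys lists the profile entries that could govern r, most specific first:
// the field of this record, that field in every record ("*"), the record, the file.
func (r Resource) keys() []string {
	var k []string
	if r.Field != "" {
		if r.Record != "" {
			k = append(k, r.File+"/"+r.Record+"/"+r.Field)
		}
		k = append(k, r.File+"/*/"+r.Field)
	}
	if r.Record != "" {
		k = append(k, r.File+"/"+r.Record)
	}
	return append(k, r.File)
}

// Profile is a standard profile: the access a class of users with similar duties
// holds, keyed by resource. The most specific entry wins, so a file-level grant
// can be narrowed for one field without listing every record.
type Profile map[string]Access

func (p Profile) grant(r Resource) (Access, bool) {
	for _, k := range r.keys() {
		if a, ok := p[k]; ok {
			return a, true
		}
	}
	return 0, false
}

// ACL is the owner's authorization record: named profiles and who holds them.
type ACL struct {
	profiles map[string]Profile
	users    map[string][]string
}

func NewACL() *ACL { return &ACL{map[string]Profile{}, map[string][]string{}} }

func (acl *ACL) DefineProfile(name string, p Profile) { acl.profiles[name] = p }

func (acl *ACL) Assign(user string, profiles ...string) {
	acl.users[user] = append(acl.users[user], profiles...)
}

// Effective is the union of what each of the user's profiles grants on r.
func (acl *ACL) Effective(user string, r Resource) Access {
	var eff Access
	for _, name := range acl.users[user] {
		if a, ok := acl.profiles[name].grant(r); ok {
			eff |= a
		}
	}
	return eff
}

// Allowed is the check made on each request: does the user hold every access type
// the operation needs? Unknown users, resources and empty requests get nothing.
func (acl *ACL) Allowed(user string, r Resource, need Access) bool {
	return need != 0 && acl.Effective(user, r)&need == need
}

// sampleACL holds constructed profiles and users for the example.
func sampleACL() *ACL {
	acl := NewACL()
	acl.DefineProfile("ap-clerk", Profile{
		"ap/invoices":            Read | Update, // enter and correct invoices
		"ap/invoices/*/approved": Read,          // but never set the approval flag
		"ap/vendors":             Read,
	})
	acl.DefineProfile("ap-supervisor", Profile{
		"ap/invoices":            Read,
		"ap/invoices/*/approved": Read | Update, // approval is the supervisor's field
	})
	acl.DefineProfile("ops", Profile{
		"ap/invoices": Read | Delete, // purge old runs, no edits
		"bin/payrun":  Execute,
	})
	acl.Assign("clerk1", "ap-clerk")
	acl.Assign("super1", "ap-supervisor")
	acl.Assign("ops1", "ops")
	return acl
}

func main() {
	acl := sampleACL()
	approved := Resource{"ap/invoices", "INV-1001", "approved"}
	fmt.Println("clerk1 may approve:", acl.Allowed("clerk1", approved, Update))
	fmt.Println("super1 may approve:", acl.Allowed("super1", approved, Update))
}
```

The field-level entry for `approved` is the point of the scheme: the clerk profile grants update on the whole invoice file, yet the narrower entry for that one field wins, so the clerk can enter invoices but cannot approve them. Default deny applies to unknown users, unknown resources, and empty requests.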
Listings of authorized users and their specific access needs and any modifications should be
approved by the appropriate senior manager and directly communicated in writing by the resource
owner to the security management function. A formal process for transmitting these
authorizations, including the use of standardized access request forms, should be established to
reduce the risk of mishandling, alterations, and misunderstandings. The security manager should
review authorizations for new or modified access privileges and discuss any questionable
authorizations with the authorizing official. Approved authorizations should be maintained on
file.
It is equally important to notify the security function immediately when an employee is terminated
or, for some other reason, is no longer authorized access to information resources. Who is
responsible for notification? Policies should be in place clearly assigning responsibility for
notifications whether it is the human resources department or another group. Terminated
employees who continue to have access to critical or sensitive resources pose a major threat,
especially those individuals who may have left under acrimonious circumstances.
Physical Controls
Physical controls are imposed by the organization once it has determined that specified resources
require a certain level of protection. Overall, physical security should be reviewed based on the
type of facility (e.g. geographic location, fragmented facilities, and public access facilities) as well
as the location within the facility (e.g. lobbies, parking facilities, utility areas, and trash disposal
areas). Special circumstances should also be considered, such as a facility that is under construction
or one that houses different types of personnel, as in the case of a day care center.
Different facilities require different physical security controls covering the interior, perimeters,
entries, barriers and openings, protective lighting, intrusion detection systems (IDS), and key
control. Appropriate procedures and policy should be in place and suitable techniques applied,
e.g. security systems, electronic monitoring, and security screening.
The review of physical controls should also consider security, contract and custodial personnel,
equipment, vehicles, communication techniques and training.
Data Centers
For a data center, controls should be in place to ensure that the identification and access rights of
users as well as the identity of system and data ownership are established and managed in a unique
and central manner to obtain consistency and efficiency of global access control.
Physical Access Lists and Visitor Logs to Data Centers
For a data center, controls should be in place to ensure that adequate control measures are
imposed to safeguard equipment and facilities.
Physical keys, Card keys and Cipher locks
For all designated facilities, controls should be in place to ensure that adequate physical security
measures are imposed to safeguard equipment and facilities.
Passwords
Passwords, tokens, or other devices are used to identify and authenticate users who have been
granted a specific level of access. Procedures for the maintenance and monitoring of passwords
are imperative if secure access is to be ensured.
Network Management Systems (NMS)
Security over local area networks (LAN) is required to adequately protect the resources that are
utilized. In the same vein as a mainframe platform, a systems administrator must implement
adequate controls to protect LAN resources from unauthorized use. This includes setting up user
profiles and appropriately limiting dial-up or remote access to authorized personnel.
Security Software/Access Control Software
Security software can be used to enforce logical controls over data files and software programs. It
can also be used to manage physical access at entry points to facilities, e.g. card keys.
Database Management Systems (DBMS)
DBMS have built-in utilities and access features. Logical controls over a database, in
combination with the capabilities provided through Network Management Systems (NMS), can
provide powerful access control capabilities.
Remote Access
For systems that can be accessed through public telecommunications lines, some users may be
granted dial-up access. This means that these individuals can use a modem to access and use the
system from a remote location, such as their home or a field office. Because such access can
significantly increase the risk of unauthorized access, it should be limited and the associated risks
weighed against the benefits. To help manage the risk of dial-up access, the justification for such
access should be documented and approved by the resource owners. Management must control the
resources and assets under its responsibility by implementing a formal process that tracks access
granted and services or property distributed; this applies equally to outsourced functions. Other
telephony-related topics to review include PBX, voicemail, and call detail reporting platforms.
Encryption and Related Applications
For certain types of data, the use of cryptographic tools may be imperative to protect the data
during transport. Transaction authorization and cryptographic key management are related
applications that can be applied to certain communications and types of data.
Cryptography involves the use of algorithms (mathematical formulae) and combinations of keys
(strings of bits) to do any or all of the following:
• Encrypt, or electronically scramble, a message or file so that it is unintelligible to those
who do not have the secret key needed to decrypt it, thus keeping the contents of the
message or file confidential.
• Provide an electronic signature that can be used to:
− determine whether any changes have been made to the related file, thus ensuring the file’s
integrity, and
− link a message or document to a specific individual’s or group’s key, thus ensuring
that the “signer” of the file can be identified.
Cryptographic tools are especially valuable for any application that involves “paperless”
transactions or for which the users want to avoid relying on paper documents to substantiate data
integrity and validity. Examples include:
• electronic commerce, where purchase orders, receiving reports, and invoices are created,
approved, and transmitted electronically,
• travel administration, where travel orders and travel vouchers are created, approved, and
transmitted electronically, and
• protection of documents or digital images, such as contracts, personnel records, or diagrams,
that are stored on electronic media.
Monitoring/Auditing
Monitoring measures need to be established to detect and ensure correction of security breaches,
such that all actual and suspected breaches are promptly identified, investigated, and acted upon,
and to ensure ongoing compliance with policy, standards, and minimum acceptable security
practices. Monitoring should occur on a continuous basis to assess performance of implemented
controls over time and ensure that identified deficiencies are reported to senior management in a
timely manner.
Compliance with access authorizations should be monitored by periodically comparing
authorizations to actual access activity. Access control software typically provides a means of
reporting user access authorizations and access activity.
Monitoring activities may include maintenance of audit trails, continuous review of actual or
attempted unauthorized, unusual, or sensitive access, investigation of and response to suspicious
access activity as well as ongoing security surveillance activities.
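An added example, not from the original framework, of the comparison the paragraphs above call for, written in Go: the approved authorization listing is checked against the access control software’s activity log, and activity by terminated users, granted accesses with no authorization behind them, repeated denials, and use of sensitive resources are reported to the reviewer. The log format, the listing, and the personnel data are constructed for the example; a real product’s export format will differ.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Event is one record from the access control software's activity log.
type Event struct {
	When     time.Time
	User     string
	Resource string
	Op       string // read, update, delete, merge, execute
	Granted  bool
}

// parseLine reads the key=value layout of the constructed sample log below; a real
// product's export format will differ.
func parseLine(line string) (Event, error) {
	f := strings.Fields(line)
	if len(f) != 5 {
		return Event{}, fmt.Errorf("malformed line: %q", line)
	}
	when, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Event{}, err
	}
	kv := map[string]string{}
	for _, field := range f[1:] {
		k, v, ok := strings.Cut(field, "=")
		if !ok {
			return Event{}, fmt.Errorf("malformed field %q in %q", field, line)
		}
		kv[k] = v
	}
	return Event{when, kv["user"], kv["res"], kv["op"], kv["result"] == "ok"}, nil
}

// Authorizations is the approved listing: user -> set of "resource op" entries.
type Authorizations map[string]map[string]bool

type Finding struct {
	Severity string // high, medium, low
	Event    Event
	Reason   string
}

// Review compares activity with the approved listing. It reports as high any
// activity by a terminated user or a granted access that no authorization covers
// (the control itself failed); as medium a user reaching failThreshold denied
// attempts; and as low every access to a sensitive resource, for the owner's review.
func Review(log []string, auth Authorizations, terminated, sensitive map[string]bool,
	failThreshold int) ([]Finding, error) {
	var out []Finding
	fails := map[string]int{}
	for _, line := range log {
		ev, err := parseLine(line)
		if err != nil {
			return nil, err
		}
		switch {
		case terminated[ev.User]:
			out = append(out, Finding{"high", ev, "activity by terminated user"})
		case ev.Granted && !auth[ev.User][ev.Resource+" "+ev.Op]:
			out = append(out, Finding{"high", ev, "granted access not in authorization listing"})
		}
		if !ev.Granted {
			if fails[ev.User]++; fails[ev.User] == failThreshold {
				out = append(out, Finding{"medium", ev, fmt.Sprintf("%d denied attempts", failThreshold)})
			}
		}
		if sensitive[ev.Resource] {
			out = append(out, Finding{"low", ev, "sensitive resource accessed"})
		}
	}
	return out, nil
}

// Constructed sample data: the listing, personnel status and log are invented.
var (
	sampleAuth = Authorizations{
		"clerk1": {"ap/invoices read": true, "ap/invoices update": true},
		"ops1":   {"bin/payrun execute": true, "ap/invoices delete": true},
		"super1": {"hr/personnel read": true},
	}
	sampleTerminated = map[string]bool{"jdoe": true}
	sampleSensitive  = map[string]bool{"hr/personnel": true}
	sampleLog        = []string{
		"1998-10-05T08:12:44Z user=clerk1 res=ap/invoices op=update result=ok",
		"1998-10-05T08:13:02Z user=clerk1 res=ap/invoices op=delete result=denied",
		"1998-10-05T08:13:05Z user=clerk1 res=ap/invoices op=delete result=denied",
		"1998-10-05T08:13:09Z user=clerk1 res=ap/invoices op=delete result=denied",
		"1998-10-05T09:01:10Z user=ops1 res=bin/payrun op=execute result=ok",
		"1998-10-05T09:40:00Z user=jdoe res=hr/personnel op=read result=ok",
		"1998-10-05T10:02:31Z user=super1 res=hr/personnel op=read result=ok",
		"1998-10-05T10:15:00Z user=ops1 res=ap/invoices op=update result=ok",
	}
)

func sampleReview() ([]Finding, error) {
	return Review(sampleLog, sampleAuth, sampleTerminated, sampleSensitive, 3)
}

func main() {
	findings, err := sampleReview()
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-6s %s %s %s %s: %s\n", f.Severity, f.Event.When.Format(time.RFC3339),
			f.Event.User, f.Event.Resource, f.Event.Op, f.Reason)
	}
}
```

The last log line is the case that matters most to this section: the access control software granted `ops1` an update the listing never authorized, which means the enforced configuration has drifted from the approved authorizations and the owner must reconcile the two, not just the user.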
Datascopes and Sniffers
Network monitoring is a valuable tool in the maintenance and review of access controls, but the
same capability is available to an attacker. Data entered at a workstation attached to a LAN is
normally transmitted in clear text over the network, and on a shared-media LAN (one built on
hubs) any host on the segment can run a “sniffer” program to view and capture data transmitted
over the LAN. Consider implementing encryption software to protect confidential or sensitive
data stored on a server or workstation, and data being transmitted over the network. Encryption
software uses an algorithm and a key to scramble data so that it is unreadable; only a person
holding the appropriate key can unscramble the data to make it readable again.
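An added Go example covering both the cryptographic services listed under Encryption and Related Applications and the protection of network traffic against sniffing discussed here; it is not code from the original framework. A purchase order is signed with a per-user Ed25519 key (the “electronic signature”), packed, and encrypted for transport with AES-256-GCM; the recipient decrypts, unpacks, and verifies the signature against a directory of registered signers. Key generation is done inline for the demonstration and stands in for the key management process; the wire layout, signer names, and purchase order are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Signed is a document with the electronic signature of one named signer.
type Signed struct {
	Signer string
	Doc    []byte
	Sig    []byte
}

// Directory is the register of signers and their public keys kept by the security
// management function. A signature identifies a signer only as far as this
// name-to-key binding is trustworthy.
type Directory map[string]ed25519.PublicKey

func Sign(signer string, priv ed25519.PrivateKey, doc []byte) Signed {
	return Signed{signer, doc, ed25519.Sign(priv, doc)}
}

// Verify answers the two questions in the text: has the document changed since it
// was signed, and was it signed with the named signer's key?
func (d Directory) Verify(s Signed) error {
	pub, ok := d[s.Signer]
	if !ok {
		return fmt.Errorf("signer %q is not in the directory", s.Signer)
	}
	if !ed25519.Verify(pub, s.Doc, s.Sig) {
		return errors.New("signature does not verify: document altered or not signed by this key")
	}
	return nil
}

// Encode packs a Signed record for transport: signature, one length byte, signer
// name, document (a hypothetical wire layout for this example).
func (s Signed) Encode() []byte {
	out := append([]byte{}, s.Sig...)
	out = append(out, byte(len(s.Signer)))
	out = append(out, s.Signer...)
	return append(out, s.Doc...)
}

func Decode(b []byte) (Signed, error) {
	const n = ed25519.SignatureSize
	if len(b) < n+1 || len(b) < n+1+int(b[n]) {
		return Signed{}, errors.New("truncated record")
	}
	name := int(b[n])
	return Signed{string(b[n+1 : n+1+name]), b[n+1+name:], b[:n]}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts for transport. GCM authenticates the ciphertext as well, so a
// message altered on the wire fails to decrypt instead of yielding garbage. The
// random nonce is prepended; it must never repeat under the same key.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func Open(key, msg []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("message too short")
	}
	return gcm.Open(nil, msg[:gcm.NonceSize()], msg[gcm.NonceSize():], nil)
}

// Receive is the recipient's side: decrypt, unpack, verify against the directory.
func Receive(d Directory, key, wire []byte) (Signed, error) {
	plain, err := Open(key, wire)
	if err != nil {
		return Signed{}, err
	}
	s, err := Decode(plain)
	if err != nil {
		return Signed{}, err
	}
	return s, d.Verify(s)
}

func main() {
	// Keys are generated here for the demonstration only; in practice the transport
	// key comes from the key management process and the public key from the directory.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dir := Directory{"buyer1": pub}
	key := make([]byte, 32)
	rand.Read(key)
	po := []byte("PO-4471 vendor=ACME qty=10 unit=149.00") // constructed purchase order
	wire, _ := Seal(key, Sign("buyer1", priv, po).Encode())
	got, err := Receive(dir, key, wire)
	fmt.Println("intact:", err == nil && bytes.Equal(got.Doc, po))
	wire[len(wire)-1] ^= 1 // one bit flipped in transit
	_, err = Receive(dir, key, wire)
	fmt.Println("tampered:", err)
}
```

The two mechanisms answer different questions. GCM’s authentication tag tells the recipient the message was not altered between sealing and opening, but anyone holding the shared transport key could have produced it; the signature survives decryption and storage and ties the purchase order to one registered key, which is what a “paperless” approval needs.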
Hub Management
Proper controls need to be implemented to appropriately manage an organization’s hubs.
Management tools can make this task easier. A current inventory should include all active hubs,
the configuration for each, and a listing of ports and port settings.
Voice Operations
An area that commonly lacks attention when security is reviewed is the telecommunications
network, including all voice operations, PBXs, and related hardware and software. The focus is
typically on modem lines rather than on voicemail systems, long distance calling capabilities, public
access to phones, and similar features. Access controls are necessary to adequately protect voice
operations from misuse and to prevent intrusion through them into more sensitive areas of the
organization.
Outcomes:
The identification of control weaknesses or vulnerabilities within one or more core processes.
VAF Step 2.3 – Assess Areas of Control – Segregation of Duties
Description:
Policies, procedures, and an organizational structure established so that no one individual can
control key aspects of computer-related operations or physical security and thereby conduct
unauthorized actions or gain unauthorized access to assets, records, or other MEI resource
elements.
Segregation of duties is the practice of dividing work responsibilities so that no critical stage of a
process is under the control of a single individual. It is achieved by dividing responsibility for
critical process stages between two or more individuals or groups. Dividing duties allows the
activities of one group or individual to serve as a check on the activities of the other and reduces
the probability of errors and wrongful acts going undetected.
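An added Go example, not from the original framework, of segregation of duties enforced rather than merely stated: a list of incompatible duty pairs, expansion of each user’s duties through group membership (where incompatible combinations typically hide), and a promotion step that refuses to let the developer of a change move it into production. The duties, users, and groups are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// incompatible lists duty pairs that must not rest with one person: holding both
// lets that person control a critical stage and the check on it. The pairs are
// constructed for this example; the real list is the entity's policy.
var incompatible = [][2]string{
	{"enter-invoice", "approve-payment"},
	{"develop-application", "move-to-production"},
	{"administer-security", "review-security-logs"},
}

// Org records who holds which duties, directly and through group membership.
type Org struct {
	Direct map[string][]string // user -> duties granted directly
	Groups map[string][]string // user -> groups
	Group  map[string][]string // group -> duties
}

// Duties expands a user's effective duties, including those inherited from groups.
func (o Org) Duties(user string) map[string]bool {
	d := map[string]bool{}
	for _, x := range o.Direct[user] {
		d[x] = true
	}
	for _, g := range o.Groups[user] {
		for _, x := range o.Group[g] {
			d[x] = true
		}
	}
	return d
}

// Violations returns "user: dutyA + dutyB" for each user holding an incompatible pair.
func (o Org) Violations() []string {
	users := map[string]bool{}
	for u := range o.Direct {
		users[u] = true
	}
	for u := range o.Groups {
		users[u] = true
	}
	var out []string
	for u := range users {
		d := o.Duties(u)
		for _, p := range incompatible {
			if d[p[0]] && d[p[1]] {
				out = append(out, fmt.Sprintf("%s: %s + %s", u, p[0], p[1]))
			}
		}
	}
	sort.Strings(out)
	return out
}

// Change is a program modification moving through the stages the pairs separate.
type Change struct {
	ID        string
	Developer string
	Approver  string
}

// Promote is the access control that enforces the split at run time: the person
// who developed the change cannot be the one who moves it to production, and the
// promoter must actually hold that duty.
func (o Org) Promote(c *Change, by string) error {
	if by == c.Developer {
		return errors.New("developer may not move their own change to production")
	}
	if !o.Duties(by)["move-to-production"] {
		return fmt.Errorf("%s does not hold the move-to-production duty", by)
	}
	c.Approver = by
	return nil
}

// sampleOrg is constructed: one clean split, one violation hidden in a group.
func sampleOrg() Org {
	return Org{
		Direct: map[string][]string{
			"dev1":   {"develop-application"},
			"ops1":   {"move-to-production"},
			"clerk1": {"enter-invoice"},
		},
		Groups: map[string][]string{
			"clerk1": {"ap-leads"}, // membership quietly adds approve-payment
			"sec1":   {"secops"},
		},
		Group: map[string][]string{
			"ap-leads": {"approve-payment"},
			"secops":   {"administer-security"},
		},
	}
}

func main() {
	o := sampleOrg()
	fmt.Println("violations:", o.Violations())
	c := &Change{ID: "CR-118", Developer: "dev1"}
	fmt.Println("dev1 promotes own change:", o.Promote(c, "dev1"))
	fmt.Println("ops1 promotes:", o.Promote(c, "ops1"), "approver =", c.Approver)
}
```

The violation report is the periodic management review the next section asks for; the promotion check is the access control that makes the policy hold between reviews. Both read the same expanded duty set, so a grant added through a group is caught by both.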
Interviews and Data Gathering:
See Questionnaire in Appendix C.
To gather the information required in the questionnaire, the VAF team reviews existing
documentation and conducts interviews. These two activities give the team insight as it
identifies and validates stated processes and procedures and their current implementation
within the organization. The interviews may serve as data gathering or as validation meetings.
At the beginning of the assessment, the VAF team should review the questionnaire and compile a
list of documents required for review. The VAF team should also determine the individuals
required for interviews. The policy staff may differ from the functional and technical staff
responsible for executing policy. Initially, the VAF team should meet with the staff responsible
for setting policy and procedures to identify which policies and procedures are defined. The VAF
team should then follow up with the functional and technical staff responsible for carrying out the
policies and procedures to verify that they are being followed.
Areas of Concern:
Key areas of concern during a vulnerability assessment involve the segregation of duties among
major operating and programming activities, including duties performed by users, application
programmers, and data center staff. The policies outlining the responsibilities of these groups and
related individuals should be fully documented, communicated, and enforced. Effective
supervision and management reviews are essential to ensuring policies and procedures are
enforced. This holds especially true for procedures pertaining to the duties of computer
operators, where segregation of duties alone does not ensure personnel only perform authorized
activities.
Control Objectives:
Conducting a vulnerability assessment on the effectiveness of segregating duties involves
assessing the entity’s efforts to perform each of the following critical elements: Policies; Access
Controls to Enforce Segregation of Duties; and Operating Procedures, Supervision, and Review.
Policies
Policies should be defined and implemented to ensure incompatible duties are identified and
segregated. In addition to segregating duties, these policies should clearly define employee duties
and responsibilities.
Access Controls to Enforce Segregation of Duties
Management reviews must be performed to determine the effectiveness of established control
techniques for segregating incompatible duties, in terms of both logical and physical access.
These reviews should reveal whether or not control techniques are maintaining risks within
acceptable levels.
Operating Procedures, Supervision, and Review
Formal operating procedures should be defined and implemented to provide guidance for the
performance of personnel activities. Active supervision and review should be provided for all
personnel to ensure procedures are being properly followed.
Interdependencies
When performing a vulnerability assessment of segregation of duties, it is important to consider
the possible risks resulting from interdependencies. An example of risks resulting from
interdependencies is the use of third party maintenance agreements by an outsourcing services
firm.
Control Objective Topical Areas:
• Identify and segregate incompatible duties and establish policies
• Establish, implement, and enforce access controls to segregate duties appropriately
• Control personnel activities through formal operating procedures and supervision and review
Outcomes:
The identification of control weaknesses or vulnerabilities within one or more core processes.
VAF Step 2.4 – Assess Areas of Control – Continuity of Services and Operations
Description:
Controls to ensure that when unexpected events occur, critical business operations, including
computer operations, continue without interruption or are promptly resumed and critical and
sensitive data are protected.
Service continuity controls provide reasonable assurance that the elements supporting processes
will be maintained. By taking steps to prevent and minimize potential damage and interruption,
users of functional systems can rely on continuous service. Developing and documenting a
comprehensive contingency plan establishes the procedures for responding to disruptions that are
outside the organization’s control. By maintaining and testing the contingency plan, system
administrators can have confidence in their ability to provide continuous service.
The objectives of service continuity controls are to ensure that:
• the organization does not lose the capability to process, retrieve, and protect information
maintained electronically,
• there are procedures in place to protect information resources and minimize the risk of
unplanned interruptions,
• a plan exists to recover critical operations should interruptions occur, and
• recovery plans will work as intended and are tested periodically in disaster simulation
exercises.
If the objectives of the controls are met, the risk of loss of service is reduced. Adequate policies
and procedures allow users to have confidence in the reliability and availability of the systems they
depend on.
Interviews and Data Gathering:
See Questionnaire in Appendix D.
To gather the information required in the questionnaire, the VAF team reviews existing
documentation and conducts interviews. These two activities give the team insight as it
identifies and validates stated processes and procedures and their current implementation
within the organization. The interviews may serve as data gathering or as validation meetings.
At the beginning of the assessment, the VAF team should review the questionnaire and compile a
list of documents required for review. The VAF team should also determine the individuals
required for interviews. The policy staff may differ from the functional and technical staff
responsible for executing policy. Initially, the VAF team should meet with the staff responsible
for setting policy and procedures to identify which policies and procedures are defined. The VAF
team should then follow up with the functional and technical staff responsible for carrying out the
policies and procedures to verify that they are being followed.
Areas of Concern:
Controls to ensure service continuity should address the entire range of potential disruptions,
from relatively minor interruptions to major disasters such as fires or natural disasters. Service
continuity controls may also include procedures to reestablish operations at a remote location.
Service continuity controls help prevent relatively minor interruptions from resulting in the loss or
incorrect processing of data, which could end in financial loss, expensive recovery efforts, or
inaccurate financial or management information. For some operations, such as those involving
health care or safety, system interruptions could also result in injuries or loss of life.
Control Objectives:
Business Continuity Plan
Business continuity plan (BCP) controls provide assurance that the BCP is adequate and
addresses all areas necessary to support business processes. The BCP controls help ensure that
critical resources are identified, emergency procedures are established, the BCP is continuously
updated to address changes in structure or function, personnel are properly trained, and the plan is
properly tested.
Resource Management
Resource management controls provide assurance that system capacity is maintained. Workload
forecasting and system monitoring procedures help to ensure peak system performance.
Scheduling policies reduce the impact of system maintenance on operations.
Contingency Plan
A contingency plan identifies procedures to account for loss of critical system processes or
components. Contingency plan controls provide assurance that the contingency plan reflects
current conditions, has been properly approved, addresses all components, and is properly tested.
Service Level Agreement Management
Service level agreement controls provide assurance that frameworks for service level agreements
have been defined. The agreements should cover such aspects as availability, reliability,
performance, security, and levels of support. Service level agreement controls also provide for
monitoring service and reviewing agreements and contracts.
Data Center Management
Data center management controls provide assurance that the data center facility is constructed and
maintained so that service continuity disruptions are reduced. These controls address issues such
as data center organization, location, and construction. Media library management provides
assurance toward the control of physical data storage media.
Backup Management
Backup management controls provide assurance that backup policies and procedures are
adequate. The controls ensure that the backup site is properly located, constructed, and
maintained, that data and program procedures are properly implemented, and restoration
strategies are adequate.
Alternative Site Management
Alternative site management controls provide assurance that alternative site procedures support
all necessary business processes. These controls assess such components as site management
policies, contracts and agreements, and alternate service arrangements.
Interdependency Awareness
Interdependency awareness controls provide assurance that management is aware of areas of
dependency that are out of the organization’s control. Interdependency awareness controls also
ensure that management has considered constructing redundancy in areas that are critical to the
continuity of critical business processes.
Control Objective Topical Areas:
• Assess the criticality and sensitivity of computerized operations and identify supporting
resources
• Prevent and minimize potential damage and interruption
• Develop a comprehensive contingency plan
• Test the contingency plan
• Problem and performance management
Outcomes:
The identification of control weaknesses or vulnerabilities within one or more core processes.
VAF Step 2.5 – Assess Areas of Control – Change Control & Life Cycle Management
Description:
Procedures and controls that prevent unauthorized programs, or unauthorized modifications to an
existing program, from being implemented.
Change control and life cycle management (LCM) policies provide reasonable assurance that
changes to applications will not interrupt the business process. Life cycle management policies
provide direction on software specification, implementation, and testing. Change control
policies provide assurance over application and system modifications, whether to in-house
software or to commercial packages and patches. By instituting policies, procedures, and
techniques, all program modifications are properly authorized, tested, and approved. In addition,
access to and distribution of programs is carefully controlled.
The objectives of managing programs and program modifications are to ensure that:
• developers are deterred from modifying program code to provide a means of bypassing
controls to gain access to sensitive data,
• program versions are controlled, limiting erroneous processing due to out-of-date versions,
and
• proper testing takes place, limiting the implementation of non-functional programs.
If the objectives of the controls are met, the risk of incorrect modification is reduced and
disruption of service avoided. Adequate implementation of control policies and procedures can
have a large effect on the availability and reliability of both systems and applications.
Interviews and Data Gathering:
See Questionnaire in Appendix E.
To gather the information required in the questionnaire, the VAF team reviews existing
documentation and conducts interviews. These two activities give the team insight as it
identifies and validates stated processes and procedures and their current implementation
within the organization. The interviews may serve as data gathering or as validation meetings.
At the beginning of the assessment, the VAF team should review the questionnaire and compile a
list of documents required for review. The VAF team should also determine the individuals
required for interviews. The policy staff may differ from the functional and technical staff
responsible for executing policy. Initially, the VAF team should meet with the staff responsible
for setting policy and procedures to identify which policies and procedures are defined. The VAF
team should then follow up with the functional and technical staff responsible for carrying out the
policies and procedures to verify that they are being followed.
Areas of Concern:
Life cycle management and change controls focus primarily on controlling the development
process, and the update, maintenance, and modification of existing software systems. These
controls are also effective in managing changes in systems under development.
Conducting a vulnerability assessment of life cycle management and change controls involves
assessing current policies and procedures involving software development, changes, updates, and
modifications. This may include examining policies involving software library management,
change management, life cycle management, project management, and application management.
Control Objectives:
Change Management
Change management controls provide assurance that modification to software systems is
conducted in a way that will limit impact on business processes. Change management policies
include requiring authorization for software modification, controlling changes through testing to
final approval, emergency change procedures, and control of the impact of changes on a
functional system.
Life Cycle Management
Life cycle management controls provide assurance that software is controlled properly from design
to removal. LCM includes procedures for documentation, communication, implementation, and
conversion.
Project Management
Project management controls provide assurance that software development projects will meet user
and system requirements. Project management monitors and documents software development
from design through production and implementation. Proper project management will ensure that
developed software is complete and meets user requirements.
Application Acquisition, Management, and Maintenance
Application Acquisition, Management, and Maintenance controls provide assurance that
processes are in place to control software distribution, version management, and documentation
and manuals. Policies including distribution restriction, software version control, program library
access and control, and maintenance of documents help ensure that appropriate software is
accessible.
Quality Assurance
Quality assurance controls provide assurance that changes to software are validated and meet
specifications. Quality assurance policies include procedures for system, application, and
operational tests, which contain processes to ensure that changes were implemented correctly and
documented appropriately.
Interdependencies
Life cycle management and change controls are dependent upon many outside factors. An
organization may be dependent upon a software vendor or third party developer to implement
application changes. Organizations may also have a dependency on the quality of a commercial
off-the-shelf product.
Control Objective Topical Areas:
• Authorization of Processing Features & Program Modifications
• Test and Approve all New and Revised Software
• Control Software Libraries
Outcomes:
The identification of control weaknesses or vulnerabilities within one or more core processes.
VAF Step 2.6 – Assess Areas of Control – System Software
Description:
Controls that limit and monitor access to the powerful programs and sensitive files that (1) control
the computer hardware and (2) secure applications supported by the system.
System software is a set of programs designed to operate and control the processing activities of
computer equipment. System software helps control and coordinate the input, processing,
output, and data storage associated with all of the applications that run on a system. Examples of
system software include: operating system software, system utilities, program library systems, file
maintenance software, security software, data communications systems, and database
management systems.
Interviews and Data Gathering:
See Questionnaire in Appendix F.
To gather the information required in the questionnaire, the VAF team reviews existing
documentation and conducts interviews. These two activities give the team insight as it
identifies and validates stated processes and procedures and their current implementation
within the organization. The interviews may serve as data gathering or as validation meetings.
At the beginning of the assessment, the VAF team should review the questionnaire and compile a
list of documents required for review. The VAF team should also determine the individuals
required for interviews. The policy staff may differ from the functional and technical staff
responsible for executing policy. Initially, the VAF team should meet with the staff responsible
for setting policy and procedures to identify which policies and procedures are defined. The VAF
team should then follow up with the functional and technical staff responsible for carrying out the
policies and procedures to verify that they are being followed.
Areas of Concern:
It is essential that controls over access to and modification of system software are in place to
ensure operating system-based security controls are not compromised and the system will not be
impaired.
Conducting a vulnerability assessment of system software involves assessing the agency’s efforts
to perform each of the following critical elements: System Software Access Control, System
Software Monitoring, and System Software Change Control.
Control Objectives:
System Software Access Control
System software access control is the process of limiting and controlling system software access
authorizations. Key to controlling access is the identification of all access paths and the
implementation of controls to prevent or detect access for all paths.
System Software Monitoring
System software monitoring is performed to detect and track the use of system software utilities.
Policies and techniques should be implemented that govern both the use of system software
utilities and the monitoring of that use. Inappropriate or unusual activity detected through system
software monitoring should be investigated and result in appropriate disciplinary action.
System Software Change Control
System software change control is the process of controlling system software changes that result
from installation and maintenance activities. All system software changes must be authorized,
tested, and approved before implementation. Installation of system software must be fully
documented and reviewed to ensure software change control can be maintained. System software
maintenance must be performed in accordance with system software change control procedures.
Interdependencies
When performing a vulnerability assessment of system software it is important to consider the
possible risks resulting from interdependencies. An example of system software risks resulting
from interdependencies is the use of third party programming or maintenance resources by a
system software vendor.
Control Objective Topical Areas:
• Limit Access to System Software
• Monitor Access & Use of System Software
• Control System Software Changes
• Limit Access to Data Center by System Software Personnel
Outcomes:
The identification of control weaknesses or vulnerabilities within one or more core processes.
V. VAF Step 3 – Analyze & Prioritize Vulnerabilities
[Figure 7. VAF Step 3: the three steps of the framework in sequence, VAF Step 1 (Establish the
Agency MEI), VAF Step 2 (Gather Data to Identify MEI Vulnerabilities), and VAF Step 3 (Analyze &
Prioritize Vulnerabilities), with Step 3 highlighted.]
A. Objective
The objective of this step is to define and analyze the vulnerabilities identified in VAF Step 2 and
MEI external dependencies from VAF Step 1, thereby enabling at least a first order of
prioritization for purposes of remediation or minimization. This step will move the process from
the vulnerability assessment phase into the first steps of the remediation planning process, with its
accompanying funding estimates and timelines.
[Figure 8. Activities in VAF Step 3. Inputs: the outputs from VAF Step 2 (List of MEI
Vulnerabilities by Core Process) and from VAF Step 1 (List of MEI External Dependencies; Potential
Threats from the Threat Assessment). Activities: Step 3.1, each vulnerability mapped across core
processes; Step 3.2, reassess strategic and tactical MEI, producing a prioritized list of agency
vulnerabilities; Step 3.3, summary of vulnerabilities by core process; Step 3.4, analysis of
vulnerabilities in light of potential threats, relating the impact of vulnerabilities to the National
MEI. Output: the remediation planning process, with funding estimates, timelines, and a long term
capital funding strategy.]
B. Critical Success Factors
In order for this step to be successful, the following elements need to exist:
✓ Application and assignment of the appropriate, knowledgeable personnel to the process of
mapping vulnerabilities to core processes
✓ A solid understanding of the relationship between core processes and critical agency missions
✓ An understanding of the relationship between agency MEI issues and the National MEI
✓ Access to outputs from Steps 1 and 2
C. Measurements in the four areas of compromise
For three of the areas of compromise (integrity, confidentiality and availability), the VAF team will
assign a value of Code Red, Code Amber or Code Green to indicate the impact if the vulnerability is
exploited.
However, for accountability, a Code Red is assigned if:
• a vulnerability is caused by a lack of accountability, i.e., if ownership of the process, system or
inputs/outputs is not clearly or appropriately defined; or
• a vulnerability is exploited and controls are not in place to warn those accountable.
This measurement will complement the review of the other areas of compromise and alert
management to review the assignment of ownership and/or oversight to the particular process or
system affected.
D. Outcomes
Each vulnerability will be examined to determine if it impacts more than one MEI core process
and the level of impact (potential for loss) across the four areas of potential compromise. This
will yield a cross cutting analysis of MEI impacts.
Second, vulnerabilities will be sorted by core process, presenting each identified vulnerability
within that core process.
Third, a graphical summary of the number of vulnerabilities by core process will be generated.
Fourth, an analysis of the likelihood that a vulnerability will be exploited considering the potential
threats to the agency will be performed.
E. Activities
VAF Step 3.1 – Document the Impact
First, for each vulnerability, document the impact on each core process and the interdependencies
between and among core processes. The outcome is indicated by the Code Red, Amber and Green
criteria defined in Step 1.4. Figure 9 is a representative example of how this can be done.
Worksheet for Each Vulnerability or Control Weakness Noted
Title: Passwords
Description: System access passwords are not aged.
Location: Desktop PCs with network connections
Core Processes      Integrity   Confidentiality   Availability   Accountability
Core Process 1      Green       Amber             Red            Green
Core Process 2      Amber       Red               Red            Amber
Core Process 3      Red         Amber             Green          Red
Core Process 4      Amber       Green             Red            Amber
Core Process "n"    Red         Green             Amber          Amber
Figure 9. Vulnerability Analysis Across MEI Core Processes
Objective: Evaluate each vulnerability and determine if the vulnerability impacts more than
one MEI core process and the level of impact (potential for loss) across the four areas of
compromise.
Outcome: Detailed analyses of vulnerabilities with crosscutting impacts in the MEI.
VAF Step 3.2 – Document the Vulnerabilities
Second, for each core process, document the vulnerabilities or control weaknesses noted and the
impact in terms of each area of compromise. The outcome is again indicated by the Code Red,
Amber and Green criteria defined in Step 1.4. Figure 10 is a representative worksheet.
Example: Worksheet for Each Core Process
Title: Core Process Name
Description: MEI Documentation
Core Processes      Integrity   Confidentiality   Availability   Accountability
Vulnerability 1     Green       Amber             Red            Green
Vulnerability 2     Amber       Red               Red            Red
Vulnerability 3     Red         Amber             Green          Amber
Vulnerability 4     Amber       Red               Red            Green
Vulnerability 5     Red         Red               Amber          Green
Vulnerability "n"   Red         Green             Red            Amber
Figure 10. All Vulnerabilities Per Core Process
Objective: Evaluate the vulnerabilities associated with a single core process and determine the
level of impact (potential for loss) across the four areas of compromise.
Outcome: Detailed analyses of the vulnerabilities with the highest impact in each core
process.
VAF Step 3.3 – Summarize the Vulnerabilities
Third, graphically summarize the number of vulnerabilities in each priority category per core
process. This time, the number of vulnerabilities in each category indicates the outcome. The
following worksheet is a representative example of how this can be done.
Example:
Summary of Impact of Vulnerabilities
Priority
Core Processes Code Red Code Amber Code Green
Core Process 1 12 20
Core Process 2 1 18 11
Core Process 3 27
Core Process 4 43 15
Core Process 5 21 9
Core Process "n"
Figure 11. Total Vulnerabilities Per Core Process
Objective: Prepare a report of all the vulnerability impact assessments across core processes.
Outcome: Detailed analyses of those core processes with the greatest number of
vulnerabilities in the Code Red and Code Amber categories.
VAF Step 3.4 – Evaluate the Vulnerabilities
Fourth, evaluate the vulnerabilities associated with a single core process and determine the
likelihood that they may be exploited by the threats that were initially identified in the threat
assessment, VAF Step 1.2. The following worksheet is a representative example of how this can
be done.
Example: Worksheet of Potential Threat Impact
Title: Core Process Name
Description: Threat Assessment Documentation
Potential Threats   Threat 1   Threat 2   Threat 3   Threat 4
Vulnerability 1     LOW        MEDIUM     HIGH       HIGH
Vulnerability 2     HIGH       MEDIUM     LOW        LOW
Vulnerability 3     MEDIUM     HIGH       LOW        LOW
Vulnerability 4     HIGH       MEDIUM     HIGH       MEDIUM
Vulnerability 5     LOW        LOW        MEDIUM     HIGH
Vulnerability "n"   LOW        HIGH       LOW        HIGH
Figure 12. Vulnerabilities & Threats
Objective: Evaluate the vulnerabilities associated with a single core process and determine the
likelihood that they may be exploited by the threats that were initially identified in
the threat assessment, VAF Step 1.2.
Outcome: Analysis of vulnerabilities in terms of the likelihood that they will be exploited in
view of certain threat considerations.
Using these four metrics, the assessment team must now use its expert subjective judgement,
based on agency cyber and physical security business process experience, to assign priorities for
vulnerability remediation or minimization. This rank order of vulnerabilities leads to three
additional steps.
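The following Python is an added illustration of how the four Step 3 worksheets (Figures 9 to 12) fit together as data; it is not code from the VAF document or from KPMG. The four areas of compromise, the Code Red/Amber/Green scale and the section C accountability rule (Code Red when ownership is undefined or no control warns those accountable) come from the text. Everything else is assumed and marked as such in the code: the sample vulnerabilities (only the title, description and location of the first one are taken from the Figure 9 header; the codes are constructed), the rule that a vulnerability is counted once per core process under its worst code when building the Figure 11 summary, the default of LOW for an unrated threat, and the ordering key in `rank_for_remediation`, which is only a first-order ranking since the document leaves the final priority to the team's judgement.

```python
"""Added example: the VAF Step 3 worksheets (Figures 9 to 12) as data and functions.
Not code from the VAF document. The four areas of compromise, the Code scale and the
section C accountability rule follow the text; sample data, the Figure 11 counting
rule and the ordering key are assumptions, marked below."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List

CODE_RANK = {"Green": 0, "Amber": 1, "Red": 2}          # higher = worse impact
LIKELIHOOD_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}   # Figure 12 scale


@dataclass
class ProcessImpact:
    """One Figure 9 row: a vulnerability's impact on a single core process."""
    integrity: str
    confidentiality: str
    availability: str
    owner_defined: bool        # ownership of process/system/inputs/outputs clearly defined?
    alerting_controls: bool    # controls in place to warn those accountable if exploited?
    assessed_accountability: str = "Green"  # assumed: team's own rating when the rule does not fire

    def accountability(self) -> str:
        """Section C rule: Code Red if ownership is undefined or nothing warns those accountable."""
        if not self.owner_defined or not self.alerting_controls:
            return "Red"
        return self.assessed_accountability

    def codes(self) -> Dict[str, str]:
        return {"integrity": self.integrity, "confidentiality": self.confidentiality,
                "availability": self.availability, "accountability": self.accountability()}

    def worst(self) -> str:
        return max(self.codes().values(), key=CODE_RANK.__getitem__)


@dataclass
class Vulnerability:
    title: str
    description: str
    location: str
    impacts: Dict[str, ProcessImpact]                         # core process -> Figure 9 row
    likelihood: Dict[str, str] = field(default_factory=dict)  # threat -> LOW/MEDIUM/HIGH


def step_3_1(v: Vulnerability) -> Dict[str, Dict[str, str]]:
    """Figure 9: one vulnerability mapped across every core process it touches."""
    return {proc: imp.codes() for proc, imp in v.impacts.items()}


def step_3_2(vulns: List[Vulnerability], proc: str) -> Dict[str, Dict[str, str]]:
    """Figure 10: all vulnerabilities noted against a single core process."""
    return {v.title: v.impacts[proc].codes() for v in vulns if proc in v.impacts}


def step_3_3(vulns: List[Vulnerability]) -> Dict[str, Counter]:
    """Figure 11: vulnerabilities per core process by priority code.
    Assumed counting rule: each vulnerability is tallied once per core process,
    under the worst code it carries across the four areas of compromise."""
    summary: Dict[str, Counter] = {}
    for v in vulns:
        for proc, imp in v.impacts.items():
            summary.setdefault(proc, Counter())[imp.worst()] += 1
    return summary


def step_3_4(vulns: List[Vulnerability], proc: str, threats: List[str]) -> Dict[str, List[str]]:
    """Figure 12: likelihood that each vulnerability of one core process is exploited
    by each threat. A threat the team did not rate is assumed LOW."""
    return {v.title: [v.likelihood.get(t, "LOW") for t in threats]
            for v in vulns if proc in v.impacts}


def rank_for_remediation(vulns: List[Vulnerability]) -> List[str]:
    """First-order ordering only; the document leaves final priority to expert judgement.
    Assumed key: worst code anywhere, then number of Code Red cells, then highest likelihood."""
    def key(v: Vulnerability):
        cells = [c for imp in v.impacts.values() for c in imp.codes().values()]
        reds = sum(1 for c in cells if c == "Red")
        threat = max((LIKELIHOOD_RANK[l] for l in v.likelihood.values()), default=0)
        return (max(CODE_RANK[c] for c in cells), reds, threat)
    return [v.title for v in sorted(vulns, key=key, reverse=True)]


THREATS = ["Threat 1", "Threat 2", "Threat 3", "Threat 4"]  # column labels as in Figure 12

# Constructed sample data: the first entry borrows the Figure 9 header (title, description,
# location); all codes and the other two entries are invented to exercise the rules above.
SAMPLE = [
    Vulnerability("Passwords", "System access passwords are not aged.",
                  "Desktop PCs with network connections",
                  impacts={"Core Process 1": ProcessImpact("Green", "Amber", "Red", True, True),
                           "Core Process 2": ProcessImpact("Amber", "Red", "Red", True, False)},
                  likelihood={"Threat 1": "LOW", "Threat 2": "MEDIUM", "Threat 3": "HIGH", "Threat 4": "HIGH"}),
    Vulnerability("Backup media", "Backup tapes are kept in an unlocked cabinet with no custodian.",
                  "Data center",
                  impacts={"Core Process 1": ProcessImpact("Amber", "Amber", "Green", False, True)},
                  likelihood={"Threat 1": "HIGH", "Threat 2": "LOW", "Threat 3": "LOW", "Threat 4": "LOW"}),
    Vulnerability("Change review", "System software changes are not reviewed after installation.",
                  "Mainframe",
                  impacts={"Core Process 2": ProcessImpact("Amber", "Green", "Green", True, True, "Amber")},
                  likelihood={"Threat 1": "MEDIUM", "Threat 2": "MEDIUM", "Threat 3": "LOW", "Threat 4": "LOW"}),
]

if __name__ == "__main__":
    for proc, counts in step_3_3(SAMPLE).items():
        print(proc, dict(counts))           # Figure 11 rows
    print(rank_for_remediation(SAMPLE))     # first-order remediation order
```

Note how the accountability column is never entered by hand: the "Backup media" entry has no defined owner and the "Passwords" entry has no alerting control on Core Process 2, so both become Code Red for accountability regardless of what the team would otherwise have assessed, which is exactly the management alert section C describes.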
First, the remediation priority list will form the basis for the remediation planning process.
Funding estimates and timelines will flow from the examination of the specific vulnerabilities that
need to be addressed.
Next, because infrastructure vulnerability assessment must become a cyclical, regularly repeated
function, the outputs from Step 3 need to be fed back into the VAF process for reassessment of
strategic and tactical MEI elements in the next vulnerability assessment period.
Finally, the impacts of the vulnerabilities identified, and the priorities for remediation or
minimization, need to be compared to the national MEI and forwarded to the Critical
Infrastructure Assurance Office for inclusion in the National Plan process.
VI. Next Steps
The VAF will result in the identification and prioritization of vulnerabilities for the organization.
From this process, the organization will have established a list of vulnerabilities that require
attention internally as well as those that affect the national critical infrastructure. Moving from
execution of this framework, the organization should shift focus into the remediation phase.
Similar to the activities and procedures necessary to execute the VAF, to prepare for remediation,
the organization must:
• Establish a management team or team(s) representing the areas to be affected and the
functional expertise required (cyber and physical) to address high priority vulnerabilities.
• Identify budget requirements for establishing a remediation initiative and specific remediation
activities.
• Identify resource requirements: define government resources and contractor resources
required.
• Identify technical and physical impacts of remediation, i.e., determine architectural
considerations.
• Establish a schedule and milestones to be achieved.
• Involve the audit and QA component to ensure the effort is continuously monitored and on
track.
VII. Glossary of Terms
Term: Definition
access controls: Procedures and controls that limit or detect access to MEI Resource Elements (People, Technology, Applications, Data and/or Facilities), thereby protecting these resources against loss of Integrity, Confidentiality, Accountability and/or Availability.
accountability: The explicit assignment of responsibilities for oversight of areas of control to executives, managers, staff, owners, providers, and users of MEI Resource Elements.
ACL: Access Control Lists
ANSI: American National Standards Institute
applications: All application systems, internal and external, utilized in support of the core process.
areas of control: Collectively, controls consist of the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected. The control areas set out in the KPMG VAF process have been modified from GAO's FISCAM standards for auditing federal information systems. The FISCAM definitions of the control areas have been expanded for this VAF process to incorporate infrastructure vulnerability issues.
areas of potential compromise: These broad topical areas represent categories where losses can occur that will impact both a department or agency's MEI and its ability to conduct core missions.
ARS: Automatic Route Selection
availability: The ability to have access to MEI Resource Elements when required by the mission and core supporting process(es), both now and in the future. It also concerns the safeguarding of those resources and associated capabilities.
BCP: Business continuity plan
CCTV: Closed Circuit Television
CDR: Call Detail Report
CEO: Chief Executive Officer
CFO: Chief Financial Officer
change control & life cycle management: Procedures and controls that prevent unauthorized programs or modifications to an existing program from being implemented.
CIAO: Chief Infrastructure Assurance Officer; also, Critical Infrastructure Assurance Office
CICG: Critical Infrastructure Coordination Group
CIO: Chief Information Officer
CMS: Call Management System
CO/DO: Central Office/Direct Outdial
COB: Continuity of Business
COBIT: Control Objectives for Information Technology
Code Amber: Significantly debilitate the ability of the Agency to fulfill its mission, critical national security or national economic security functions or provide continuity of government services.
Code Green: No appreciable impact on agency missions.
Code Red: Prevent the Agency from fulfilling its mission, critical national security or national economic security functions or from providing continuity of core government services. From the perspective of an attacker, this would constitute a "Kill."
confidentiality: The protection of sensitive information from unauthorized disclosure and sensitive facilities from physical, technical or electronic penetration or exploitation.
CONOPS: Concept of Operations
continuity of services & operations: Controls to ensure that, when unexpected events occur, departmental/agency MEI services and operations, including computer operations, continue without interruption or are promptly resumed and critical and sensitive data are protected through adequate contingency and business recovery plans and exercises.
control objectives: A statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity.
COO: Chief Operations Officer
COOP: Continuity of Operations
COR: Class of Restriction
COS: Class of Service
data: All data (electronic and hard copy) and information required to support the core process. This includes numbers, characters, images or other method of recording, in a form which can be assessed by a human or (especially) input into a computer, stored and processed there, or transmitted on some digital/communications channel.
DBMS: Database Management System
DBU: Dial Backup
DD: Data Dictionary
delete access: the ability to erase or remove data or programs
DES: Data Encryption Standard
DISA: Direct Inward System Access
entity-wide security: Planning and management that provides a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of the entity's physical and cyber security controls.
execute access: the ability to execute a software program
facilities: All facilities required to support the core processes, including the resources to house and support information technology resources, and the other resource elements defined above.
FEMA: Federal Emergency Management Agency
FIPS: Federal Information Processing Standard
FISCAM: Federal Information Systems Control Audit Manual
FMFIA: Federal Manager's Financial Integrity Act
FRL: Facility Restriction Level
FTP: File Transfer Protocol
GAO: General Accounting Office
HR: Human Resources
integrity: The accuracy, completeness and reliable transmission and reception of information and its validity in accordance with business values and expectations; the adequacy and reliability of processes assuring personnel selection, access and safety; and the adequacy and reliability of processes assuring only authorized access to, and safety of, physical facilities.
IPL: Initial Program Load
IS: Information System
ISACF: Information Systems Audit and Control Foundation
ISP: Internet Service Provider
IT: Information Technology
LAN: Local Area Network
LCM: Life Cycle Management
life cycle management: See change control and life cycle management
MAC: Moves Adds Changes
MEI: Minimum Essential Infrastructure
MEI resource elements: As previously discussed, these are the broad categories of resources, all or portions of which constitute the minimal essential infrastructure necessary for a department, agency or organization to conduct its core mission(s). These resource elements are very similar to, but modified somewhat from, the COBIT framework used by ISACF. The definitions have been expanded to incorporate physical infrastructure vulnerability areas.
MEP: Mission Essential Processes
merge access: the ability to combine data from two separate sources
NMS: Network Management Systems
OMB: Office of Management and Budget
PBX: Public Branch Exchange
PCCIP: Presidential Commission on Critical Infrastructure Protection
PCM: Procedures Control Manual
PDD: Presidential Decision Directive
people: Staff, management, and executives necessary to plan, organize, acquire, deliver, support, and monitor mission related services, information systems, and facilities. This includes groups and individuals external to the organization involved in the fulfillment of the organization's mission. Security management personnel should also be included.
PIN: Personal Identification Number
questions on controls: The policies and procedures and practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.
read access: the ability to look at and copy data or a software program
segregation of duties: Policies, procedures, and an organizational structure established so that one individual cannot control key aspects of physical and/or computer-related operations and thereby conduct unauthorized actions or gain unauthorized access to MEI Resource Elements.
SLA: Service Level Agreement
system software: Controls that limit and monitor access to the powerful programs and sensitive files that (1) control the computer hardware and (2) secure applications supported by the system.
TAC: Trunk Access Codes
technology: All hardware and software, connectivity, countermeasures and/or safeguards that are utilized in support of the core process.
topical areas: A grouping of related control objectives.
TSO: Time Share Option
update access: the ability to change data or a software program
UPS: Uninterrupted Power Supply
VAF: Vulnerability Assessment Plan
VDN: Vector Directory Number
VRU: Voice Response Unit
WAN: Wide Area Network
VIII. Primary Source Documents
Davis, Beth. “Eye on the Spies.” InformationWeek/Ernst & Young Security Survey (September
1997).
COBIT, 2nd Edition. Information Systems Audit and Control Foundation. Control Objectives
for Information and Related Technology. Rolling Meadows, Illinois, 1998.
Gartner Group Report. Information Security Strategies. Security Vulnerabilities in Emerging
Technologies (October 1995).
Gartner Group Report. Information Security Strategies. Enterprise Client/Server Security - An
Illusion of Grandeur (November 1995).
Gartner Group Report. Information Security Strategies. Strategic Analysis Report: Internet
Security for the Enterprise (September 1995).
Gartner Group Report. Information Security Strategies. Security: The Never-Ending
Challenge (September 1995).
Gartner Group Report. Information Security Strategies. ISS Internet Scanner (July 1996).
Gartner Group Report. Information Security Strategies. 1997 Information Security Key Issues
(March 1997).
Gartner Group Report. Information Security Strategies, The Internetworking Security
Scenario: 1998 to 2001 (September 1997).
Gartner Group Report. Information Security Strategies. Information Warfare (December
1996).
Gartner Group Report. Internet Strategies. Best Practices for Web Site Security (January
1997).
Koprowski, Gene. “Hacking the Power Grid.” Information Week Online (June 1998).
National Research Council. Commission on Physical Sciences, Mathematics, and Applications.
Computer Science and Telecommunications Board. Committee on Maintaining Privacy and
Security in Health Care Applications of the National Information Infrastructure. Protecting
Electronic Health Information. Washington, D.C., 1997.
National Security Telecommunications Advisory Committee. Information Assurance Task
Force. Electric Power Risk Assessment Executive Summary of the Electric Power Information
Assurance Risk Assessment Report. Washington, D.C., 1997.
Neumann, Peter G. “Security Risks in the Emerging Infrastructure.” Congressional Testimony
(August 1997).
Neumann, Peter G. “Computer-Related Infrastructure Risks for Federal Agencies.” Testimony
for the U.S. Senate Committee on Governmental Affairs (May 1998).
New York Law School. Communications Media Center. Computer Crime Survey. New York,
1997.
Polk, Timothy. Automated Tools for Testing Computer System Vulnerability. 1992.
Rathmell, Andrew, Lorenzo Valeri and John Gearson. “The Threat from Sub-State Groups:
an Interdisciplinary Approach.” Third International Symposium on Command and Control
Research and Technology, Institute for National Strategic Studies, National Defense University,
June 1997.
U.S. Department of Commerce. National Institute of Standards and Technology. Generally
Accepted Principles and Practices for Securing Information Technology Systems. Washington,
D.C., 1996.
U.S. Department of Commerce. National Institute of Standards and Technology. An
Introduction to Computer Security: The NIST Handbook. Washington, D.C.
U.S. Department of Commerce. President’s Commission on Critical Infrastructure Protection.
Critical Foundations - Protecting America’s Infrastructures, Washington, D.C., October 1996.
U.S. Department of Commerce. President’s Commission on Critical Infrastructure Protection.
Critical Foundations Protecting America’s Infrastructures, The Report of the President’s
Commission on Critical Infrastructure Protection. Washington, D.C., 1997.
U.S. Department of Defense. Protection of DoD Personnel and Activities Against Acts of
Terrorism and Political Turbulence. Washington, D.C., February 1993.
U.S. Department of Energy. Safeguards and Security Central Training Academy. Vulnerability
Assessment Fundamentals. Washington, D.C., May 1994.
U.S. Department of Justice. Vulnerability Assessment of Federal Facilities. Washington, D.C.,
June 1995.
U.S. General Accounting Office. GAO Executive Guide. Information Security Management,
Learning from Leading Organizations. Washington, D.C., May 1998.
U.S. General Accounting Office. GAO Federal Information Systems Control Audit Manual
(FISCAM). Washington, D.C., Draft, Summer 1998.
U.S. General Accounting Office. GAO Information Security. Report to Congressional
Requesters: Opportunities for Improved OMB Oversight of Agency Practices. Washington,
D.C., September 1996.
U.S. General Accounting Office. General Services Administration. Many Building Security
Upgrades Made But Problems Have Hindered Program Implementation. Washington D.C., June
1998.
Web Sites:
Australian CERT [Link]/
NIST [Link]/
CERT Coordination Center [Link]/
Risks Forum Digest [Link]/Risks
Naval Surface Warfare Center Info Sec [Link]/ISSEC/
International Computer Security Assn [Link]
Computer Crimes & Investigation Center [Link]/~dckinder/crime
COAST [Link]/coast/
Defense Information Systems Agency [Link]
CIAC [Link]/ciac/
National Security Institute [Link]
GartnerGroup [Link]
NSA [Link]
Appendix A:
Entity-Wide Security
(Columns: Control Objectives / Control Technique / Compliance Procedures)
Organizational Management
1.1 Maintain a positive information control environment.
Control Technique: Does Management create a framework and an awareness program fostering a positive control environment throughout the entire organization by addressing aspects such as: integrity, ethical values and competence of the people; management philosophy and operating style; and accountability, attention and direction provided by the board of directors?
Compliance Procedures: Interview CEO, COO, CFO, CIO, Security Officer, IS Senior Management, IS planning/steering committee members. Review related policies and procedures. Review Senior Management roles and responsibilities. Review objectives and long/short range plans.
1.2 Periodically assess risks
Control Technique: Are independent risk assessments performed and documented on a regular basis?
Compliance Procedures: Review risk assessment policies.
Control Technique: Is a security plan documented and approved? Has independent advice and comment been solicited on the plan before its implementation?
Compliance Procedures: Review the most recent high-level risk assessment.
Control Technique: Does the risk assessment consider data sensitivity and integrity and the range of risks to the entity's systems and data?
Compliance Procedures: Review the objectivity of personnel who performed and reviewed the assessment.
1.3 A policy on intellectual property, privacy and data flow exists.
Control Technique: Does management provide and implement a written policy on intellectual property rights covering in-house as well as contract-developed software?
Compliance Procedures: Review related policies.
Control Technique: Does management ensure compliance with privacy, intellectual property, transborder data flow and cryptographic regulations applicable to the information technology practices of the organization?
Compliance Procedures: Interview Senior Management. Review external requirements.
1.4 Proactive Audit Involvement
Control Technique: Does Information Technology management seek audit involvement in a proactive manner before finalizing information technology service solutions?
Compliance Procedures: Interview IT Senior Management.
Control Technique: Do the managers whose missions they support accredit major systems and applications?
Compliance Procedures: Review accreditation statements.
1.5 Management ensures that corrective actions are effectively implemented
Control Technique: Does top management initiate prompt action to correct deficiencies?
Compliance Procedures: Review documentation related to corrective actions.
Control Technique: Are corrective actions tested after they have been implemented and monitored on a continuing basis?
Compliance Procedures: Review the status of prior year audit recommendations and determine if implemented corrective actions have been tested. Review recent FMFIA reports.
Security Program Plan
2.1 A security plan is documented and approved.
Control Technique: Is a security program plan documented? If so, does it cover the following:
• covers all major facilities and operations,
• has been approved by key affected parties, and
• covers the topics prescribed by OMB Circular A-130 (general support systems/major applications): Rules of the system/Application rules; Training/Specialized training; Personnel controls/Personnel security; Incident response capability/Continuity of support/Contingency planning; Technical security/Technical controls; System interconnection/Information sharing; Public access controls.
Compliance Procedures: Review the security plan. Determine whether the plan covers the topics prescribed by OMB Circular A-130.
2.2 The plan is kept current
Control Technique: Is the plan reviewed periodically and adjusted to reflect current conditions and risks?
Compliance Procedures: Review the security plan and any related documentation indicating that it has been reviewed and updated, and is current.
2.3 Compliance with Policies, Procedures and Standards
Control Technique: Does management ensure that appropriate procedures are in place to determine whether personnel understand the implemented policies and procedures, and that the policies and procedures are being followed? Are compliance procedures for ethical, security and internal control standards set by top management and promoted by example?
Compliance Procedures: Interview Senior Management. Review policies and procedures. Interview staff.
Control Technique: Do your security plans adequately address regulations on classified systems?
Compliance Procedures: Review security plan and any related documentation indicating that regulations on classified systems are addressed.
Security Management
3.1 Establish a security management structure, and clearly assign security responsibilities
Control Technique: Does the security program plan establish a security management structure with adequate independence, authority, and expertise?
Compliance Procedures: Review the security plan, and the entity's organization chart. Interview security management staff.
3.2 A security management structure has been established
Control Technique: Has an information systems security manager been appointed at an overall level and at appropriate subordinate levels?
Compliance Procedures: Review pertinent organization charts and job descriptions. Interview the security manager.
3.3 Information security responsibilities are clearly assigned
Control Technique: Does the security plan clearly identify who owns computer-related resources and who is responsible for managing access to computer resources? Are security responsibilities and expected behaviors clearly defined for (1) information resource owners and users, (2) information resources management and data processing personnel, (3) senior management, and (4) security administrators?
Compliance Procedures: Review the security plan.
3.4 Owners and users are aware of security policies
Control Technique: Has an ongoing security awareness program been implemented? Does it include first time training for all new employees, contractors, and users, and periodic refresher training thereafter? Are security policies distributed to all affected personnel, including system/application rules and expected behaviors?
Compliance Procedures: Review documentation supporting or evaluating the awareness program. Observe a security briefing. Interview data owners and system users. Review memos, electronic mail files or other policy distribution mechanisms. Review personnel files to test whether security awareness statements are current. Interview personnel to determine if they are aware of their security-related responsibilities.
3.5 An incident response capability has been implemented
Control Technique: Has an incident response capability been implemented?
Compliance Procedures: Interview security manager, response team members, and system users. Review documentation supporting incident handling activities. Determine qualifications of response team members. (Note: See also Critical Element on monitoring access and security violations.)
Human Resources Policies
4.1 Hiring, transfer, termination, and performance policies address security
Control Technique: Does management implement and regularly assess the needed processes to ensure that personnel recruiting and promotion practices are based on objective criteria and consider education, experience and responsibility?
Compliance Procedures: Interview Senior Management. Review relevant personnel processes.
Control Technique: For prospective employees, are references contacted and background checks performed?
Compliance Procedures: Review hiring policies. For a selection of recent hires, inspect personnel records and determine whether references have been contacted and background checks have been performed.
Control Technique: Does Management of the information services function ensure that their personnel are subjected to security clearance before they are hired, transferred or promoted, depending on the sensitivity of the position?
Compliance Procedures: Review hiring, transfer, and promotion policies. For a selection of hired, transferred, and promoted employees, inspect personnel records and determine whether appropriate security clearances have been performed.
Control Technique: Are confidentiality agreements required for employees and contractors assigned to work with confidential information?
Compliance Procedures: Review policies on confidentiality agreements. For a selection of such users, determine whether confidentiality agreements are on file.
Control Technique: Are regularly scheduled vacations exceeding several days required? If so, is the individual's work temporarily reassigned?
Compliance Procedures: Review vacation policies. Inspect personnel records to identify individuals who have not taken vacation or sick leave in the past year. Determine who performed the vacationing employee's work during vacation.
Control Technique: Are regular job or shift rotations required?
Compliance Procedures: Review job rotation policies. Review staff assignment records and determine whether job and shift rotations occur.
Control Technique: Do termination and transfer procedures include
• exit interview procedures;
• return of property, keys, identification cards, passes, etc.;
• notification to security management of terminations and prompt revocation of IDs and passwords;
• immediately escorting terminated employees out of the entity's facilities; and
• a period during which non-disclosure requirements remain in effect?
Compliance Procedures: Review pertinent policies and procedures. For a selection of terminated or transferred employees, examine documentation showing compliance with policies. Compare a system-generated list of users to a list of active employees obtained from personnel to determine if IDs and passwords for terminated employees exist.
4.2 Employees have adequate training and expertise
  Technique: Are skill needs accurately identified and included in job descriptions, and do employees meet these requirements?
  Procedures: Review job descriptions for security management personnel, and for a selection of other personnel. For a selection of employees, compare personnel records on education and experience with job descriptions.

  Technique: Has a training program been developed?
  Procedures: Review training program documentation.

  Technique: Does management provide for sufficient cross-training or backup of identified key personnel to cover periods when those key personnel are not available?
  Procedures: Review training program documentation.

  Technique: Are employee training and professional development documented and monitored?
  Procedures: Review training records and related documentation showing whether such records are monitored and whether employees are receiving the appropriate training.

Outsourcing

5. Third-Party Management
  Technique: Does management ensure that all third-party providers’ services are properly identified and that the technical and organizational interfaces with suppliers are documented?
  Procedures: Review vendor selection policies. Interview Senior Management. Review documentation.

  Technique: Does management define specific procedures to ensure that for each relationship with a third-party service provider a formal contract is defined and agreed upon?
  Procedures: Review contracts. Review procedures.
  Technique: Does management ensure that, before selection, potential third parties are properly qualified through an assessment of their capability to deliver the required service (due diligence)?
  Procedures: Review selection policies. Review third-party assessment procedures.

  Technique: Are specific organizational procedures defined that ensure the contract between the facilities management provider and the organization is based on required processing levels, security, monitoring and contingency requirements, and other stipulations as appropriate?
  Procedures: Review relevant procedures. Review contracts. Review third-party requirements.

  Technique: With regard to relationships with third-party service providers, does management ensure that security agreements (e.g., non-disclosure agreements) are identified and explicitly stated and agreed to, and conform to universal business standards in accordance with legal and regulatory requirements, including liabilities?
  Procedures: Review contracts. Review legal and regulatory requirements.

  Technique: Does a continuous process for monitoring third-party adherence to contract agreements exist?
  Procedures: Review relevant policies and procedures.

Electronic Commerce

6. Electronic Commerce
  Technique: Does management ensure that formal contracts are in place establishing agreement between trading partners on communication processes and on standards for transaction message security and data storage?
  Procedures: Review applicable contracts. Interview Senior Management.
  Technique: When trading on the Internet, does management enforce adequate controls to ensure compliance with local laws and customs on a worldwide basis?
  Procedures: Review relevant laws and customs. Review policies and procedures. Interview Senior Management.

  Technique: Do policies exist regarding authentication using certificate authorities?
  Procedures: Review policies and procedures. Interview Senior Management.
Appendix B:
Access Controls
Control Objectives / Control Technique / Compliance Procedures
Data Types

1.1 Resource types and related criteria have been established
  Technique: Have types and criteria been established and communicated to resource owners?
  Procedures: Review policies and procedures. Interview resource owners.

1.2 Owners have classified resources
  Technique: Are resources classified based on risk assessments? Are classifications documented and approved by an appropriate senior official? Are they periodically reviewed?
  Procedures: Review resource classification documentation and compare to risk assessments. Discuss any discrepancies with appropriate officials.

1.3 Protection of Sensitive Information During Transmission and Transport
  Technique: Management should ensure that adequate protection of sensitive information is provided during transmission and transport against unauthorized access, modification and misaddressing.
  Procedures: Review policies to determine if guidance is given regarding transmission of sensitive information. Review and observe individuals to determine if compliant.

Access Control Lists (ACL)

2.1 Resource owners have identified authorized users and their access authorized.
  Technique: Are access authorizations documented on standard forms and maintained on file, approved by senior managers, and securely transferred to security managers?
  Procedures: Review pertinent written policies and procedures. For a selection of users (both application users and IS personnel), review access authorization documentation.

  Technique: Do owners periodically review access authorization listings and determine whether they remain appropriate?
  Procedures: Interview and review documentation. Determine whether inappropriate access is removed in a timely manner.
2.2 User Account Management
  Technique: Do procedures include the use of an access request form for the creation, maintenance, and deletion of User IDs, and does the form minimally require both the requester and the requester’s supervisor to sign the form?
  Procedures: Review user account management procedures. Review a sample of the access request forms and verify that the requester and supervisor have signed off on the forms.

  Technique: If the user is requesting access to resources that belong to another system/resource owner, is that system/resource owner also required to approve the request in addition to the user’s supervisor? Does the process include a mechanism for the Security Administrator to validate that the appropriate parties have signed the access request?
  Procedures: Review a sample of the access request forms and verify, for resources which belong to another system/resource owner, that the appropriate signatures are present to approve the granting of access. Verify that the correct Product Sponsor is granting approvals, via the list of applications and data from the section above. Verify that there is a mechanism for Security Administrator validation.

  Technique: Do access request forms contain sufficient detail to determine exactly what type of access is being requested?
  Procedures: Sample access request forms and verify that the appropriate information is present to judge whether all requests are proper and that unique tracking numbers are assigned to each form.

  Technique: Are unique tracking numbers assigned to each request form?
  Procedures: Sample access request forms.

  Technique: Are rejected requests logged and returned to users with a stated reason?
  Procedures: Review request logs to verify rejected requests are being logged.

  Technique: Is there a monthly process and procedure to identify, remove or deactivate unused accounts from the system, according to policy requirements (60 days disable, 90 days delete)?
  Procedures: Check that a process has been established and documented for the removal of no-longer-required and unused IDs from the system.
  Technique: Is security notified immediately when system users are terminated or transferred?
  Procedures: Obtain a list of recently terminated employees from Personnel and, for a selection, determine whether system access was promptly terminated.
  Technique: Is the number of users who can dial into the system from remote locations limited, and is justification for such access documented and approved by owners?
  Procedures: Review authorization and justification for a selection of users with dial-up access.

  Technique: Do security managers review access authorizations and discuss any questionable authorizations with resource owners?
  Procedures: Interview security managers, and review documentation provided to them.

  Technique: Are all changes to security profiles by security managers automatically logged and periodically reviewed by management independent of the security function?
  Procedures: Review a selection of recent profile changes and activity logs.

2.3 Emergency and temporary access authorization is controlled
  Technique: Are emergency and temporary access authorizations:
    - documented on standard forms and maintained on file,
    - approved by appropriate managers,
    - securely communicated to the security function;
    - automatically terminated after a predetermined period?
  Procedures: Review pertinent policies and procedures. Compare a selection of both expired and active temporary and emergency authorizations (obtained from the authorizing parties) with a system-generated list of authorized users. Determine the appropriateness of access documentation and approvals, and the timeliness of terminating access authorization when no longer needed.
2.4 Emergency Access Control
  Technique: Do procedures exist that govern the granting of emergency or sensitive access?
  Procedures: Review procedures for emergency access control. Verify procedures are implemented in audit trails and security logs.

  Technique: Has an emergency ID been defined, as to whom, why, and when it is needed? Are system activities and events performed by the emergency ID monitored via system-generated audit trails?
  Procedures: Verify that the ID is only used in an emergency by monitoring its use and the reason for use. View a system log showing its use, and verify that those who use it have appropriate authorizations.

2.5 Owners determine disposition and sharing of data.
  Technique: Are standard forms used to document approval for archiving, deleting, or sharing data files?
  Procedures: Examine standard approval forms. Interview data owners.

  Technique: Are agreements documented regarding how files are to be protected prior to sharing data or programs with other entities?
  Procedures: Examine documents authorizing file sharing and file sharing agreements.

Physical Controls

3.1 Facility Categories
  Technique: Based on factors such as size, number of employees, use, and required access to the public, how would you categorize your facility?
  Procedures: Categorize your facility.

  Technique: Is your facility a federal building? If yes, what level of contact does your facility have with the general public?
  Procedures: Review documentation of facility. Review levels of contact with the public.

  Technique: Do you own or lease your facility?
  Procedures: Review legal documentation regarding use of facility.

  Technique: Does your facility support a critical national security mission?
  Procedures: Review mission of organization occupying facility.
3.2 Construction
  Technique: What year was construction of the facility completed?
  Procedures: Research and document the details of the facility’s construction. Consult blueprints and current occupancy statistics if applicable.

  Technique: What material(s) were used to construct the facility’s exterior (brick, block, concrete, metal panels or glass exterior)?
  Procedures: Review blueprints and building specs.

  Technique: What percentage of the external coverage is composed of special glass (Mylar Film, Ballistic Treatment, Polymer, or Wire Reinforced)?
  Procedures: Review blueprints and building specs.

  Technique: What is the total square footage of the facility (include office, storage and circulation space)?
  Procedures: Review blueprints and building specs.

  Technique: What is the total number of floors above ground?
  Procedures: Review blueprints and building specs.

  Technique: What is the total number of floors below ground (include underground parking if applicable)?
  Procedures: Review blueprints and building specs.

  Technique: What is the total number of occupants?
  Procedures: Interview facilities manager and human resources. Consult blueprints for number of offices/workspaces.

  Technique: What is the total number of daily visitors (estimate)?
  Procedures: Interview lobby security guard. Review visitor sign-in documentation.

3.3 Day Care Center
  Technique: Is there a day care center on-site?
  Procedures: Review location and surroundings of day care center if part of facility.
  Technique: If yes, what is the location within the facility (interior space, exterior space above ground, below ground)?
  Procedures: Review blueprints and building specs.

  Technique: What is the point of main entry to the day care center (interior door, exterior door)?
  Procedures: Review blueprints and building specs.

  Technique: Is there an outside playground area?
  Procedures: Review blueprints, exterior surroundings and building specs.

3.4 Interior Security
  Technique: Do you have procedures for securing the control of access to employee/visitor identification, utilities, occupant emergency plans and day care centers?
  Procedures: Review procedures for securing the interior of the facility.

3.5 Security Planning
  Technique: Have intelligence sharing, training, tenant assignment, administrative procedures, and construction/renovation been considered and/or implemented at your facility?
  Procedures: Review security-planning procedures.

3.6 Fragmented Facilities
  Technique: Has consideration been given to shared space and/or satellite offices?
  Procedures: Determine whether facility is fragmented.

3.7 Public Access
  Technique: What is the distance in yards from the nearest public street?
  Procedures: Review details of public access to facility.

  Technique: What is the distance in yards from the building to the nearest public on-street parking?
  Procedures: Consult city planning. Review documentation.

  Technique: What is the distance in yards from the building to the nearest public parking lot?
  Procedures: Consult city planning. Review documentation.

  Technique: Are there public parks, plazas or other public areas immediately adjacent to the building?
  Procedures: Consult city planning. Review documentation.
  Technique: Are there any commercial businesses (e.g. restaurants, drug stores, and banks) with uncontrolled external access in the building (Yes/No)?
  Procedures: Consult city planning. Review documentation.

3.8 On-Site Parking
  Technique: Is there parking on the property?
  Procedures: Review blueprints and building specs. Review parking options and security for each.

  Technique: If underground, is access controlled?
  Procedures: Consult alarm systems documentation.

  Technique: What type of control (security guard, automated/electronic control, vehicle barriers)?
  Procedures: Consult alarm systems documentation and security plan.

  Technique: Is public parking available?
  Procedures: Review blueprints and building specs.

3.9 Perimeter Security
  Technique: Have you considered parking, closed circuit television monitoring, lighting and physical barriers in your security plan?
  Procedures: Evaluate options and procedures for securing the perimeter of the facility.

  Technique: Is there an alarm system?
  Procedures: Review systems that control perimeter security, including alarm systems, monitors, CCTV, exterior roving patrol, etc.

  Technique: If yes, does the alarm system cover doors and windows?
  Procedures: Review systems that control perimeter security, including alarm systems, monitors, CCTV, exterior roving patrol, etc.

  Technique: Who monitors the system?
  Procedures: Review systems that control perimeter security, including alarm systems, monitors, CCTV, exterior roving patrol, etc.
  Technique: Is the alarm system operational?
  Procedures: Review systems that control perimeter security, including alarm systems, monitors, CCTV, exterior roving patrol, etc.

  Technique: Is the facility electronically monitored (CCTV)?
  Procedures: Review systems that control perimeter security, including alarm systems, monitors, CCTV, exterior roving patrol, etc.

  Technique: If yes, is it local, remote or video recording?
  Procedures: Review systems that control perimeter security, including alarm systems, monitors, CCTV, exterior roving patrol, etc.

  Technique: Is CCTV operational?
  Procedures: Review systems that control perimeter security, including alarm systems, monitors, CCTV, exterior roving patrol, etc.

  Technique: Is there an exterior roving patrol?
  Procedures: Review systems that control perimeter security, including alarm systems, monitors, CCTV, exterior roving patrol, etc.

  Technique: If yes, who performs this task?
  Procedures: Review systems that control perimeter security, including alarm systems, monitors, CCTV, exterior roving patrol, etc.

  Technique: Is the exterior roving patrol operational?
  Procedures: Review systems that control perimeter security, including alarm systems, monitors, CCTV, exterior roving patrol, etc.

  Technique: What materials constitute the exterior barriers (concrete, fences, planters, pillars, and vehicle gate controls)?
  Procedures: Identify documentation that indicates the materials used in the construction of the exterior barriers.

  Technique: Are exterior barriers operational?
  Procedures: Test the exterior barriers.

  Technique: Are dumpsters in a secured area?
  Procedures: Review location of the dumpsters.
3.10 Entry Security
  Technique: What is the total number of entrances with x-ray and metal detector? (Indicate whether only visitors are screened or if everyone entering the building is screened.)
  Procedures: Review security of entrances.

  Technique: What is the total number of entrances with metal detector only? (Indicate whether only visitors are screened or if everyone entering the building is screened.)
  Procedures: Review documentation indicating security devices installed on or around entrances.

  Technique: What is the total number of entrances with security system access (e.g., Key Card)?
  Procedures: Review documentation indicating security devices installed on or around entrances.

  Technique: What is the total number of entrances with security guard? (Indicate whether visitors must sign in.)
  Procedures: Review documentation indicating security personnel located on or around entrances.

  Technique: What is the total number of entrances without security?
  Procedures: Review documentation indicating security devices/people installed/located on or around entrances.

  Technique: Have you secured receiving/shipping, access control and entrances/exits?
  Procedures: Review security of all entries to facility. Review documentation indicating a lapse in security.

3.11 Security Screening
  Technique: Are magnetometers and/or X-rays used in this facility at other than public entrances (e.g. at the entrance to a specific agency or office)? Yes/No
  Procedures: Determine levels and locations of security screening and review effectiveness.

  Technique: If so, who is screened? Everyone, including employees and tenants? Visitors only?
  Procedures: Determine levels and locations of security screening and review effectiveness.

  Technique: Does the facility have a screening process for mail?
  Procedures: Review documentation indicating that a screening process for mail exists.
  Technique: If so, where does the process take place (public entrance, mailroom, garage/loading dock, other)?
  Procedures: Review documentation that describes the procedure for mail screening.

  Technique: Does the facility have a screening process for deliveries?
  Procedures: Review documentation indicating that a screening process for deliveries exists.

  Technique: If so, where does the process take place (public entrance, mailroom, garage/loading dock, other)?
  Procedures: Review documentation that describes the procedure for delivery screening.

  Technique: Are maintenance and custodial staff required to enter the building through a secured area?
  Procedures: Review documentation indicating the procedure for custodial staff entry.

3.12 Bomb Threats
  Technique: Does the facility have an occupant emergency plan?
  Procedures: Review historical and current procedures and plans for action in case of a bomb threat.

  Technique: Has this building received a bomb threat in the past five years?
  Procedures: Review documentation indicating that a bomb threat was received.

  Technique: If so, how many bomb threats has the building received?
  Procedures: Review documentation indicating that a bomb threat was received.

  Technique: How many of the bomb threats have resulted in a building evacuation?
  Procedures: Review documentation indicating that a bomb threat was received and how the crisis was resolved.

3.13 Hours of Operation
  Technique: Excluding unusual overtime situations, how many days of the week is this facility open to employees? To the public?
  Procedures: Document hours of operation and identify personnel with access to the facility.

  Technique: How many hours is this facility open to employees? To the public?
  Procedures: Document hours of operation and identify personnel with access to the facility.

3.14 Security Systems
  Technique: Are duress alarms present in the facility (perimeter/interior)?
  Procedures: Review documentation indicating location and type of security systems on-site.
  Technique: Is CCTV present in the facility (perimeter/interior)?
  Procedures: Review documentation indicating location and type of security systems on-site.

  Technique: Is there a remote monitoring facility located on-site?
  Procedures: Review documentation indicating location and type of security systems on-site.

  Technique: Is there a security console on-site?
  Procedures: Review documentation indicating location and type of security systems on-site.

  Technique: If so, how many hours a day is the security console monitored?
  Procedures: Review documentation indicating location and type of security systems on-site.

  Technique: Is emergency power available (generator, battery-operated lighting)?
  Procedures: Review documentation indicating location and type of security systems on-site.

  Technique: Is there a fire detection/suppression system present (complete, partial, none)?
  Procedures: Review documentation indicating location and type of security systems on-site.

3.15 Protection of Utilities
  Technique: Are there exterior propane fuel tanks?
  Procedures: Review procedures for protecting utilities.

  Technique: Are they protected?
  Procedures: Review architectural plans and city documentation.

  Technique: Is the water supply to the building protected?
  Procedures: Review architectural plans and city documentation.

  Technique: Is the main unit of the air/ventilation system accessible to the public?
  Procedures: Review architectural plans and city documentation.

  Technique: Is the wire closet locked?
  Procedures: Review architectural plans and city documentation.

  Technique: Is utility access locked?
  Procedures: Review architectural plans and city documentation.

  Technique: Is there exterior access to the electric service?
  Procedures: Review architectural plans and city documentation.
  Technique: Is there exterior access to the gas service?
  Procedures: Review architectural plans and city documentation.

  Technique: Is there exterior access to the water service?
  Procedures: Review architectural plans and city documentation.

  Technique: Is there exterior access to the telephone service?
  Procedures: Review architectural plans and city documentation.

  Technique: Is there exterior access to other heating sources?
  Procedures: Review architectural plans and city documentation.

  Technique: Is fuel stored within the building?
  Procedures: Review architectural plans and city documentation.

3.16 Electronic Monitoring
  Technique: Are the lobbies monitored by electronic means?
  Procedures: Review location and type of electronic monitoring systems within and around facility.

  Technique: Are secured corridors monitored by electronic means?
  Procedures: Review documentation from electronic monitoring installation.

  Technique: Are courtrooms monitored by electronic means?
  Procedures: Review documentation from electronic monitoring installation.

  Technique: Is parking monitored by electronic means?
  Procedures: Review documentation from electronic monitoring installation.

  Technique: Are cellblocks monitored by electronic means?
  Procedures: Review documentation from electronic monitoring installation.

  Technique: Is prisoner handling monitored by electronic means?
  Procedures: Review documentation from electronic monitoring installation.

  Technique: Are office doors monitored by electronic means?
  Procedures: Review documentation from electronic monitoring installation.

  Technique: Are stairwells monitored by electronic means?
  Procedures: Review documentation from electronic monitoring installation.

  Technique: Is the security screening post monitored by electronic means?
  Procedures: Review documentation from electronic monitoring installation.

  Technique: Is the interior security patrol monitored by electronic means?
  Procedures: Review documentation from electronic monitoring installation.
  Technique: Is the building perimeter monitored by electronic means?
  Procedures: Review documentation from electronic monitoring installation.

  Technique: Are entrances monitored by electronic means?
  Procedures: Review documentation from electronic monitoring installation.

  Technique: Are garages monitored by electronic means?
  Procedures: Review documentation from electronic monitoring installation.

3.17 The Security Force
  Technique: What is the total number of federal police and/or guards, and the number of hours of coverage?
  Procedures: Review number, level and effectiveness of security forces on-site.

  Technique: What equipment has been issued to guards (firearm, handcuffs, baton, gas, 2-way radio, none)?
  Procedures: Review documentation indicating type of equipment issued to guards.

  Technique: Is the present security force strength and composition commensurate with the degree of security protection required by regulation or organizational definition?
  Procedures: Review documentation indicating strength and composition of security force. Compare documentation to security force regulations and organizational definition.

  Technique: Are all security posts, fixed and mobile, provided with security force orders?
  Procedures: Review documentation defining security force orders sent to all security posts.

  Technique: Are security force orders reviewed by the security officer for currency at least monthly?
  Procedures: Consult documentation from security force order reviews.

  Technique: Are security force personnel inspected by a supervisor prior to being posted?
  Procedures: Review documentation regarding security guard inspection. Interview supervisor for security force personnel.

  Technique: Do supervisors inspect each post/patrol/activity at least twice per shift?
  Procedures: Review documentation regarding security guard inspection. Interview supervisor for security force personnel.
  Technique: Does the organization maintain an organized and equipped crisis response force?
  Procedures: Identify crisis response force. Review documentation describing crisis response force.

  Technique: Does the crisis response force receive adequate training?
  Procedures: Review documentation describing crisis response force.

  Technique: How many personnel are available within the facility?
  Procedures: Review documentation describing crisis response force.

  Technique: Outside the facility, how many additional security forces could be brought in with:
    - One hour notice
    - Four hour notice
  Procedures: Review documentation describing crisis response force.

  Technique: Has liaison been established with local, state, and federal law enforcement agencies whereby early warning of a threat situation will be provided?
  Procedures: Review documentation describing crisis response force. Review correspondence with local, state, and federal law enforcement agencies.

  Technique: Do security force personnel record or report their presence at key points in the facility by means of:
    - Portable watch clock
    - General watch clock stations
    - Telephones
    - Two-way radio communications equipment
    - Other?
  Procedures: Review documentation that indicates the reporting mechanism used by security force personnel to identify their presence at key points in the facility.

  Technique: Are guard assignments, times and patrol routes varied at frequent intervals to avoid establishing a routine? If yes, what are the intervals?
3.18 Personnel and Vehicle Movement Control
  Technique: Is a pass or badge identification system in effect to identify all personnel within the confines of restricted areas?
  Procedures: Review procedures for controlling the movement of personnel and vehicles.

  Technique: Are personnel who require infrequent access to a restricted area, or who have not been issued a permanent pass or badge for such, treated as visitors and issued a visitor’s badge or pass?
  Procedures: Review procedures for controlling the movement of personnel and vehicles.

  Technique: Do guards at control points compare badges to bearers, both upon entry and exit? If no, upon entry only? If no, upon exit only?
  Procedures: Review procedures for controlling the movement of personnel and vehicles.

  Technique: Is the personnel identification and control system supervised at all levels?
  Procedures: Review procedures for controlling the movement of personnel and vehicles.

  Technique: Are badges and serial numbers recorded and controlled by rigid accountability procedures?
  Procedures: Review procedures for controlling the movement of personnel and vehicles.

  Technique: Are lost badges replaced with badges bearing different serial numbers?
  Procedures: Review procedures for controlling the movement of personnel and vehicles.

  Technique: Have procedures been established that provide for issuance of temporary badges for individuals who have forgotten their permanent badges?
  Procedures: Review procedures for controlling the movement of personnel and vehicles.

  Technique: Are badges of such design and appearance as to enable guards, and other personnel, to recognize quickly and positively the authorizations and limitations applicable to the bearer?
  Procedures: Review procedures for controlling the movement of personnel and vehicles.
  Technique: Are procedures in existence to ensure the return of identification badges upon termination of employment or assignment?
  Procedures: Review procedures for controlling the movement of personnel and vehicles.

  Technique: Have effective visitor escort procedures been established when necessary?
  Procedures: Review procedures for controlling the movement of personnel and vehicles.

  Technique: Are visitors escorted within restricted areas when necessary?
  Procedures: Review procedures for controlling the movement of personnel and vehicles.

  Technique: Are permanent records of visits maintained? If yes, by whom are these records kept?
  Procedures: Review procedures for controlling the movement of personnel and vehicles.

  Technique: Are POVs and contractor vehicles, which are allowed routine access to the installation, registered with the security office?
  Procedures: Review procedures for controlling the movement of personnel and vehicles.

  Technique: Are random administrative inspections made of automobiles?
  Procedures: Review procedures for controlling the movement of personnel and vehicles.

3.19 Security Equipment
  Technique: Does the security force have sufficient vehicles to maintain patrols, respond to alarms and emergencies, and maintain supervision?
  Procedures: Review documentation indicating security equipment inventory.

  Technique: Are security force vehicles equipped with:
    - Signs conspicuously identifying the vehicles as security police vehicles?
    - Emergency exterior overhead lights?
    - Electronic siren?

  Technique: Do security force vehicles have relatively low mileage?
  Technique: How often do the security officers and supervisory personnel review the firearms and ammunition requirements to ensure their accuracy?
  Procedures: Review documentation indicating review of the firearms and ammunition requirements.

  Technique: Do observation towers provide security personnel with observation of security areas?
  Procedures: Review location and visibility of observation towers.

  Technique: What type of ammunition is used by armed security force personnel?
  Procedures: Review documentation indicating the type of ammunition used by armed security force personnel.

  Technique: Is ammunition properly secured and issued only to authorized personnel?
  Procedures: Review documentation indicating procedures for the storage and distribution of ammunition.

  Technique: Are weapons stored and secured when not in use?
  Procedures: Review documentation indicating procedures for the storage and distribution of weapons.

  Technique: Are duties other than those related to security performed by security personnel?
  Procedures: Review job descriptions of security personnel. Review contractual documentation from security contractor, if applicable. Interview security personnel.

  Technique: Does the organization provide devices and specialized equipment for use by the security force?
  Procedures: Review documentation indicating devices and/or specialized equipment distributed to the security force.

  Technique: Does the organization provide security force personnel with individual equipment?
  Procedures: Review documentation indicating devices and/or specialized equipment distributed to the security force.

3.20 Security Measures
  Technique: Does the organization have a loss prevention plan?
  Procedures: Document and review security measures.
Control Technique: What is the date of the organization's most recent risk and threat analysis?
Compliance Procedures: Review documentation detailing risk and threat analysis.

Control Technique: Have areas been designated by the organization as restricted areas as necessary?
Compliance Procedures: Review documentation indicating location and perimeters of restricted areas.

Control Technique: Are the basic security measures for restricted areas in effect?
Compliance Procedures: Review documentation defining the basic security measures for restricted areas. Compare definitions to current state.

Control Technique: Are all restricted area points appropriately posted?
Compliance Procedures: Visit restricted area points.

Control Technique: Are security measures in effect to protect:
• Electrical power supplies and transmission facilities
• Communications centers/equipment
• Arms, ammunition and dangerous cargoes?
Compliance Procedures: Review security measures in effect.

Control Technique: Are physical surveys of the facilities conducted at least annually under the auspices of the security office?
Compliance Procedures: Review documentation indicating that physical surveys are conducted.

Control Technique: What is the date of the most recent physical security inspection, audit, or review by an immediate supervisor in the facility?
Compliance Procedures: Review documentation detailing recent physical surveys. Identify the person who conducted the survey. Interview surveyors.

Control Technique: Does the facility have an after-hours or weekend restricted area security check by the security force?
Compliance Procedures: Review documentation indicating the existence of an after-hours or weekend restricted area security check by the security force.
Control Technique: Are the results of security checks promptly reported to the facility security officer?
Compliance Procedures: Identify reporting process for security checks to the facility security officer.

Control Technique: Does the facility have a privately owned vehicle (POV) parking plan?
Compliance Procedures: Review parking plan for POV.

Control Technique: If yes, does it include:
• Restriction of POV parking in exclusive and limited areas?
• Fence/enclave parking in controlled areas?

Control Technique: Does the facility have a traffic control program?
Compliance Procedures: Review documentation indicating the existence of a traffic control program.
3.21 Barriers and Openings

Control Technique: Does the fenced portion of the facility meet the minimum specification for security fences?
Compliance Procedures: Review security of barriers and openings to the facility.

Control Technique: Is it of chain link (cyclone) composition?

Control Technique: Is it constructed of 9 gauge or heavier wire?

Control Technique: Is the mesh opening no larger than two inches?

Control Technique: Is the selvage twisted and barbed at top and bottom?

Control Technique: Is the bottom of the fence within two inches of solid ground?

Control Technique: In areas where the fence exceeds two inches from solid ground, have compensatory measures been taken?

Control Technique: Is the top guard strung with barbed wire (or barbed tape/razor edge) and angled outward from the protected site and upward at a 45-degree angle?

Control Technique: Is the fence at least eight feet in height, including outrigger, in all required areas?

Control Technique: Does the facility provide for security force inspection of the security barrier, including the clear zone, at least once per month?
Compliance Procedures: Review documentation indicating procedures for security force inspection of the security barrier.

Control Technique: Are deficiencies noted?

Control Technique: Are remedial actions promptly effected?
Control Technique: Are masonry walls used as part of facility barriers? If yes, do they provide security equivalent to that provided by the security barrier?
Compliance Procedures: Review architectural documents for facility barriers.

Control Technique: Are all openings properly secured?
Compliance Procedures: Review architectural documents for facility barriers.

Control Technique: Does a building form a part of the barrier? If yes, are additional security measures provided?
Compliance Procedures: Review architectural documents for facility barriers.

Control Technique: Are openings such as culverts, tunnels, and manholes for sewers and utility access and sidewalks, which permit access to the facility, restricted and secured?
Compliance Procedures: Review architectural documents for facility barriers.

Control Technique: Are all portals in perimeter barriers guarded and/or secured?
Compliance Procedures: Review architectural documents for facility barriers.

Control Technique: Do the gates and/or other entrances in perimeter barriers exceed the number required for safe and efficient operations?
Compliance Procedures: Review architectural documents for facility barriers.

Control Technique: Are all perimeter barrier portals equipped with secure locking devices? Are they locked when not in use?
Compliance Procedures: Review architectural documents for facility barriers.

Control Technique: Do all gates provide protection equivalent to that provided by the barrier of which they are part?
Compliance Procedures: Review architectural documents for facility barriers.

Control Technique: Are prescribed clear zones maintained on both sides of the restricted area barriers?
Compliance Procedures: Review architectural documents for facility barriers.

Control Technique: If clear zone requirements cannot be met, have compensatory security measures been implemented?
Compliance Procedures: Review architectural documents for facility barriers.
Control Technique: Are any perimeters protected by intrusion detection systems (IDS)?
Compliance Procedures: Review architectural documents for facility barriers. Review electronic security system documents.

3.22 Protective Lighting

Control Technique: Are the perimeter and restricted areas provided with protective lighting?
Compliance Procedures: Review lighting specifications in architectural documents.

Control Technique: If yes:
• Does the protective lighting meet the adequate intensity requirement?
• Are the zones of illumination from lamps directed downward and away from guard personnel?
• Is perimeter protective lighting utilized so that security force personnel remain in comparative darkness?
• Are lights checked at least weekly for proper operation prior to darkness?

Control Technique: Are repairs to lights and replacement of inoperative lamps effected immediately or in a reasonable time?
Compliance Procedures: Review documentation indicating procedures for light replacement.

Control Technique: Is additional lighting provided at active portals and points of possible intrusion?
Compliance Procedures: Review lighting specifications in architectural documents.

Control Technique: Does the facility have a dependable source of power for its protective lighting system?
Compliance Procedures: Review lighting specifications in architectural documents.
Control Technique: Does the facility have a dependable auxiliary (emergency) source of power for protective lighting? If yes, is the power source protected?
Compliance Procedures: Review lighting specifications in architectural documents.

Control Technique: Are there provisions for standby or emergency protective lighting? If yes, is the standby or emergency equipment tested at least monthly?
Compliance Procedures: Review lighting specifications in architectural documents.

Control Technique: Can the emergency backup power supply be rapidly switched into operation when needed?
Compliance Procedures: Review lighting specifications in architectural documents.

Control Technique: Is the emergency backup power supply self-started?
Compliance Procedures: Review lighting specifications in architectural documents.

Control Technique: Is the protective lighting emergency or standby power source located within the restricted area?
Compliance Procedures: Review lighting specifications in architectural documents.

Control Technique: Is parallel circuitry used in the wiring?
Compliance Procedures: Review lighting specifications in architectural documents.

Control Technique: Are multiple circuits used? If yes, are proper switching arrangements provided?
Compliance Procedures: Review lighting specifications in architectural documents.
Control Technique: Are switches and controls:
• properly located, controlled and protected?
• weatherproof and tamper resistant?
• readily accessible to security personnel?
• located so that they are inaccessible from outside the perimeter barrier?
Compliance Procedures: Review lighting specifications in architectural documents.

Control Technique: Is there a centrally located switch to control protective lighting?

Control Technique: Is the protective lighting system designed, and are its locations recorded, so that repairs can be made rapidly in an emergency?
Compliance Procedures: Review lighting specifications in architectural documents.

Control Technique: Are materials and equipment in shipping and storage areas properly arranged to provide adequate lighting?
Compliance Procedures: Review lighting specifications in architectural documents.

Control Technique: If bodies of water form a part of the perimeter, is adequate lighting provided where deemed appropriate?
Compliance Procedures: Review lighting specifications in architectural documents.

3.23 Intrusion Detection System

Control Technique: Does the facility employ IDS?
Compliance Procedures: Examine intrusion detection systems.

Control Technique: Are IDS signals monitored at one central point? Is the security force response initiated from that point?
Compliance Procedures: Review documentation describing use of IDS.

Control Technique: Are all sensor equipment, doors, drawers and removable panels secured with key locks or screws and equipped with tamper switches?
Compliance Procedures: Review documentation describing use of IDS.
Control Technique: Have power supplies been protected against overload by fuses or circuit breakers?
Compliance Procedures: Review documentation describing use of IDS.

Control Technique: Are annunciator, control, and display subsystems located in a separate area, closed off from public view?
Compliance Procedures: Review documentation describing use of IDS.

Control Technique: Is the system backed up by security alert teams?
Compliance Procedures: Review documentation describing use of IDS.

Control Technique: Is the alarm system for active areas or structures placed in access mode during normal working hours?
Compliance Procedures: Review documentation describing use of IDS.

Control Technique: Is the system tested prior to activation?
Compliance Procedures: Review documentation describing use of IDS.

Control Technique: Is the system inspected at least monthly?
Compliance Procedures: Review documentation describing use of IDS.

Control Technique: Is the exterior IDS waterproof?
Compliance Procedures: Review documentation describing use of IDS.

Control Technique: Is there an alternate or independent power source available for use on the system in the event of power failure?
Compliance Procedures: Review documentation describing use of IDS.

Control Technique: Is the emergency power source designed to cut in and operate automatically when AC power goes down?
Compliance Procedures: Review documentation describing use of IDS.

Control Technique: Do trained and properly cleared personnel maintain the IDS?
Compliance Procedures: Review documentation describing use of IDS.

Control Technique: Are frequent tests conducted to determine the adequacy and promptness of response to alarm systems?
Compliance Procedures: Review documentation describing use of IDS.
3.24 Employee Security Education Program

Control Technique: Does the activity have a current employee security education program addressing facility security management?
Compliance Procedures: Review documentation describing employee security education program.

Control Technique: Are all assigned personnel provided facility security indoctrination?
Compliance Procedures: Review documentation describing employee security education program.

Control Technique: Is formal security education training conducted at least annually for all personnel?
Compliance Procedures: Review documentation describing employee security education program.

Control Technique: Are all personnel indoctrinated in the security procedures which apply in the performance of their duties?
Compliance Procedures: Review documentation describing employee security education program.
Control Technique: If yes, does the program cover such topics as:
• Pass and badge systems?
• Privately owned vehicle identification and control?
• Random package and vehicle inspection?
• Procedures for prompt reporting of security breaches?
• Layout of the facility to which the security force is assigned?
• Means/avenues by which the facility may be accessed?
• Types of operations on the facility that should be expected?
• General security topics?
Compliance Procedures: Review documentation describing employee security education program.

Control Technique: Are local law enforcement agencies asked to actively participate in pertinent portions of this program?

3.25 Security Force Training

Control Technique: Does the facility provide security force training?
Compliance Procedures: Examine documentation describing security force training.

Control Technique: Does the facility provide lesson plans to cover all facets of security and law enforcement?
Compliance Procedures: Examine documentation describing security force training.

Control Technique: Is outside law enforcement/security training provided?
Compliance Procedures: Examine documentation describing security force training.

Control Technique: If yes, list schools:
Control Technique: Are individual training records maintained for security force personnel?
Compliance Procedures: Review documentation indicating the existence of training records for security force personnel.

Control Technique: Do all security force personnel who are required to bear firearms receive training?
Compliance Procedures: Examine documentation describing security force training.

Control Technique: Do all security personnel receive indoctrination in the use of force?
Compliance Procedures: Examine documentation describing security force training.

3.26 Security Force Communications

Control Technique: Does the activity security force have its own communications system with direct communications between security headquarters and security elements?
Compliance Procedures: Review documentation describing security force communications.

Control Technique: Is there an auxiliary power supply for the communications systems?
Compliance Procedures: Review documentation describing auxiliary power supply.

Control Technique: Is there sufficient equipment to maintain continuous communications with each element of the security force?
Compliance Procedures: Review documentation describing security force communications.

Control Technique: Is there an alternate means of communication available to the security force?
Compliance Procedures: Review documentation describing security force communications.

Control Technique: If yes, is it comparable to the main source of communications?
Compliance Procedures: Review documentation describing security force communications.

Control Technique: What is the primary means of communication for the security force?
Compliance Procedures: Review documentation describing security force communications.

Control Technique: What is the alternative means of communications for the security force?
Compliance Procedures: Review documentation describing security force communications.
Control Technique: Radio communications:
• Are proper radio procedures practiced?
• Is all communications equipment properly maintained?
• Are there at least two dedicated radio frequencies for security force use?
• Are portable radios equipped with multiple frequency capability?
• Are portable radios equipped with an automatic tilt or switch activated duress frequency?
Compliance Procedures: Review documentation describing security force communications.

Control Technique: Does the security force use a duress code for emergency situations?
Compliance Procedures: Review documented procedures for emergency situations.

Control Technique: Is the duress code changed at least monthly?
Compliance Procedures: Review documented procedures for emergency situations.

Control Technique: Is the communications center afforded adequate physical security against armed intrusion?
Compliance Procedures: Review documented procedures for emergency situations.

Control Technique: Are communications systems capable of being used to transmit instructions to all key posts simultaneously in a rapid and timely manner?
Compliance Procedures: Review documentation indicating capabilities of communication system.

3.27 Sabotage

Control Technique: Do procedures exist to protect your organization against industrial sabotage?
Compliance Procedures: Review documentation indicating sabotage protection procedures.

Control Technique: Do procedures exist to protect your organization against radiological sabotage?
Compliance Procedures: Review documentation indicating radiological sabotage protection procedures.
Control Technique: Have measures been taken to protect the health and safety of the public?
Compliance Procedures: Review documentation indicating the procedures to protect the health and safety of the public.

3.28 Protection of Targets

Control Technique: A target is a physical item or information that an adversary wishes to acquire, destroy, or modify. Has your organization identified targets within the facility (vaults, labs, shipment trucks, equipment room, etc.)?
Compliance Procedures: Review documentation identifying targets. Examine procedures for protecting targets.

Control Technique: If so, have special measures been taken to secure these targets?
Compliance Procedures: Examine procedures for protecting targets.

Control Technique: Has "one-of-a-kind" equipment been considered and protected sufficiently?
Compliance Procedures: Review documentation identifying targets.

Control Technique: Have you determined the consequence of target loss, including type and quantity of material or weapon, effect on health and safety of the public, and effect on national security?
Compliance Procedures: Review documentation indicating the appropriate response to the loss of a target.

3.29 Threat Estimation

Control Technique: Has your organization obtained local threat data by defining the site-specific threat to the facility?
Compliance Procedures: Retrieve and examine threat data.

Control Technique: To assist with the definition of local threats, have you contacted your local FBI office, State Police, Sheriff's office and local police department, nearby military special investigations or criminal investigations unit, Alcohol, Tobacco, and Firearms (ATF), Treasury, Drug Enforcement Agency (DEA), or other local offices of federal law enforcement agencies?
3.30 Information Gathering

Control Technique: Are facility tours conducted?
Compliance Procedures: Explore avenues of information gathering.

Control Technique: Are architectural diagrams and alarm system prints available?
Compliance Procedures: Review the availability of documentation.

Control Technique: Are interviews conducted with facility personnel (management and workers)? It is important to interview those who know how safeguards actually work, not just how they should work.
Compliance Procedures: Review documentation of interviews conducted with facility personnel.

Control Technique: Are safeguards, security, and material control and accountability plans available?
Compliance Procedures: Review availability of safeguards, security and material control and accountability plans.

Control Technique: Has a diagram of your facility been drawn?
Compliance Procedures: Review availability of a facility diagram.

Control Technique: If yes, does the diagram focus on issues relevant to safeguards and security?
Compliance Procedures: Review facility diagram.

Control Technique: Does the diagram highlight representative features? It should not indicate every emergency exit, for example, if all are essentially the same.
Compliance Procedures: Review facility diagram.

Control Technique: Does the diagram indicate the location of targets?
Compliance Procedures: Review facility diagram.

Control Technique: Does the diagram highlight physical areas and protection layers (the set of path elements separating two areas)?
Compliance Procedures: Review facility diagram.
Control Technique: Have common path elements (a physical route or passageway from one area to another) been considered? These include: gates, portals, and emergency exits; fences, isolation zones, and overpasses; surfaces, roofs, floors, and windows; ducts, tunnels, and effluent-removal systems; helicopter flight paths.
Compliance Procedures: Review facility diagram.

3.31 Intrusion Detection

Control Technique: Have primary sensors that detect unauthorized passage or penetration been installed on the interior of the facility?
Compliance Procedures: Review intrusion detection capabilities of the facility.

Control Technique: Have primary sensors that detect unauthorized passage or penetration been installed on the exterior of the facility?
Compliance Procedures: Review intrusion detection capabilities of the facility.

Control Technique: Have alarm assessment mechanisms been installed?
Compliance Procedures: Review intrusion detection capabilities of the facility.

Control Technique: Do alarm systems detect contraband?
Compliance Procedures: Review intrusion detection capabilities of the facility.

3.32 Defeating Delay

Control Technique: Have delays that are inactive during certain states been considered, such as vault doors and gates?
Compliance Procedures: Examine existing delays, both inactive and active, that may affect threat elimination response time.

Control Technique: Have activated delays such as smoke generators and vault doors been taken into account?
Compliance Procedures: Examine existing delays, both inactive and active, that may affect threat elimination response time.
3.33 Insider Threats

Control Technique: Have insider types and acts been considered? Insider threats include anyone with access to the facility (or inside knowledge of the operations). Insider criminals are among the most difficult and dangerous adversaries to defend against.
Compliance Procedures: Identify and review insider threats.

Control Technique: Are assessments performed that view the facility from an adversary's perspective?
Compliance Procedures: Review documentation indicating that assessments are performed from an adversary's perspective.

Control Technique: For each person that has access to the facility, do you have information that reflects: access to critical facility areas; keys or combinations held or easily acquired; special authority or job privilege; special skills or knowledge?
Compliance Procedures: Review information available regarding personnel access to the facility.

Control Technique: To protect your facility against insiders, have inventories been consolidated and reduced?
Compliance Procedures: Review inventory consolidation and reduction procedures.

3.34 Outsider Threats

Control Technique: Have outsider types and acts been considered, such as terrorists, criminals, psychotics and anti-nuclear extremists?
Compliance Procedures: Identify and review outsider threats.

Control Technique: Have outsider attacks been documented?
Compliance Procedures: Review documentation indicating outsider attacks.

Control Technique: Have intelligence-gathering agencies been utilized for gathering data about outsider threats?
Compliance Procedures: Review documentation indicating that intelligence-gathering agencies have been contacted.

Control Technique: Have detection, delay and response options been explored?
Compliance Procedures: Review documentation indicating that detection, delay and response options have been explored.
Control Technique: Has the physical location of detectors been explored?
Compliance Procedures: Review documentation indicating the physical location of detectors.

Control Technique: Has protection during uncommon facility states been considered?
Compliance Procedures: Review documentation describing protection of the facility during different states.

3.35 Upgrade Analysis

Control Technique: Are iterative safeguard evaluations conducted to identify upgrades and achieve effective protection? Generally, upgrades imply physical change in the protection system. However, organizational changes, administrative and procedural changes, and re-deployment of existing resources constitute upgrades if they reduce the risk.
Compliance Procedures: Review documentation indicating that safeguard evaluations are conducted to identify upgrades and achieve effective protection.

3.36 Key Control

Control Technique: Describe the key control system.
Compliance Procedures: Review documentation describing key control systems.

Control Technique: Who is responsible for key control?
Compliance Procedures: Review documentation describing key control systems.

Control Technique: How many master keys, which provide access to all locks, are there?
Compliance Procedures: Review documentation describing key control systems.

Control Technique: Who has been issued master keys? What are their names and positions, and what is the key number?
Compliance Procedures: Review documentation describing key control systems.

Control Technique: Are keys signed for?
Compliance Procedures: Review documentation describing key control systems.

Control Technique: Are all keys accounted for?
Compliance Procedures: Review documentation describing key control systems.

Control Technique: Is issuance of keys recorded?
Compliance Procedures: Review documentation describing key control systems.

Control Technique: If yes, is the record kept up to date?
Compliance Procedures: Review documentation describing key control systems.
Control Technique: Are keys removed from vehicles at night and on weekends?
Compliance Procedures: Review documentation describing key control systems.

Control Technique: Describe the procedure for return of keys when an employee is terminated or transferred.
Compliance Procedures: Review documentation describing key control systems.

3.37 Trash Disposal

Control Technique: Who provides the facility's trash disposal?
Compliance Procedures: Review trash disposal process.

Control Technique: How often is trash removed?
Compliance Procedures: Review trash disposal process.

Control Technique: Is trash periodically inspected?
Compliance Procedures: Review trash disposal process.

Control Technique: Is trash removed from the facility under supervision?
Compliance Procedures: Review trash disposal process.

3.38 Lobby

Control Technique: How many hours per day is the lobby open?
Compliance Procedures: Review lobby access policy.

Control Technique: What time does the lobby open/close?
Compliance Procedures: Review lobby access policy.

Control Technique: Is any control exercised over personnel movement during this time?
Compliance Procedures: Review lobby access policy.

Control Technique: Is it possible to have any personnel control in the lobby during open periods?
Compliance Procedures: Review lobby access policy.

Control Technique: Describe controls currently in force.
Compliance Procedures: Review lobby access policy.

Control Technique: How many banks of elevators are there in the lobby?
Compliance Procedures: Review lobby access policy.

3.39 Custodial Personnel

Control Technique: Is the custodial work in the building done by building employees or by contract personnel?
Compliance Procedures: Review documentation indicating custodial access controls.

Control Technique: How are custodial passkeys distributed?
Compliance Procedures: Review documentation indicating custodial access controls.
Control Technique: During what hours do custodial personnel work?
Compliance Procedures: Review documentation indicating custodial access controls.

Control Technique: How is custodial service supervised?
Compliance Procedures: Review documentation indicating custodial access controls.

Control Technique: Are these emergency exits tested on a monthly basis to ensure that the alarms are working properly?
Compliance Procedures: Determine the area responsible for testing exits. Obtain evidence of testing for the last 2 quarters.

Control Technique: Are emergency exits equipped with an automatic closing device?
Compliance Procedures: Test to ensure that each emergency exit in the area is equipped with such a device.

Data Centers

4. Controls are in place to ensure that the identification and access rights of users, as well as the identity of system and data ownership, are established and managed in a unique and central manner to obtain consistency and efficiency of global access control.

Control Technique: Is all computer and telecommunications equipment in a physically secured data center?
Compliance Procedures: Verify that no computer and telecommunications equipment exists outside a secured data center.

Control Technique: Has the data center been assessed for risk?
Compliance Procedures: Assess the data center for risk.

Control Technique: Is access to telephone/riser closets adequately controlled?
Compliance Procedures: Determine whether closets are locked and how keys are secured. Evaluate whether only appropriate, authorized individuals possess keys.

Control Technique: Are telephone/riser closets clean and free of miscellaneous equipment?
Compliance Procedures: Perform a walk-through of each closet and determine whether closets are neat and clean.
Control Technique: If a room contains equipment that will be supported by MORE THAN ONE ORGANIZATIONAL ENTITY (i.e., department, vendor, etc.), is a recorded CCTV camera used to monitor the person entering the room? One exception to this requirement is to have the approved vendor escorted by a department employee for the full amount of time the vendor is in the room. Also, it is important to ensure that he/she does not have access via the card key entry system, so that he/she cannot enter alone.
Compliance Procedures: Verify that if a room contains equipment that will be supported by multiple entities (departments, vendors, etc.), a recorded CCTV camera is used to monitor the person entering the room. Verify that the tapes are retained for a minimum of seven days.

Physical Access Lists and Visitor Logs to Data Centers

5. Controls are in place to ensure that adequate control measures are imposed to safeguard equipment and facilities.

Control Technique: Is there an access list posted at the data center entrance?
Compliance Procedures: Obtain the current list of employees and verify that the access list is up to date. You may need to obtain a list from HR listing all employees who have transferred or left the area to verify whether the list is current.

Control Technique: Is there a process to review the access list on a quarterly basis to ensure it is current?
Compliance Procedures: Obtain procedures as well as evidence that the review was conducted for the last 2 quarters.

Control Technique: Do only authorized individuals (including authorized employees, consultants, or vendors) have access to the Tech/Comm Room or data center, and do the names of those authorized match the access list posted on the door?
Compliance Procedures: Obtain a listing from the Card Key System and reconcile it against an HR listing of employees who have left the area and against current lists of vendors/consultants who support equipment in the facility.
Control Technique: Do documented procedures exist for the admittance and control of visitors to the Tech/Comm Room or data center? NOTE: If an outsourcing agreement exists, then vendor personnel who require access to perform their job are not considered visitors.
Compliance Procedures: Verify the existence of these procedures.

Control Technique: Do authorized department personnel, while working within the secured Tech/Comm Room or data center, escort all visitors?
Compliance Procedures: Verify that procedures document this requirement and observe the process when visitors are present.

Control Technique: Does a visitor log exist for all non-authorized personnel to sign in upon entering the Tech/Comm Room or data center?
Compliance Procedures: Select 5 completed pages from the logbook for review. Verify that the log contains the proper verification items.

Control Technique: Does it require: date of visit, individual's name, purpose of visit, time-in and time-out, and initials of the employee authorizing the visit?
Compliance Procedures: Verify that date of visit, individual's name, purpose of visit, time-in and time-out, and initials of the employee authorizing the visit are present on the samples.

Control Technique: Is management required to review the visitor logs weekly to ensure that logs are complete, and do they evidence their review by signing the log in the appropriate space?
Compliance Procedures: Select a 5-page sample from the logbook and verify that entries are complete and that there is evidence of management review.
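The two sampling procedures above (entry completeness and weekly management review) can be applied mechanically to a logbook exported as CSV. The script below is an added example, not part of the VAF; the column names, the "MGMT REVIEW" convention for a manager's sign-off row, and the log rows themselves are constructed assumptions.

```python
"""Visitor log completeness check for a data center sign-in log.

Added example, not part of the VAF checklist. Every visitor entry must carry
date, name, purpose, time-in, time-out and the authorizing employee's
initials, and every week that has visitor entries must also show a
management review. The CSV export below is constructed sample data.
"""
from __future__ import annotations

import csv
import io
from datetime import date, datetime, timedelta

REQUIRED_FIELDS = ("date", "name", "purpose", "time_in", "time_out", "initials")

# Constructed sample of a sign-in log exported as CSV (one line per visit).
# Assumption: a management review is recorded as a row whose purpose is
# MGMT REVIEW, signed by the reviewing manager in the initials column.
SAMPLE_LOG = """\
date,name,purpose,time_in,time_out,initials
1998-10-05,A. Visitor,Vendor maintenance,09:00,10:30,JB
1998-10-06,B. Visitor,Tour,13:00,,JB
1998-10-09,Manager,MGMT REVIEW,17:00,17:05,MGR
1998-10-13,C. Visitor,Consultant,08:45,12:00,
1998-10-14,D. Visitor,Cabling,10:00,09:30,KL
1998-10-21,E. Visitor,Audit,11:00,11:45,KL
1998-10-23,Manager,MGMT REVIEW,16:30,16:40,MGR
"""


def parse_log(text: str) -> list[dict[str, str]]:
    """Parse the CSV export into a list of row dicts with stripped values."""
    reader = csv.DictReader(io.StringIO(text))
    return [{k: (v or "").strip() for k, v in row.items()} for row in reader]


def is_review_row(row: dict[str, str]) -> bool:
    """True for a management review row (see SAMPLE_LOG assumption)."""
    return row.get("purpose", "").upper() == "MGMT REVIEW"


def check_entry(row: dict[str, str]) -> list[str]:
    """Findings for one visitor entry; an empty list means the entry is complete."""
    findings = [f"missing {field}" for field in REQUIRED_FIELDS if not row.get(field)]
    if row.get("time_in") and row.get("time_out"):
        t_in = datetime.strptime(row["time_in"], "%H:%M")
        t_out = datetime.strptime(row["time_out"], "%H:%M")
        if t_out < t_in:
            findings.append("time_out before time_in")
    return findings


def week_start(day: str) -> str:
    """ISO date of the Monday that starts the week containing `day`."""
    d = date.fromisoformat(day)
    return (d - timedelta(days=d.weekday())).isoformat()


def weeks_without_review(rows: list[dict[str, str]]) -> list[str]:
    """Weeks (by Monday date) that have visitor entries but no management review."""
    visited = {week_start(r["date"]) for r in rows if r.get("date") and not is_review_row(r)}
    reviewed = {week_start(r["date"]) for r in rows if r.get("date") and is_review_row(r)}
    return sorted(visited - reviewed)


def audit_visitor_log(text: str) -> dict:
    """Run both checks; incomplete entries are keyed by their 1-based row number."""
    rows = parse_log(text)
    incomplete = {}
    for number, row in enumerate(rows, start=1):
        if is_review_row(row):
            continue
        findings = check_entry(row)
        if findings:
            incomplete[number] = findings
    return {"incomplete": incomplete, "unreviewed_weeks": weeks_without_review(rows)}


if __name__ == "__main__":
    result = audit_visitor_log(SAMPLE_LOG)
    for number, findings in result["incomplete"].items():
        print(f"row {number}: {', '.join(findings)}")
    for week in result["unreviewed_weeks"]:
        print(f"no management review for week starting {week}")
```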
Physical Keys, Card Keys and Cipher Locks

6. Controls are in place to ensure that adequate physical security measures are imposed to safeguard equipment and facilities.

Control Technique: Is a recorded card key system used to enter and exit all legacy and new installations as specified by Corporate Security?
Compliance Procedures: Verify by observation that a recorded card key system is used to enter and exit all legacy and new installations as specified by Corporate Security.

Control Technique: Is there a process to periodically inventory the card keys to ensure that none have been lost or stolen?
Compliance Procedures: Obtain evidence of the most recent card inventory. Spot check items on the list to ensure the inventory is complete.

Control Technique: Is there a process for management to periodically (i.e., at least semi-annually) review card key access listings to ensure that only authorized individuals have access to the facility?
Compliance Procedures: Obtain the results from the last review. Ensure all affected areas of management have had an opportunity to review the listing.

Control Technique: Is there a policy that requires management to obtain card keys from terminated or transferred employees?
Compliance Procedures: Obtain procedures and a list of employees who have left the area from HR. Verify that cards for employees who have left have either been assigned to other users or are deactivated.

Control Technique: Are unused card keys kept in a secured location and kept in a deactivated state?
Compliance Procedures: Meet with security personnel to determine where cards are secured. Review the card list or the card key system itself to determine whether cards are deactivated. Record observation.

Control Technique: Does the facility have a fail-safe design or manual override capability if the Card Key Access System fails?
Compliance Procedures: Verify the existence of the fail-safe through observation or documentation from the manufacturer.
Control Technique: If a cipher lock is used, compensating controls must be used. Is there a process for management to periodically (i.e., at least semi-annually) review cipher lock access listings to ensure that only authorized individuals have access to the facility?
Compliance Procedures: Obtain the results from the last review. Ensure all affected areas of management have had an opportunity to review the listing.

Control Technique: Does a procedure exist to change the cipher lock at least quarterly or when an employee leaves the area?
Compliance Procedures: Verify the existence of the procedure stating these controls.

Control Technique: Is the key to change the cipher lock combination kept in a secured location (i.e., Tel-key box or safe)?
Compliance Procedures: If the key is in the Tel-key box, answer the Facilities - Tel-Key Box Section.

Control Technique: Is a logbook of cipher lock changes kept?
Compliance Procedures: Verify that changes were made quarterly or when an employee left, by reconciling with an HR listing of employees who have left the area. Verify that all log entries are complete.
Does the facility have a fail-safe Verify the existence of a fail safe
design or manual override or manual override through
capability if the cipher lock system observation or documentation
fails? from the manufacturer.
Is access to the Tech/Comm Room
or data center controlled through
the use of physical keys?
Is there a list of individuals who Verify with management that the
have keys to the facility and is it appropriate individuals have keys.
appropriate for all those on the list
to have these keys?
Is a Tel-key box used by the If you determine through the
facility to secure keys and/or course of your review that a Tel-
passwords to sensitive ID’s? key box is needed, then record this
as an issue as well.
Control technique: Is the Tel-key box under dual control?
Compliance procedure: Observe the process to open the box. Obtain a list of the individuals who possess these keys and their location. Make sure that one individual cannot dominate the entry process.

Control technique: Is there an inventory of items inside the Tel-key box?
Compliance procedure: Obtain the inventory and sample items in the Tel-key box to ensure that the inventory is current.

Control technique: Is there a logbook to record what is removed from and returned to the Tel-key box? Does the logbook contain the date, time, reason for removal (including trouble ticket number), and the initials of both individuals who opened the Tel-key box to remove the item?
Compliance procedure: Select 3 completed pages from the log. Verify completeness of columns and entries. Select 6 entries from the sampled pages and trace them to the trouble ticket number or other authorizing paperwork.

Control technique: Does management review the Tel-key log monthly to ensure that entries are complete, and is there evidence of such a management review?
Compliance procedure: From the 3-page sample, ensure that a management review was performed monthly.

Control technique: Is the Tel-key box process documented in a procedure manual?
Compliance procedure: Verify that the Tel-key box procedures are documented in the procedure manual.

Control technique: If the tech/comm room is shared among multiple business units and/or vendors, is equipment kept in locked cabinets? Are the keys to these cabinets secured?
Compliance procedure: Spot check several cabinets and verify that they are locked. Determine the controls over cabinet keys.

Passwords
Control objective 7. Passwords, tokens, or other devices are used to identify and authenticate users.

Control technique: Are passwords
- unique to specific individuals, not groups;
- controlled by the assigned user and not subject to disclosure;
- changed periodically (every 30 to 90 days);
- not displayed when entered;
- at least 6 alphanumeric characters in length;
- prohibited from being shared; and
- prohibited from reuse for at least 6 generations?
Compliance procedure: Review pertinent policies and procedures. Interview users. Review security software password parameters. Observe users keying in passwords. Attempt to log on without a valid password; make repeated attempts to guess passwords. Assess the procedures for generating and communicating passwords to users. (The length and change-interval figures are this framework's 1998 baseline; later guidance such as NIST SP 800-63B favours longer passwords screened against lists of compromised values over forced periodic change.)

Control technique: Is the use of names or dictionary words prohibited?
Compliance procedure: Review a system-generated list of current passwords, if one exists; note that a system able to print current passwords stores them recoverably, which is itself a finding (see the later item on password file encryption). Search the password file using audit software.

Control technique: Are vendor-supplied passwords replaced immediately?
Compliance procedure: Attempt to log on using common vendor-supplied passwords. Search the password file using audit software.

Control technique: Are generic user IDs and passwords used?
Compliance procedure: Interview users and security managers. Review a list of IDs and passwords.
Control technique: Are password-protected screen savers used on all desktop computers?
Compliance procedure: Verify that password-protected screen savers are installed and lock within a specified time period on all desktop computers by sampling them for compliance.

Control technique: Are attempts to log on with invalid passwords limited to about three attempts?
Compliance procedure: Repeatedly attempt to log on using invalid passwords. Review security logs.
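The password rules and the lockout test above can be checked mechanically rather than by interview alone. The Python below is an added example for this edition, not part of the KPMG/CIAO framework text: it encodes the framework's thresholds (6 characters, 6 generations, about 3 failed attempts) and runs them over constructed candidate passwords and a constructed security-log excerpt. The word lists, the log line format and the reading of "alphanumeric" as "letters and digits mixed" are assumptions made here.

```python
"""Password-policy and lockout checks for the control techniques above.

Added example: the thresholds come from the framework; the word lists, the
log format and the reading of "alphanumeric" as "letters and digits mixed"
are assumptions made here.
"""
from __future__ import annotations

from dataclasses import dataclass, field

MIN_LENGTH = 6           # "at least 6 alphanumeric characters in length"
HISTORY_DEPTH = 6        # "prohibited from reuse for at least 6 generations"
MAX_FAILED_ATTEMPTS = 3  # "limited to about three attempts"

# Constructed stand-ins; an assessment would load a real dictionary file and
# the vendor's documented defaults for the platform under review.
DICTIONARY_WORDS = {"password", "welcome", "summer", "dragon", "letmein"}
COMMON_NAMES = {"john", "mary", "smith", "jones"}
VENDOR_DEFAULTS = {"manager", "tiger", "system", "field", "service", "admin"}


@dataclass
class Account:
    user_id: str
    password_history: list[str] = field(default_factory=list)  # most recent first


def password_violations(candidate: str, account: Account) -> list[str]:
    """Return every rule the candidate breaks; an empty list means compliant."""
    lowered = candidate.lower()
    problems: list[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        problems.append("not a mix of letters and digits")
    if lowered in DICTIONARY_WORDS or lowered in COMMON_NAMES:
        problems.append("dictionary word or name")
    if lowered in VENDOR_DEFAULTS:
        problems.append("vendor-supplied default")
    if lowered == account.user_id.lower():
        problems.append("same as user ID")
    if lowered in (p.lower() for p in account.password_history[:HISTORY_DEPTH]):
        problems.append(f"reused within the last {HISTORY_DEPTH} generations")
    return problems


# Constructed security-log excerpt: "<timestamp> <user> <LOGON_OK|LOGON_FAIL>".
SAMPLE_LOG = """\
1998-10-05T08:01:10 jdoe LOGON_FAIL
1998-10-05T08:01:25 jdoe LOGON_FAIL
1998-10-05T08:01:40 jdoe LOGON_FAIL
1998-10-05T08:01:55 jdoe LOGON_FAIL
1998-10-05T08:02:10 jdoe LOGON_OK
1998-10-05T09:15:00 asmith LOGON_FAIL
1998-10-05T09:15:30 asmith LOGON_OK
"""


def lockout_bypasses(log_text: str, limit: int = MAX_FAILED_ATTEMPTS) -> dict[str, int]:
    """Users who logged on after at least `limit` consecutive failures.

    If the security software enforced the limit, such a success could not
    occur; each hit is therefore a finding against the lockout control.
    """
    streak: dict[str, int] = {}
    findings: dict[str, int] = {}
    for line in log_text.splitlines():
        _ts, user, event = line.split()
        if event == "LOGON_FAIL":
            streak[user] = streak.get(user, 0) + 1
        elif event == "LOGON_OK":
            if streak.get(user, 0) >= limit:
                findings[user] = streak[user]
            streak[user] = 0
    return findings


if __name__ == "__main__":
    acct = Account("jdoe", password_history=["Old3pw9", "Aa1bb2c"])
    for pw in ("Summer98", "welcome", "Old3pw9", "jdoe"):
        print(pw, password_violations(pw, acct) or "OK")
    print(lockout_bypasses(SAMPLE_LOG))
```

The history check only works when the security software keeps the previous generations (as hashes); if it does not, the "6 generations" rule cannot be enforced and should be recorded as a finding regardless of what the policy document says.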
Control technique: Are personnel files automatically matched with actual system users to remove terminated or transferred employees from the system?
Compliance procedure: Review pertinent policies and procedures. Review documentation of such comparisons. Interview security managers. Make the comparison using audit software.

Control technique: Are password files encrypted?
Compliance procedure: View a dump of the password files (e.g., hexadecimal printout). Note that stored passwords should be one-way hashed rather than reversibly encrypted; the dump shows only that cleartext is absent, not that the hashing is strong or salted, so also identify the hash algorithm the security software uses.

Control technique: For other devices, such as tokens or key cards, do users
- maintain possession of their individual tokens, cards, etc., and
- understand that they must not loan or share these with others, and must report lost items immediately?
Compliance procedure: Interview users. To evaluate biometrics or other technically sophisticated authentication techniques, the auditor should obtain the assistance of a specialist.

Network Management Systems (NMS)

Control objective 8. Network Management Systems (NMS).

Control technique: Are all terminal access methods (i.e., dial-in, LAN, hard-wired) for the NMS listed?
Compliance procedure: Obtain the dial-in access list for all NMS in use. Compare the list against each NMS configuration.
Control technique: Is there a description of each NMS, and are the networks they support documented in the procedures?
Compliance procedure: Each NMS in use must have a written procedure for its designated network. The operational procedure should be in the PCM manual.

Control technique: Are all network control and monitoring systems in a physically controlled area?
Compliance procedure: Ensure that the physical security for network control and monitoring systems has been approved by the manager. Check the access list for the controlled area against the organization chart.

Control technique: If dial-in access to the NMS is allowed, are dial-in access controls in place (e.g., manual log or callback security)?
Compliance procedure: If remote dial-in access to the NMS is allowed, operations personnel must have:
- ready access to the list of network user IDs, locations, and telephone contact numbers; and
- the facility to rapidly disable any individual network user ID.
A current log must be maintained for all dial-in access activity, and the systems must have unlisted phone numbers.

Control technique: Are security administration procedures (i.e., ID creation, review of security administration activity, violation monitoring, emergency access, and periodic review of entitlements) in place for each network management system?
Compliance procedure: Review the procedures.
Control technique: Is segregation of duties maintained between the individuals performing the security administration function for each NMS and the individuals performing the network management and monitoring functions?
Compliance procedure: Look at the ACLs to determine whether security administration and system administration are segregated.

Control technique: Are the NMS privileges of individuals in the area under review appropriate for their job function?
Compliance procedure: Review the organization chart with roles and responsibilities.

Control technique: Are NMS IDs shared by more than one operator or technician?
Compliance procedure: Look at the user ID file to determine whether generic IDs exist.

Control technique: If shared IDs are used, is it because legacy systems are in use where separate IDs are not technologically feasible? Or are the shared IDs used solely for monitoring purposes, with read or inquiry access only?
Compliance procedure: See above.

Security Software

Control objective 9. Logical controls over data files and software programs.

Control technique: Is security software used to restrict access?
Compliance procedure: Interview security administrators and system users.

Control technique: Is access to the security software restricted to security administrators only?
Compliance procedure: Review security software parameters.

Control technique: Are computer terminals automatically logged off after a period of inactivity?
Compliance procedure: Observe terminals in use. Review security software parameters.
Control technique: Are inactive user accounts monitored and removed when not needed?
Compliance procedure: Review security software parameters. Review a system-generated list of inactive logon IDs, and determine why access for these users has not been terminated.
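Several items in this checklist ask for the same reconciliation under different headings: card keys held by terminated staff (objective 6), the cipher lock change log against HR departures, personnel files matched against system users (objective 7), shared or generic NMS IDs (objective 8), and inactive accounts (this item). The Python below is one added example covering all of them, written for this edition and not part of the KPMG/CIAO framework text. The three CSV extracts, their column names and the 90-day inactivity threshold are constructed assumptions standing in for the HR list, the security software user listing and the card key holder list an assessor would obtain.

```python
"""Reconcile access listings against the HR separation list (added example).

The CSV extracts below are constructed stand-ins for what an assessor would
obtain: the HR list of separated employees, the security software's user
listing and the card key holder list. Column names and the 90-day
inactivity threshold are assumptions.
"""
from __future__ import annotations

import csv
import io
from datetime import date

INACTIVITY_DAYS = 90
AS_OF = date(1998, 10, 5)  # date of the review

HR_SEPARATIONS_CSV = """\
employee_id,name,separated_on
1001,Jane Doe,1998-09-01
1002,Bob Lee,1998-09-15
"""

SYSTEM_USERS_CSV = """\
user_id,employee_id,last_logon,status
jdoe,1001,1998-09-20,active
blee,1002,1998-08-30,disabled
csmith,1003,1998-10-01,active
ops1,,1998-10-02,active
oldtmp,1004,1998-03-02,active
"""

CARD_KEYS_CSV = """\
card_id,employee_id,state
C-101,1001,active
C-102,1002,deactivated
C-103,1003,active
C-104,,active
"""


def _rows(text: str) -> list[dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(hr_csv: str, users_csv: str, cards_csv: str, as_of: date) -> dict[str, list[str]]:
    """Return findings by category, each a sorted list of IDs.

    terminated_with_access    system IDs still active for separated employees
    activity_after_separation logons recorded after the HR separation date
    terminated_with_card      card keys still active for separated employees
    generic_ids               IDs or cards not tied to any employee
    inactive                  active IDs with no logon for INACTIVITY_DAYS
    """
    separated = {r["employee_id"]: date.fromisoformat(r["separated_on"])
                 for r in _rows(hr_csv)}
    findings: dict[str, list[str]] = {
        "terminated_with_access": [], "activity_after_separation": [],
        "terminated_with_card": [], "generic_ids": [], "inactive": [],
    }
    for u in _rows(users_csv):
        emp, last = u["employee_id"], date.fromisoformat(u["last_logon"])
        active = u["status"] == "active"
        if not emp:
            findings["generic_ids"].append(u["user_id"])
        elif emp in separated:
            if active:
                findings["terminated_with_access"].append(u["user_id"])
            if last > separated[emp]:  # someone used the ID after the person left
                findings["activity_after_separation"].append(u["user_id"])
        if active and (as_of - last).days > INACTIVITY_DAYS:
            findings["inactive"].append(u["user_id"])
    for c in _rows(cards_csv):
        if not c["employee_id"]:
            findings["generic_ids"].append(c["card_id"])
        elif c["employee_id"] in separated and c["state"] == "active":
            findings["terminated_with_card"].append(c["card_id"])
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for category, ids in reconcile(HR_SEPARATIONS_CSV, SYSTEM_USERS_CSV,
                                   CARD_KEYS_CSV, AS_OF).items():
        print(f"{category}: {', '.join(ids) or 'none'}")
```

The "activity after separation" category is the one to chase first: an active ID for a departed employee is a hygiene failure, but a logon on that ID after the departure date means someone else is using the credential.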
Control technique: Do security administration personnel set the parameters of the security software to provide access as authorized and restrict access that has not been authorized, including access to data files, load libraries, batch operational procedures, source code libraries, security files, and operating system files?
Compliance procedure: Determine the library names for sensitive or critical files and libraries, and obtain security reports of the related access rules. Using these reports, determine who has access to critical files and libraries and whether the access matches the level and type of access authorized.
DBMS

Control objective 10.1. Logical controls over a database.

Control technique: Have database management system (DBMS) and data dictionary (DD) controls been implemented that
- restrict access to data files at the logical data view, field, or field-value level;
- control access to the DD using security profiles and passwords;
- maintain audit trails that allow monitoring of changes to the DD; and
- provide inquiry and update capabilities from application program functions, interfacing DBMS or DD facilities?
Compliance procedure: Review pertinent policies and procedures. Interview the database administrator. Review DBMS and DD security parameters. Test the controls by attempting access to restricted files.

Control technique: Is the use of DBMS utilities limited?
Compliance procedure: Review security system parameters.

Control technique: Are access to and changes to the DBMS software controlled?
Compliance procedure: Review procedures and change control documentation.

Control technique: Is access to the security profiles in the DD and the security tables in the DBMS limited?
Compliance procedure: Review procedures for access.

Control objective 10.2. Network Management Systems (NMS).

Control technique: Are network topology diagrams current for each network that supports the production environment?
Compliance procedure: Review each network topology diagram and verify the accuracy of the information against the actual network configuration. Use management system data for verification and cross-referencing.
Control technique: Are detailed network circuit diagrams current?
Compliance procedure: Sample 10% of network circuits. Choose several linkages from the topology diagrams and trace the diagrams to the physical equipment. Check for demarc IDs, modems, cable switching equipment, label IDs, cabinet IDs, servers, routers, etc.

Remote Access

Control objective 11.1. Logical controls over telecommunications access.

Control technique: Are dial-in phone numbers kept unpublished, and are they periodically changed?
Compliance procedure: Review pertinent policies and procedures. Review documentation showing changes to dial-in numbers. Review the entity's telephone directory to verify that the numbers are not listed.

Control objective 11.2. Dial Backup (DBU).

Control technique: Are all dial backup lines that are defined to the network listed?
Compliance procedure: Obtain a list of the DBU lines in use by interviewing management.

Control technique: Do procedures exist for authorizing, invoking, monitoring and testing dial backup for certain portions of the network?
Compliance procedure: Obtain the procedures and ensure that they address all of these concerns.

Control objective 11.3. Remote Access.

Control technique: If session-level encryption is used (e.g., IRE) and its activation depends on some type of physical connection, are users prohibited from gaining access via alternate means (i.e., different phone numbers)?
Compliance procedure: Obtain reports from the management system to identify the user listing, devices, application names and unauthorized access activity. Check whether trouble tickets are opened for illegal connections.
Control technique: Is dial-in access to all production resources restricted to authorized personnel via challenge-response, dynamic password exchange and approved cryptographic techniques, or via emergency procedures that incorporate compensating controls?
Compliance procedure: All personnel, consultant and vendor dial-in access should use dynamic password tokens (e.g., SecurID, DESGOLD) for user authentication. Obtain the dial-in user list and verify that an approved authentication method is used.

Control technique: Are all Internet gateways and leased lines interfacing with external networks protected by a firewall?
Compliance procedure: Verify that backbone networks and business-supported LANs and WANs are protected by firewalls. Firewalls must be configured to provide user identification, destination screening, and service restrictions (e.g., on Telnet and FTP).

Control technique: Does an inventory exist of the dial-in devices, including their location?
Compliance procedure: Access to the network, user ID, location and telephone contact number must be documented.

Control technique: Does a formal process exist to request dial-in access that requires supervisor or business relationship approval?
Compliance procedure: A procedure must be in place regardless of whether the dial access facilities are owned and operated by the internal organization or by an external service provider. Verify the procedures for approving dial-in access.

Control technique: If private or public dial-in access is being used, how is this access tracked and controlled?
Compliance procedure: Obtain reports to validate dial-in access. Refer to Information Security Administration reports to identify failed attempts and unauthorized access. Obtain violation-logging records for verification.
Encryption and Related Applications

Control objective 12.1. Cryptographic tools.

Control technique: Have cryptographic tools been implemented to protect the integrity and confidentiality of sensitive and critical data and software programs?
Compliance procedure: To evaluate cryptographic tools, the auditor should obtain the assistance of a specialist.

Control objective 12.2. Transaction Authorization.

Control technique: Do policies exist to ensure that, where appropriate, controls are implemented to provide authenticity of transactions? This requires the use of cryptographic techniques for signing and verifying transactions.
Compliance procedure: Review policies to determine whether they address the authenticity of transactions.

Control objective 12.3. Cryptographic Key Management.

Control technique: Are the physical and logical encryption keys secured under dual control?
Compliance procedure: Review the dual control procedures for logical and physical encryption keys. Some encryption devices have physical keys; others have a module that plugs into the unit to change the logical keys. Key components A and B must be kept separate and maintained by two different parties or people, so that no single custodian can reconstruct the key. This procedure applies to internal or external controls.
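The dual control requirement above (key components A and B held by different people) is normally implemented by splitting the key into components that must be combined before use, so that neither custodian ever holds or sees the whole key. The Python below is an added example for this edition, not part of the KPMG/CIAO framework text: it splits a key by XOR, recombines it in a two-person load ceremony and uses a key check value (KCV) so the custodians can confirm the result without the key ever being written down. Assumptions: a 16-byte key; a truncated SHA-256 standing in for the block-cipher-based check value the ANSI X9 standards define, because the Python standard library has no DES or AES; and a constructed list of vendor-default check values for the "default keys changed" item later in this section.

```python
"""Dual-control key components (added example, not part of the framework).

A symmetric key is split into two components held by custodians A and B.
The components are combined with XOR, so one component alone is
statistically independent of the key. A key check value (KCV) lets the
custodians confirm the reconstructed key without writing it down.

Assumptions: a 16-byte key, and a truncated SHA-256 standing in for the
block-cipher-based KCV the ANSI X9 standards define, since the standard
library has no DES or AES. The default-key KCV list is constructed.
"""
from __future__ import annotations

import hashlib
import secrets

KEY_BYTES = 16
KCV_HEX_DIGITS = 6


def _xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("components must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, parts: int = 2) -> list[bytes]:
    """Split `key` into `parts` components whose XOR equals `key`.

    The first `parts - 1` components are fresh random bytes; the last is
    chosen so the XOR of all of them is the key. Any `parts - 1` of them
    reveal nothing about the key.
    """
    if parts < 2:
        raise ValueError("need at least two components for dual control")
    components = [secrets.token_bytes(len(key)) for _ in range(parts - 1)]
    last = key
    for c in components:
        last = _xor(last, c)
    return components + [last]


def combine(components: list[bytes]) -> bytes:
    key = components[0]
    for c in components[1:]:
        key = _xor(key, c)
    return key


def check_value(key: bytes) -> str:
    """Short fingerprint of the key; safe to record in the key-load log."""
    return hashlib.sha256(b"KCV" + key).hexdigest()[:KCV_HEX_DIGITS]


# Constructed list of KCVs for vendor-shipped default keys, standing in for
# the values an assessor would take from the vendor documentation.
KNOWN_DEFAULT_KCVS = {check_value(bytes(KEY_BYTES)), check_value(b"\x01" * KEY_BYTES)}


def key_load_ceremony(component_a: bytes, component_b: bytes, expected_kcv: str) -> bool:
    """Both custodians enter their component. The load is accepted only if
    the KCV matches the one recorded at key generation and the key is not a
    known vendor default."""
    kcv = check_value(combine([component_a, component_b]))
    return kcv == expected_kcv and kcv not in KNOWN_DEFAULT_KCVS


if __name__ == "__main__":
    key = secrets.token_bytes(KEY_BYTES)
    a, b = split_key(key)
    print("component A:", a.hex())      # goes to custodian A only
    print("component B:", b.hex())      # goes to custodian B only
    print("KCV:", check_value(key))     # recorded in the key log, not the key
    print("load accepted:", key_load_ceremony(a, b, check_value(key)))
```

When reviewing a key ceremony, the assessor should expect to see the KCV in the signed log and the components on separate, sealed media; a log that records the key itself, or a single person holding both component envelopes, defeats the control.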
Control technique: Are encryption devices properly locked, and are the physical keys removed from the units?
Compliance procedure: Select cabinets with encryption devices installed. Each tag must carry the encryption unit number and circuit (CKT) ID. Unused keys must be tagged. Verify that the encryption device locks are in the locked position and the physical keys are in the Tel-key box.
Control technique: If encryption keys are automatically changed, are alarms/events in place to notify management when devices are inoperable or set to bypass mode?
Compliance procedure: Review the encryption device management system's alarm events for unsuccessful DAILY key exchange or BYPASS conditions. For devices that are not connected to a management system, the same events can be obtained directly from the unit; look into the encryption management option. Evidence must be signed and dated by the manager. Note: each unit can store up to 99 events, after which the buffer is overwritten with new data, so events must be collected before the buffer wraps.

Control technique: Is the organization notified within a designated number of hours whenever a particular device is placed in bypass mode?
Compliance procedure: Refer to the SLA for the user notification process. A memo or trouble ticket should be used for notification if required. Verify whether the user has requested this type of service.

Control technique: Are alarms reviewed in real time? Are procedures in place for performing this review?
Compliance procedure: Confirm that a procedure exists to review alarms in real time and that a review process has been developed. The manager's signature and date must be present. If a checkoff list is used, verify that all major alarms are displayed in real time and that corrective action was taken for each event.
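The three items above amount to a daily review of the device event log: every unit must show a successful key exchange, no unit may be left in bypass (passing traffic in the clear), every bypass episode must be traceable to a notification, and the review must happen before a unit's 99-event buffer wraps. The Python below is an added example for this edition, not part of the KPMG/CIAO framework text; it runs that review over a constructed management-system export. The record layout "<unit> <ISO timestamp> <event>" and the event names are assumptions, and the 99-event buffer is the limit the framework notes for these units.

```python
"""Review of encryption-device events for failed daily key exchange and
bypass (added example, not part of the framework).

The event export below is constructed; the record layout
"<unit> <ISO timestamp> <event>" and the event names are assumptions. The
99-event buffer limit is the one the framework notes for these units.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import date, datetime

EVENT_BUFFER = 99

SAMPLE_EVENTS = """\
ENC-01 1998-10-04T02:00:03 KEY_EXCHANGE_OK
ENC-01 1998-10-05T02:00:02 KEY_EXCHANGE_OK
ENC-02 1998-10-04T02:00:05 KEY_EXCHANGE_OK
ENC-02 1998-10-05T02:00:07 KEY_EXCHANGE_FAIL
ENC-02 1998-10-05T02:05:07 KEY_EXCHANGE_FAIL
ENC-03 1998-10-04T02:00:01 KEY_EXCHANGE_OK
ENC-03 1998-10-05T02:00:01 KEY_EXCHANGE_OK
ENC-03 1998-10-05T11:42:19 BYPASS_ON
ENC-04 1998-10-05T02:00:09 KEY_EXCHANGE_OK
ENC-04 1998-10-05T13:00:00 BYPASS_ON
ENC-04 1998-10-05T13:20:00 BYPASS_OFF
"""
# ENC-05 is in the circuit inventory but reported nothing at all.
UNITS_IN_INVENTORY = {"ENC-01", "ENC-02", "ENC-03", "ENC-04", "ENC-05"}
REVIEW_DAY = date(1998, 10, 5)


def parse_events(text: str) -> dict[str, list[tuple[datetime, str]]]:
    events: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for line in text.splitlines():
        unit, ts, event = line.split()
        events[unit].append((datetime.fromisoformat(ts), event))
    for lst in events.values():
        lst.sort()
    return events


def review_day(text: str, day: date, units_expected: set[str]) -> dict[str, list[str]]:
    """Findings for one daily review.

    no_daily_exchange  no KEY_EXCHANGE_OK on `day`: failed, or silent (which
                       may mean the unit is inoperable or not reporting)
    in_bypass          latest BYPASS_* event leaves the unit passing cleartext
    bypass_episodes    entered bypass during `day`, even if since cleared, so
                       the notification SLA can be checked against tickets
    buffer_risk        at least EVENT_BUFFER events on `day`: with a 99-event
                       buffer, earlier events may already have been lost
    """
    events = parse_events(text)
    findings: dict[str, list[str]] = {
        "no_daily_exchange": [], "in_bypass": [], "bypass_episodes": [], "buffer_risk": []}
    for unit in sorted(units_expected):
        history = events.get(unit, [])
        todays = [ev for ts, ev in history if ts.date() == day]
        if "KEY_EXCHANGE_OK" not in todays:
            findings["no_daily_exchange"].append(unit)
        bypass_events = [ev for _, ev in history if ev.startswith("BYPASS_")]
        if bypass_events and bypass_events[-1] == "BYPASS_ON":
            findings["in_bypass"].append(unit)
        if "BYPASS_ON" in todays:
            findings["bypass_episodes"].append(unit)
        if len(todays) >= EVENT_BUFFER:
            findings["buffer_risk"].append(unit)
    return findings


if __name__ == "__main__":
    for category, units in review_day(SAMPLE_EVENTS, REVIEW_DAY, UNITS_IN_INVENTORY).items():
        print(f"{category}: {', '.join(units) or 'none'}")
```

The review is driven from the circuit inventory rather than from the log, which is what catches a unit that has stopped reporting; a review that only reads whatever events arrived would never list ENC-05.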
Control technique: Does the cryptographic key distribution methodology in place comply with the ANSI X9.17 and X9.24 standards?
Compliance procedure: DES is the approved standard. (DES was the FIPS-approved algorithm, FIPS 46, when this framework was written; it has since been withdrawn, so an assessor applying this item today should test against the currently approved algorithms and the current edition of ANSI X9.24.)
Control technique: Is the master encryption key change procedure documented and in place?
Compliance procedure: Management must sign the logs. Review the procedure for MASTER key generation, the distribution scheme and record keeping. Refer to the vendor manuals for the detailed process. For manually keyed devices, the key must be changed at least once a year. For devices that use a management system, keys can be distributed automatically.

Control technique: Do the encryption devices that have manual key exchange features use a tamper-resistant encryption key transport and storage device?
Compliance procedure: Logs must be dated and signed by management. Cryptographic hardware must meet the physical security requirements of Federal Information Processing Standard (FIPS) 140-1 (since superseded by FIPS 140-2 and 140-3); note that the standard specifies tamper evidence, detection and response by security level rather than "tamper proof". Key material must be protected from unauthorized access, and the device must zeroize it automatically when tampering is detected.

Control technique: Is all data that requires protection encrypted on all systems that process sensitive information?
Compliance procedure: Standards require encryption over all links that carry this type of data and over which any financial transaction is transmitted. Identify the supported businesses with sensitive information to determine whether Restricted and Confidential data is secured. Refer to the risk level analysis or SLA documentation if available.

Control technique: Do you maintain a list of encrypted and unencrypted circuits, and of which businesses each circuit supports?
Compliance procedure: Refer to the SLA for the encryption requirement and data owner responsibility. Obtain the inventory list of encrypted and unencrypted circuits. Identify which businesses are not compliant. Verify the businesses supported by the encrypted circuits.
Control technique: Are ALL network data transmissions that leave government property (including cases where government personnel do not occupy contiguous floors of a building) encrypted?
Compliance procedure: Identify data circuits that transmit through property or floors not owned by the government. Contact the businesses and obtain approval of the exposure.

Control technique: Are all default encryption keys provided by the vendor changed? Are these keys changed after each new software release?
Compliance procedure: Examine the encryption device configuration against the standards.

Control objective 12.4. Non-Repudiation.

Control technique: Do policies exist for ensuring that, where appropriate, transactions cannot be denied by either party, and that controls are implemented to provide non-repudiation of origin or receipt, proof of submission, and receipt of transactions? This can be implemented through digital signatures, time stamping and trusted third parties.
Compliance procedure: Review policies relating to digital signatures.

Monitoring

Control objective 13.1. Audit trails are maintained.

Control technique: Is all activity involving access to and modification of sensitive or critical files logged?
Compliance procedure: Review security software settings to identify the types of activity logged.

Control objective 13.2. Actual or attempted unauthorized, unusual, or sensitive access is monitored.

Control technique: Are security violations and activities, including failed logon attempts, other failed access attempts, and sensitive activity, reported to management and investigated?
Compliance procedure: Review pertinent policies and procedures. Review security violation reports. Examine documentation showing reviews of questionable activities.

Control objective 13.3. Suspicious access activity is investigated and appropriate action taken.

Control technique: Do security managers investigate security violations and report the results to appropriate supervisory and management personnel?
Compliance procedure: Test a selection of security violations to verify that follow-up investigations were performed and to determine what actions were taken against the perpetrator.
Control technique: Are appropriate disciplinary actions taken?
Compliance procedure: Review procedures and interview the personnel responsible for monitoring activity.

Control technique: Are violations summarized and reported to senior management?
Compliance procedure: Interview senior management and the personnel responsible for summarizing violations. Review any supporting documentation.

Control technique: Are access control policies and techniques modified when violations and related risk assessments indicate that such changes are appropriate?
Compliance procedure: Review policies and procedures and interview appropriate personnel. Review any supporting documentation.

Control objective 13.4. Security Surveillance.

Control technique: Is all sensitive activity performed by highly privileged accounts monitored for access and maintenance activity?
Compliance procedure: Verify that an appropriate audit trail is produced whenever a highly privileged account is used. There should be a traceable trouble ticket opened for each use, associated audit trail logs outlining the use, and appropriate signatures showing concurrence with the use.

Datascopes and Sniffers

Control objective 14. Network Monitoring.

Control technique: Is software sniffer technology in use?
Compliance procedure: Determine local policies. If in violation, record an issue.

Control technique: Are there procedures governing the use of hardware sniffers and/or datascopes?
Compliance procedure: Obtain the procedures and determine whether controls are included by answering the following questions.

Control technique: Does management review the log or audit trail on a daily basis to ensure that usage is justified?
Compliance procedure: For the samples previously selected, verify that a management review was performed.
Hub Management

Control objective 15. Hub Management.

Control technique: Has a management tool been installed on all hubs?
Compliance procedure: Verify that the SPEL hub management tool has been installed.

Control technique: Is "Security" turned "On" for all ports on each hub? Are the hubs configured with the disabled-ports, Send Trap and Lock Ports options set, and with the MAC address defined on all hub ports?
Compliance procedure: Ensure that "Security" has been turned "On" for all ports on all hubs. The configuration must have the following settings: disabled ports; Send Trap; Lock Ports; MAC address defined on all hub ports. With the permitted MAC address defined and the port locked, an unknown station plugged into a wall jack is refused and raises a trap instead of silently joining the segment.

Control technique: Is a process in place to update the hub inventory?
Compliance procedure: Verify that a hub inventory process has been developed and implemented.

Control technique: Is an inventory in place for all physical hubs and configured ports?
Compliance procedure: Verify the inventory list for all hubs and check the active ports.

Voice Operations

Control objective 16.1. System-Related.

Control technique: Are maintenance ports configured to prevent direct access from an external line? This would prevent a hack into the PBX.
Compliance procedure: Obtain the PBX configuration listing. In addition, try to access the maintenance ports from an outside line. If the answer is no, record as a comment.

Control technique: Are the lines used for maintenance ports configured through a central office, and do they have a different prefix from the regular phone numbers?
Compliance procedure: Obtain a listing of the maintenance port modem numbers. If the numbers have the same prefix, record as a comment. Review the modem technical description and access line information.
Control technique: Is invalid access to the maintenance ports tracked and reviewed on a real-time basis? Access to the maintenance ports provides the greatest level of access to the system and offers the most potential for abuse.
Compliance procedure: If the system has been outsourced, obtain a letter from the vendor and the vendor's process/procedure for performing this function. If the system is not outsourced and the answer is no, record as a comment. Review PBX maintenance and monitoring procedures.

Control technique: Is there a process to ensure that all systems are backed up at a minimum of every 30 days, and does it include:
- a backup whenever a major system reconfiguration is completed;
- two copies of each backup, with one stored onsite and one offsite; and
- write-protected backup tapes?
Compliance procedure: If no, record as a comment. Review a copy of the process and procedures.

Control objective 16.2. Maintenance Functions.

Control technique: Is access to the maintenance function limited to administrators on a need-to-have basis? Unauthorized access to this function can expose the switch parameters to hacking activity.
Compliance procedure: If outsourced, answer N/A. If not outsourced, obtain a listing of PBX maintenance users and verify that each one's access is essential. If the answer is no, record as a comment. Request a copy of the vendor certifications of training.
Control technique: Do all PBX administrators have their own maintenance IDs and passwords, and are they certified for access to the switch by the vendor? Untrained or uncertified administrators can set unwanted parameters, leading to potential incidents of toll fraud.
Compliance procedure: If the answer is no, record as a comment.

Control technique: Are all administration/maintenance terminals providing access to the telephone system secured at all times? Are terminals logged off when left unattended?

Control technique: Is there a process for HR to notify site management of terminated/resigned employees? This is necessary in order to notify the appropriate management of accounts (voice mail and telephone) which need to be terminated.
Compliance procedure: Check the procedure and verify that documentation of terminated and/or resigned employees is received. If not, record as a comment and obtain the procedures for how management is notified. Request a listing from HR and sample the activity of terminated employees.

Control objective 16.3. Trunking Configuration.

Control technique: Is the "trunk-to-trunk" trunking feature activated?
Compliance procedure: If the answer is yes, record as a comment and review the procedures for managing trunk-to-trunk transfers. Review the PBX configuration printout.
Control technique: Are trunk access codes (TACs) disabled and only enabled for testing purposes, including TAC access to tie trunks (if there is more than one PBX in the complex)?
Compliance procedure: Allowing TAC access to tie trunks on your switch may give the caller access to the Trunk Verification feature on the switch. If not properly administered, a caller may be able to dial 9 or the TACs in the other switch. Toll hackers can choose a menu option that allows an extension number that provides access to an outside line. Check the PBX configuration files for the presence of trunk access codes. If the answer is no, record as a comment.

Control technique: Is all Direct Inward System Access (DISA) functionality, which allows an external caller to gain access to PBX system features or trunks, disabled? Remote access to these features may result in toll fraud and system abuse.
Compliance procedure: Check the Class of Service (COS) to verify that DISA is disabled. If the answer is no, record as a comment. For Lucent Definity G3 type switches, the COS table will have no reference to DISA unless it is enabled.

Control technique: Is access to any known "pay per call" service restricted (i.e., 900, 976, selected 809)? Access to these numbers may cause unwarranted or fraudulent charges.
Compliance procedure: Check the ARS table to verify that the numbers are restricted. If the answer is no, record as a comment.

Control technique: Does the PBX, except for COB purposes, restrict the codes used for alternate long distance carriers? If not controlled, hackers can dial out by using carrier codes that bypass the routing restrictions placed on the primary carrier.
Compliance procedure: Check the PBX configuration files for long distance carrier restrictions. If the answer is no, record as a comment.
Control technique: Is the PBX set up so that the long distance carrier of choice (e.g., AT&T in the US) is the primary carrier for all long distance calls? And are secondary carriers only used in the event of an outage of the primary carrier?
Compliance procedure: Obtain telephone bills and verify that no calls are charged to a secondary carrier (MCI, for example) except in an emergency. If the answer is no, record as a comment.

Control objective 16.4. Class of Service (COS)/Class of Restriction (COR) Configuration.

Control technique: Do semi-annual reviews of the COS levels and CORs take place in light of changing business requirements, improved carrier services, system usage, and organizational re-engineering? This is necessary to ensure that entitlements do not exceed the requirements of the business, resulting in conditions that may lead to system abuse.
Compliance procedure: Select a sample of added, changed and deleted subscribers and verify that procedures are being followed and executed in a satisfactory and timely manner. Determine the date of the last review of CORs and COS with the business and verify the review. If the answer is no, record as a comment.

Control technique: Is external call forwarding disabled in all COSs, including the fax machine/modem COS? This prevents a user from forwarding an extension to an outside number.
Compliance procedure: Check the COS to verify that only internal call forwarding is allowed. In addition, test the control by trying to forward a phone to an outside number. If the answer is no, record as a comment.

Control technique: Are Privileged Abbreviated Dialing Group Lists present on the PBX? These numbers can be used to bypass any COS restrictions and should be restricted to authorized, business-related numbers only.
Compliance procedure: Check the PBX configuration files for the presence of speed dialing numbers. If the answer is yes, record as a comment.
Control technique: Is access to the outside operator (0, 00, 01, 011, 411, 1411, 611, 1611, 555-1212, and xxx-555-1212) restricted? This is to prevent an operator from connecting a call through to another number.
Compliance procedure: Check the Class of Service (COS) tables, Class of Restriction (COR), Automatic Route Selection (ARS) tables, and the Facility Restriction Levels (FRLs) to verify that operator access is not allowed. If present, record as a comment.

Control technique: Are publicly accessible phones restricted as follows:
- to placing only internal, free local, toll-free, and 911 calls;
- call forwarding deactivated?
Compliance procedure: If the answer is no, record as a comment.

Control technique: Are publicly accessible phones used to request admittance into a secured area restricted as follows:
- to placing 911 and internal calls only;
- call forwarding deactivated?
Compliance procedure: If the answer is no, record as a comment.

Control technique: Is long distance dialing capability restricted during off-hours? This is a prime time for hackers and other users to abuse the system.
Compliance procedure: If no, record as a comment.

Control technique: Are calling cards or authorization codes required after hours for long distance access if the area in question is not a 24-hour operation?
Compliance procedure: If no, record as a comment.
Control objective 16.5. Authorization Codes.

Control technique: Are authorization codes printed in the CDR by employee number rather than by the code itself? Authorization codes obtained by unauthorized personnel from the CDR would expose those codes to toll fraud.
Compliance procedure: If the CDR lists calls by authorization code number, record as a comment.

Control technique: Are group or generic account authorization numbers used for visitors? Generic or group accounts prevent accountability of individuals for toll charges.
Compliance procedure: If yes, record as a comment, since the CDR report cannot then identify an individual's long distance charges.
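Most of the toll-fraud indicators in this section (pay-per-call numbers, operator and directory-assistance codes, international and off-hours long distance, calls placed without an authorization code, and calls on a generic visitor code) can be read straight out of the call detail records. The Python below is an added example for this edition, not part of the KPMG/CIAO framework text; it classifies each record of a constructed CDR extract and lists the calls an assessor should trace to an approval or a trouble ticket. The CDR layout, the business-hours window, the generic visitor reference and the prefix lists are assumptions; in line with the item above, the extract carries an auth code reference, not the code itself.

```python
"""Call detail record (CDR) review for the toll-fraud indicators in this
section (added example, not part of the framework).

The CDR extract, its column names, the business-hours window, the generic
visitor reference and the prefix lists are constructed assumptions; the
number classes come from the checklist items (900/976/809, operator and
directory-assistance codes, off-hours long distance, auth codes).
"""
from __future__ import annotations

import csv
import io
from datetime import datetime, time

# auth_ref identifies the authorization code by employee/reference number;
# the code itself is deliberately not in the CDR (see the item above).
SAMPLE_CDR = """\
timestamp,extension,auth_ref,dialed
1998-10-05T09:12:00,4101,E1001,2125551212
1998-10-05T10:05:30,4102,E1002,19005551000
1998-10-05T10:40:10,4103,,0
1998-10-05T22:15:00,4104,E1004,13105550123
1998-10-05T23:05:00,4105,VISITOR,011442071234567
1998-10-05T11:00:00,4106,E1006,4107
1998-10-05T12:30:00,4107,E1007,18005550199
1998-10-05T14:00:00,4108,,12125550100
"""

BUSINESS_HOURS = (time(7, 0), time(19, 0))
PAY_PER_CALL_PREFIXES = ("1900", "900", "1976", "976", "1809")
OPERATOR_CODES = {"0", "00", "01", "011", "411", "1411", "611", "1611"}
TOLL_FREE_PREFIXES = ("1800", "800", "1888", "888")
GENERIC_AUTH_REFS = {"VISITOR"}


def is_off_hours(ts: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)


def classify(dialed: str) -> str:
    """Map a dialed string to the classes the checklist cares about."""
    digits = "".join(ch for ch in dialed if ch.isdigit())
    if digits in OPERATOR_CODES or digits.endswith("5551212"):
        return "operator"               # operator or directory assistance
    if digits.startswith(PAY_PER_CALL_PREFIXES):
        return "pay_per_call"
    if digits.startswith("011"):
        return "international"
    if digits.startswith(TOLL_FREE_PREFIXES):
        return "toll_free"
    if len(digits) <= 5:
        return "internal"
    if len(digits) == 10 or (len(digits) == 11 and digits.startswith("1")):
        return "long_distance"
    return "other"


def review_cdr(cdr_text: str) -> list[tuple[str, str, str]]:
    """(extension, dialed, reason) triples the assessor should trace to an
    approval, a business justification or a trouble ticket."""
    flagged: list[tuple[str, str, str]] = []
    for r in csv.DictReader(io.StringIO(cdr_text)):
        ts = datetime.fromisoformat(r["timestamp"])
        kind = classify(r["dialed"])
        reasons = []
        if kind in ("operator", "pay_per_call", "international"):
            reasons.append(kind)
        if kind in ("long_distance", "international"):
            if not r["auth_ref"]:
                reasons.append("long distance without auth code")
            elif r["auth_ref"] in GENERIC_AUTH_REFS:
                reasons.append("generic auth code")
            if is_off_hours(ts):
                reasons.append("off-hours long distance")
        flagged.extend((r["extension"], r["dialed"], why) for why in reasons)
    return flagged


if __name__ == "__main__":
    for ext, dialed, why in review_cdr(SAMPLE_CDR):
        print(f"ext {ext} -> {dialed}: {why}")
```

A record that carries no reference at all on a long distance call shows the switch is not enforcing the "all long distance requires an Auth Code" rule from the procedures item that follows, which is a configuration finding rather than a user finding.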
Control technique: Are there procedures for managing the authorization (Auth) codes assigned within the system? Do they cover the following items:
- all domestic long distance and international calls require an Auth Code;
- Auth Codes are disabled and a new code issued when compromise is suspected and/or confirmed;
- Auth Codes are disabled when an employee, temp, etc. leaves the organization or relocates to another location;
- Auth Codes must be hand-delivered or sent through registered mail to the requesting party, not sent through e-mail or interoffice mail or delivered by telephone, etc.;
- no "spare" Auth Codes are to be activated?
Compliance procedure: If no, record as a comment.
16.6 Call Management System
Control Technique: Is there a process to manage changes to the CMS system that contains:
- Only the system administrator or back-up controls all write access to VDNs, vectors, and splits.
- The CMS system is partitioned to allow this level of control.
- Deviations are on file for those areas requiring write access to these features and are renewed yearly.
Compliance Procedures: If CMS is installed and the answer is no, record comment. Review a copy of the CMS procedures and configuration and identify deviations.

16.7 Voice Mail System
Control Technique: Does the Voice Mail system require an 8-digit password/PIN? Voice mail accounts must be password protected to prevent unauthorized access to the user voice mail system.
Compliance Procedures: Obtain the Voice Mail configuration file printout and verify. If answer is no, record as a comment.

Control Technique: Does the Voice Mail system disconnect a caller attempting to access the system after 3 invalid PIN attempts are made (within 1 hour for Octel Voice Mail Systems)? If fraudulent use is suspected, notify the vendor and ensure SDT is notified when the mailbox is disabled.
Compliance Procedures: Test the feature by trying to log in with 3 successive invalid PINs. If unauthorized access is suspected, notify the vendor and await assurance that the box has been disabled.
Control Technique: Are new Voice Mail accounts set up with an initial PIN which is unique and which is not the same as the individual's phone extension?
Compliance Procedures: Review the Voice Mail configuration procedures for PIN initialization procedures. If no procedures exist, ask the Voice Mail technician. Test new mailboxes by attempting to access them with the extension number. If a voice mailbox can be accessed, record as comment.

Control Technique: Does the Voice Mail system prohibit external call capability? This prevents a caller from dialing out through the PBX, thus causing the organization to pay for the long distance calls. (Except on Octel Voice Mail Systems for Citifax, Pager Notification and Voice Mail System Networking.)
Compliance Procedures: Obtain the Voice Mail configuration file printout and verify. If answer is no, record as comment.

Control Technique: Does the Voice Mail system detect uninitialized mailboxes? And does the system manager remove them after 45 days?
Compliance Procedures: Review the site's procedures for uninitialized mailboxes. If answer is no, record as comment.

16.8 Call Detail Reporting System
Control Technique: Is there a Call Detail Reporting system installed to keep track of the length of calls and their destination?
Compliance Procedures: If answer is no, record as comment. Review the Call Detail report and configuration.

Control Technique: Is the CDR system logging and tracking the following for adequacy:
- all calls over 15 minutes
- off-hour and holiday usage
- calls over certain dollar amounts
Compliance Procedures: If answer is no, record as comment.
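The conditions above (calls over 15 minutes, off-hour and holiday usage, calls over a dollar threshold) and the "sudden increase in the number of calls" that the monthly management review is meant to catch can be checked mechanically against a CDR export. The following script is an added example, not part of the Framework: the comma-separated record layout is an assumed export format rather than any PBX vendor's actual CDR format, the sample rows are constructed, and the business hours, holiday list, $25 cost threshold and 3x volume factor are assumptions an assessor would replace with the site's own values.

```python
"""Review a Call Detail Record (CDR) export for the checklist conditions:
calls over 15 minutes, off-hour and holiday usage, calls over a dollar
threshold, and a sudden increase in call volume per authorization code.

Added example. The CSV layout is an assumed export format (not a vendor
format) and the sample rows are constructed.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, time

# Constructed sample export (assumption: one call per row, site local time).
SAMPLE_CDR = """\
start,extension,auth_code,dialed,duration_s,cost
1998-10-05 09:12:00,4101,A17,2025551234,240,0.48
1998-10-05 14:30:00,4102,A22,0114420712345678,1260,38.50
1998-10-05 23:45:00,4103,A17,8095551212,180,4.20
1998-11-11 10:00:00,4102,A22,2025551234,120,0.24
1998-10-12 10:00:00,4101,A17,2125550100,4500,9.00
1998-10-12 10:20:00,4101,A17,2125550101,60,0.12
1998-10-12 10:25:00,4101,A17,2125550102,60,0.12
1998-10-12 10:30:00,4101,A17,2125550103,60,0.12
1998-10-12 10:35:00,4101,A17,2125550104,60,0.12
1998-10-12 10:40:00,4101,A17,2125550105,60,0.12
1998-10-12 10:45:00,4101,A17,2125550106,60,0.12
"""

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed site hours
HOLIDAYS = {"1998-11-11"}                   # assumed site holiday list
LONG_CALL_SECONDS = 15 * 60                 # "all calls over 15 minutes"
COST_THRESHOLD = 25.00                      # assumed dollar threshold
SPIKE_FACTOR = 3                            # assumed: > 3x baseline volume


def parse_cdr(text):
    """Parse the export into dicts with typed fields."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "start": datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S"),
            "extension": row["extension"],
            "auth_code": row["auth_code"],
            "dialed": row["dialed"],
            "duration_s": int(row["duration_s"]),
            "cost": float(row["cost"]),
        })
    return records


def is_off_hours(ts):
    """True on weekends, listed holidays, or outside business hours."""
    if ts.date().isoformat() in HOLIDAYS or ts.weekday() >= 5:
        return True
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)


def flag_records(records):
    """Return (record, reasons) for every call matching a checklist condition."""
    flagged = []
    for r in records:
        reasons = []
        if r["duration_s"] > LONG_CALL_SECONDS:
            reasons.append("long_call")
        if r["cost"] > COST_THRESHOLD:
            reasons.append("high_cost")
        if is_off_hours(r["start"]):
            reasons.append("off_hours")
        if reasons:
            flagged.append((r, reasons))
    return flagged


def daily_spikes(records, factor=SPIKE_FACTOR):
    """Flag (auth_code, day, count, baseline) where a day's call count exceeds
    factor x the mean daily count of that code's other days. A code seen on
    only one day has no baseline and is skipped."""
    per_code = defaultdict(Counter)
    for r in records:
        per_code[r["auth_code"]][r["start"].date().isoformat()] += 1
    spikes = []
    for code, days in per_code.items():
        if len(days) < 2:
            continue
        for day, n in days.items():
            others = [c for d, c in days.items() if d != day]
            baseline = sum(others) / len(others)
            if n > factor * baseline:
                spikes.append((code, day, n, baseline))
    return spikes


if __name__ == "__main__":
    recs = parse_cdr(SAMPLE_CDR)
    for r, reasons in flag_records(recs):
        print(r["start"], r["extension"], r["auth_code"], r["dialed"], ", ".join(reasons))
    for code, day, n, base in daily_spikes(recs):
        print(f"volume spike: auth code {code} placed {n} calls on {day} (baseline {base:.1f}/day)")
```

Run against the constructed rows, the script flags the 21-minute $38.50 international call, the 23:45 call, the holiday call and the 75-minute call, and reports auth code A17 jumping from 2 calls per day to 7. Whether a flagged call is abuse still needs the management review the checklist asks for; the script only produces the exception list that review should start from.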
Control Technique: Are CDR reports reviewed by management every month or whenever an apparent problem occurs (e.g., a sudden increase in the number of calls)? Failure to provide supported business units with CDR reports deprives them of a prime management tool to control costs and prevent possible fraud or system abuse.
Compliance Procedures: Obtain copies of old reports and look for signoff. If no, record as comment.

Control Technique: Does a Contingency plan exist for the PBX? Does it address the issues outlined in the Continuity of Services and Operations questionnaire?
Compliance Procedures: If no, record as comment. Review a copy of the site COB Plan.

Control Technique: Are Emergency Bypass Phones installed at the site and are they installed as follows:
- Phones are connected to non-PBX lines, i.e., CO/DOD, 1FB/1MB, or Centrex lines.
- Phones allow the full range of out-dial access except for 900, 976 and international calling.
Compliance Procedures: If no, record as comment. Review a copy of the Emergency Bypass Phone configuration, including the location of all phones, and procedures.

16.9 Miscellaneous
Control Technique: Is there a process for producing and reviewing system error reports and logs that provides for:
- review on a daily basis
- unauthorized access attempts
- multiple invalid password attempts
- high rates of usage?
Compliance Procedures: If no, record as comment.

16.10 Policies & Procedures
Control Technique: Is an up-to-date Voice Policy and Procedure Manual (PCM) in place and in use?
Compliance Procedures: Check the Voice PCM and ensure policies and required reviews are up to date.
Appendix C:
Segregation of Duties
Control Objectives / Control Technique / Compliance Procedures
Policies
1.1 Incompatible duties have been identified and policies implemented to segregate these duties.
Control Technique: Do policies and procedures exist for segregating duties? If so, are they up-to-date?
Compliance Procedures: Review pertinent policies and procedures. Interview selected management and IS personnel regarding segregation of duties.

Control Technique: Are distinct systems support functions performed by different individuals, including the following?
- IS management
- System design
- Application programming
- Systems programming
- Quality assurance/testing
- Library management and change management
- Computer operations
- Production control and scheduling
- Data control
- Data security
- Data administration
Compliance Procedures: Review an agency organization chart showing IS functions and assigned personnel. Interview selected personnel and determine whether functions are appropriately segregated. Determine whether the chart is current and different individuals staff each function. Review relevant alternate or backup assignments and determine whether the proper segregation of duties is maintained. Observe activities of personnel to determine the nature and extent of the compliance with the intended segregation of duties.
Control Technique: Do any individuals have complete control over incompatible transaction processing functions? Specifically, are the following combinations of functions performed by a single individual?
- Data entry and verification of data
- Data entry and its reconciliation to output
- Input of transactions for incompatible processing functions (e.g., input of vendor invoices, and purchasing and receiving information)
- Data entry and supervisory override functions (e.g., authorizing a rejected transaction to continue processing that exceeds some limit requiring a supervisor's review and approval)
Compliance Procedures: Review the organizational chart and interview personnel to determine that assignments do not result in a single person being responsible for the indicated combinations of functions. Observe activities of personnel to determine the nature and extent of the compliance with the intended segregation of duties.
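The two checks above (distinct individuals for each systems support function, and no single person holding an incompatible pair of transaction functions) reduce to a conflict search over the organization chart, and the compliance procedure for the first check also asks that alternate or backup assignments be held to the same rule. The script below is an added example, not part of the Framework: the support functions and incompatible pairs are taken from the two lists above, the staff assignments are constructed, and the primary/backup role field is an assumption about how the chart records alternates.

```python
"""Find segregation-of-duties conflicts in a list of duty assignments.

Added example. The function lists come from the checklist; the assignments
are constructed, and the "primary"/"backup" role field is an assumption
about how alternate assignments are recorded.
"""
from collections import defaultdict
from itertools import combinations

# Systems support functions the checklist says should have distinct holders.
SUPPORT_FUNCTIONS = [
    "IS management", "System design", "Application programming",
    "Systems programming", "Quality assurance/testing",
    "Library management and change management", "Computer operations",
    "Production control and scheduling", "Data control", "Data security",
    "Data administration",
]

# Transaction-processing combinations the checklist names as incompatible.
INCOMPATIBLE_PAIRS = {
    frozenset({"Data entry", "Data verification"}),
    frozenset({"Data entry", "Output reconciliation"}),
    frozenset({"Vendor invoice input", "Purchasing/receiving input"}),
    frozenset({"Data entry", "Supervisory override"}),
}

# Constructed assignments: (person, function, "primary" or "backup").
ASSIGNMENTS = [
    ("alice", "Application programming", "primary"),
    ("alice", "Computer operations", "backup"),       # alternate for bob
    ("bob", "Computer operations", "primary"),
    ("carol", "Data entry", "primary"),
    ("carol", "Supervisory override", "primary"),
    ("dave", "Vendor invoice input", "primary"),
    ("dave", "Purchasing/receiving input", "backup"),
    ("erin", "Data security", "primary"),
    ("erin", "Data administration", "primary"),
    ("frank", "Data verification", "primary"),
]


def duties_by_person(assignments, include_backups=True):
    """Map each person to the set of functions they hold; backups count
    unless include_backups is False."""
    held = defaultdict(set)
    for person, function, role in assignments:
        if role == "primary" or include_backups:
            held[person].add(function)
    return held


def find_conflicts(assignments, include_backups=True):
    """Return sorted (person, function_a, function_b) triples where one
    person holds two support functions or an incompatible pair."""
    support = set(SUPPORT_FUNCTIONS)
    conflicts = []
    for person, functions in duties_by_person(assignments, include_backups).items():
        for a, b in combinations(sorted(functions), 2):
            if {a, b} <= support or frozenset({a, b}) in INCOMPATIBLE_PAIRS:
                conflicts.append((person, a, b))
    return sorted(conflicts)


if __name__ == "__main__":
    for person, a, b in find_conflicts(ASSIGNMENTS):
        print(f"{person}: holds both '{a}' and '{b}'")
```

With the constructed chart, the check reports four conflicts; two of them (alice's backup for computer operations, dave's backup for purchasing/receiving input) only appear because backups are included, which is exactly the gap the "alternate or backup assignments" procedure is meant to close. A review that looked only at primary holders would see two.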
Control Technique: Are data processing personnel also users of information systems? Do data processing personnel or security managers initiate, input, or correct transactions?
Compliance Procedures: Determine through interview and observation whether data processing personnel and security managers are prohibited from these activities.

Control Technique: Are day-to-day operating procedures for the data center adequately documented and are prohibited actions identified?
Compliance Procedures: Review the adequacy of documented operating procedures for the data center.
Control Technique: Do departures from standard job schedules occur?
Compliance Procedures: Review procedures that identify, investigate, and approve departures from standard job schedules.

Control Technique: Are regularly scheduled vacations and periodic job/shift rotations required (see SP-4.1 on personnel policies)?
Compliance Procedures: Individuals performing incompatible duties and conducting inappropriate actions could be detected when another individual undertakes those duties. Requiring vacations and rotations helps detect such actions.

Control Technique: Do documented job descriptions include definitions of the technical knowledge, skills, and abilities required for successful performance in the relevant position, and can they be used for hiring, promoting, and performance evaluation purposes?
Compliance Procedures: Review job descriptions and interview management personnel.

1.2 Employees understand their duties and responsibilities.
Control Technique: Do all employees fully understand their duties and responsibilities, and carry out those responsibilities in accordance with their job descriptions?
Compliance Procedures: Interview personnel filling positions for the selected job descriptions (see above). Determine if the descriptions match their understanding of their duties and responsibilities and whether additional duties are undertaken that are not reflected in their job descriptions.

Control Technique: Is senior management responsible for providing adequate resources and training to ensure that segregation of duty principles are understood and established, enforced, and institutionalized within the organization?
Compliance Procedures: Determine from interviewed personnel whether senior management has provided adequate resources and training to establish, enforce, and institutionalize the principles of segregation of duties.
Control Technique: Are responsibilities for restricting access by job positions in key operating and programming activities clearly defined, understood, and followed?
Compliance Procedures: Interview management personnel in these activities.

Access Controls to Enforce Segregation of Duties
2. Establish access controls to enforce segregation of duties
Control Technique: Are management reviews performed to determine that control techniques for segregating incompatible duties are functioning as intended and that the control techniques in place are maintaining risks within acceptable levels (e.g., periodic risk assessments)?
Compliance Procedures: Determine what reviews are conducted to assess the adequacy of duty segregation. Obtain and review results of such reviews.

Operating Procedures, Supervision, and Review
3.1 Formal procedures provide guidance for the performance of personnel activities
Control Technique: Do detailed, written instructions exist and are they followed for the performance of work?
Compliance Procedures: Review manuals. Interview supervisors and personnel. Observe processing activities.

Control Technique: Do operator instruction manuals provide guidance on system operation?
Compliance Procedures: Review manuals.

Control Technique: Do application run manuals provide instruction on operating specific applications?
Compliance Procedures: Review manuals.

Control Technique: Are operators prevented from overriding file label or equipment error messages?
Compliance Procedures: Interview supervisors and personnel.
3.2 Active supervision and review are provided for all personnel
Control Technique: Are personnel provided adequate supervision and review, including each shift for computer operations?
Compliance Procedures: Interview supervisors and personnel. Observe processing activities. Review history log reports for signatures indicating supervisory review. Determine who is authorized to IPL the system, what steps are followed, and what controls are in place to monitor console activity during the process. Determine whether operators override the IPL parameters.

Control Technique: Are all operator activities on the computer system recorded on an automated history log?
Compliance Procedures: Interview management. Review history logs.

Control Technique: Is system startup monitored and performed by authorized personnel? Are parameters set during the initial program load (IPL) in accordance with established procedures?
Compliance Procedures: Interview management and subordinate staff. Review procedures that identify the tasks associated with documenting, periodically testing, and adjusting start-up processes.
Appendix D:
Continuity of Services and Operations
Control Objectives / Control Technique / Compliance Procedures
Business Continuity Plan
1.1 Resources supporting critical operations are identified.
Control Technique: Have resources supporting critical operations been identified and documented? Do identified resources include:
- computer hardware,
- computer software,
- computer supplies,
- system documentation,
- telecommunications,
- office facilities and supplies, and
- human resources?
Compliance Procedures: Review related documentation. Interview program and security administration officials.

1.2 Critical Information Technology Resources are identified.
Control Technique: Does the continuity plan identify the critical application programs, third-party services, operating systems, personnel and supplies, data files and time frames needed for recovery after a disaster occurs?
Compliance Procedures: Review BCP.

1.3 Availability Plan.
Control Technique: Does senior management establish goals concerning the availability of data processing and on-line services?
Compliance Procedures: Interview senior management, data processing management, and user management. Review supporting documentation.

Control Technique: Has management established an availability plan to achieve, monitor and control the availability of information services?
Compliance Procedures: Obtain and review minutes of meetings discussing capacity planning and performance measurement.
1.4 Emergency processing priorities are established.
Control Technique: Have emergency processing priorities been documented and approved by appropriate program and data processing managers?
Compliance Procedures: Review related policies. Review related documentation. Interview program and security administration officials.
1.5 Information Technology Continuity Plan Contents
Control Technique: Does the Continuity of Service Plan contain the following:
- Guidelines on how to use the continuity plan;
- Emergency procedures to ensure the safety of all affected staff members;
- Response procedures meant to bring the business back to the state it was in before the incident or disaster;
- Recovery procedures meant to bring the business back to the state it was in before the incident or disaster;
- Procedures to safeguard and reconstruct the home site;
- Co-ordination procedures with public authorities;
- Communication procedures with stakeholders: employees, key customers, critical suppliers, stockholders and management; and
- Critical information on continuity teams, affected staff, customers, suppliers, public authorities and media?
Compliance Procedures: Review BCP.
1.6 Maintaining the Information Technology Continuity Plan
Control Technique: Are there, in the BCP, change control procedures ensuring that the continuity plan is up-to-date and reflects actual business requirements?
Compliance Procedures: Review BCP.

1.7 Information Technology Continuity Plan Distribution
Control Technique: Given the sensitive nature of the information in the continuity plan, is the BCP distributed only to authorized personnel, safeguarded against unauthorized disclosure, and distributed by section on a need-to-know basis?
Compliance Procedures: Review BCP.

1.8 Information Technology Continuity Plan Training
Control Technique: Does the disaster continuity methodology ensure that all concerned parties receive regular training sessions regarding the procedures to be followed in case of an incident or disaster?
Compliance Procedures: Review BCP.

1.9 Testing the Information Technology Continuity Plan
Control Technique: Does management assess the adequacy of test results?
Compliance Procedures: Review BCP testing procedures.
Control Technique: On successful resumption of the information services function after a disaster or a test, has management established procedures for assessing the adequacy of the plan and updating the plan accordingly?
Compliance Procedures: Review BCP and results of recent test or disaster. Note any corrective actions and modifications to the plan to incorporate them.

Resource Management - COB
2.1 Manage performance and capacity
Control Technique: The management process should ensure that business needs are identified regarding availability and performance of information services and converted into availability terms and requirements.
Compliance Procedures: Analysis should be conducted on system failures and irregularities pertaining to frequency, degree of impact and amount of damage.

Control Technique: Does the performance management process include forecasting capability to enable problems to be corrected before they affect system performance?
Compliance Procedures: Review the performance management process.
2.2 Workload forecasting
Control Technique: Are controls in place to ensure that workload forecasts are prepared to identify trends and to provide information needed for the capacity plan?
Compliance Procedures: Obtain and analyze trend analysis reports.

2.3 Capacity management of resources
Control Technique: Is there a planning process for the review of hardware performance and capacity to ensure that cost-justifiable capacity always exists to process the agreed workloads and to provide the required performance quality and quantity prescribed in service level agreements?
Compliance Procedures: Review procedures and capacity studies.

Control Technique: Are fault tolerance mechanisms, prioritizing tasks and equitable resource allocation mechanisms in use?
Compliance Procedures: Review fault tolerance mechanisms in use.
Control Technique: Has management ensured the timely acquisition of required capacity, taking into account aspects such as resilience, contingency, workloads and storage plans?
Compliance Procedures: Review capacity and resource plans and workload planning documents. Review results of contingency tests.

2.4 System maintenance is performed with the least amount of impact.
Control Technique: Is advance notification on hardware changes given to users so that service is not unexpectedly interrupted?
Compliance Procedures: Review hardware change procedure.

Control Technique: Is routine periodic hardware preventative maintenance scheduled and performed in accordance with vendor specifications, and in a manner that minimizes the impact on operations?
Compliance Procedures: Interview data processing and user management. Review maintenance documentation.

Control Technique: Is regular and unscheduled maintenance performed and documented?
Compliance Procedures: Check maintenance procedures and maintenance logs.
2.5 Ensure continuous service
Control Technique: Information services function management is to create a continuity framework which defines the roles, responsibilities, the risk-based approach/methodology to be adopted, and the rules and structures to document the plan as well as the approval procedures.
Compliance Procedures: Review the continuity framework. Review the rules and structures used to document the COB plan. Review the approval procedures.

Control Technique: Has the business unit head appointed a response team to coordinate recovery actions during and after a contingency?
Compliance Procedures: If yes, verify that the response team is part of the annual contingency test.

Control Technique: Does the COB plan include procedures on how to alert individuals on where to go in case of a contingency?
Compliance Procedures: If yes, verify that updated maps, travel information, and escalation plans are included in the COB.

Control Technique: Does the COB plan call for all associated business units to be alerted to any deficiencies in the contingency process?
Compliance Procedures: If yes, ask for and review any alert messages associated with failed or deficient parts of the plan and testing process and verify that all business units were notified.
2.6 Information Technology Continuity Plan
Control Technique: Management should ensure that the Information Technology Continuity Plan is in line with the overall BCP to ensure consistency.
Compliance Procedures: Interview senior management.

2.7 Ensure business review of Continuity of Business (COB) Plan
Control Technique: Has the COB plan been reviewed by the business head on an annual basis or after a major change has occurred?
Compliance Procedures: Verify the COB plan contains a section showing the proper business signoffs showing plan acceptance.

Control Technique: Is the COB plan reviewed at least semi-annually by a responsible person to verify that all sections are up to date (e.g., personnel, phone numbers, sites)?
Compliance Procedures: Verify the COB plan contains a section showing the signature of the person who updated the plan.
Contingency Plan
3.1 An up-to-date contingency plan is documented.
Control Technique: Has a contingency plan been documented that:
- reflects current conditions,
- has been approved by key affected groups, including senior management, data center management, and program managers,
- clearly assigns responsibilities for recovery,
- includes detailed instructions for restoring operations (both operating system and critical applications),
- identifies the alternate processing facility and the back-up storage facility,
- includes procedures to follow when the data/service center is unable to receive or transmit data,
- identifies critical data files,
- is detailed enough to be understood by all agency managers,
- includes
Compliance Procedures: Review the contingency plan and compare its provisions with the most recent risk assessment and with a current description of automated operations. Interview senior management, data center management, and program managers.
3.2 Contingency plan addresses all components.
Control Technique: Is spare or backup hardware used to provide a high level of system availability for critical and sensitive applications?
Compliance Procedures: Interview data center management.

Control Technique: Does the plan provide for backup personnel so that it can be implemented independent of specific individuals?
Compliance Procedures: Review the contingency plan.

Control Technique: Have user departments developed adequate manual/peripheral processing procedures for use until operations are restored?
Compliance Procedures: Interview senior management, data center management, and program managers.

Control Technique: Are several copies of the current contingency plan securely stored off-site at different locations?
Compliance Procedures: Observe copies of the contingency plan held off-site.

Control Technique: Is the contingency plan periodically reassessed and, if appropriate, revised to reflect changes in hardware, software, and personnel?
Compliance Procedures: Review the plan and any documentation supporting recent plan reassessments.
3.3 The plan is periodically tested.
Control Technique: Has the current plan been tested under conditions that simulate a disaster?
Compliance Procedures: Review policies on testing. Review test results. Observe a disaster recovery test.

Control Technique: Have test results been documented and has a report, such as a "lessons learned" report, been developed and provided to senior management?
Compliance Procedures: Review final test report. Interview senior managers to determine if they are aware of the test results.

Control Technique: Were the contingency plan and related agreements and preparations adjusted to correct any deficiencies identified during testing?
Compliance Procedures: Review any documentation supporting contingency plan adjustments.
Service Level Agreement Management
4.1 Service level agreement frameworks are established
Control Technique: Has senior management defined a framework wherein it promotes the definition of formal service level agreements and defined the minimal contents?
Compliance Procedures: Review service level agreements. Users and the information services function should have a written agreement which describes the service level in qualitative and quantitative terms. The agreement defines the responsibilities of both parties. The information services function must offer the agreed quality and quantity of service and the users must constrain the demands they place upon the service within the agreed limits.
4.2 Aspects of service level agreements
Control Technique: Do the service level agreements cover, at least, the following aspects: availability, reliability, performance, capacity for growth, levels of support provided to users, continuity planning, security, minimum acceptable level of satisfactorily delivered system functionality, restrictions (limits on the amount of work), service charges, central print facilities (availability), central print distribution and change procedures?
Compliance Procedures: Review service level agreements and performance tracking measures.

4.3 Performance procedures
Control Technique: Are procedures in place to ensure that the manner of and responsibilities for performance governing relations (e.g., non-disclosure agreements) between all involved parties are established, coordinated, maintained and communicated to all affected departments?
Compliance Procedures: Obtain evidence of legal review/approval of the contract.
4.4 Monitoring and reporting
Control Technique: Are service functions monitored by a service level manager who is responsible for monitoring and reporting on the achievement of the specified service performance criteria and all problems encountered during processing?
Compliance Procedures: Review performance-tracking methods. The monitoring statistics should be analyzed on a timely basis. Appropriate corrective action should be taken and failures should be investigated.

4.5 Review of service level agreements and contracts
Control Technique: Does management perform a regular review process for service level agreements and underpinning contracts with third-party service providers?
Compliance Procedures: Obtain evidence of review.

Data Center Management
5.1 Organization of data center
Control Technique: Are the equipment layout designs (floor plans) current?
Compliance Procedures: Obtain floor plans.

Control Technique: Are cabinets/frames spaced so that equipment is a minimum of 36" from the back walls or from the next bank of cabinets/frames?
Compliance Procedures: Verify that equipment is spaced properly either through measurement or through the floor plan.
Control Technique: Are all systems labeled to assure proper usage (e.g., router name, IP address, node name, etc.)?
Compliance Procedures: Perform a walkthrough, select certain equipment and verify the accuracy of labels.

Control Technique: Is all equipment (e.g., ports, patch panels) and cabling properly labeled end to end?
Compliance Procedures: Select various equipment types (ports, patch panels, etc.) and cables and verify the accuracy of the labels.

Control Technique: Does the site have procedures for preparing for the shutdown and start-up of equipment during regularly scheduled building power outages?
Compliance Procedures: Obtain procedures and determine whether all types of equipment are addressed. In many cases, equipment must be brought down and up gradually so as not to cause additional problems.

Control Technique: Is UPS installed on key equipment?
Compliance Procedures: Obtain a list of equipment on UPS. Determine whether the list is comprehensive enough.
Control Technique: Do procedures exist to periodically test the UPS equipment and are they based on the manufacturer's recommendations?
Compliance Procedures: Obtain UPS test procedures. Verify that testing frequency is adequate, based on manufacturer's instructions. Verify tests were performed according to that frequency.

Control Technique: Are UPS batteries checked to ensure that they will function properly in a contingency situation?
Compliance Procedures: Obtain procedures for monitoring battery power. Most batteries are only guaranteed for 5 years and should be checked periodically to avoid potential problems during power outages.

Control Technique: Is the capacity of the UPS checked periodically?
Compliance Procedures: Determine the amps needed to support the equipment. Review test results to determine if the number of amps provided by the UPS addresses the need. Check with the building engineer if necessary.
Control Technique: Is the UPS being charged when the facility is operating under backup power?
Compliance Procedures: Obtain evidence from building management that the UPS is charged while backup generators are functioning, in order to avoid any power disruptions.

Control Technique: Is the UPS automatically switched to the generators in the event of a power outage?
Compliance Procedures: Verify that the switch is made automatically either by reviewing test results or through interviews with building management.

Control Technique: Are generators in use for backup power for the facility?
Compliance Procedures: Determine the existence of such generators.

Control Technique: Are generators tested in accordance with manufacturers' requirements? Is the testing of building generators tied to testing the on-site contingency requirements of the unit?
Compliance Procedures: Obtain evidence of testing performed from management. Determine whether testing requirements were met by reviewing manufacturer's documentation and how test results are tied to the COB plan.

Control Technique: Is emergency lighting in place in the event of a power failure?
Compliance Procedures: Perform a walk-through to determine the existence of emergency lighting.
Control Technique: Are emergency exit signs lighted by their own power?
Compliance Procedures: Perform a walk-through to ensure that exit signs will be illuminated in the event of a power failure.

Control Technique: Are "Exit" and "No Smoking" signs visibly posted in the facility?
Compliance Procedures: Perform a walk-through of the area in question. Identify all exits and determine whether Exit and No Smoking signs are visible.

Control Technique: Is there an emergency power cutoff switch?
Compliance Procedures: Perform a walk-through of the area. Determine the existence of such a power switch.

Control Technique: Is there a first aid kit readily available in the facility?
Compliance Procedures: Determine the existence of a kit. If a kit does not exist, record as an issue.

Control Technique: Are emergency numbers (fire, security, medical) posted in the data center or affixed to all phones?
Compliance Procedures: Perform a walk-through of the area. Determine whether emergency numbers are visible to personnel.

Control Technique: Is the facility, including desks, well maintained, e.g., neat and clean?
Compliance Procedures: Perform a walk-through of the area. Determine whether the area is neat and clean.
Control Technique: Are forms, papers, and other supplies kept to a minimum and stored in a manner that does not represent a safety hazard?
Compliance Procedures: Perform a walk-through of the area. Determine whether materials are stored properly so as not to cause a safety concern.

Control Technique: Is all cabling routed neatly and tie-wrapped (with excess cabling removed), especially where there are large percentages of legacy equipment?
Compliance Procedures: Perform a walk-through of the area. Through observation, establish whether cables are routed and secured properly.

Control Technique: If raised floors exist in the data center, is the area under the floor inspected monthly and cleaned every six months?
Compliance Procedures: If raised floors are in use, obtain evidence of monthly inspection and cleaning. If necessary, perform your own inspection.

Control Technique: Is there a fire alarm system installed consisting of manual and automatic sub-systems?
Compliance Procedures: Verify records from management that the systems are installed.

Control Technique: Is the manual fire alarm system tested quarterly and the automatic system tested annually by the building/facility?
Compliance Procedures: Verify records from management that the systems were tested as required.
Control technique: Does the automatic fire alarm sub-system include automatic detection devices, i.e., smoke, heat, and flame detectors?
Compliance procedures: Verify records from management that automatic fire detection devices include smoke, heat, and flame detectors.

Control technique: Does the fire detection system set off an audible alarm in the facility/building, security office and/or local fire department?
Compliance procedures: Determine the existence of fire alarm systems and whether the alarm is audible.

Control technique: Are automated fire suppression devices installed?
Compliance procedures: All facilities must have suppression devices.

Control technique: Are automated fire suppression devices tested each year and is evidence of this testing maintained?
Compliance procedures: Verify records from management that devices were tested accordingly.

Control technique: Are fire drills conducted quarterly?
Compliance procedures: Verify that fire drills were conducted by interviewing the fire warden or talking to building personnel.

Control technique: Are the appropriate portable fire extinguishers installed (e.g., water, foam, CO2) based on the type of equipment and materials in the area?
Compliance procedures: Determine the location of each portable fire extinguisher in the area in question and verify that the right type of fire extinguisher is present.
Control technique: Are the portable fire extinguishers checked at least annually or according to local code (e.g., some states require a semi-annual check)?
Compliance procedures: Check each portable fire extinguisher to verify that an authorized agent serviced it within the last year.

Control technique: Is the data center below ground level where water may cause a problem?
Compliance procedures: Evaluate the risk with appropriate management.

Control technique: Is there a manual cutoff valve for water pipes entering the facility?
Compliance procedures: Determine the existence of water pipes either overhead or at ground level or below. If pipes exist, determine whether such a cutoff valve is necessary.

Control technique: Are plastic covers available to protect facility equipment from overhead water leaks?
Compliance procedures: If pipes exist, determine whether plastic covers exist.

Control technique: Are openings, pipes, conduits and cables passing through firewalls sealed to prevent tunneling effects in case of fire?
Compliance procedures: Perform a walk-through of the area. Determine whether such openings present any hazards.
Control technique: Are water detectors installed?
Compliance procedures: The fire/safety standard requires that water detectors be installed in every facility.

Control technique: Are emergency evacuation procedures posted in the data center?
Compliance procedures: Perform a walk-through of the area. Determine the existence of such procedures and whether or not they are posted.

Control technique: Are emergency evacuation procedures reviewed quarterly with the fire warden?
Compliance procedures: Obtain evidence of review from management.

Control technique: Are trashcans in use within each facility constructed from non-combustible materials with a solid bottom and sides, or lined with a non-combustible material?
Compliance procedures: Perform a walk-through of the area. Determine whether trashcans meet the requirements of the standard.

Control technique: Have temperature and humidity gauges been installed and are they being monitored?
Compliance procedures: Determine the location of the devices. Obtain procedures for monitoring the devices. Make sure that the devices are being monitored as required. If devices are not installed or are not being monitored.
Control technique: Is A/C installed in the data center to ensure that room temperatures are in compliance with the manufacturer’s requirements, to limit downtime?
Compliance procedures: Determine if separate A/C units are needed based on the type of equipment in use. If the building provides A/C, ensure that temperatures are being monitored and precautions (e.g., fans) are in place to address outages.

Control technique: Is the A/C serviced in accordance with the manufacturer’s requirements?
Compliance procedures: Obtain invoices or service logs showing that separate A/C units were serviced.

Control technique: Are water detectors in place around stand-alone A/C units?
Compliance procedures: Either through observation or by reviewing the floor plan, ensure that water detectors are in place around the A/C units.

Control technique: Have all data center employees received training and do they understand their emergency roles and responsibilities?
Compliance procedures: Interview data center staff.

Control technique: Do data center staff receive periodic training in emergency fire, water, and alarm incident procedures?
Compliance procedures: Review training records. Review training course documentation.
Control technique: Are emergency response procedures documented?
Compliance procedures: Review emergency response procedures.

Control technique: Are emergency procedures periodically tested?
Compliance procedures: Review test policies.

5.2 Archiving
Control technique: Has management implemented a policy and procedures for ensuring that archival meets legal and business requirements, and is properly safeguarded and accounted for?
Compliance procedures: Review policies and procedures.

5.3 Continued integrity of stored data
Control technique: Are there management procedures to ensure that the integrity and correctness of the data kept on files and other media (e.g., electronic cards) is checked periodically? Specific attention should be paid to value tokens, reference files and files containing privacy information.
Compliance procedures: Review procedures.
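The periodic integrity check that control 5.3 asks for is usually implemented as a digest manifest: record a hash of each stored file when it enters the library, keep that manifest on separate access-controlled storage, and recompute on every check. The script below is an added example written for this page, not part of the VAF or its authors' material; the sample files, their names and the optional key are constructed for the illustration.

```python
"""Periodic integrity check of stored data against a digest manifest.

Added example (not part of the VAF): a baseline manifest of SHA-256 digests is
recorded when data is written to the library, and every periodic check
recomputes the digests and reports modified, missing and unexpected files.
Supplying a secret key switches to HMAC-SHA256, so that someone who can alter
the media cannot also regenerate a matching manifest without the key.
"""
import hashlib
import hmac
from typing import Dict, List, Optional

# Constructed sample media library: file name -> contents at baseline time.
# On real media these would be read from disk or tape; here they are inline.
BASELINE_FILES: Dict[str, bytes] = {
    "reference/rates.csv": b"code,rate\nA,1.25\nB,2.50\n",
    "tokens/vouchers.dat": b"V-0001:100\nV-0002:250\n",
    "privacy/customers.csv": b"id,name\n1,Jane Doe\n2,John Roe\n",
}


def digest(data: bytes, key: Optional[bytes] = None) -> str:
    """SHA-256 of the data, or HMAC-SHA256 under `key` when one is given."""
    if key is None:
        return hashlib.sha256(data).hexdigest()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_manifest(files: Dict[str, bytes], key: Optional[bytes] = None) -> Dict[str, str]:
    """Record one digest per file; keep this manifest on separate, access-controlled storage."""
    return {name: digest(data, key) for name, data in sorted(files.items())}


def verify_manifest(manifest: Dict[str, str], files: Dict[str, bytes],
                    key: Optional[bytes] = None) -> Dict[str, List[str]]:
    """Compare current contents with the manifest.

    Returns file names grouped as ok / modified / missing / unexpected, each
    list in sorted order, so the result can be logged as the check's evidence.
    """
    result: Dict[str, List[str]] = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for name, expected in manifest.items():
        if name not in files:
            result["missing"].append(name)
        elif not hmac.compare_digest(digest(files[name], key), expected):
            result["modified"].append(name)
        else:
            result["ok"].append(name)
    result["unexpected"] = sorted(set(files) - set(manifest))
    return result


def demo_check() -> Dict[str, List[str]]:
    """Simulate a later periodic check on media that has drifted from baseline."""
    manifest = build_manifest(BASELINE_FILES)
    current = dict(BASELINE_FILES)
    current["tokens/vouchers.dat"] = b"V-0001:100\nV-0002:999\n"   # value token altered
    del current["privacy/customers.csv"]                             # file gone
    current["scratch/tmp.bin"] = b"\x00"                             # not in manifest
    return verify_manifest(manifest, current)


if __name__ == "__main__":
    for status, names in demo_check().items():
        print(f"{status:10s} {names}")
```

The keyed variant matters for the value tokens and reference files the control singles out: a plain SHA-256 manifest stored next to the data can be regenerated by whoever altered the data, whereas an HMAC manifest cannot be reproduced without the key held by the reviewer.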
5.4 Retention periods and storage terms
Control technique: Are retention periods and storage terms defined for documents, data, programs and reports and messages (incoming and outgoing), as well as the data (keys, certificates) used for their encryption and authentication?
Compliance procedures: Review procedures.

5.5 Media library management system
Control technique: Are procedures established to assure that the contents of its media library containing data are inventoried systematically, that any discrepancies disclosed by a physical inventory are remedied in a timely fashion, and that measures are taken to maintain the integrity of magnetic media stored in the library?
Compliance procedures: Review procedures.
Control technique: Are standards defined for the external identification of magnetic media and the control of their physical movement and storage to support accountability? Responsibilities for media (magnetic tape, cartridge, disks and diskettes) library management should be assigned to specific members of the information services function.
Compliance procedures: Review procedures and evidence of inventory.

Back-up Management

6.1 Back-up site and hardware
Control technique: Does management ensure that the continuity methodology incorporates an identification of alternatives regarding the back-up site and hardware, as well as a final alternative selection?
Compliance procedures: Review BCP and hot site contract(s).
Control technique: Is the off-site storage location geographically removed from the primary site(s) and protected by environmental controls and physical access controls?
Compliance procedures: Examine the off-site storage location.

Control technique: Are system and application documentation maintained at the off-site storage location?
Compliance procedures: Locate and examine the documentation.

6.2 Data and program back-up procedures have been implemented
Control technique: Are procedures in place for data storage which consider retrieval requirements, cost effectiveness and security policy?
Compliance procedures: Review procedures.
Control technique: Are backup files created on a prescribed basis and rotated off-site often enough to avoid disruption if current files were lost or damaged?
Compliance procedures: Review written policies and procedures for backing up files. Compare inventory records with the files maintained off-site, and determine the age of these files. For a selection of critical files, locate and examine the backup files. Determine whether backup files are created and rotated off-site as prescribed, and are sent before prior versions are returned.

Control technique: Do back-up procedures for information technology-related media include the proper storage of the data files, software and related documentation, both on-site and off-site?
Compliance procedures: Review procedures.
Control technique: Are back-ups stored securely, and are the storage sites periodically reviewed regarding physical access security and the security of data files and other items?
Compliance procedures: Review procedures.

6.3 Back-up and restoration
Control technique: Has management implemented a proper strategy for back-up and restoration to ensure that it includes a review of business requirements, as well as the development, implementation, testing and documentation of the recovery plan?
Compliance procedures: Review procedures.

6.4 Back-up jobs
Control technique: Are procedures in place to ensure that back-ups are taken in accordance with the defined back-up strategy and that the usability of back-ups is regularly verified?
Compliance procedures: Review procedures.
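The compliance procedures for 6.2 through 6.4 reduce to a handful of tests over the off-site inventory: is the newest backup of each set recent enough, has it actually been shipped off-site, was it sent before the prior version was returned, and has a restore been verified recently. The following script is an added example for this page, not the VAF's own material; its record fields, set names, dates and policy thresholds are constructed assumptions.

```python
"""Off-site backup rotation and restore-verification check.

Added example (not from the VAF). It applies the checklist's tests to an
off-site inventory: is the newest backup of each set recent enough, has it
been shipped off-site, was it sent before the prior version was returned (so
no window exists with no off-site copy), and has a restore of the set been
verified recently. Record fields and policy values are assumptions.
"""
from datetime import date
from typing import Dict, List, Optional

POLICY = {"max_backup_age_days": 7, "max_restore_test_age_days": 90}

# Constructed inventory: one record per backup-set version, the kind of
# evidence an off-site vault's log or an internal register would hold.
INVENTORY: List[Dict] = [
    {"set": "payroll-db", "version": 41, "created": date(2024, 5, 6),
     "shipped_offsite": date(2024, 5, 7), "prior_returned": date(2024, 5, 8),
     "restore_tested": date(2024, 3, 1)},
    {"set": "payroll-db", "version": 42, "created": date(2024, 5, 13),
     "shipped_offsite": date(2024, 5, 14), "prior_returned": date(2024, 5, 15),
     "restore_tested": None},
    {"set": "ledger", "version": 9, "created": date(2024, 4, 1),
     "shipped_offsite": date(2024, 4, 2), "prior_returned": date(2024, 4, 1),
     "restore_tested": date(2024, 4, 20)},
    {"set": "email-archive", "version": 3, "created": date(2024, 5, 12),
     "shipped_offsite": None, "prior_returned": None,
     "restore_tested": date(2024, 5, 12)},
]
AS_OF = date(2024, 5, 16)   # date of the review


def latest_versions(inventory: List[Dict]) -> Dict[str, Dict]:
    """Newest record per backup set."""
    latest: Dict[str, Dict] = {}
    for rec in inventory:
        if rec["set"] not in latest or rec["version"] > latest[rec["set"]]["version"]:
            latest[rec["set"]] = rec
    return latest


def last_restore_test(inventory: List[Dict], set_name: str) -> Optional[date]:
    """Most recent verified restore of any version of the set, if any."""
    dates = [r["restore_tested"] for r in inventory
             if r["set"] == set_name and r["restore_tested"]]
    return max(dates) if dates else None


def assess(inventory: List[Dict], as_of: date, policy: Dict[str, int]) -> List[Dict[str, str]]:
    """Return one finding per failed test, in set-name order."""
    findings: List[Dict[str, str]] = []

    def flag(set_name: str, code: str, detail: str) -> None:
        findings.append({"set": set_name, "code": code, "detail": detail})

    latest = latest_versions(inventory)
    for name in sorted(latest):
        rec = latest[name]
        age = (as_of - rec["created"]).days
        if age > policy["max_backup_age_days"]:
            flag(name, "stale", f"newest backup v{rec['version']} is {age} days old")
        if rec["shipped_offsite"] is None:
            flag(name, "not-offsite", f"v{rec['version']} has no off-site shipment date")
        elif rec["prior_returned"] is not None and rec["prior_returned"] < rec["shipped_offsite"]:
            flag(name, "rotation-gap",
                 f"prior version returned {rec['prior_returned']} before "
                 f"v{rec['version']} shipped {rec['shipped_offsite']}")
        tested = last_restore_test(inventory, name)
        if tested is None or (as_of - tested).days > policy["max_restore_test_age_days"]:
            flag(name, "restore-unverified", f"last verified restore: {tested}")
    return findings


if __name__ == "__main__":
    for f in assess(INVENTORY, AS_OF, POLICY):
        print(f"{f['set']:14s} {f['code']:18s} {f['detail']}")
```

The "rotation-gap" test is the one reviewers most often skip: a set whose prior version came back from the vault a day before the new version went out had, for that day, no off-site copy at all.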
Alternative Site Management

7.1 Alternative site is managed effectively
Control technique: Does the continuity methodology ensure that the user departments establish alternative-processing procedures that may be used until the information services function is able to fully restore its services after a disaster or event?
Compliance procedures: Review BCP.

7.2 User department alternative processing
Control technique: Have contracts or interagency agreements been established for a back-up data center and other needed facilities that are in a state of readiness commensurate with the risks of interrupted operations, have sufficient processing capacity, and are likely to be available for use?
Compliance procedures: Review contracts and agreements.
7.3 Alternate data processing and telecommunication facilities
Control technique: Have alternate telecommunication services been arranged?
Compliance procedures: Review contracts and agreements.

Control technique: Are arrangements planned for travel and lodging of necessary personnel, if needed?
Compliance procedures: Review BCP.

Interdependency Awareness

8.1 Organization is aware of interdependencies
Control technique: Has management considered the effect of the loss of a national infrastructure component, such as: loss of power for an extended period of time; loss of water supply; loss of telecommunications; loss of the transportation system; loss of oil or gas?
Compliance procedures: Interview senior management.
8.2 Management has recognized dependence on outside sources
Control technique: Has the organization constructed redundant resources in critical areas?
Compliance procedures: Interview senior management. Review architecture diagrams.

Monitoring

9.1 Monitoring policies and procedures are identified
Control technique: Has management implemented a process to ensure that the performance of information technology resources is continuously monitored and exceptions are reported in a timely and comprehensive manner?
Compliance procedures: Obtain and review network monitoring reports.

9.2 Monitoring and reporting
Control technique: Are problems and delays encountered, the reason, and the elapsed time for resolution recorded and analyzed to identify recurring patterns or trends?
Compliance procedures: Review “help desk” records and management metrics.

Control technique: Are records maintained on the actual performance in meeting service schedules?
Compliance procedures: Review maintenance records.
Control technique: Does senior management periodically review and compare the service performance achieved with the goals? Do they survey user departments to see if their needs are being met?
Compliance procedures: Review trend analysis reports and user surveys.

Control technique: Is user support established within a “help desk” function?
Compliance procedures: Review the organizational structure.

9.3 Assist and advise information technology customers
Control technique: Do the problem management procedures call for all issues to be logged and reported through a single control point (i.e., the problem management system) and assigned their own unique tracking number?
Compliance procedures: Review trouble ticket reports and verify that a unique incident number refers to each instance. If no evidence is available, record as an exception.

Control technique: Are procedures in place to ensure that all customer queries are adequately registered by the “help desk”?
Compliance procedures: If yes, review trouble ticket reports for evidence. If no, record the comment as an exception.
9.4 Customer query processes are assessed
Control technique: Do “help desk” procedures ensure that customer queries which cannot immediately be resolved are appropriately escalated within the information services function?
Compliance procedures: If yes, review trouble ticket reports for evidence. If no, record the comment as an exception.

Control technique: Are there established procedures for timely monitoring of the clearance of customer queries?
Compliance procedures: Review trouble ticket reports.

Control technique: Are long outstanding queries investigated and acted upon?
Compliance procedures: Review trouble ticket reports.

Control technique: Are procedures in place which assure adequate reporting with regard to customer queries and resolution, response times and trend identification? The reports should be adequately analyzed and acted upon.
Compliance procedures: If yes, review past data and see if a trend analysis has been performed. If no, record the weakness.
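Controls 9.2 through 9.4 all rest on the same evidence, the trouble ticket export, and the reviewer's questions about it can be answered mechanically: is every incident number unique, how long does resolution take per category, which categories recur, and which open queries have exceeded the escalation threshold. The script below is an added example written for this page, not the VAF's own material; the ticket export format, its sample lines and the thresholds are constructed for the illustration.

```python
"""Help-desk trouble-ticket analysis for the monitoring controls above.

Added example (not from the VAF). It checks what the compliance procedures
look for in trouble-ticket reports: that every incident carries a unique
tracking number, how long resolution takes per category, which categories
recur, and which queries have been open too long. The log format and the
thresholds are assumptions for the example.
"""
from collections import Counter
from datetime import datetime
from typing import Dict, List

# Constructed ticket export: ticket_id,opened,closed,category,summary
# (closed is empty while a query is still outstanding). T-1003 appears twice
# on purpose: that is the numbering defect the review must catch.
TICKET_LOG = """\
T-1001,2024-05-01 09:12,2024-05-01 10:40,password-reset,User locked out
T-1002,2024-05-01 11:05,2024-05-03 16:00,printer,Floor 3 printer offline
T-1003,2024-05-02 08:30,2024-05-02 09:00,password-reset,Forgot password
T-1003,2024-05-02 14:10,2024-05-02 15:00,network,VPN session drops
T-1005,2024-05-03 09:00,,network,Intermittent packet loss
T-1006,2024-05-10 10:00,,email,Mailbox full
T-1007,2024-05-14 13:00,2024-05-14 13:30,password-reset,Locked out again
"""
AS_OF = datetime(2024, 5, 16, 9, 0)   # time of the review
FMT = "%Y-%m-%d %H:%M"


def parse_tickets(text: str) -> List[Dict]:
    """Parse the export into records; the summary field may contain commas."""
    tickets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        tid, opened, closed, category, summary = line.split(",", 4)
        tickets.append({
            "id": tid,
            "opened": datetime.strptime(opened, FMT),
            "closed": datetime.strptime(closed, FMT) if closed else None,
            "category": category,
            "summary": summary,
        })
    return tickets


def duplicate_ids(tickets: List[Dict]) -> List[str]:
    """Tracking numbers used for more than one incident (should be empty)."""
    counts = Counter(t["id"] for t in tickets)
    return sorted(tid for tid, n in counts.items() if n > 1)


def mean_resolution_minutes(tickets: List[Dict]) -> Dict[str, float]:
    """Average elapsed time to resolution per category, closed tickets only."""
    total: Dict[str, float] = {}
    count: Counter = Counter()
    for t in tickets:
        if t["closed"] is None:
            continue
        minutes = (t["closed"] - t["opened"]).total_seconds() / 60
        total[t["category"]] = total.get(t["category"], 0.0) + minutes
        count[t["category"]] += 1
    return {c: round(total[c] / count[c], 1) for c in total}


def recurring_categories(tickets: List[Dict], min_count: int = 2) -> Dict[str, int]:
    """Categories seen at least `min_count` times: candidates for root-cause work."""
    counts = Counter(t["category"] for t in tickets)
    return {c: n for c, n in counts.most_common() if n >= min_count}


def long_outstanding(tickets: List[Dict], as_of: datetime, max_days: int = 7) -> List[str]:
    """Open queries older than the escalation threshold."""
    return sorted(t["id"] for t in tickets
                  if t["closed"] is None and (as_of - t["opened"]).days > max_days)


if __name__ == "__main__":
    tickets = parse_tickets(TICKET_LOG)
    print("duplicate ids:", duplicate_ids(tickets))
    print("mean minutes to resolve:", mean_resolution_minutes(tickets))
    print("recurring:", recurring_categories(tickets))
    print("long outstanding:", long_outstanding(tickets, AS_OF))
```

A non-empty `duplicate_ids` result is the exception control 9.3 tells the reviewer to record; the other three outputs are the trend analysis that 9.2 and 9.4 expect management to have already performed.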
Appendix E:
Change Control & Life Cycle Management
Control Objectives Control Technique Compliance Procedures
Change Management
1.1 Authorizations for system modifications are documented and maintained
Control technique: Are system change request forms used to document requests and related approvals?
Compliance procedures: Identify recent system modifications and determine whether change request forms were used. Examine a selection of system change request forms for approvals.

Control technique: Do both system users and data processing staff approve change requests?
Compliance procedures: Interview software development staff.

1.2 Changes are controlled through testing to final approval
Control technique: Have test plan standards been developed for all levels of testing that define responsibilities for each party (e.g., users, system analysts, programmers, auditors, quality assurance, and library control)?
Compliance procedures: Review test plan standards.

Control technique: Are software changes documented so that they can be traced from code to design specifications and functional requirements?
Compliance procedures: Review test plan procedures. Review documentation.

Control technique: Are program changes moved into production only upon documented approval from user and system development management?
Compliance procedures: Review test plan procedures. Review documentation.

Control technique: Do data center management and/or the security administrators periodically review production program changes to determine whether access controls and change controls have been followed?
Compliance procedures: Interview data center management and security administrators.
1.3 Emergency changes are promptly tested and approved
Control technique: Are emergency change procedures documented?
Compliance procedures: Review procedures.

Control technique: Are emergency changes documented and
- approved by the operations supervisor,
- formally reported to computer operations management for follow-up, and
- approved after the fact by programming supervisors and user management?
Compliance procedures: For a selection of emergency changes recorded in the emergency change log, review related documentation and approval.
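The selection-based review in 1.1 through 1.3 can be run over the whole change log rather than a sample once the log is machine-readable: each production change must carry a request form, standard changes need approval from both the user side and data processing staff, and emergency changes need the operations supervisor's approval, a report to operations management, and after-the-fact approval by programming supervisors and user management. The script below is an added example for this page, not the VAF's own material; the record fields, role names and sample change ids are constructed assumptions.

```python
"""Change-log review for controls 1.1 to 1.3.

Added example (not from the VAF): walks a change log and reports which
production changes lack a request form or the approvals the checklist asks
for. Record fields and role names are assumptions for the example.
"""
from typing import Dict, List, Set

STANDARD_APPROVERS: Set[str] = {"user", "data-processing"}
EMERGENCY_APPROVERS: Set[str] = {"ops-supervisor"}
EMERGENCY_AFTER_FACT: Set[str] = {"programming-supervisor", "user-management"}

# Constructed change log: a standard and an emergency change done correctly,
# one of each with control gaps, and one change not yet in production.
CHANGE_LOG: List[Dict] = [
    {"id": "CR-101", "type": "standard", "request_form": "F-101",
     "approvals": {"user", "data-processing"}, "in_production": True},
    {"id": "CR-102", "type": "standard", "request_form": None,
     "approvals": {"user"}, "in_production": True},
    {"id": "EC-7", "type": "emergency", "request_form": "F-207",
     "approvals": {"ops-supervisor", "programming-supervisor", "user-management"},
     "reported_to_ops_mgmt": True, "in_production": True},
    {"id": "EC-8", "type": "emergency", "request_form": None,
     "approvals": {"ops-supervisor"}, "reported_to_ops_mgmt": False,
     "in_production": True},
    {"id": "CR-103", "type": "standard", "request_form": "F-103",
     "approvals": set(), "in_production": False},
]


def audit_change(rec: Dict) -> List[str]:
    """Exception codes for one change record that has reached production."""
    if not rec.get("in_production"):
        return []                      # approvals may still be in progress
    codes: List[str] = []
    if not rec.get("request_form"):
        codes.append("no-request-form")
    approvals = set(rec.get("approvals", ()))
    if rec["type"] == "emergency":
        required = EMERGENCY_APPROVERS | EMERGENCY_AFTER_FACT
        if not rec.get("reported_to_ops_mgmt"):
            codes.append("not-reported-to-ops-mgmt")
    else:
        required = STANDARD_APPROVERS
    for role in sorted(required - approvals):
        codes.append(f"missing-approval:{role}")
    return codes


def audit_log(log: List[Dict]) -> Dict[str, List[str]]:
    """Map change id -> exception codes, listing only changes with at least one."""
    return {rec["id"]: codes for rec in log if (codes := audit_change(rec))}


if __name__ == "__main__":
    for cid, codes in audit_log(CHANGE_LOG).items():
        print(cid, ", ".join(codes))
```

Running the rules over every record instead of a selection turns the reviewer's sample test into a standing control, and the exception list is itself the evidence the compliance procedure asks to see.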
1.4 Change Request Procedures Exist
Control technique: Does management ensure that all requests for changes, system maintenance and supplier maintenance are standardized and are subject to formal change management procedures?
Compliance procedures: Interview senior management.

Control technique: Are changes categorized and prioritized, and are specific procedures in place to handle urgent matters?
Compliance procedures: Review change request procedures.

1.5 System Impact is Assessed
Control technique: Is a procedure in place to ensure that all requests for change are assessed in a structured way for all possible impacts on the operational system and its functionality?
Compliance procedures: Review change control procedures.

1.6 Control of Changes is Managed
Control technique: Does management ensure that change management, and software control and distribution, are properly integrated with a comprehensive configuration management system?
Compliance procedures: Interview senior management.
1.7 Documentation and Procedures are Updated
Control technique: Does the change process ensure that whenever system changes are implemented, the associated documentation and procedures are updated accordingly?
Compliance procedures: Review change control procedures. Review documentation.

1.8 Maintenance is Authorized
Control technique: Does management ensure maintenance personnel have specific assignments and that their work is properly monitored?
Compliance procedures: Interview senior management.

Control technique: Does management ensure the system access rights of maintenance personnel are controlled to avoid risks of unauthorized access to automated systems?
Compliance procedures: Interview management. Review change control policies and procedures.

System Development Life Cycle Management

2.1 A System Development Life Cycle Methodology has been implemented
Control technique: Has a system development life cycle (SDLC) methodology been developed that provides a structured approach consistent with generally accepted concepts and practices?
Compliance procedures: Review SDLC methodology.

Control technique: Does it include active user involvement throughout the process?
Compliance procedures: Interview senior management. Interview active users.

Control technique: Is it sufficiently documented to provide guidance to staff with varying levels of skill and experience?
Compliance procedures: Review SDLC methodology documentation.

Control technique: Does it provide a means of controlling changes in requirements that occur over the system’s life?
Compliance procedures: Review SDLC documentation.

Control technique: Does it include documentation requirements?
Compliance procedures: Review SDLC documentation.
2.2 System Development Life Cycle Methodology is Updated
Control technique: Does senior management implement a periodic review of its system development life cycle methodology to ensure that its provisions reflect current generally accepted techniques and procedures?
Compliance procedures: Interview senior management. Review SDLC documentation.

2.3 Coordination and Communication Processes Exist
Control technique: Has management established a process for ensuring close coordination and communication between customers of the information services function and system implementers?
Compliance procedures: Interview senior management. Review communication and coordination process.

Control technique: Does this process entail structured methods using the system development life cycle methodology to ensure the provision of quality information technology solutions that meet the business demands?
Compliance procedures: Interview senior management. Interview system users.

Control technique: Does management promote an organization that is characterized by close cooperation and communication throughout the system development life cycle?
Compliance procedures: Interview senior management. Interview system users.

2.4 Program Documentation Standards Exist
Control technique: Does the organization’s system development life cycle methodology incorporate standards for program documentation that have been communicated to the concerned staff and enforced?
Compliance procedures: Review program documentation standards.

Control technique: Does the methodology ensure that the documentation created during information system development or modification projects conforms to these standards?
Compliance procedures: Review SDLC methodology. Review documentation.
2.5 Methods for Design
Control technique: Does the organization’s system development life cycle methodology provide that appropriate procedures and techniques, involving close liaison with system users, are applied to create the design specifications for each new information system development project and to verify the design specifications against the user requirements?
Compliance procedures: Review SDLC methodology procedures and techniques. Review system design and verification process.

2.6 Source Data Collection Design
Control technique: Does the organization’s system development life cycle methodology require that adequate mechanisms for the collection and entry of data be specified for each information system development or modification project?
Compliance procedures: Review SDLC methodology.

2.7 Definition and Documentation for Input/Output Requirements
Control technique: Does the organization’s system development life cycle methodology require that adequate mechanisms exist for defining and documenting the input requirements for each information system development or modification project?
Compliance procedures: Review SDLC methodology.

2.8 Output Requirements Definition and Documentation
Control technique: Does the organization’s system development life cycle methodology require that adequate mechanisms exist for defining and documenting the output requirements for each information system development or modification project?
Compliance procedures: Review SDLC methodology.
2.9 Interfaces are Defined
Control technique: Does the organization’s system development life cycle methodology provide that all external and internal interfaces are properly specified, designed and documented?
Compliance procedures: Review SDLC methodology.

Control technique: Does the organization’s system development life cycle methodology provide for the development of an interface between the user and machine which is easy to use and self-documenting (by means of on-line help functions)?
Compliance procedures: Review SDLC methodology.

2.10 Requirements for Definition and Documentation of Processing
Control technique: Does the organization’s system development life cycle methodology require that adequate mechanisms exist for defining and documenting the processing requirements for each information system development or modification project?
Compliance procedures: Review SDLC methodology.

2.11 Controllability is Assured
Control technique: Does the organization’s system development life cycle methodology require that adequate mechanisms for assuring the internal control and security requirements be specified for each information system development or modification project?
Compliance procedures: Review SDLC methodology.

Control technique: Does the methodology further ensure that information systems are designed to include application controls that guarantee the accuracy, completeness, timeliness and authorization of inputs, processing and outputs?
Compliance procedures: Review SDLC methodology.
Control technique: Is a sensitivity assessment performed during initiation of system development or modification?
Compliance procedures: Interview senior management.

Control technique: Are the basic security and internal control aspects of a system to be developed or modified assessed along with the conceptual design of the system, in order to integrate security concepts in the design as early as possible?
Compliance procedures: Review SDLC methodology. Interview senior management.

2.12 Availability is a Key Design Factor
Control technique: Does the organization’s system development life cycle methodology provide that availability is considered in the design process for new or modified information systems at the earliest possible stage?
Compliance procedures: Review SDLC methodology.

Control technique: Is availability analyzed and, if necessary, increased through maintainability and reliability improvements?
Compliance procedures: Interview senior management.

2.13 Conversion is Incorporated
Control technique: Does the organization’s system development life cycle methodology provide, as part of every information system development, implementation or modification project, that the necessary elements from the old system are converted to the new one according to a pre-established plan?
Compliance procedures: Review SDLC methodology.

2.14 Promotion to Production Process Exists
Control technique: Does management define and implement formal procedures to control the handover of the system from development to testing to operations?
Compliance procedures: Interview senior management. Review handover control procedures.
Control technique: Are the respective environments segregated and properly protected?
Compliance procedures: Interview senior management.

2.15 Evaluation of Meeting User Requirements is Conducted
Control technique: Does the organization’s system development life cycle methodology require that a post-implementation review of operational information system requirements (e.g., capacity, throughput, etc.) be conducted to assess whether the users’ needs are being achieved by the system?
Compliance procedures: Review SDLC methodology.

2.16 Post-Implementation Review is Conducted by Management
Control technique: Does the organization’s system development life cycle methodology require that a post-implementation review of an operational information system assess and report on whether the system delivered the benefits envisioned in the most cost effective manner?
Compliance procedures: Review SDLC methodology.

2.17 Disposal Process Exists
Control technique: Does the system development life cycle methodology have procedures in place for disposal of systems and applications?
Compliance procedures: Review disposal procedures.

Project Management

3.1 Project Management Framework Exists
Control technique: Has management established a general project management framework that defines the scope and boundaries of managing projects, as well as the project management methodology to be adopted and applied to each project undertaken?
Compliance procedures: Interview management. Review project management framework.
Control technique: Does the methodology cover allocation of responsibilities, task breakdown, budgeting of time and resources, milestones, checkpoints and approvals?
Compliance procedures: Review project management methodology.

3.2 User Department Participates in Project Initiation
Control technique: Does the organization’s project management framework provide for participation by the affected user department management in the definition and authorization of a development, implementation or modification project?
Compliance procedures: Review project management framework.

3.3 Project Team Membership and Responsibilities are Specified
Control technique: Does the organization’s project management framework specify the basis for assigning staff members to the project and define the responsibilities and authorities of the project team members?
Compliance procedures: Review project management framework.

3.4 Process exists for Project Definitions
Control technique: Does the organization’s project management framework provide for the creation of a clear written statement defining the nature and scope of every implementation project before work on the project begins?
Compliance procedures: Review project management framework.

3.5 Project is Approved
Control technique: Does the organization’s project management framework ensure that for each proposed project, the organization’s senior management reviews the reports of the relevant feasibility studies as a basis for its decision on whether to proceed with the project?
Compliance procedures: Review project management framework. Interview senior management.
3.6 Project Phases are Approved
Control technique: Does the organization’s project management framework provide for designated managers of the user and information services functions to approve the work accomplished in each phase of the cycle before work on the next phase begins?
Compliance procedures: Review project management framework.

3.7 Project Master Plan is Created
Control technique: Does management ensure that for each approved project a project master plan is created which is adequate for maintaining control over the project throughout its life and which includes a method of monitoring the time and costs incurred throughout the life of the project?
Compliance procedures: Interview senior management. Review project master plans.

3.8 System Quality Assurance Plan Exists
Control technique: Does management ensure that the implementation of a new or modified system includes the preparation of a quality plan that is then integrated with the project master plan and formally reviewed and agreed to by all parties concerned?
Compliance procedures: Interview senior management. Review quality plans.

3.9 Planning of Assurance Methods is Conducted
Control technique: Are assurance tasks identified during the planning phase of the project management framework?
Compliance procedures: Review project management framework.

Control technique: Do assurance tasks support the accreditation of new or modified systems and assure that internal controls and security features meet the related requirements?
Compliance procedures: Review assurance tasks.
3.10 Program for Formal Project Risk Management Exists
Control technique: Has management implemented a formal project risk management program for eliminating or minimizing risks associated with individual projects?
Compliance procedures: Interview management. Review project risk management program.

3.11 Test Plan is Created
Control technique: Does the organization’s project management framework require that a test plan be created for every development, implementation and modification project?
Compliance procedures: Review project management framework. Review test plans.

3.12 Post-Implementation Review Plan is Developed
Control technique: Does the organization’s project management framework provide for the development of a plan for a post-implementation review of every new or modified information system to ascertain whether the project has delivered the planned benefits?
Compliance procedures: Review project management framework. Review post-implementation review plans.

3.13 Design is Approved
Control technique: Does the organization’s system development life cycle methodology require that the design specifications for all information system development and modification projects be reviewed and approved by management, the affected user departments and the organization’s senior management, when appropriate?
Compliance procedures: Review SDLC methodology. Review approval procedures.

3.14 File Requirements are Defined and Documented
Control technique: Does the organization’s system development life cycle methodology provide that an appropriate procedure be applied for defining and documenting the file format for each information system development or modification project?
Compliance procedures: Review SDLC methodology. Review file-type documentation procedures.
3.15 Program Does the organization’s system Review SDLC methodology.
Specifications are development life cycle Review program specification
Prepared methodology require that detailed procedures.
written program specifications be
prepared for each information
system development or
modification project?
Does the methodology further Review SDLC methodology.
ensure that program specifications
Review program specification
agree with system design
procedures.
specifications?
3.16 System Design is Re-assessed
Control Technique: Does the organization’s system development life cycle methodology ensure that the system design is re-assessed whenever significant technical and/or logical discrepancies occur during system development or maintenance?
Compliance Procedures: Review SDLC methodology. Review program specification procedures.
3.17 Staff is Trained
Control Technique: Are staff of the affected user departments and the operations group of the information services function trained in accordance with the defined training plan and associated materials, as part of every information systems development, implementation or modification project?
Compliance Procedures: Review training plan. Interview staff.
3.18 Application Software Performance Sizing is Established
Control Technique: Is application software performance sizing (optimization) established, as an integral part of the organization’s system development life cycle methodology, to forecast the resources required for operating new and significantly changed software?
Compliance Procedures: Review SDLC methodology.
Application Acquisition, Management, and Maintenance
4.1 Software Release Policies Reviewed.
Control Technique: Does Management ensure that the release of software is governed by formal procedures ensuring sign-off, packaging, regression testing, handover, etc?
Compliance Procedures: Review software release policies.
4.2 Distribution and implementation of new or revised software is controlled
Control Technique: Are standardized procedures used to distribute new software for implementation?
Compliance Procedures: Examine procedures for distributing new software.
Control Technique: Do internal control measures ensure distribution of the correct software element to the right place, with integrity, and in a timely manner with adequate audit trails?
Compliance Procedures: Review internal control measures. Review audit trail documentation.
4.3 Use of public domain and personal software is restricted.
Control Technique: Are clear policies restricting the use of personal and public domain software developed and enforced?
Compliance Procedures: Review pertinent policies and procedures. Interview users and data processing staff.
4.4 Programs are labeled and inventoried.
Control Technique: Is library management software used to:
n produce audit trails of program changes,
n maintain program version numbers,
n record and report program changes,
n maintain creation/date information for production modules,
n maintain copies of previous versions, and
n control concurrent updates?
Compliance Procedures: Review pertinent policies and procedures. Interview personnel responsible for library control. Determine how many prior versions of software modules are maintained.
4.5 Access to Program Libraries is Restricted
Control Technique: Are separate libraries maintained for program development and maintenance, testing, and production programs?
Compliance Procedures: Examine libraries in use. Interview library control personnel.
Control Technique: Is source code maintained in a separate library?
Compliance Procedures: Examine libraries in use.
Control Technique: Is access to all programs, including production code, source code, and extra program copies, protected by access control software and operating system features?
Compliance Procedures: For critical software production programs, determine whether access control software rules are clearly defined.
Control Technique: Are all deposits and withdrawals of tapes to the tape library authorized and logged?
Compliance Procedures: Review deposit and withdrawal procedures.
4.6 Movement of programs and data among libraries is controlled
Control Technique: Does a group independent of the user and programmers control movement of programs and data among libraries?
Compliance Procedures: Review pertinent policies and procedures. For a selection of program changes, examine related documentation to verify that
n procedures for authorizing movement among libraries were followed and
n before and after images were compared.
Control Technique: Are before and after images of program code maintained and compared to ensure that only approved changes are made?
Compliance Procedures: Review pertinent policies and procedures. For a selection of program changes, examine related documentation to verify that
n procedures for authorizing movement among libraries were followed and
n before and after images were compared.
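The before and after image comparison in 4.6 can be carried out mechanically, as the added example below shows (it is not part of the framework): every module in the library is hashed before and after a change window, and each difference is reconciled against the approved change requests. The module names, change request identifiers and file contents are constructed for the example.

```python
"""Before/after image comparison of a program library (added example, not the
framework's own tooling). Hashes each module before and after a change window
and reconciles every difference against the approved change requests, so that
unapproved changes and approved-but-missing changes are both surfaced."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ChangeRequest:
    cr_id: str            # change request identifier (constructed values below)
    modules: frozenset    # module names the request authorizes changing
    approved: bool        # whether management sign-off was obtained


def library_image(library: dict) -> dict:
    """Image of a library: module name -> SHA-256 of its contents."""
    return {name: hashlib.sha256(content).hexdigest()
            for name, content in library.items()}


def compare_images(before: dict, after: dict, change_requests) -> dict:
    """Reconcile differences between two images against change requests.

    Returns a dict with three keys:
      approved       - {module: (kind, [cr ids])} for differences covered by an
                       approved change request
      unapproved     - [(module, kind)] for differences with no approved request
      missing_change - [module] authorized by an approved request but unchanged
    kind is one of 'added', 'removed', 'modified'.
    """
    authorized = {}
    for cr in change_requests:
        if not cr.approved:
            continue          # an unapproved request authorizes nothing
        for module in cr.modules:
            authorized.setdefault(module, []).append(cr.cr_id)

    findings = {"approved": {}, "unapproved": [], "missing_change": []}
    changed = set()
    for name in sorted(set(before) | set(after)):
        if before.get(name) == after.get(name):
            continue          # identical hash: nothing to reconcile
        changed.add(name)
        if name not in before:
            kind = "added"
        elif name not in after:
            kind = "removed"
        else:
            kind = "modified"
        if name in authorized:
            findings["approved"][name] = (kind, authorized[name])
        else:
            findings["unapproved"].append((name, kind))

    # An approved request whose module did not change also needs follow-up:
    # either the change was never implemented or it landed somewhere else.
    findings["missing_change"] = sorted(m for m in authorized if m not in changed)
    return findings


# Constructed sample libraries and change requests (not real systems).
BEFORE_LIBRARY = {
    "PAYROLL.CBL": b"IDENTIFICATION DIVISION. PAYROLL v1",
    "AUDIT.CBL":   b"IDENTIFICATION DIVISION. AUDIT v1",
    "UTIL.CBL":    b"IDENTIFICATION DIVISION. UTIL v1",
}
AFTER_LIBRARY = {
    "PAYROLL.CBL": b"IDENTIFICATION DIVISION. PAYROLL v2",   # approved change
    "AUDIT.CBL":   b"IDENTIFICATION DIVISION. AUDIT v1",     # approved but not done
    "UTIL.CBL":    b"IDENTIFICATION DIVISION. UTIL v2",      # request not approved
    "NEWRPT.CBL":  b"IDENTIFICATION DIVISION. NEWRPT v1",    # no request at all
}
CHANGE_REQUESTS = [
    ChangeRequest("CR-101", frozenset({"PAYROLL.CBL"}), approved=True),
    ChangeRequest("CR-102", frozenset({"AUDIT.CBL"}), approved=True),
    ChangeRequest("CR-103", frozenset({"UTIL.CBL"}), approved=False),
]


def run_sample() -> dict:
    """Compare the constructed before and after images."""
    return compare_images(library_image(BEFORE_LIBRARY),
                          library_image(AFTER_LIBRARY), CHANGE_REQUESTS)


if __name__ == "__main__":
    result = run_sample()
    for module, (kind, crs) in result["approved"].items():
        print(f"APPROVED   {module:12} {kind:8} {', '.join(crs)}")
    for module, kind in result["unapproved"]:
        print(f"UNAPPROVED {module:12} {kind}")
    for module in result["missing_change"]:
        print(f"NOT DONE   {module:12} approved change not reflected in library")
```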
4.7 User Reference and Support Materials are prepared and updated
Control Technique: Are adequate user reference and support manuals prepared (preferably in electronic format) as part of every information system development or modification project?
Compliance Procedures: Review SDLC procedures. Review reference and support manuals.
4.8 User Procedures Manuals are prepared and updated
Control Technique: Are adequate user procedure manuals prepared and refreshed as part of every information system development, implementation or modification project?
Compliance Procedures: Review SDLC procedures. Review procedure manuals.
4.9 Operations Manual is adequate
Control Technique: Are adequate operations manuals prepared and kept up-to-date as part of every information system development, implementation or modification project?
Compliance Procedures: Review SDLC procedures. Review operations manuals.
4.10 Training Materials are developed
Control Technique: Are adequate training materials developed as part of every information system development, implementation or modification project?
Compliance Procedures: Review SDLC procedures. Review training materials.
Quality and Assurance
5.1 General Quality Plan is maintained
Control Technique: Has senior management developed and regularly maintained an overall quality plan based on the organizational and information technology long-range plans?
Compliance Procedures: Interview senior management. Review quality plan.
Control Technique: Does the plan promote the continuous improvement philosophy and answer the basic questions of what, who and how?
Compliance Procedures: Review quality plan.
5.2 Quality Assurance Approach is established
Control Technique: Has management established a standard approach regarding quality assurance that covers both general and project specific quality assurance activities?
Compliance Procedures: Interview senior management. Review quality assurance approach.
Control Technique: Does the approach prescribe the type(s) of quality assurance activities (such as reviews, audits, inspections, etc.) to be performed to achieve the objectives of the general quality plan?
Compliance Procedures: Review quality assurance approach.
Control Technique: Does the approach also require specific quality assurance reviews?
Compliance Procedures: Review quality assurance approach.
5.3 Quality Assurance Planning Process is implemented
Control Technique: Has management implemented a quality assurance planning process to determine the scope and timing of the quality assurance activities?
Compliance Procedures: Interview senior management. Review quality assurance planning process.
5.4 Adherence to the Information Services Function’s Standards and Procedures is reviewed
Control Technique: Does management ensure that the responsibilities assigned to the quality assurance personnel include a review of general adherence to the information services function’s standards and procedures?
Compliance Procedures: Interview senior management.
5.5 Adherence to Development Standards is evaluated
Control Technique: Does the organization’s quality assurance approach require that a post-implementation review of an operational information system assess whether the project team adhered to the provisions of the system development life cycle methodology?
Compliance Procedures: Review quality assurance approach.
5.6 The Quality Assurance Review of the Achievement of the Information Services Function’s Objectives is reviewed
Control Technique: Does the quality assurance approach include a review of the extent to which particular systems and application development activities have achieved the objectives of the information services function?
Compliance Procedures: Review quality assurance approach.
5.7 Quality Metrics are defined
Control Technique: Has management defined and used metrics to measure the results of activities, thus assessing whether quality goals have been achieved?
Compliance Procedures: Interview senior management. Review metrics.
5.8 Reports of Quality Assurance Reviews are prepared
Control Technique: Are reports of quality assurance reviews prepared and submitted to management of user departments and the information services function?
Compliance Procedures: Review quality assurance reviews.
5.9 Program Testing Standards exist
Control Technique: Does the organization’s system development life cycle methodology provide standards covering test requirements, verification, documentation and retention for testing individual software units and aggregated programs created as part of every information system development or modification project?
Compliance Procedures: Review SDLC methodology.
5.10 Parallel/Pilot Testing is conducted
Control Technique: Does the organization’s system development life cycle methodology define the circumstances under which parallel or pilot testing of new and/or existing systems will be conducted?
Compliance Procedures: Review SDLC methodology.
5.11 System Testing is documented
Control Technique: Does the organization’s system development life cycle methodology provide, as part of every information system development, implementation, or modification project, that the documented results of testing the system are retained?
Compliance Procedures: Review SDLC methodology. Review testing documentation.
5.12 Information Technology Integrity Provisions in Application Program Software have been established
Control Technique: Has the organization established procedures to assure, where applicable, that application programs contain provisions which routinely verify the tasks performed by the software to help assure data integrity, and which provide for the restoration of that integrity through rollback or other means?
Compliance Procedures: Review assurance procedures for integrity.
5.13 Application Software Testing process is defined
Control Technique: Is unit testing, application testing, integration testing, system testing, and load and stress testing performed according to the project test plan and established testing standards before the user approves it?
Compliance Procedures: Review project test plans. Review testing standards.
Control Technique: Are adequate measures conducted to prevent disclosure of sensitive information used during testing?
Compliance Procedures: Review controls for sensitive information.
Control Technique: Have program staff and staff involved in developing and testing software been trained, and are they familiar with the use of the organization’s SDLC methodology?
Compliance Procedures: Interview staff. Review training records.
Control Technique: Are detailed system specifications prepared by the programmer and reviewed by a programming supervisor?
Compliance Procedures: Interview staff.
Control Technique: Are test plans documented and approved that define responsibilities for each party involved (e.g., users, systems analysts, programmers, auditors, quality assurance, library control)?
Compliance Procedures: Review test plan documentation.
Control Technique: Are unit, integration, and system testing performed and approved
n in accordance with the test plan and
n applying a sufficient range of valid and invalid conditions?
Compliance Procedures: Review testing procedures.
Control Technique: Is a comprehensive set of test transactions and data developed that represents the various activities and conditions that will be encountered in processing?
Compliance Procedures: Review testing procedures.
Control Technique: Are live data used in testing of program changes except to build test data files?
Compliance Procedures: Review testing procedures.
5.14 Changes are Tested
Control Technique: Does management ensure that changes are tested in accordance with the impact and resource assessment in a separate test environment by an independent (from builders) test group before use in the regular operational environment begins?
Compliance Procedures: Interview senior management. Review testing procedures.
Control Technique: Are back-out plans developed?
Compliance Procedures: Review back-out plans.
Control Technique: Is acceptance testing carried out in an environment representative of the future operational environment?
Compliance Procedures: Review testing procedures.
5.15 Parallel / Pilot Testing meets Criteria and Performance Standards
Control Technique: Are procedures in place to ensure that parallel or pilot testing is performed in accordance with a pre-established plan and that the criteria for terminating the testing process are specified in advance?
Compliance Procedures: Review parallel and pilot procedures. Review test plans.
Control Technique: Do procedures provide for a formal evaluation and approval of the test results by management of the affected user department(s) and the information services function?
Compliance Procedures: Review testing procedures.
5.16 Final Acceptance Test is adequate
Control Technique: Do the tests cover all components of the information system (e.g., application software, facilities, technology, and user procedures)?
Compliance Procedures: Review testing procedures.
5.17 Security Testing and Accreditation Procedures are defined
Control Technique: Has management defined and implemented procedures to ensure that operations and user management formally accept the test results and the level of security for the systems, along with the remaining residual risk?
Compliance Procedures: Review acceptance procedures.
5.18 Operational Test Procedures Exist
Control Technique: Does management ensure that before moving the system into operation, the user or designated custodian validates its operation as a complete product, under conditions similar to the application environment and in the manner in which the system will be run in a production environment?
Compliance Procedures: Interview senior management. Review testing procedures.
Appendix F:
System Software
Control Objectives Control Technique Compliance Procedures
System Software Access Control
1.1 Access authorizations are appropriately limited.
Control Technique: Do policies and procedures exist for restricting access to systems software? If so, are they up-to-date?
Compliance Procedures: Review pertinent policies and procedures. Interview management and systems personnel regarding access restrictions. Observe personnel accessing system software. Attempt to access system software.
Control Technique: Is access to system software restricted to a limited number of personnel, corresponding to job responsibilities? Are application programmers and computer operators specifically prohibited from accessing system software?
Compliance Procedures: Review pertinent policies and procedures. Interview management and systems personnel regarding access restrictions.
Control Technique: Is documentation showing justification and management approval for access to system software kept on file?
Compliance Procedures: Select some systems programmers and determine whether management-approved documentation supports their access to system software. Select some application programmers and determine whether they are not authorized access.
Control Technique: Are access capabilities of system programmers periodically reviewed for propriety to see that access permissions correspond with job duties?
Compliance Procedures: Determine the last time the access capabilities of system programmers were reviewed.
1.2 All access paths have been identified and controls implemented to prevent or detect access for all paths.
Control Technique: Is the operating system configured to prevent circumvention of the security software and application controls?
Compliance Procedures: Test the operating system parameters to verify that it is configured to maintain the integrity of the security software and application controls. The specifics of this step will be determined by the operating system in use. The auditor should consult audit guides for the operating system in use. This step may be facilitated by use of CA-EXAMINE, the DEC VAX Toolkit, or other audit tools. However, the auditor should be experienced in using the specific software tool, or seek the assistance of someone who is.
Perform an operating system penetration analysis to determine if users can inappropriately utilize computer resources through direct or covert methods. Include the following:
n Determine whether the operating system’s subsystems have been appropriately implemented to ensure that they support integrity controls.
n Determine whether application interfaces have been implemented to support operating system integrity controls, including: on-line transaction monitors, database software, on-line editors, on-line direct-access storage devices, on-line operating system datasets, exits related to the operating system, security, and program products, and controls over batch processing (including security controls, scheduler controls, and access authorities).
n Evaluate the controls over external access to computer resources, including networks, dial-up, LAN, WAN, RJE, and the Internet.
n Identify potential opportunities to adversely impact the operating system and its products through Trojan horses, viruses, and other malicious actions.
Control Technique: Is access to system software restricted by access control software to personnel with appropriate job responsibilities? Is update access limited to primary and backup systems programmers?
Compliance Procedures: Obtain a list of all system software on test and production libraries used by the entity. Verify that access control software restricts access to system software.
Control Technique: Are accesses to system software files logged by automated logging facilities?
Compliance Procedures: Using security software reports, determine who has access to system software files, security software, and logging files. Reports should be generated in the presence of the auditor.
Control Technique: Are vendor supplied default logon IDs and passwords disabled?
Compliance Procedures: Inquire whether disabling has occurred. Test for their presence using vendor standard IDs and passwords.
Control Technique: Is remote access to the system master console restricted? Do physical and logical controls provide security over all terminals that are set up as master consoles?
Compliance Procedures: Determine what terminals are set up as master consoles and what controls exist over them.
System Software Monitoring (Access and Use)
2.1 Policies and techniques have been implemented for using and monitoring use of system utilities.
Control Technique: Do policies and procedures for using and monitoring use of system software utilities exist? Are they up-to-date?
Compliance Procedures: Review pertinent policies and procedures.
Control Technique: Are responsibilities for using sensitive system utilities clearly defined? Do systems programmers understand their responsibilities?
Compliance Procedures: Interview management and systems personnel regarding their responsibilities.
Control Technique: Are responsibilities for monitoring use defined and understood by technical management?
Compliance Procedures: Interview management and systems personnel regarding monitoring.
Control Technique: Is the use of sensitive system utilities logged using access control software reports or job accounting data (e.g., IBM’s System Management Facility)?
Compliance Procedures: Determine whether logging occurs and what information is logged. Review logs. Using security software reports, determine who can access the logging files.
2.2 Inappropriate or unusual activity is investigated and appropriate actions taken.
Control Technique: Does technical management review the use of privileged system software and utilities?
Compliance Procedures: Interview technical management regarding their reviews of privileged system software and utilities usage. Review documentation supporting their reviews.
Control Technique: Is inappropriate or unusual activity in using utilities investigated?
Compliance Procedures: Interview management and systems personnel regarding these investigations. Review documentation supporting these investigations.
Control Technique: Are system programmers’ activities monitored and reviewed?
Compliance Procedures: Interview systems programmer supervisors to determine their activities related to supervising and monitoring their staff. Review documentation supporting their supervising and monitoring of systems programmers’ activities.
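The log review that 2.1 and 2.2 call for can be partly automated once the logging in 2.1 is in place. The added example below, which is not part of the framework, applies three of its control questions to log records: application programmers and operators must not touch system software (1.1), update access is limited to the primary and backup systems programmers (1.2), and each system software change is supported by a change request (3.1). The log format, user ids, roles and library names are constructed.

```python
"""Review of a system software access log (added example, not the framework's
own tooling). Flags records that violate the framework's control questions and
counts sensitive actions per user so unusual volumes stand out for follow-up."""
from collections import Counter

# Constructed role and user lists; in practice they come from HR records and
# the access-control software reports the auditor obtains under 1.2.
PROHIBITED_ROLES = {"APPPROG", "OPERATOR"}      # per 1.1
UPDATE_AUTHORIZED = {"ACHEN", "BRIVERA"}        # primary and backup sysprogs
SENSITIVE_ACTIONS = {"UPDATE", "DELETE"}        # changes to system software

# Constructed log lines: a timestamp followed by key=value fields.
SAMPLE_LOG = """\
1998-10-05T02:14:07 user=ACHEN role=SYSPROG action=READ object=SYSTEM.LINKLIB cr=-
1998-10-05T02:16:40 user=ACHEN role=SYSPROG action=UPDATE object=SYSTEM.LINKLIB cr=CR-2041
1998-10-05T09:02:11 user=DPATEL role=APPPROG action=READ object=SYSTEM.LINKLIB cr=-
1998-10-05T11:45:58 user=BRIVERA role=SYSPROG action=UPDATE object=SYSTEM.PARMS cr=-
1998-10-05T23:07:30 user=MOPER role=OPERATOR action=UPDATE object=SYSTEM.PARMS cr=-
1998-10-06T01:12:05 user=ACHEN role=SYSPROG action=DELETE object=SYSTEM.OLDLIB cr=CR-2042
"""


def parse_record(line: str) -> dict:
    """Split one log line into a dict; the leading timestamp is stored as 'ts'."""
    ts, _, rest = line.strip().partition(" ")
    record = {}
    for token in rest.split():
        key, _, value = token.partition("=")
        record[key] = value
    record["ts"] = ts
    return record


def review_log(text: str):
    """Return (findings, updates_per_user).

    findings is a list of (timestamp, user, reason) tuples, one per control
    violated by a record; updates_per_user counts sensitive actions per user so
    the reviewer can spot unusual volumes (2.2) even when each action passes.
    """
    findings = []
    updates_per_user = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        user, role, action = rec["user"], rec["role"], rec["action"]
        if role in PROHIBITED_ROLES:
            findings.append((rec["ts"], user, f"access by prohibited role {role}"))
        if action in SENSITIVE_ACTIONS:
            updates_per_user[user] += 1
            if user not in UPDATE_AUTHORIZED:
                findings.append((rec["ts"], user,
                                 "update by user outside primary/backup systems programmers"))
            if rec.get("cr", "-") == "-":
                findings.append((rec["ts"], user,
                                 f"{action} of {rec['object']} not tied to a change request"))
    return findings, updates_per_user


if __name__ == "__main__":
    findings, counts = review_log(SAMPLE_LOG)
    for ts, user, reason in findings:
        print(f"{ts} {user:8} {reason}")
    print("sensitive actions per user:", dict(counts))
```

Each finding maps back to the control question it violates, which is the evidence the reviewer documents under 2.2.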
System Software Change Control
3.1 System Software changes are authorized, tested, and approved before implementation.
Control Technique: Do up-to-date policies and procedures exist for identifying, selecting, installing, and modifying system software? Do procedures include an analysis of risks, costs and benefits, and consideration of the impact on processing reliability and security?
Compliance Procedures: Review pertinent policies and procedures. Interview management and systems personnel.
Control Technique: Do procedures exist for identifying and documenting system software problems? Do procedures include using a log to record the problem, the individual assigned to analyze the problem, and how the problem was resolved?
Compliance Procedures: Review procedures for identifying and documenting system software problems. Interview management and systems programmers. Review the causes and frequency of any recurring system software problems, as recorded in the problem log, and ascertain if the change control process should have prevented these problems.
Control Technique: Do new system software versions or products, and modifications to existing system software, receive proper authorization? Are they supported by a change request document?
Compliance Procedures: Determine what authorizations and documentation are required prior to initiating system software changes. Select recent system software changes and determine whether the authorization was obtained and the change is supported by a change request document.
Control Technique: Are new system software versions or products, and modifications to existing system software, tested? Are the test results approved before implementation? Do procedures include:
n a written standard that guides the testing, which is conducted in a test rather than production environment;
n specification of the optional security related features to be turned on, when appropriate;
n review of test results by technically qualified staff, who document their opinion whether the system software is ready for production use; and
n review of test results and documented opinions by data center management prior to granting approval to move the system software into production use?
Compliance Procedures: Determine the procedures used to test and approve system software prior to its implementation. Select recent system software changes and test whether the indicated procedures were in fact used.
Control Technique: Do procedures exist for controlling emergency changes? Do procedures include:
n authorizing and documenting emergency changes as they occur;
n reporting the change for management review; and
n review by an independent IS supervisor of the change?
Compliance Procedures: Review procedures used to control and approve emergency changes. Select some emergency changes to system software and test whether the indicated procedures were in fact used.
3.2 Installation of system software is documented and reviewed.
Control Technique: Is installation of system software scheduled to minimize the impact on data processing, and is advance notice given to system users?
Compliance Procedures: Interview management and systems programmers about scheduling and giving advance notices when system software is installed. Review recent installations and determine whether scheduling and advance notification did occur. Determine whether better scheduling and notification of installations appears warranted to reduce impact on data processing operations.
Control Technique: Does an independent library control group perform migration of tested and approved system software to production use?
Compliance Procedures: Interview management, systems programmers, and library control personnel, and determine who is responsible for the migration of approved system software to production libraries, and whether outdated versions are removed from production libraries.
Control Technique: Are outdated versions of system software removed from production libraries?
Compliance Procedures: Review supporting documentation for some system software migrations, and the removal of outdated versions from production libraries.
Control Technique: Is installation of all system software logged to establish an audit trail and reviewed by data center management?
Compliance Procedures: Interview data center management about their role in reviewing system software installations. Review some recent system software installations and determine whether documentation shows that logging and management review occurred.
Control Technique: Is vendor supplied system software still supported by the vendor?
Compliance Procedures: Interview system software personnel concerning a selection of system software and determine the extent to which the operating version of the system software is currently supported by the vendor.
Control Technique: Is all system software current?
Compliance Procedures: Interview management and systems programmers about the currency of system software and the currency and completeness of its documentation.
Control Technique: Does current and complete documentation exist?
Compliance Procedures: Review documentation and test whether recent changes are incorporated.
Control Technique: Is a configuration baseline used as a checkpoint to return to after changes?
Compliance Procedures: Review configuration baseline.
3.3 System Software maintenance is performed in accordance with system software change control procedures.
Control Technique: Do procedures exist for maintaining system software? Do procedures define the steps for making system software changes that result from maintenance activities?
Compliance Procedures: Review procedures for maintaining system software. Interview management and systems personnel.
Control Technique: Are third-party maintenance agreements in place? Do third-party maintenance agreements validate, protect, and maintain the software product’s integrity rights while performing changes in accordance with system software change procedures?
Compliance Procedures: Review third-party maintenance agreements.
Appendix G:
WHITE PAPER
The Clinton Administration’s Policy on Critical Infrastructure Protection:
Presidential Decision Directive 63
May 22, 1998
This White Paper explains key elements of the Clinton Administration’s policy on critical
infrastructure protection. It is intended for dissemination to all interested parties in both the
private and public sectors. It will also be used in U.S. Government professional education
institutions, such as the National Defense University and the National Foreign Affairs Training
Center, for coursework and exercises on interagency practices and procedures. Wide
dissemination of this unclassified White Paper is encouraged by all agencies of the U.S.
Government.
I. A Growing Potential Vulnerability
The United States possesses both the world’s strongest military and its largest national economy.
Those two aspects of our power are mutually reinforcing and dependent. They are also increasingly
reliant upon certain critical infrastructures and upon cyber-based information systems.
Critical infrastructures are those physical and cyber-based systems essential to the minimum
operations of the economy and government. They include, but are not limited to,
telecommunications, energy, banking and finance, transportation, water systems and emergency
services, both governmental and private. Many of the nation’s critical infrastructures have
historically been physically and logically separate systems that had little interdependence. As a result
of advances in information technology and the necessity of improved efficiency, however, these
infrastructures have become increasingly automated and interlinked. These same advances have
created new vulnerabilities to equipment failures, human error, weather and other natural causes,
and physical and cyber attacks. Addressing these vulnerabilities will necessarily require flexible,
evolutionary approaches that span both the public and private sectors, and protect both domestic
and international security.
Because of our military strength, future enemies, whether nations, groups or individuals, may seek
to harm us in non-traditional ways including attacks within the United States. Our economy is
increasingly reliant upon interdependent and cyber-supported infrastructures and non-traditional
attacks on our infrastructure and information systems may be capable of significantly harming both
our military power and our economy.
II. President’s Intent
It has long been the policy of the United States to assure the continuity and viability of critical
infrastructures. President Clinton intends that the United States will take all necessary measures to
swiftly eliminate any significant vulnerability to both physical and cyber attacks on our critical
infrastructures, including especially our cyber systems.
III. A National Goal
No later than the year 2000, the United States shall have achieved an initial operating capability and
no later than five years from the day the President signed Presidential Decision Directive 63 the
United States shall have achieved and shall maintain the ability to protect our nation’s critical
infrastructures from intentional acts that would significantly diminish the abilities of:
n the Federal Government to perform essential national security missions and to ensure the
general public health and safety;
n state and local governments to maintain order and to deliver minimum essential public
services;
n the private sector to ensure the orderly functioning of the economy and the delivery of
essential telecommunications, energy, financial and transportation services.
Any interruptions or manipulations of these critical functions must be brief, infrequent,
manageable, geographically isolated and minimally detrimental to the welfare of the United States.
IV. A Public-Private Partnership to Reduce Vulnerability
Since the targets of attacks on our critical infrastructure would likely include both facilities in the
economy and those in the government, the elimination of our potential vulnerability requires a
closely coordinated effort of both the public and the private sector. To succeed, this partnership
must be genuine, mutual and cooperative. In seeking to meet our national goal to eliminate the
vulnerabilities of our critical infrastructure, therefore, the U.S. government should, to the extent
feasible, seek to avoid outcomes that increase government regulation or expand unfunded
government mandates to the private sector.
For each of the major sectors of our economy that are vulnerable to infrastructure attack, the
Federal Government will appoint from a designated Lead Agency a senior officer of that agency as
the Sector Liaison Official to work with the private sector. Sector Liaison Officials, after
discussions and coordination with private sector entities of their infrastructure sector, will identify a
private sector counterpart (Sector Coordinator) to represent their sector.
Together these two individuals and the departments and corporations they represent shall
contribute to a sectoral National Infrastructure Assurance Plan by:
n assessing the vulnerabilities of the sector to cyber or physical attacks;
n recommending a plan to eliminate significant vulnerabilities;
n proposing a system for identifying and preventing attempted major attacks;
n developing a plan for alerting, containing and rebuffing an attack in progress and then, in
coordination with FEMA as appropriate, rapidly reconstituting minimum essential
capabilities in the aftermath of an attack.
During the preparation of the sectoral plans, the National Coordinator (see section VI), in
conjunction with the Lead Agency Sector Liaison Officials and a representative from the National
Economic Council, shall ensure their overall coordination and the integration of the various
sectoral plans, with a particular focus on interdependencies.
V. Guidelines
In addressing this potential vulnerability and the means of eliminating it, President Clinton wants
those involved to be mindful of the following general principles and concerns.
• We shall consult with, and seek input from, the Congress on approaches and programs to
meet the objectives set forth in this directive.
• The protection of our critical infrastructures is necessarily a shared responsibility and
partnership between owners, operators and the government. Furthermore, the Federal
Government shall encourage international cooperation to help manage this increasingly
global problem.
• Frequent assessments shall be made of our critical infrastructures’ existing reliability,
vulnerability and threat environment because, as technology and the nature of the threats to
our critical infrastructures will continue to change rapidly, so must our protective measures
and responses be robustly adaptive.
• The incentives that the market provides are the first choice for addressing the problem of
critical infrastructure protection; regulation will be used only in the face of a material failure
of the market to protect the health, safety or well-being of the American people. In such
cases, agencies shall identify and assess available alternatives to direct regulation, including
providing economic incentives to encourage the desired behavior, or providing information
upon which choices can be made by the private sector. These incentives, along with other
actions, shall be designed to help harness the latest technologies, bring about global
solutions to international problems, and enable private sector owners and operators to
achieve and maintain the maximum feasible security.
• The full authorities, capabilities and resources of the government, including law
enforcement, regulation, foreign intelligence and defense preparedness shall be available, as
appropriate, to ensure that critical infrastructure protection is achieved and maintained.
• Care must be taken to respect privacy rights. Consumers and operators must have
confidence that information will be handled accurately, confidentially and reliably.
• The Federal Government shall, through its research, development and procurement,
encourage the introduction of increasingly capable methods of infrastructure protection.
• The Federal Government shall serve as a model to the private sector on how infrastructure
assurance is best achieved and shall, to the extent feasible, distribute the results of its
endeavors.
• We must focus on preventative measures as well as threat and crisis management. To that
end, private sector owners and operators should be encouraged to provide maximum
feasible security for the infrastructures they control and to provide the government
necessary information to assist them in that task. In order to engage the private sector fully,
it is preferred that participation by owners and operators in a national infrastructure
protection system be voluntary.
• Close cooperation and coordination with state and local governments and first responders is
essential for a robust and flexible infrastructure protection program. All critical
infrastructure protection plans and actions shall take into consideration the needs, activities
and responsibilities of state and local governments and first responders.
VI. Structure and Organization
The Federal Government will be organized for the purposes of this endeavor around four
components (elaborated in Annex A).
1. Lead Agencies for Sector Liaison: For each infrastructure sector that could be a target for
significant cyber or physical attacks, there will be a single U.S. Government department
which will serve as the lead agency for liaison. Each Lead Agency will designate one
individual of Assistant Secretary rank or higher to be the Sector Liaison Official for that area
and to cooperate with the private sector representatives (Sector Coordinators) in addressing
problems related to critical infrastructure protection and, in particular, in recommending
components of the National Infrastructure Assurance Plan. Together, the Lead Agency and
the private sector counterparts will develop and implement a Vulnerability Awareness and
Education Program for their sector.
2. Lead Agencies for Special Functions: There are, in addition, certain functions related to
critical infrastructure protection that must be chiefly performed by the Federal Government
(national defense, foreign affairs, intelligence, law enforcement). For each of those special
functions, there shall be a Lead Agency which will be responsible for coordinating all of the
activities of the United States Government in that area. Each lead agency will appoint a
senior officer of Assistant Secretary rank or higher to serve as the Functional Coordinator for
that function for the Federal Government.
3. Interagency Coordination: The Sector Liaison Officials and Functional Coordinators of the
Lead Agencies, as well as representatives from other relevant departments and agencies,
including the National Economic Council, will meet to coordinate the implementation of this
directive under the auspices of a Critical Infrastructure Coordination Group (CICG), chaired
by the National Coordinator for Security, Infrastructure Protection and Counter-Terrorism.
The National Coordinator will be appointed by and report to the President through the
Assistant to the President for National Security Affairs, who shall assure appropriate
coordination with the Assistant to the President for Economic Affairs. Agency
representatives to the CICG should be at a senior policy level (Assistant Secretary or higher).
Where appropriate, the CICG will be assisted by extant policy structures, such as the Security
Policy Board, Security Policy Forum and the National Security and Telecommunications and
Information System Security Committee.
4. National Infrastructure Assurance Council: On the recommendation of the Lead Agencies,
the National Economic Council and the National Coordinator, the President will appoint a
panel of major infrastructure providers and state and local government officials to serve as
the National Infrastructure Assurance Council. The President will appoint the Chairman.
The National Coordinator will serve as the Council’s Executive Director. The National
Infrastructure Assurance Council will meet periodically to enhance the partnership of the
public and private sectors in protecting our critical infrastructures and will provide reports to
the President as appropriate. Senior Federal Government officials will participate in the
meetings of the National Infrastructure Assurance Council as appropriate.
VII. Protecting Federal Government Critical Infrastructures
Every department and agency of the Federal Government shall be responsible for protecting its
own critical infrastructure, especially its cyber-based systems. Every department and agency Chief
Information Officer (CIO) shall be responsible for information assurance. Every department and
agency shall appoint a Chief Infrastructure Assurance Officer (CIAO) who shall be responsible for
the protection of all of the other aspects of that department’s critical infrastructure. The CIO may
be double-hatted as the CIAO at the discretion of the individual department. These officials shall
establish procedures for obtaining expedient and valid authorizations to allow vulnerability
assessments to be performed on government computer and physical systems. The Department of
Justice shall establish legal guidelines for providing for such authorizations.
No later than 180 days from issuance of this directive, every department and agency shall develop a
plan for protecting its own critical infrastructure, including but not limited to its cyber-based
systems. The National Coordinator shall be responsible for coordinating analyses required by the
departments and agencies of inter-governmental dependencies and the mitigation of those
dependencies. The Critical Infrastructure Coordination Group (CICG) shall sponsor an expert
review process for those plans. No later than two years from today, those plans shall have been
implemented and shall be updated every two years. In meeting this schedule, the Federal
Government shall present a model to the private sector on how best to protect critical
infrastructure.
VIII. Tasks
Within 180 days, the Principals Committee should submit to the President a schedule for
completion of a National Infrastructure Assurance Plan with milestones for accomplishing the
following subordinate and related tasks.
1. Vulnerability Analyses: For each sector of the economy and each sector of the government
that might be a target of infrastructure attack intended to significantly damage the United
States, there shall be an initial vulnerability assessment, followed by periodic updates. As
appropriate, these assessments shall also include the determination of the minimum essential
infrastructure in each sector.
2. Remedial Plan: Based upon the vulnerability assessment, there shall be a recommended
remedial plan. The plan shall identify timelines for implementation, responsibilities and
funding.
3. Warning: A national center to warn of significant infrastructure attacks will be established
immediately (see Annex A). As soon thereafter as possible, we will put in place an enhanced
system for detecting and analyzing such attacks, with maximum possible participation of the
private sector.
4. Response: A system for responding to a significant infrastructure attack while it is underway,
with the goal of isolating and minimizing damage.
5. Reconstitution: For varying levels of successful infrastructure attacks, we shall have a system
to reconstitute minimum required capabilities rapidly.
6. Education and Awareness: There shall be Vulnerability Awareness and Education Programs
within both the government and the private sector to sensitize people regarding the
importance of security and to train them in security standards, particularly regarding cyber
systems.
7. Research and Development: Federally-sponsored research and development in support of
infrastructure protection shall be coordinated, be subject to multi-year planning, take into
account private sector research, and be adequately funded to minimize our vulnerabilities on a
rapid but achievable timetable.
8. Intelligence: The Intelligence Community shall develop and implement a plan for enhancing
collection and analysis of the foreign threat to our national infrastructure, to include but not
be limited to the foreign cyber/information warfare threat.
9. International Cooperation: There shall be a plan to expand cooperation on critical
infrastructure protection with like-minded and friendly nations, international organizations
and multinational corporations.
10. Legislative and Budgetary Requirements: There shall be an evaluation of the executive
branch’s legislative authorities and budgetary priorities regarding critical infrastructure, and
ameliorative recommendations shall be made to the President as necessary. The evaluations
and recommendations, if any, shall be coordinated with the Director of OMB.
The CICG shall also review and schedule the taskings listed in Annex B.
IX. Implementation
In addition to the 180-day report, the National Coordinator, working with the National Economic
Council, shall provide an annual report on the implementation of this directive to the President and
the heads of departments and agencies, through the Assistant to the President for National Security
Affairs. The report should include an updated threat assessment, a status report on achieving the
milestones identified for the National Plan and additional policy, legislative and budgetary
recommendations. The evaluations and recommendations, if any, shall be coordinated with the
Director of OMB. In addition, following the establishment of an initial operating capability in the
year 2000, the National Coordinator shall conduct a zero-based review.
Annex A: Structure and Organization
Lead Agencies: Clear accountability within the U.S. Government must be designated for specific
sectors and functions. The following assignments of responsibility will apply.
Lead Agencies for Sector Liaison:
Commerce          Information and communications
Treasury          Banking and finance
EPA               Water supply
Transportation    Aviation; highways (including trucking and intelligent transportation
                  systems); mass transit; pipelines; rail; waterborne commerce
Justice/FBI       Emergency law enforcement services
FEMA              Emergency fire service; continuity of government services
HHS               Public health services, including prevention, surveillance, laboratory
                  services and personal health services
Energy            Electric power; oil and gas production and storage
Lead Agencies for Special Functions:
Justice/FBI       Law enforcement and internal security
CIA               Foreign intelligence
State             Foreign affairs
Defense           National defense
In addition, OSTP shall be responsible for coordinating research and development agendas and
programs for the government through the National Science and Technology Council.
Furthermore, while Commerce is the lead agency for information and communication, the
Department of Defense will retain its Executive Agent responsibilities for the National
Communications System and support of the President’s National Security Telecommunications
Advisory Committee.
National Coordinator: The National Coordinator for Security, Infrastructure Protection and
Counter-Terrorism shall be responsible for coordinating the implementation of this directive. The
National Coordinator will report to the President through the Assistant to the President for
National Security Affairs. The National Coordinator will also participate as a full member of
Deputies or Principals Committee meetings when they meet to consider infrastructure issues.
Although the National Coordinator will not direct Departments and Agencies, he or she will ensure
interagency coordination for policy development and implementation, and will review crisis
activities concerning infrastructure events with significant foreign involvement. The National
Coordinator will provide advice, in the context of the established annual budget process, regarding
agency budgets for critical infrastructure protection. The National Coordinator will chair the
Critical Infrastructure Coordination Group (CICG), reporting to the Deputies Committee (or, at
the call of its chair, the Principals Committee). The Sector Liaison Officials and Special Function
Coordinators shall attend the CICG’s meetings. Departments and agencies shall each appoint to
the CICG a senior official (Assistant Secretary level or higher) who will regularly attend its meetings.
The National Security Advisor shall appoint a Senior Director for Infrastructure Protection on the
NSC staff.
A National Plan coordination (the Critical Infrastructure Assurance Office -- CIAO) staff will be
contributed on a non-reimbursable basis by the departments and agencies, consistent with law. The
CIAO staff will integrate the various sector plans into a National Infrastructure Assurance Plan and
coordinate analyses of the U.S. Government’s own dependencies on critical infrastructures. The
CIAO staff will also help coordinate a national education and awareness program, and legislative
and public affairs.
The Defense Department shall continue to serve as Executive Agent for the Commission
Transition Office, which will form the basis of the CIAO, during the remainder of FY98.
Beginning in FY99, the CIAO shall be an office of the Commerce Department. The Office of
Personnel Management shall provide the necessary assistance in facilitating the CIAO’s operations.
The CIAO will terminate at the end of FY01, unless extended by Presidential directive.
Warning and Information Centers
As part of a national warning and information sharing system, the President immediately authorizes
the FBI to expand its current organization to a full scale National Infrastructure Protection Center
(NIPC). This organization shall serve as a national critical infrastructure threat assessment, warning,
vulnerability, and law enforcement investigation and response entity. During the initial period of six
to twelve months, the President also directs the National Coordinator and the Sector Liaison
Officials, working together with the Sector Coordinators, the Special Function Coordinators and
representatives from the National Economic Council, as appropriate, to consult with owners and
operators of the critical infrastructures to encourage the creation of a private sector sharing and
analysis center, as described below.
National Infrastructure Protection Center (NIPC): The NIPC will include FBI, USSS, and other
investigators experienced in computer crimes and infrastructure protection, as well as
representatives detailed from the Department of Defense, the Intelligence Community and Lead
Agencies. It will be linked electronically to the rest of the Federal Government, including other
warning and operations centers, as well as any private sector sharing and analysis centers. Its
mission will include providing timely warnings of intentional threats, comprehensive analyses and
law enforcement investigation and response.
All executive departments and agencies shall cooperate with the NIPC and provide such assistance,
information and advice that the NIPC may request, to the extent permitted by law. All executive
departments shall also share with the NIPC information about threats and warning of attacks and
about actual attacks on critical government and private sector infrastructures, to the extent
permitted by law. The NIPC will include elements responsible for warning, analysis, computer
investigation, coordinating emergency response, training, outreach and development and application
of technical tools. In addition, it will establish its own relations directly with others in the private
sector and with any information sharing and analysis entity that the private sector may create, such
as the Information Sharing and Analysis Center described below.
The NIPC, in conjunction with the information originating agency, will sanitize law enforcement
and intelligence information for inclusion into analyses and reports that it will provide, in
appropriate form, to relevant federal, state and local agencies; the relevant owners and operators of
critical infrastructures; and to any private sector information sharing and analysis entity. Before
disseminating national security or other information that originated from the intelligence
community, the NIPC will coordinate fully with the intelligence community through existing
procedures. Whether as sanitized or unsanitized reports, the NIPC will issue attack warnings or
alerts to increases in threat condition to any private sector information sharing and analysis entity
and to the owners and operators. These warnings may also include guidance regarding additional
protection measures to be taken by owners and operators. Except in extreme emergencies, the
NIPC shall coordinate with the National Coordinator before issuing public warnings of imminent
attacks by international terrorists, foreign states or other malevolent foreign powers.
The NIPC will provide a national focal point for gathering information on threats to the
infrastructures. Additionally, the NIPC will provide the principal means of facilitating and
coordinating the Federal Government’s response to an incident, mitigating attacks, investigating
threats and monitoring reconstitution efforts. Depending on the nature and level of a foreign
threat/attack, protocols established between special function agencies (DOJ/DOD/CIA), and the
ultimate decision of the President, the NIPC may be placed in a direct support role to either DOD
or the Intelligence Community.
Information Sharing and Analysis Center (ISAC): The National Coordinator, working with Sector
Coordinators, Sector Liaison Officials and the National Economic Council, shall consult with
owners and operators of the critical infrastructures to strongly encourage the creation of a private
sector information sharing and analysis center. The actual design and functions of the center and
its relation to the NIPC will be determined by the private sector, in consultation with and with
assistance from the Federal Government. Within 180 days of this directive, the National
Coordinator, with the assistance of the CICG including the National Economic Council, shall
identify possible methods of providing federal assistance to facilitate the startup of an ISAC.
Such a center could serve as the mechanism for gathering, analyzing, appropriately sanitizing and
disseminating private sector information to both industry and the NIPC. The center could also
gather, analyze and disseminate information from the NIPC for further distribution to the private
sector. While crucial to a successful government-industry partnership, this mechanism for sharing
important information about vulnerabilities, threats, intrusions and anomalies is not to interfere
with direct information exchanges between companies and the government.
As ultimately designed by private sector representatives, the ISAC may emulate particular aspects of
such institutions as the Centers for Disease Control and Prevention that have proved highly
effective, particularly its extensive interchanges with the private and non-federal sectors. Under
such a model, the ISAC would possess a large degree of technical focus and expertise and
non-regulatory and non-law enforcement missions. It would establish baseline statistics and patterns on
the various infrastructures, become a clearinghouse for information within and among the various
sectors, and provide a library for historical data to be used by the private sector and, as deemed
appropriate by the ISAC, by the government. Critical to the success of such an institution would
be its timeliness, accessibility, coordination, flexibility, utility and acceptability.
Annex B: Additional Taskings
Studies
The National Coordinator shall commission studies on the following subjects:
• Liability issues arising from participation by private sector companies in the information
sharing process.
• Existing legal impediments to information sharing, with an eye to proposals to remove
these impediments, including through the drafting of model codes in cooperation with the
American Legal Institute.
• The necessity of document and information classification and the impact of such
classification on useful dissemination, as well as the methods and information systems by
which threat and vulnerability information can be shared securely while avoiding disclosure
or unacceptable risk of disclosure to those who will misuse it.
• The improved protection, including secure dissemination and information handling systems,
of industry trade secrets and other confidential business data, law enforcement information
and evidentiary material, classified national security information, unclassified material
disclosing vulnerabilities of privately owned infrastructures and apparently innocuous
information that, in the aggregate, it is unwise to disclose.
• The implications of sharing information with foreign entities where such sharing is deemed
necessary to the security of United States infrastructures.
• The potential benefit to security standards of mandating, subsidizing, or otherwise assisting
in the provision of insurance for selected critical infrastructure providers and requiring
insurance tie-ins for foreign critical infrastructure providers hoping to do business with the
United States.
Public Outreach
In order to foster a climate of enhanced public sensitivity to the problem of infrastructure
protection, the following actions shall be taken:
• The White House, under the oversight of the National Coordinator, together with the
relevant Cabinet agencies shall consider a series of conferences: (1) that will bring together
national leaders in the public and private sectors to propose programs to increase the
commitment to information security; (2) that convoke academic leaders from engineering,
computer science, business and law schools to review the status of education in information
security and will identify changes in the curricula and resources necessary to meet the
national demand for professionals in this field; (3) on the issues around computer ethics as
these relate to the K through 12 and general university populations.
• The National Academy of Sciences and the National Academy of Engineering shall consider
a round table bringing together federal, state and local officials with industry and academic
leaders to develop national strategies for enhancing infrastructure security.
• The intelligence community and law enforcement shall expand existing programs for
briefing infrastructure owners and operators and senior government officials.
• The National Coordinator shall (1) establish a program for infrastructure assurance
simulations involving senior public and private officials, the reports of which might be
distributed as part of an awareness campaign; and (2) in coordination with the private
sector, launch a continuing national awareness campaign, emphasizing improving
infrastructure security.
Internal Federal Government Actions
In order for the Federal Government to improve its infrastructure security, these immediate steps
shall be taken:
• The Department of Commerce, the General Services Administration, and the Department
of Defense shall assist federal agencies in the implementation of best practices for
information assurance within their individual agencies.
• The National Coordinator shall coordinate a review of existing federal, state and local
bodies charged with information assurance tasks, and provide recommendations on how
these institutions can cooperate most effectively.
• All federal agencies shall make clear designations regarding who may authorize access to
their computer systems.
• The Intelligence Community shall elevate and formalize the priority for enhanced collection
and analysis of information on the foreign cyber/information warfare threat to our critical
infrastructure.
• The Federal Bureau of Investigation, the Secret Service and other appropriate agencies shall:
(1) vigorously recruit undergraduate and graduate students with the relevant
computer-related technical skills for full-time employment as well as for part-time work with regional
computer crime squads; and (2) facilitate the hiring and retention of qualified personnel for
technical analysis and investigation involving cyber attacks.
• The Department of Transportation, in consultation with the Department of Defense, shall
undertake a thorough evaluation of the vulnerability of the national transportation
infrastructure that relies on the Global Positioning System. This evaluation shall include
sponsoring an independent, integrated assessment of risks to civilian users of GPS-based
systems, with a view to basing decisions on the ultimate architecture of the modernized
NAS on these evaluations.
• The Federal Aviation Administration shall develop and implement a comprehensive
National Airspace System Security Program to protect the modernized NAS from
information-based and other disruptions and attacks.
• GSA shall identify large procurements (such as the new Federal Telecommunications
System, FTS 2000) related to infrastructure assurance, study whether the procurement
process reflects the importance of infrastructure protection and propose, if necessary,
revisions to the overall procurement process to do so.
• OMB shall direct federal agencies to include assigned infrastructure assurance functions
within their Government Performance and Results Act strategic planning and performance
measurement framework.
• The NSA, in accordance with its National Manager responsibilities in NSD-42, shall provide
assessments encompassing examinations of U.S. Government systems to interception and
exploitation; disseminate threat and vulnerability information; establish standards; conduct
research and development; and conduct issue security product evaluations.
Assisting the Private Sector
In order to assist the private sector in achieving and maintaining infrastructure security:
• The National Coordinator and the National Infrastructure Assurance Council shall propose
and develop ways to encourage private industry to perform periodic risk assessments of
critical processes, including information and telecommunications systems.
• The Department of Commerce and the Department of Defense shall work together, in
coordination with the private sector, to offer their expertise to private owners and operators
of critical infrastructure to develop security-related best practice standards.
• The Department of Justice and Department of the Treasury shall sponsor a comprehensive
study compiling demographics of computer crime, comparing state approaches to computer
crime and developing ways of deterring and responding to computer crime by juveniles.
Produced by:
KPMG Peat Marwick LLP
2001 M Street, N.W.
Washington, D.C. 20036-3389
Telephone: 202-530-6441