Nationwide Cyber Security Review (NCSR) Assessment

Attachment 2_NCSR Questions_Feb 10 2011v3

OMB: 1670-0025

OMB Control No. 1670-NEW
Expiration Date: XX/XX/XXXX

Draft Nationwide Cyber Security Review Question Set
The Nationwide Cyber Security Review (NCSR) is a VOLUNTARY survey.

Paperwork Reduction Act
The public reporting burden to complete this information collection is estimated at two (2) hours or less per respondent, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the assessment questions. An agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid OMB control number and expiration date. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to DHS/National Protection and Programs Directorate, Michael Leking, 703-235-3030, [email protected], ATTN: PRA [OMB Control Number: 1670-NEW].

Privacy Act Statement
Authority: Title XVIII of the Homeland Security Act of 2002, 6 U.S.C. § 101 et seq., and the Implementing Recommendations of the 9/11 Commission Act of 2007 (6 U.S.C. § 579(m)) authorize the collection of this information.
Purpose: The primary purpose of this assessment is to examine relationships, interactions, and processes governing IT management and the ability to effectively manage operational risk within States and Large Urban Areas.
Routine Uses: The information collected may be disclosed as generally permitted under 5 U.S.C. § 552a(b) of the Privacy Act of 1974, as amended. This includes using the information as necessary and authorized by the routine uses published in DHS/All-003 Department of Homeland Security General Training Records (November 25, 2008, 73 FR 228).

This report was prepared for the United States Department of Homeland Security
SEI Administrative Agent
ESC/XPK
5 Eglin Street
Hanscom AFB, MA 01731-2100
The ideas and findings in this report should not be construed as an official U.S. Government or U.S. Agency (including, but not limited to DoD or DHS) position. It is published in the interest of scientific and technical information
exchange.
This work is sponsored by the U.S. Department of Homeland Security. The Software Engineering Institute is a federally funded research and development center sponsored by the U.S. Department of Defense.
Copyright 2011 Carnegie Mellon University.
NO WARRANTY
THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY
KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED
FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT
INFRINGEMENT.
Use of any trademarks in this report is not intended in any way to infringe on the rights of the trademark holder.
Internal use. Permission to reproduce this document and to prepare derivative works from this document for internal use is granted, provided the copyright and “No Warranty” statements are included with all reproductions and derivative
works.
External use. This document may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other external and/or
commercial use. Requests for permission should be directed to the Software Engineering Institute at [email protected].
This work was created with the funding and support of the U.S. Department of Homeland Security under the Federal Government Contract Number FA8721-05-C-0003 between the U.S. Department of Defense and Carnegie Mellon
University for the operation of the Software Engineering Institute, a federally funded research and development center. The Government of the United States has a royalty-free government-purpose license to use, duplicate, or disclose the
work, in whole or in part and in any manner, and to have or permit others to do so, for government purposes pursuant to the copyright license under the clause at 252.227-7013. Any reproduction of this material or portions thereof marked
with this legend must also reproduce the disclaimers contained on this page.

Columns of the question set: Process Area | Question | Range of potential answers for the Respondent to select.

Process Area | Compass Question | Answer 1 | Answer 2 | Answer 3 | Answer 4 | Answer 5 | Answer 6
Wednesday, March 09, 2011 11:36:31 AM

ADM
Question: Does your organization identify and document information about the people who are vital to the continued operation of high-value services, including those it does not directly employ?
Answers:
  No
  People who are vital to high-value services are identified informally, but their roles or functions in support of those services are not documented
  An asset management database or other repository identifies and describes the roles of internal employees who are vital to high-value services, but not contracted or other external staff
  Yes, a repository identifies all vital staff and describes their roles in support of high-value services

ADM
Question: Does your organization identify and inventory the information, technology, and facility assets that directly support the continued operation of high-value services?
Answers:
  No
  Some leased or owned assets are inventoried
  All leased or owned assets are inventoried
  Most or all information, technology, and facility assets are inventoried, but they are not tracked by which services they support
  Yes, all information, technology, and facility assets that directly support high-value services are inventoried, including those that are not directly controlled

ADM
Question: In your inventory of high-value assets (people, information, technology, and facilities), is there a standard or template that helps ensure consistency among asset descriptions?
Answers:
  No, or no such inventory exists
  For one or two asset types only
  Yes, descriptions of like or similar assets are consistent
  Yes, descriptions are consistent and are communicated to those who need to know

ADM
Question: Are both owners and custodians of high-value assets identified and documented in asset descriptions in the asset inventory?
Answers:
  No, or no such asset descriptions exist
  Owners of assets, but not custodians
  Yes, both owners and custodians

ADM
Question: If an asset supports more than one high-value service, are dependencies and potential conflicts identified, and are they analyzed as to how they might affect the operational resilience of the associated services?
Answers:
  No
  Dependencies and potential conflicts are identified as risks but are not further analyzed
  Yes, dependencies and potential conflicts are identified and analyzed
  Yes, and mitigation plans are developed and implemented to reduce the effects of conflicts or, if possible, to reduce or eliminate the conflicts themselves

Page 1 of 26

ADM
Question: Has your organization established a set of criteria for changes in assets or their associations with services that trigger required updates of the asset inventory, including updates of related resilience requirements?
Answers:
  No, or no inventory exists
  Yes, for some assets
  Yes, for all assets
  Yes, for all assets, and the criteria are related to the organization’s resilience requirements
  Yes, using a change control process, and custodians are notified of changes that affect them
  Yes, using a change control process, and the impact of asset changes on existing resilience requirements and activities is evaluated

ADM
Question: Do you update asset descriptions and other relevant documents (such as protection strategies and continuity plans) whenever changes are made to high-value assets?
Answers:
  No
  Asset descriptions for most assets are updated, but not other documents
  Yes, asset descriptions and other relevant documents are updated
  Yes, using a change control process that includes keeping a change history that shows the rationale for performing changes

ADM
Question: Does your organization document the associations between assets and the high-value services they support?
Answers:
  No, or high-value services have not been identified
  Such associations are generally known within organizational units but are not documented
  Yes, for some asset types or in some organizational units
  Yes, all high-value asset-service associations are identified and documented

COMP
Question: Have guidelines and standards for satisfying compliance obligations been established and communicated?
Answers:
  No
  They are established and communicated at the individual organizational unit or line of business level but are not coordinated across the organization
  Yes, they are established and communicated as part of the enterprise-level compliance program

COMP
Question: Is the organization’s compliance process monitored, evaluated, and improved?
Answers:
  No
  Through self-assessment, with limited follow-through for improvement
  Through self-assessment, with extensive follow-through for improvement
  Through independent evaluation, with extensive follow-through for improvement

COMP
Question: Does your organization develop, implement, and track plans to address areas in which remediation is needed to satisfy compliance obligations?
Answers:
  Areas needing remediation are not consistently identified
  Areas needing remediation are identified, but there is no formal process to address them
  Yes, remediation plans are developed, implemented, and tracked to completion

COMP
Question: Does your organization track progress against schedules for compliance obligations and identify obligations that may not be met?
Answers:
  No
  Yes, for all external governmental, regulatory, and industry compliance obligations
  Yes, for both external obligations and internal standards and policies where applicable

COMP
Question: Has your organization implemented processes for data validation and integrity checking to ensure that compliance data is accurate, complete, and timely?
Answers:
  No
  For very few compliance obligations (<10%)
  For some compliance obligations (10%–50%)
  For many compliance obligations (>50% but <100%)
  Yes, for all compliance obligations

COMP
Question: Does your organization have documented strategies for the collection of compliance data?
Answers:
  No
  No, but there are established procedures for data collection
  Yes, there are documented strategies for ensuring that all data needed to satisfy obligations is collected
  Yes, and the strategies address issues related to the data collection, storage, and retrieval infrastructure

COMP
Question: Are specific compliance obligations assigned to specific owners?
Answers:
  No
  Very few (<10%)
  Some (10%–50%)
  Many (>50% but <100%)
  Yes (100%)

COMP
Question: Are compliance obligations identified and documented?
Answers:
  No
  There is an informal inventory of compliance obligations
  There is a formal, documented inventory for at least one type of obligation (e.g., human resources directives)
  Yes, formally documented for numerous types of obligations

COMP
Question: Does your organization have a compliance program to carry out the activities and practices of the compliance strategic plan?
Answers:
  No, or there is no compliance plan
  Compliance activities are conducted at the individual organizational unit or line of business level but are not coordinated across the organization
  Yes
  Yes, and sponsorship and oversight of the compliance program are provided

COMP
Question: Does your organization develop a plan for managing compliance obligations as part of its strategic planning process?
Answers:
  No
  Plans, resources, and sponsorship are developed at the organizational unit or line of business level but are not coordinated across the organization
  Yes, a plan is developed at the enterprise level, and commitments are obtained
  Yes, and the plan and commitments are revised on a cycle aligned with the organization’s strategic planning process

COMP
Question: Are compliance obligations analyzed and organized to facilitate satisfaction?
Answers:
  No
  Some compliance obligations or types of obligations
  Yes, most compliance obligations
  Yes, and any conflicting obligations are identified and documented

CTRL
Question: Has your organization done a baseline analysis of existing controls against control objectives to identify gaps where control objectives are not adequately satisfied?
Answers:
  No, or control objectives are not defined
  For some control objectives, if a problem is evident
  For most control objectives, as part of a routine process
  Yes, for all control objectives, as part of an established process at levels commensurate with their importance in sustaining operational resilience

CTRL
Question: Are control objectives defined and documented to guide the selection, implementation, and management of controls?
Answers:
  No
  In very few organizational units (<10%)
  In some organizational units (10%–50%)
  In many organizational units (>50% but <100%)
  Yes, in all organizational units (100%)

CTRL
Question: Does your organization assess controls periodically to verify that they are continuing to meet control objectives and satisfy resilience requirements?
Answers:
  No
  Controls are reassessed only after they are modified
  Some controls are assessed periodically
  All service- and asset-level controls are assessed periodically
  All controls, including enterprise-level controls, are assessed periodically as part of an established process

CTRL
Question: Does your organization identify and implement enterprise-level controls to protect services and assets from disruption?
Answers:
  No
  Only the minimum needed to meet regulatory requirements
  A few types of enterprise-level controls are implemented
  Yes, multiple types of enterprise-level controls are implemented

CTRL
Question: Does your organization identify management directives and organizational guidelines from which to derive control objectives, such as strategic objectives, resilience requirements for services, and compliance obligations?
Answers:
  No, or control objectives are not defined
  Control objectives are usually based on resilience requirements or compliance obligations only
  Yes, but primarily or only from organizational-unit-level sources
  Yes, from both enterprise-level and organizational-unit-level sources

Page 4 of 26

CTRL
Question: Does your organization identify and implement service-level and associated asset-level controls to protect services and assets from disruption?
Answers:
  No
  For a single asset type, or in very few organizational units (<10%)
  For most asset types in some organizational units (10%–50%)
  For most asset types in many organizational units (>50% but <100%)
  Yes, for all asset types in all organizational units (100%)

EF
Question: Are data for measuring key resilience indicators monitored, collected, and reported to key governance stakeholders? [EF:SG4.SP2.3]
Answers:
  No
  These activities are planned but have not been developed
  These activities are in development
  These activities have been partially implemented
  Yes

EF
Question: Is the success of resilience promotion activities regularly measured? [EF:SG3.SP2.2]
Answers:
  No
  For a few activities (<10%)
  For some activities (10%–49%)
  For many activities (50%–80%)
  Yes, for most activities (>80%)

EF
Question: Is the performance of higher level managers measured with respect to their ability to promote and communicate the importance of resilience programs and activities? [EF:SG3.SP2.3]
Answers:
  No
  For up to 30% of managers
  For up to 70% of managers
  Yes

EF
Question: Are rewards and recognition programs established to support resilience acculturation? [EF:SG3.SP2.4]
Answers:
  No
  Yes, one or two
  Yes

EF
Question: Are policy statements established and disseminated that reflect higher level managers’ commitments to managing operational resilience? [EF:SG3.SP3.1]
Answers:
  No
  No, but those commitments are expressed through other means
  Yes

EF
Question: Has a governance structure been developed and implemented to provide oversight for the operational resilience management system? [EF:SG4.SP1.1]
Answers:
  No
  In development
  In progress; less than 30% complete
  In progress; less than 70% complete
  Yes
  Yes, and reporting is performed on a regular basis according to documented procedures

EF
Question: Have roles and responsibilities for governance over the operational resilience management system been developed and assigned? [EF:SG4.SP1.2]
Answers:
  No
  In development
  In progress; less than 30% complete
  In progress; less than 70% complete
  Yes

EF
Question: Have the procedures, policies, standards, guidelines, and regulations that form the basis to govern the operational resilience management system been identified? [EF:SG4.SP1.3]
Answers:
  No
  In development
  In progress; less than 30% complete
  In progress; less than 70% complete
  Yes

EF
Question: Has a governance dashboard or scorecard been established for measuring and managing the performance of the organization’s operational resilience management system? [EF:SG4.SP2.2]
Answers:
  No
  In development
  In progress; less than 30% complete
  In progress; less than 70% complete
  Yes

EF
Question: Has a plan been developed for visible promotion of a resilience-aware culture? [EF:SG3.SP2.1]
Answers:
  No
  Yes
  Yes, and it includes success metrics

EF
Question: Do key governance stakeholders regularly review audit reports of the operational resilience management system to identify problems? [EF:SG4.SP2.4]
Answers:
  No
  Very few key stakeholders (<10%)
  Some key stakeholders (10%–49%)
  Many key stakeholders (50%–99%)
  Yes (100%)

EF
Question: Does a process exist for handling exceptions to acceptable behaviors (violations of resilience procedures, policies, standards, guidelines, and regulations)? [EF:SG4.SP2.5]
Answers:
  No
  A process is planned but has not been developed
  A process is in development
  A process has been partially implemented
  Yes

EF
Question: Are key resilience indicators that do not meet established criteria identified and analyzed? [EF:SG4.SP3.1]
Answers:
  No, or there are no metrics
  This activity is planned but has not been developed
  This activity is in development
  This activity has been partially implemented
  Yes

EF
Question: Are corrective actions developed to address performance issues when key resilience indicators do not meet established criteria? [EF:SG4.SP3.2]
Answers:
  No
  For very few of such cases (<10%)
  For some of such cases (10%–49%)
  For many of such cases (50%–80%)
  Yes, for most of such cases (>80%)

EF
Question: Are the persons or groups that are responsible for implementing and managing corrective actions for performance issues identified? [EF:SG4.SP3.3]
Answers:
  Corrective actions are not developed
  No
  Only in an ad hoc manner
  Yes
  Yes, and they have the requisite skills and training

EF
Question: Is oversight over the operational resilience management program provided? [EF:SG2.SP2.4]
Answers:
  There is no program
  No
  For up to 30% of strategic objectives
  For up to 70% of resilience activities
  Yes
  Yes, and corrective actions are implemented when necessary

EF
Question: Have key governance stakeholders for the operational resilience management system been identified? [EF:SG4.SP2.1]
Answers:
  No
  In development
  In progress; less than 30% complete
  In progress; less than 70% complete
  Yes

EF
Question: Is corrective action taken as necessary to achieve critical success factors? [EF:SG1.SP2.4]
Answers:
  No
  For up to 30% of strategic objectives
  For up to 70% of resilience activities
  Yes

EF
Question: Is funding for the operational resilience management program included as a regular part of the organization’s strategic planning and budgeting exercise? [EF:SG3.SP1.2]
Answers:
  No
  For a few activities (<10%)
  For some activities (10%–49%)
  For many activities (50%–80%)
  Yes, for most activities (>80%)

EF
Question: Is an allocation of funding for the operational resilience management program approved by higher level management? [EF:SG3.SP1.3]
Answers:
  No
  For a few activities (<10%)
  For some activities (10%–49%)
  For many activities (50%–80%)
  Yes, for most activities (>80%)

EF
Question: Are strategic objectives (in the form of a strategic plan) used as the basis for resilience activities? [EF:SG1.SP1.2]
Answers:
  Strategic objectives are not developed
  No
  For up to 30% of resilience activities
  For up to 70% of resilience activities
  Yes

EF
Question: Have critical success factors been developed that reflect strategic objectives? [EF:SG1.SP2.1]
Answers:
  No
  Not formally, but they are generally known
  Yes

EF
Question: Are key performance indicators identified to measure accomplishment of each critical success factor? [EF:SG1.SP2.3]
Answers:
  No
  For up to 30% of strategic objectives
  For up to 70% of resilience activities
  Yes

EF
Question: Have the services that are performed to achieve the organization’s mission been identified? [EF:SG1.SP3.1]
Answers:
  No
  Only in an ad hoc manner, so probably not all have been identified
  Yes

Page 7 of 26

EF
Question: Are the attributes of services (such as their inputs and outputs, associated assets, owners, and stakeholders) defined in service profiles? [EF:SG1.SP3.2]
Answers:
  No
  For up to 30% of strategic objectives
  For up to 70% of resilience activities
  Yes, but only two or three attributes are described for each service
  Yes
  Yes, and profiles are revised as needed to keep them up-to-date

EF
Question: Is affinity analysis or some other method used to compare organizational services against objective measures (such as strategic objectives and critical success factors) to identify high-value services? [EF:SG1.SP3.3]
Answers:
  No
  No, but high-value services are identified in some other way
  For selected services, but high-value services are identified from that set
  Yes
  Yes, and they are confirmed on a cycle commensurate with the organization’s strategic business planning process

EF
Question: Is a sound business case developed to ensure that tangible, measurable, and demonstrable value is provided to the organization for its investment in resilience activities? [EF:SG3.SP1.1]
Answers:
  No
  For a few activities (<10%)
  For some activities (10%–49%)
  For many activities (50%–80%)
  Yes, for most activities (>80%)

EF
Question: Are commitments to perform the activities of the operational resilience management plan obtained from staff? [EF:SG2.SP1.2]
Answers:
  No, or there is no plan
  For up to 30% of strategic objectives
  For up to 70% of resilience activities
  Yes

EF
Question: Has an operational resilience management program been established for implementing the activities of the operational resilience management plan? [EF:SG2.SP2.1]
Answers:
  No, or there is no plan
  For up to 30% of strategic objectives
  For up to 70% of resilience activities
  Yes

EF
Question: Is the operational resilience management program adequately funded? [EF:SG2.SP2.2]
Answers:
  There is no program
  No
  For a few activities (<10%)
  For some activities (10%–49%)
  For many activities (50%–80%)
  Yes, for most activities (>80%)

EF
Question: Are staff assigned to execute the activities of the operational resilience management program? [EF:SG2.SP2.3]
Answers:
  There is no program
  No
  For a few activities (<10%)
  For some activities (10%–49%)
  For many activities (50%–80%)
  Yes, for most activities (>80%)

EF
Question: Is an operational resilience management plan developed in conjunction with the development of the organization’s strategic plan? [EF:SG2.SP1.1]
Answers:
  No
  A plan is developed, but not in conjunction with the strategic plan
  Yes
  Yes, and it is revised on a cycle commensurate with the organization’s strategic business planning process

EF
Question: Is affinity analysis or some other method performed to document the relationship between the organization’s strategic objectives and critical success factors? [EF:SG1.SP2.2]
Answers:
  For up to 30% of strategic objectives
  For up to 70% of resilience activities
  Yes

EF
Question: Are defined statements of the organization’s mission, vision, values, and purpose readily available for use for resilience planning?
Answers:
  No
  One or two of those, but not all
  Yes, but they are too general to be useful in resilience planning
  Yes

IMC
Question: Does your organization develop an incident response to prevent or limit the impact of incidents?
Answers:
  No
  Only for high-impact incidents
  Yes, designated people plan necessary responses
  Yes, according to preplanned procedures and/or strategies

IMC
Question: Has your organization identified the most appropriate ways to communicate with relevant stakeholders with whom it must communicate regarding incidents?
Answers:
  No
  Relevant stakeholders haven’t been identified, but incident information is sent to anyone who requests it
  Relevant stakeholders have been identified but not categorized, so communication with them is not tailored
  Communications are tailored for some types of stakeholders, such as higher level managers
  Yes, for all types of stakeholders

IMC
Question: Has your organization developed and implemented an incident management communications plan?
Answers:
  No
  No, incident management communications are ad hoc
  There is no communications plan, but incident management staff are trained in incident management related communications
  Yes
  Yes, and the plan is regularly improved based on incident communications experience

IMC
Question: Are incidents closed after relevant actions have been taken by your organization?
Answers:
  Yes
  Yes, and they are marked as closed in the incident knowledgebase
  Yes, according to a defined closure procedure
  Yes, and incidents that are not marked as closed are tracked until they are resolved

IMC
Question: Do you perform post-incident review using root-cause analysis or other techniques to determine underlying causes of incidents?
Answers:
  No
  For some incidents (10%–49%)
  For most incidents (50%–80%)
  Yes, for almost all incidents (>80%)
  Yes, for almost all incidents (>80%), and results are documented both in closure reports and in the incident knowledgebase

IMC
Question: Are lessons learned from incident management routinely used to improve protection, security, and/or continuity strategies?
Answers:
  No, or lessons-learned information is not collected
  Only lessons learned from high-impact incidents
  Yes

IMC
Question: Are incidents escalated to appropriate stakeholders for input and resolution?
Answers:
  No
  On an ad hoc basis
  Yes, incident management staff know how and to whom to escalate incidents
  Yes, according to predefined criteria and procedures

IMC
Question: Have staff been assigned to all roles and responsibilities detailed in the incident management plan?
Answers:
  No staff are assigned to incident response (there may or may not be an incident management plan)
  There is no incident management plan, but some staff members are assigned responsibilities for responding to incidents
  Incident management roles are assigned as needed to handle an incident
  Yes, all staff roles and responsibilities are identified and assigned

IMC
Question: Is there a link (through the incident knowledgebase or some other means) between your organization’s incident management process and its problem management process?
Answers:
  No, or there is no problem management process
  There is no formal link between the processes, but some incident information is passed along to the problem management process
  Yes
  Yes, and problem reports are periodically reviewed to determine whether any action should be taken related to incident detection and analysis methods or incident response procedures

IMC
Question: Are incidents analyzed and any needed information collected to determine an appropriate response?
Answers:
  No
  Only for some incidents
  Yes, analysis and information collection is done for all incidents, and results are documented in incident analysis reports
  Yes, and extensive analysis is done for some types of incidents to determine underlying causes

IMC
Question: Does your organization declare incidents according to established criteria or thresholds?
Answers:
  No
  Incidents are declared in an ad hoc or inconsistent manner
  Yes, authorized staff use identified criteria or thresholds to identify and declare incidents
  Yes, and incident declaration criteria are updated based on experience with prior incidents

IMC
Question: Does your organization assign a disposition (or status) to events and either close them or route them to the incident management team or other appropriate entity?
Answers:
  No
  No, but all events are routed to the incident management team
  Yes, and dispositions are recorded in the incident knowledgebase
  Yes, and the process includes periodic review of the incident knowledgebase to follow up on events that have not been closed or for which there is no disposition

IMC
Question: Are events triaged—that is, categorized as to type and extent, correlated to other events, and prioritized as to the order in which they should be addressed or assigned?
Answers:
  No
  Some triage is done (prioritization or categorization)
  Yes, depending on the type or potential impact of the event
  Yes, through a defined procedure
  Yes, through a defined procedure and using the organization’s standard event categories and prioritization scheme

IMC
Question: Does your organization ensure that event evidence is properly collected, handled, documented, preserved, and protected as may be required by law or other obligations?
Answers:
  No
  For some types of events
  For most types of events
  Yes, for all types of events and as required by relevant rules, laws, regulations, and policies

IMC
Question: Is there an incident knowledgebase or some other mechanism that enables consistent logging of event data?
Answers:
  No
  No, but there are informal methods for logging events
  Yes, for some event data, such as date and time, description, and source
  Yes, for comprehensive event data, such as event description, associated costs, and the assets, services, and organizational units that are affected by the event

Page 11 of 26

IMC
Question: Does your organization use multiple internal and external methods and sources for detecting events?
Answers:
  No
  No, but everyone knows who to contact if an incident is suspected
  Methods exist only for detecting events that affect technical infrastructure (e.g., network monitoring, application data monitoring)
  Events are detected through numerous internal methods and sources (e.g., network and system monitoring, service desk issues, staff observations of malicious or suspicious activities)
  Yes, events are detected through external as well as internal methods and sources (e.g., forwarded from law enforcement, vendors, or other security organizations, or viewed through various media channels)

IMC
Question: Does your organization have a documented plan for performing incident management?
Answers:
  No
  In some organizational units or lines of business
  There is a documented plan, but no one formally commits to it
  Yes, both a documented plan and documented commitments to the plan

IMC
Question: Has your organization established a process for reporting events?
Answers:
  No
  Events are reported via email or phone to the service desk
  Yes, there is an established process for documenting events and reporting them to the service desk, appropriate incident management staff, or other authorized entity

KIM
Question: Are administrative, technical, and physical controls identified and implemented as needed to meet resilience requirements for information assets?
Answers:
  No
  Some controls are implemented, but they are not aligned with resilience requirements (or there are no documented requirements)
  Controls are implemented for all high-priority information assets, but they are not aligned with resilience requirements (or there are no documented requirements)
  Yes, in some organizational units or for certain categories or types of information assets
  Yes

KIM
Question: Does your organization use an information asset sensitivity categorization scheme that covers all categories of information assets (public, internal use only, confidential, secret, etc.)?
Answers:
  No
  Only for classified assets
  Yes, for all categories, but its use is not enforced or monitored
  Yes, for all categories

Page 12 of 26

Process Area: KIM
Compass Question: Are resilience requirements (for confidentiality, integrity, and availability) assigned to information assets and documented in asset definitions?
Answer 1: No
Answer 2: In some organizational units or for certain categories or types of information assets
Answer 3: Resilience requirements are assigned and are documented in some manner, but they are not documented in asset definitions
Answer 4: Yes

Process Area: KIM
Compass Question: Using organizationally defined criteria, has your organization selected certain information assets for periodic risk assessment?
Answer 1: No risk assessments are done on information assets
Answer 2: An initial risk assessment is done for new assets, but no periodic assessments are done
Answer 3: In some organizational units
Answer 4: Yes

Process Area: KIM
Compass Question: As a result of periodic risk assessments of selected information assets, are risk mitigation strategies developed for risks the organization decides to mitigate, and are they validated by comparing them to existing strategies?
Answer 1: No periodic risk assessments of selected information assets are done
Answer 2: Risk mitigation strategies are not developed
Answer 3: Risk mitigation strategies are developed but are not validated
Answer 4: Yes, they are developed and validated
Answer 5: Yes, they are developed, validated, and implemented, and risk mitigation strategies are monitored for effectiveness after implementation

Process Area: KIM
Compass Question: Does your organization have policies and procedures for encrypting information assets as appropriate or required for their asset sensitivity categorization?
Answer 1: No, there are no such policies and procedures
Answer 2: There are no documented policies or procedures, but staff members know how and when to encrypt information
Answer 3: There are policies or procedures for encryption, but they are not tied to asset sensitivity categorizations
Answer 4: Yes

Process Area: KIM
Compass Question: Do you implement access controls for information assets as needed to satisfy confidentiality- and privacy-related resilience requirements (including those imposed by laws and regulations)?
Answer 1: No
Answer 2: Access controls are implemented for certain categories or types of information assets, but selection of access controls is not based on requirements of any kind
Answer 3: Access controls are implemented for information assets only as needed to satisfy confidentiality- and privacy-related resilience requirements imposed by laws and regulations
Answer 4: Yes, access controls are implemented as needed to satisfy all confidentiality- and privacy-related resilience requirements, including those imposed by laws and regulations
Answer 5: Yes, and access controls are managed on an ongoing basis to ensure continued satisfaction of requirements

Page 13 of 26

Process Area: KIM
Compass Question: Are organizational guidelines followed for disposing of information assets in a manner appropriate to their resilience requirements and sensitivity categorizations and in accordance with any applicable rules, laws, and regulations?
Answer 1: No
Answer 2: There are guidelines, but they are not well documented, communicated, or implemented
Answer 3: Guidelines are followed for disposing of assets in accordance with applicable rules, laws, and regulations, but not for other reasons
Answer 4: Guidelines for proper disposal of assets for all reasons have been communicated to all staff who are responsible for the resilience of information assets, but adherence to the guidelines is not enforced or monitored
Answer 5: Yes, and adherence to the guidelines is enforced and monitored

Process Area: KIM
Compass Question: Is the integrity of high-value information assets preserved by controlling their modification using access controls, monitoring and logging modification activity, and other means?
Answer 1: No
Answer 2: Only access controls are used
Answer 3: Yes, multiple types of controls are used
Answer 4: Yes, and audits of modification logs are performed periodically and anomalies are addressed

Process Area: KIM
Compass Question: Is the integrity of information assets preserved by using configuration control policies, procedures, and techniques to manage changes to assets?
Answer 1: No
Answer 2: Baselines are established, but changes are not always managed
Answer 3: Yes, baselines are established and changes are managed through configuration control
Answer 4: Yes, and configuration control logs are reviewed and anomalies are addressed

Process Area: KIM
Compass Question: Does your organization use controls to sustain and verify the validity and reliability of information assets as they are altered through the information processing cycle (used by a service)?
Answer 1: No
Answer 2: There are controls and procedures in some services or for certain categories or types of information assets
Answer 3: Yes, data validation controls are used for information assets
Answer 4: Yes, and monitoring and auditing are done to periodically verify that changes are valid and authorized

Process Area: KIM
Compass Question: Are high-value information assets backed up and retained so that they are available when needed?
Answer 1: No, no backup is done
Answer 2: Some backup is done, but there are no guidelines about which information assets should be backed up
Answer 3: Assets that support high-value services are backed up but not necessarily other high-value information assets such as intellectual property
Answer 4: Yes, high-value information assets are backed up and retained
Answer 5: Yes, and the organization's backup and storage procedures and guidelines are periodically tested to ensure continued validity as operational conditions change

Page 14 of 26

Process Area: KIM
Compass Question: Is the institutional knowledge of staff members that is vitally important to normal operations duplicated in some way (such as documentation or cross-training)?
Answer 1: No, because staff members who may have institutional knowledge have not been identified for this purpose
Answer 2: Staff members who may have institutional knowledge have been identified, but their knowledge is not duplicated
Answer 3: Staff members with vital institutional knowledge are encouraged to document their knowledge, but there are no policies or procedures for doing so
Answer 4: In some organizational units or for certain kinds of institutional knowledge
Answer 5: Yes
Answer 6: Yes, and procedures for regular identification, capture, and revision of institutional knowledge have been developed and implemented

Process Area: KIM
Compass Question: Has your organization prioritized its information assets by their importance in supporting the delivery of high-value services or some other criteria so that it knows which assets should be the focus of operational risk and resilience activities?
Answer 1: No
Answer 2: Not formally, but that priority is generally known
Answer 3: In some organizational units or for certain categories or types of information assets
Answer 4: Yes
Answer 5: Yes, and the prioritization is periodically updated and validated

Process Area: MON
Compass Question: Have plans for the involvement of relevant internal and external stakeholders in the monitoring process been developed?
Answer 1: No
Answer 2: Stakeholders are involved in the monitoring process, but there is no process for identifying relevant stakeholders and no plans are developed to describe their involvement
Answer 3: For some (10%-49%) operational resilience management processes and activities
Answer 4: For many (50%-80%) operational resilience management processes and activities
Answer 5: Yes, for most (>80%) operational resilience management processes and activities

Process Area: MON
Compass Question: Has your organization established distribution infrastructure, methods, and channels that make monitoring data available to stakeholders in the form and at the frequency they have requested?
Answer 1: No, or stakeholder requirements are not identified
Answer 2: For some types (10%-49%) of monitoring data
Answer 3: For many types (50%-80%) of monitoring data
Answer 4: Yes, for most types (>80%) of monitoring data

Process Area: MON
Compass Question: Is monitoring data relevant to the operational resilience management system collected and recorded on appropriate media according to stakeholders' requirements?
Answer 1: No
Answer 2: Some monitoring data is collected and recorded, but stakeholder requirements are not identified
Answer 3: For some (10%-49%) operational resilience management processes and activities
Answer 4: For many (50%-80%) operational resilience management processes and activities
Answer 5: Yes, for most (>80%) operational resilience management processes and activities

Process Area: MON
Compass Question: Have standards and parameters for collecting, handling, and storing monitoring data been developed?
Answer 1: No
Answer 2: For some types (10%-49%) of monitoring data
Answer 3: For many types (50%-80%) of monitoring data
Answer 4: Yes, for most types (>80%) of monitoring data

Page 15 of 26

Process Area: MON
Compass Question: Is infrastructure in place that is sufficient for meeting monitoring requirements and program objectives?
Answer 1: No, or that information is not known
Answer 2: Most (>80%) of the monitoring requirements specify infrastructure that is not in place
Answer 3: Many (50%-80%) of the monitoring requirements specify infrastructure that is not in place
Answer 4: Some (10%-49%) of the monitoring requirements specify infrastructure that is not in place
Answer 5: Very few (<10%) of the monitoring requirements specify infrastructure that is not in place

Process Area: MON
Compass Question: Are monitoring requirements for each stakeholder identified and documented?
Answer 1: No
Answer 2: For some (10%-49%) operational resilience management processes and activities
Answer 3: For many (50%-80%) operational resilience management processes and activities
Answer 4: Yes, for most (>80%) operational resilience management processes and activities
Answer 5: Yes, for most (>80%) operational resilience management processes and activities, and the requirements are reviewed, validated, and updated on a regular basis

Process Area: MON
Compass Question: Have a plan and program for identifying, recording, collecting, and distributing operational resilience monitoring information been established?
Answer 1: No
Answer 2: Some monitoring of operational resilience management processes and activities is performed, but there is no plan or program for it
Answer 3: Yes, a plan for a monitoring program has been developed and documented
Answer 4: Yes, and those responsible have committed in writing to implement and support the plan
Answer 5: Yes, and the plan and commitments to the plan are revised as necessary as part of an established periodic review process

Process Area: MON
Compass Question: Are monitoring requirements analyzed to determine whether they can be satisfied (in terms of resources and infrastructure)?
Answer 1: No, or requirements are not identified
Answer 2: For some types (10%-49%) of operational resilience management processes and activities
Answer 3: For many types (50%-80%) of operational resilience management processes and activities
Answer 4: Yes, for most types (>80%) of operational resilience management processes and activities

Process Area: RISK
Compass Question: Are risks prioritized based on assigned risk valuations to determine the risks that most need attention?
Answer 1: No, or risk valuations are not determined
Answer 2: Risks are prioritized, but prioritization is based on some criteria other than assigned risk valuations
Answer 3: Risks in some categories are prioritized based on assigned risk valuations
Answer 4: Yes

Page 16 of 26

Process Area: RISK
Compass Question: Is a strategy for managing operational risk that aligns with the organization's overall enterprise risk management strategy established and maintained?
Answer 1: No
Answer 2: Risk management is performed, but there is no documented strategy for it
Answer 3: There is a strategy for managing operational risk, but it doesn't align with the organization's enterprise risk management strategy (or there is no enterprise-level strategy)
Answer 4: Yes
Answer 5: Yes, and the operational risk management strategy is aligned with the organization's strategic objectives

Process Area: RISK
Compass Question: Does your organization compare risk mitigation plans to existing service continuity plans and revise or create service continuity plans as needed?
Answer 1: No
Answer 2: For few services (<10%)
Answer 3: For some services (10%–50%)
Answer 4: For many services (>50% but <80%)
Answer 5: Yes, for most services (>80%) or all high-value assets

Process Area: RISK
Compass Question: Does your organization compare risk mitigation plans to existing strategies for protecting assets and revise or add controls in those strategies as needed?
Answer 1: No
Answer 2: For few assets (<10%)
Answer 3: For some assets (10%–50%)
Answer 4: For many assets (>50% but <80%)
Answer 5: Yes, for most assets (>80%) or all high-value assets

Process Area: RISK
Compass Question: Does your organization periodically review identified risks to determine whether there have been changes in the risk environment that would warrant changes in their risk dispositions?
Answer 1: No
Answer 2: Some categories of risk, or in some organizational units or lines of business
Answer 3: Most categories of risk, or in most organizational units or lines of business
Answer 4: Yes

Process Area: RISK
Compass Question: Are risk mitigation plans monitored for effectiveness?
Answer 1: No, or there are no risk mitigation plans
Answer 2: For some categories of risk, or in some organizational units or lines of business
Answer 3: For most categories of risk, or in most organizational units or lines of business
Answer 4: Yes

Process Area: RISK
Compass Question: Are risk mitigation plans developed for risks that the organization decides to mitigate?
Answer 1: No
Answer 2: Plans are developed for some categories of risk that describe what will be done, when, and by whom
Answer 3: Plans are developed for all categories of risk that describe what will be done, when, and by whom
Answer 4: Plans are developed for all categories of risk that describe what will be done, when, and by whom; the cost of the plan, with a cost-benefit analysis; and identification of any residual risk that will not be addressed by the plan

Page 17 of 26

Process Area: RISK
Compass Question: Is the disposition (Risk: acceptance, avoidance, transfer, monitor, research/defer, mitigation) of each identified risk documented and approved?
Answer 1: No
Answer 2: For some risks (<50%) or some categories of risk
Answer 3: For many risks (50%–80%)
Answer 4: Yes, for most risks (80%–100%)

Process Area: RISK
Compass Question: Are identified risks evaluated and assigned qualitative or quantitative valuations using the defined risk parameters and risk measurement criteria?
Answer 1: No
Answer 2: Very few identified risks (<10%)
Answer 3: Some identified risks (10%–50%)
Answer 4: Many identified risks (>50% but <80%)
Answer 5: Yes, most identified risks (>80%)

Process Area: RISK
Compass Question: Do risk statements for high-value assets include information about the potential effect on the services they support if the risk is realized?
Answer 1: No, or there are no risk statements
Answer 2: For very few identified risks (<10%)
Answer 3: For some identified risks (10%–50%)
Answer 4: For many identified risks (>50% but <80%)
Answer 5: Yes, for most identified risks (>80%)

Process Area: RISK
Compass Question: Does your organization use various techniques and methods to identify operational risks to high-value assets?
Answer 1: No
Answer 2: No, but risks are documented when they become known
Answer 3: Risk identification is done for some high-value assets (10%–50%)
Answer 4: Risk identification is done for many high-value assets (>50% but <80%)
Answer 5: Yes, for most high-value assets (>80%)

Process Area: RISK
Compass Question: Are risk parameters (operational risk thresholds and impact and probability criteria) defined for each category of risk?
Answer 1: No, or risks are not categorized
Answer 2: For very few categories (<10%) or for some specific risks
Answer 3: For some categories (10%–50%)
Answer 4: For many categories (>50% but <100%)
Answer 5: Yes (100%)

Process Area: RISK
Compass Question: Are operational risks categorized and organized in some way that is relevant to the organization?
Answer 1: No
Answer 2: Some categorization is done
Answer 3: Some sources of risk are categorized and organized in a taxonomy
Answer 4: Yes

Process Area: RISK
Compass Question: Does your organization categorize risks according to its defined risk categories or other forms of categorization?
Answer 1: No, or risk categories are not determined
Answer 2: Very few identified risks (<10%)
Answer 3: Some identified risks (10%–50%)
Answer 4: Many identified risks (>50% but <80%)
Answer 5: Yes, most identified risks (>80%)
Answer 6: Yes, most identified risks (>80%), and the cause-and-effect relationship between related risks is identified

Process Area: RISK
Compass Question: Does your organization identify and document the sources from which operational risk to its assets and services may originate?
Answer 1: No
Answer 2: A few general sources have been identified, but no analysis is conducted to identify most or all sources
Answer 3: In some organizational units or lines of business or for certain asset types
Answer 4: Yes, possible risk sources are identified and documented

Page 18 of 26

Process Area: RISK
Compass Question: Are criteria for measuring and evaluating the impact of realized risk defined and documented for organizational impact areas?
Answer 1: No, or organizational impact areas have not been defined
Answer 2: Some risk measurement and evaluation criteria have been developed, but organizational impact areas have not been identified
Answer 3: For some organizational units or lines of business
Answer 4: Yes
Answer 5: Yes, and they are applied consistently across all operational risks

Process Area: SC
Compass Question: Are changes made to service continuity plans based on organizationally defined change criteria?
Answer 1: No
Answer 2: There are no documented criteria or conditions, but service continuity plans are updated in response to various events and conditions
Answer 3: Yes
Answer 4: Yes, and versions of existing plans are incremented according to the organization's versioning protocol and standards
Answer 5: Yes, and new versions of plans are communicated to relevant stakeholders

Process Area: SC
Compass Question: Have a program, standards, and schedules for testing service continuity plans been implemented?
Answer 1: No
Answer 2: There are schedules but no test program or standards
Answer 3: There are schedules and either a test program or standards
Answer 4: Yes

Process Area: SC
Compass Question: Are service continuity test plans developed and reviewed with stakeholders before being implemented?
Answer 1: No
Answer 2: Test plans are developed and documented for some services (<50%)
Answer 3: Test plans are developed and documented for many services (50%-80%)
Answer 4: Yes, test plans are developed and documented for most or all services (>80%) and are reviewed with stakeholders

Process Area: SC
Compass Question: Are service continuity plans tested on an organizationally defined basis using necessary staff and resources, and are the results documented?
Answer 1: No
Answer 2: Some plans (10%-49%)
Answer 3: Many plans (50%-80%)
Answer 4: Yes, most plans (>80%)
Answer 5: Yes, and documentation of results is done in accordance with the organization's testing standards

Process Area: SC
Compass Question: Are test results compared with test objectives to identify needed improvements to both service continuity plans and test plans?
Answer 1: No
Answer 2: Needed improvements to service continuity plans are identified and documented
Answer 3: Yes
Answer 4: Yes, needed improvements to both service continuity plans and test plans are identified and documented

Page 19 of 26

Process Area: SC
Compass Question: Do owners of service continuity plans execute specific plans in response to specific conditions?
Answer 1: No
Answer 2: No, they execute plans only when directed to (by the incident management team, higher level managers, or others)
Answer 3: Yes, owners of service continuity plans know the conditions under which plans must be executed and have the authority and responsibility to execute the plans if necessary

Process Area: SC
Compass Question: Have criteria for making changes to service continuity plans been defined?
Answer 1: No
Answer 2: No, but criteria for making changes to service continuity plans are generally known by plan owners
Answer 3: Yes, criteria for making changes to service continuity plans have been developed and documented

Process Area: SC
Compass Question: Are vital records and databases identified and documented?
Answer 1: No
Answer 2: They are identified and documented within certain organizational units or lines of business but not organization-wide
Answer 3: Yes
Answer 4: Yes, including a directory of vital staff and their specific roles in high-value services
Answer 5: Yes, and controls are in place to ensure that vital records and databases are protected, accessible, and usable if a disruption occurs

Process Area: SC
Compass Question: Are conflicts between service continuity plans (in use of resources) identified through plan review and resolved?
Answer 1: No
Answer 2: Conflicts aren't identified through plan review, but if they are identified through plan testing or execution, they are resolved
Answer 3: Yes, conflicts are identified, and most conflicts are reduced or eliminated
Answer 4: Yes, conflicts are reduced or eliminated, and plans are rewritten and revised as necessary

Process Area: SC
Compass Question: Are post-execution reviews of service continuity plans performed to identify corrective actions?
Answer 1: No
Answer 2: For some plans (10%-49%)
Answer 3: For many plans (50%-80%)
Answer 4: Yes, for most plans (>80%)
Answer 5: Yes, for most plans (>80%), and areas of improvement for plans are documented

Process Area: SC
Compass Question: Has your organization developed and documented a plan for its service continuity process?
Answer 1: No, there is no service continuity process
Answer 2: No, no plan has been developed or documented for the service continuity process
Answer 3: There is no plan, but some aspects of the service continuity process are documented
Answer 4: Yes, planning is performed
Answer 5: Yes, planning is performed and a program has been developed and documented

Page 20 of 26

Process Area: SC
Compass Question: Does your organization provide training as needed to staff assigned to service continuity plans?
Answer 1: No
Answer 2: The organization doesn't identify skill gaps, but training is available
Answer 3: Yes
Answer 4: Yes, and training materials and resources have been developed to conduct training on a regular and ongoing basis

Process Area: SC
Compass Question: Is there a service continuity plan repository or database, and are access controls used to ensure that service continuity plans can be accessed only by authorized individuals?
Answer 1: No
Answer 2: There is a repository for service continuity plans, but no access controls are used on it
Answer 3: Yes, service continuity plans are stored and access controls are used

Process Area: SC
Compass Question: Does your organization identify service continuity plans to be developed?
Answer 1: No
Answer 2: Existing service continuity plans are maintained, but no means are used to identify new plans needed
Answer 3: Yes, a single means is used
Answer 4: Yes, multiple means are used, such as business impact analysis, risk assessment activities, and lessons learned from past disruptions

Process Area: SC
Compass Question: Are any external entities that the organization depends on to provide high-value services, such as public utilities and contractors, identified and documented?
Answer 1: No
Answer 2: There are records that identify and document such external entities, but specific dependencies of high-value services on those entities aren't documented
Answer 3: Yes

Process Area: SC
Compass Question: Are the associations between the high-value services of the organization and the assets that support them (people, information, technology, and facilities) identified?
Answer 1: High-value services have not been identified
Answer 2: High-value services have been identified but not associations between them and their supporting assets
Answer 3: Associations have been identified between some high-value services (<50%) and their supporting assets or for certain categories of supporting assets
Answer 4: Associations between many high-value services (50%-80%) and their supporting assets have been identified, but certain categories of supporting assets tend to be overlooked
Answer 5: Yes, for most or all high-value services (>80%) and their supporting assets

Page 21 of 26

Process Area: SC
Compass Question: Are service continuity guidelines and standards (regarding standard content of plans, testing requirements, plan versioning, etc.) developed and communicated?
Answer 1: No
Answer 2: Basic guidelines and standards, such as requirements for plans and plan creation templates, have been developed for some aspects of the service continuity program, but they are not well communicated
Answer 3: Additional guidelines and standards, such as standard content of plans, testing requirements for plans, stakeholder involvement, and plan change control, have been developed and communicated for some aspects of the service continuity program
Answer 4: Yes, guidelines and standards have been developed and communicated for most aspects of the service continuity program

Process Area: SC
Compass Question: Are service continuity plans objectively reviewed to ensure that they conform to the organization's standards and requirements for plan development?
Answer 1: No
Answer 2: Plans are evaluated against development standards or guidelines but not against requirements
Answer 3: Plans are evaluated against requirements but not against development standards or guidelines
Answer 4: Yes

Process Area: SC
Compass Question: Are staff members assigned to execute specific service continuity plans?
Answer 1: No
Answer 2: No, but there is a list of staff that is required to execute service continuity plans
Answer 3: Yes

Process Area: TM
Compass Question: Are audits of technology asset modification logs performed periodically, and are any anomalies discovered addressed?
Answer 1: There are no technology asset modification logs
Answer 2: No
Answer 3: Audits are rarely performed, but any anomalies discovered are addressed
Answer 4: Yes
Answer 5: Yes, and appropriate plan updates and remediation actions are developed if necessary

Process Area: TM
Compass Question: Are selected technology assets placed under configuration management using organizational standards, guidelines, policies, and tools?
Answer 1: No
Answer 2: There are no organizational standards, etc., but some technology assets are placed under configuration control
Answer 3: In some organizational units or for certain categories or types of technology assets
Answer 4: Yes
Answer 5: Yes, and configuration control logs are reviewed periodically to identify anomalies
Answer 6: Yes, and the integrity of configuration item baselines is audited regularly to ensure that they are complete and correct

Process Area: TM
Compass Question: Are changes to technology assets managed using organizational change control policies, procedures and techniques?
Answer 1: No
Answer 2: There are no organizational policies, etc., but change management is done for some technology assets
Answer 3: In some organizational units or for certain categories or types of technology assets
Answer 4: Yes
Answer 5: Yes, including analysis of impacts of changes proposed and required approval of changes by relevant stakeholders

Page 22 of 26

Process Area: TM
Compass Question: Does your organization use release management or iteration control for technology assets that are released into the production environment?
Answer 1: No
Answer 2: Only for some types of technology assets
Answer 3: For most types of technology assets
Answer 4: Yes

Process Area: TM
Compass Question: Does your organization help ensure the availability and functionality of high-value technology assets by developing plans to sustain them (such as business continuity plans)?
Answer 1: No
Answer 2: Only for a few types of high-value technology assets
Answer 3: Yes
Answer 4: Yes, and the plans refer to metrics such as availability metrics, recovery time objectives, and recovery point objectives

Process Area: TM
Compass Question: Are corrective, preventive, and other types of maintenance performed on technology assets that require it?
Answer 1: No
Answer 2: Corrective maintenance is performed when there is a maintenance issue
Answer 3: Yes, all types of maintenance are performed
Answer 4: Yes, all types of maintenance are performed, and equipment suppliers' recommended service intervals and specifications are used when available

Process Area: TM
Compass Question: Does your organization have a strategy for managing the interoperability of technology assets?
Answer 1: No
Answer 2: No, but some interoperability architecture and design principles are commonly used
Answer 3: Interoperability standards have been established related to architecture and design, minimizing complexity, preventing operational risk, etc.
Answer 4: Yes, there is a strategy for managing interoperability that is used across the enterprise
Answer 5: Yes, and risks that are identified through interoperability management are referred to the risk management process

Process Area: TM
Compass Question: Does your organization implement access management policies and procedures for requesting and approving access privileges to technology assets?
Answer 1: No
Answer 2: For few technology assets (<10%)
Answer 3: For some technology assets (10%–49%)
Answer 4: For many technology assets (50%–80%)
Answer 5: Yes, for most technology assets (>80%)

Process Area: TM
Compass Question: Is the effectiveness of controls monitored so as to identify any deficiencies?
Answer 1: No
Answer 2: For certain categories of controls or for certain categories or types of technology assets
Answer 3: For most controls
Answer 4: Yes, for all controls

Page 23 of 26

Process Area: TM
Compass Question: Is capacity management and planning done for technology assets that require it?
Answer 1: No
Answer 2: Yes, for a few technology assets (<10%)
Answer 3: Yes, for some technology assets (10%–49%)
Answer 4: Yes, for many technology assets (50%–80%)
Answer 5: Yes, for most technology assets (>80%)
Answer 6: Yes, for most technology assets (>80%), and capacity management strategies are periodically validated and updated based on operational and organizational environmental changes

Process Area: TM
Compass Question: Does your organization prioritize technology assets relative to their importance in supporting the delivery of high-value services?
Answer 1: No
Answer 2: Few technology assets (<10%)
Answer 3: Some technology assets (10%–49%)
Answer 4: Many technology assets (50%–80%)
Answer 5: Yes, most technology assets (>80%)

Process Area: TM
Compass Question: As a result of periodic risk assessments of selected technology assets, are risk mitigation strategies developed and implemented for risks the organization decides to mitigate?
Answer 1: No periodic risk assessments of technology assets are done
Answer 2: Risk mitigation strategies are not developed
Answer 3: Yes, they are developed and implemented
Answer 4: Yes, they are developed and implemented, and risk mitigation strategies are monitored for effectiveness after implementation

Process Area: TM
Compass Question: Using organizationally defined criteria, does your organization periodically identify and assess risks to technology assets?
Answer 1: No risk assessments are done on technology assets
Answer 2: An initial risk assessment is done for new assets, but no periodic assessments are done
Answer 3: For some categories or types of technology assets
Answer 4: Yes

Process Area: TM
Compass Question: Are controls over the design, construction, and acquisition of technology assets specified?
Answer 1: No
Answer 2: In very few organizational units or for one or two categories or types of technology assets
Answer 3: In some organizational units or for some categories or types of technology assets
Answer 4: Yes

Process Area: TM
Compass Question: Are administrative, technical, and physical controls identified and implemented as needed to meet resilience requirements for technology assets?
Answer 1: No
Answer 2: Some controls are implemented, but they are not aligned with resilience requirements (or there are no documented requirements)
Answer 3: Controls are implemented for all high-priority technology assets, but they are not aligned with resilience requirements (or there are no documented requirements)
Answer 4: In some organizational units or for certain categories or types of technology assets
Answer 5: Yes

Page 24 of 26

Process Area: TM
Compass Question: Are resilience requirements that have been defined assigned to technology assets?
Answer 1: No
Answer 2: In some organizational units or for certain categories or types of technology assets
Answer 3: Resilience requirements are assigned and are documented in some manner, but they are not documented in asset definitions
Answer 4: Yes

Process Area: TM
Compass Question: Are technology assets that specifically support execution of service continuity and service restoration plans identified and documented?
Answer 1: No
Answer 2: For a few service continuity plans (<10%)
Answer 3: For some service continuity plans (10%–49%)
Answer 4: For many service continuity plans (50%–80%)
Answer 5: Yes, for most (>80%) service continuity plans

Process Area: TM
Compass Question: Have organizationally acceptable tools, techniques, and methods for controlling access to technology assets been established?
Answer 1: No
Answer 2: For few technology assets (<10%)
Answer 3: For some technology assets (10%–49%)
Answer 4: For many technology assets (50%–80%)
Answer 5: Yes, for most technology assets (>80%)

Process Area: TM
Compass Question: Does your organization identify staff authorized to modify technology assets and ensure that their access privileges align with their current job responsibilities?
Answer 1: No
Answer 2: Such staff are identified, but they tend to just be given extensive privileges
Answer 3: Such staff are identified, and their privileges are scrutinized if they change jobs
Answer 4: Such staff are identified, and their privileges are scrutinized if there is any change at all in their job responsibilities

Process Area: VAR
Compass Question: Does your organization develop resolution strategies for vulnerabilities to which exposure must be reduced or eliminated (if they require more than a simple fix such as a patch supplied by a software vendor)?
Answer 1: No
Answer 2: No, vulnerability management staff handle resolution activities
Answer 3: Yes, workarounds for identified vulnerabilities are developed and implemented
Answer 4: Yes, and relevant stakeholders are informed of resolution activities

Process Area: VAR
Compass Question: Are vulnerabilities analyzed to determine whether they have to be reduced or eliminated, and are they prioritized for disposition?
Answer 1: No
Answer 2: No analysis is done, but certain kinds of vulnerabilities are routinely fixed through methods such as patch management
Answer 3: Yes
Answer 4: Yes, and documented prioritization guidelines are used to sort and prioritize vulnerabilities consistently according to their relevance to the organization

Page 25 of 26

Process Area Compass Question

Answer 1

Answer 2

Answer 3

Answer 4

Vulnerabilities are
discovered as part of a
periodic threat and risk
assessment or audit
process

Yes, there is a
process for extensive
vulnerability
discovery, using
multiple sources and
tools and a
vulnerability
repository, and staff
receive training as
needed

VAR

Does your organization have a process
for actively discovering vulnerabilities?

No

Vulnerability discovery
is done by performing
internal vulnerability
assessments and by
subscribing to
vulnerability catalogs
and vendor notification
lists

VAR

Are reputable sources of vulnerability
information, both internal and
external, identified in your
organization?

No

A few sources of
Yes, multiple sources of
vulnerability
vulnerability information
information have been
have been identified
indentified and are used and are used

VAR

Has your organization developed an
operational vulnerability analysis and
resolution strategy?

No

No strategy has been
developed, but some
vulnerability analysis
and resolution activities
are being performed

There is no strategy, but Yes
resources are assigned to
vulnerability analysis
and resolution roles and
responsibilities

VAR

Is root-cause analysis performed on
identified vulnerabilities using
appropriate tools, techniques and
methods?

No

Yes, on some
vulnerabilities

Yes, on most
vulnerabilities that
warrant it

Yes, on most
vulnerabilities that
warrant it, and
strategies to address
root causes are
developed,
implemented, and
monitored

VAR

Does your organization define the
No
scope of its vulnerability analysis and
resolution activities by identifying the
high-value assets and related
operational environments that must be

Yes, but for information
and technology assets
only

Yes, for all asset types
(information,
technology, and
facilities)

Yes, for all asset types
, and the scope of
vulnerability analysis
and resolution
activities is
documented

Answer 5

Answer 6

Yes, and the
strategy is
communicated to
all relevant
stakeholders

Yes, and stakeholders’
commitment to the
activities described in
the strategy has been
obtained

Yes, multiple sources,
and the source list
is updated as new
sources become
available

examined for vulnerabilities?
160

Page 26 of 26


File Type: application/pdf
Author: SAM
File Modified: 2011-10-05
File Created: 2011-10-05
