Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

pl-8(1)

information security architecture  | defense-in-depth

assessment objective:

Determine if the organization:  

pl-8(1)(a)  

pl-8(1)(a)[1]

defines security safeguards to be allocated to locations and architectural layers within the design of its security architecture;

pl-8(1)(a)[2]

defines locations and architectural layers of its security architecture in which organization-defined security safeguards are to be allocated;

pl-8(1)(a)[3]

designs its security architecture using a defense-in-depth approach that allocates organization-defined security safeguards to organization-defined locations and architectural layers; and

pl-8(1)(b)  

designs its security architecture using a defense-in-depth approach that ensures the allocated organization-defined security safeguards operate in a coordinated and mutually reinforcing manner.

potential assessment methods and objects:

Examine: [select from: Security planning policy; procedures addressing information security architecture development; enterprise architecture documentation; information security architecture documentation; security plan for the information system; security CONOPS for the information system; other relevant documents or records].

Interview: [select from: Organizational personnel with security planning and plan implementation responsibilities; organizational personnel with information security architecture development responsibilities; organizational personnel with information security responsibilities].

Test: [select from: Organizational processes for designing the information security architecture; automated mechanisms supporting and/or implementing the design of the information security architecture].