Maturity Levels: Level 1, Level 2, Level 3

ADMINISTRATIVE
Risk Management Processes
Risk Decisions
Actionable Executive Decision Making
Comprehensive Risk Management
InfoSec Risk Defined & Documented
Risk Tolerance Determined & Clear
Risk Identified & Prioritized
Threats Identified & Documented
Tolerance Informed by Infrastructure & Sector
PHYSICAL
Evacuation Procedures
Employee Training
Formalized Policies & Procedures
Emergency Response Plan
Security Exercises Conducted
Background Checks
Security Guards
Areas of Refuge
Formal Facility Threat Analysis Every 2 Years
Regular Facility Physical Risk Assessments
INTERNAL TECHNICAL
Firewall Management
Firewall Routing
Data Loss Prevention
DMZ Network
Traffic Reviewed for Malware
Egress Traffic Restrictions
Network-based Intrusion Prevention
Multiple Internet Circuits from Multiple ISPs
Redundant Internet Firewall
Web Content Filtering
EXTERNAL TECHNICAL
Blacklists & Whitelists
Isolated Internal Networks
Firewall Auditable Change Control
Formal Firewall Change Approval
Documented Firewall Review Schedule
Network-based Intrusion Prevention Systems
Internet-facing Systems Hardening Documented
Unauthorized Firewall Changes -> Incident Management Process
Additional Protections on Internet-accessible and DMZ Servers
Egress Traffic Filtering Specifically Authorized
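As an added illustration of the egress-filtering and firewall change-control items above (Egress Traffic Restrictions, Firewall Auditable Change Control, Unauthorized Firewall Changes -> Incident Management Process, Egress Traffic Filtering Specifically Authorized), and not code from the original page: a small audit that compares a deployed egress ruleset against the approved change record, confirms the egress chain is default-deny, and emits one incident line per deployed rule that no change record authorizes. The simplified rule syntax, the change-record identifiers and the addresses are all constructed for the example and do not correspond to any particular firewall product.

```python
"""Audit a deployed egress ruleset against the approved change record.

All sample data here is constructed. The rule format is a simplified,
nftables-like text invented for this example, not any real firewall syntax.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    chain: str   # "egress" or "ingress"
    action: str  # "accept" or "drop"
    proto: str   # "tcp" / "udp"
    dst: str     # destination address
    dport: str   # destination port


def parse_rules(text: str) -> tuple[dict[str, str], list[Rule]]:
    """Parse lines of the form
         chain egress policy drop
         egress accept tcp 10.0.5.20 443
    Anything after '#' is a comment. Returns (chain policies, rules)."""
    policies: dict[str, str] = {}
    rules: list[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "chain" and len(parts) == 4 and parts[2] == "policy":
            policies[parts[1]] = parts[3]
        elif len(parts) == 5:
            rules.append(Rule(*parts))
        else:
            raise ValueError(f"unparseable rule line: {raw!r}")
    return policies, rules


def audit_egress(deployed: str, approved: str) -> dict:
    """Compare the deployed egress allow-list with the approved one.
    default_deny: True only if the deployed egress chain's policy is drop
    unauthorized: deployed egress accept rules that no change record covers
    missing:      approved egress accept rules that are not deployed"""
    dep_pol, dep_rules = parse_rules(deployed)
    _, app_rules = parse_rules(approved)
    dep_allow = {r for r in dep_rules if r.chain == "egress" and r.action == "accept"}
    app_allow = {r for r in app_rules if r.chain == "egress" and r.action == "accept"}
    return {
        "default_deny": dep_pol.get("egress") == "drop",
        "unauthorized": sorted(dep_allow - app_allow, key=str),
        "missing": sorted(app_allow - dep_allow, key=str),
    }


# Constructed approved ruleset: every allow rule carries a change-record id.
APPROVED = """
chain egress policy drop
egress accept tcp 10.0.5.20 443   # CR-1001 (hypothetical) patch mirror
egress accept udp 10.0.0.53 53    # CR-1002 (hypothetical) internal resolver
"""

# Constructed deployed ruleset: one extra allow rule with no change record.
DEPLOYED = """
chain egress policy drop
egress accept tcp 10.0.5.20 443
egress accept udp 10.0.0.53 53
egress accept tcp 203.0.113.9 22
"""


def incidents(deployed: str = DEPLOYED, approved: str = APPROVED) -> list[str]:
    """One line per finding, in the form the incident process would receive."""
    findings = audit_egress(deployed, approved)
    out: list[str] = []
    if not findings["default_deny"]:
        out.append("egress chain is not default-deny")
    for r in findings["unauthorized"]:
        out.append(f"unauthorized egress rule: {r.proto} {r.dst}:{r.dport}")
    for r in findings["missing"]:
        out.append(f"approved rule not deployed: {r.proto} {r.dst}:{r.dport}")
    return out


if __name__ == "__main__":
    for line in incidents():
        print(line)
```

The check is deliberately two-sided: an allow rule present on the device but absent from the change record is the unauthorized-change case that should open an incident, while an approved rule that is absent from the device is a deployment gap worth the same scrutiny, and a chain whose policy is anything other than drop fails the "specifically authorized" requirement regardless of the individual rules.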