Control | Level 1 | Level 2 | Level 3
---|---|---|---
ADMINISTRATIVE | | |
Risk Management Processes | | |
Risk Decisions | | |
Actionable Executive Decision Making | | |
Comprehensive Risk Management | | |
InfoSec Risk Defined & Documented | | |
Risk Tolerance Determined & Clear | | |
Risk Identified & Prioritized | | |
Threats Identified & Documented | | |
Tolerance Informed by Infrastructure & Sector | | |
PHYSICAL | | |
Evacuation Procedures | | |
Employee Training | | |
Formalized Policies & Procedures | | |
Emergency Response Plan | | |
Security Exercises Conducted | | |
Background Checks | | |
Security Guards | | |
Areas of Refuge | | |
Formal Facility Threat Analysis Every 2 Years | | |
Regular Facility Physical Risk Assessments | | |
INTERNAL TECHNICAL | | |
Firewall Management | | |
Firewall Routing | | |
Data Loss Prevention | | |
DMZ Network | | |
Traffic Reviewed for Malware | | |
Egress Traffic Restrictions | | |
Network-based Intrusion Prevention | | |
Multiple Internet Circuits from Multiple ISPs | | |
Redundant Internet Firewall | | |
Web Content Filtering | | |
EXTERNAL TECHNICAL | | |
Blacklists & Whitelists | | |
Isolated Internal Networks | | |
Firewall Auditable Change Control | | |
Formal Firewall Change Approval | | |
Documented Firewall Review Schedule | | |
Network-based Intrusion Prevention Systems | | |
Internet-facing Systems Hardening Documented | | |
Unauthorized Firewall Changes -> Incident Management Process | | |
Additional Protections on Internet-accessible and DMZ Servers | | |
Egress Traffic Filtering Specifically Authorized | | |