AR 380-19 Information Systems Security

Appendix F

Management Control Evaluation Checklist

F-1. Function. The function covered by this checklist is the administration of the Army Information System Security Program.

F-2. Purpose. The purpose of this checklist is to assist Assessable Unit Managers and Management Control Administrators in evaluating the key management controls outlined below. It is not intended to cover all controls.

F-3. Instruction. Answers must be based on the actual testing of key management controls (e.g., document analysis, direct observation, sampling, simulation, other). Answers that indicate deficiencies must be explained and corrective action indicated in supporting documentation. These key management controls must be formally evaluated at least once every five years. Certification that this evaluation has been conducted must be accomplished on DA form 11-2R (Management Control Evaluation Certification Statement).

F-4. Test Questions.

a. Are appropriate security personnel (e.g., ISSPM, ISSM or ISSO) appointed?

b. Are risk analysis/vulnerability assessments (e.g., VAAP) performed at the appropriate levels on any system that processes Army information?

c. Are the appropriate leadership/management personnel aware of the results of risk analysis/vulnerability assessments?

d. Are countermeasures identified based on the results of risk analysis/vulnerability assessments?

e. Are countermeasures in place commensurate with risk/vulnerability?

f. Is there a written security plan to document implementation of countermeasures?

g. Has leadership/management formally accepted the risk to process the information involved? (Are the systems accredited?)

h. Are countermeasures routinely tested (e.g., user IDs, passwords, audit trails)?

i. Is Information System Security training performed at appropriate levels?

k. Are security incidents/violations (e.g., viruses, unauthorized entries or attempts) reported and investigated?

l. Have plans been developed to ensure continued operation in the event of major disruption (e.g., fire, natural disaster, bomb threat, civil disorder)?

m. Has a Configuration Control Board approved each network? Is an appropriate security official a member of each board?

F-5. Supersession. This checklist replaces the checklist for “Intelligence Activities/Army Information System Security Program (AISSP)” previously published in DA Circular 11-92-1.

F-6. Comments. Help to make this a better tool for evaluating management controls. Submit comments to: HQDA (DAMI-IM), 1000 Army Pentagon, Washington, DC 20310-1000.