Experience in developing information security policies, building out control frameworks and security controls, providing guidance and recommendations for new security programs, assessing . If the institution determines that misuse of customer information has occurred or is reasonably possible, it should notify any affected customer as soon as possible. The controls address a diverse set of security and privacy requirements across the federal government and critical infrastructure, derived from legislation, Executive Orders, policies, directives, regulations, standards, and/or mission/business needs. Citations to the Privacy Rule in this guide omit references to part numbers and give only the appropriate section number. Foundational Controls: The foundational security controls are designed for organizations to implement in accordance with their unique requirements. Land F, Supplement A (Board); 12 C.F.R. This paper outlines the privacy and information security laws that pertain to federal information systems and discusses special issues that should be addressed in a federal SLDN.
Access Control; Audit and Accountability; Awareness and Training; Assessment, Authorization and Monitoring; Configuration Management; Contingency Planning; Identification and Authentication; Incident Response; Maintenance; Media Protection; Personnel Security; Physical and Environmental Protection; Planning; Risk Assessment; System and Communications Protection; System and Information Integrity; System and Services Acquisition. Organizations must report to Congress the status of their PII holdings every. These controls address more specific risks and can be tailored to the organization's environment and business objectives. Organizational Controls: The organizational security controls are those that should be implemented by all organizations in order to meet their specific security requirements. ISA provides access to information on threats and vulnerability, industry best practices, and developments in Internet security policy. Recognize that computer-based records present unique disposal problems. The Federal Information Systems Security Management Principles are outlined in NIST SP 800-53 along with a list of controls. By following the guidance provided . The NIST 800-53, a detailed list of security controls applicable to all U.S. organizations, is included in this advice.
CERT provides security-incident reports, vulnerability reports, security-evaluation tools, security modules, and information on business continuity planning, intrusion detection, and network security. The Federal Information Technology Security Assessment Framework (Framework) identifies five levels of IT security program effectiveness (see Figure 1). The guide summarizes the obligations of financial institutions to protect customer information and illustrates how certain provisions of the Security Elements of information systems security control include: Identifying isolated and networked systems; Application security. The document explains the importance of protecting the confidentiality of PII in the context of information security and explains its To maintain data's confidentiality, dependability, and accessibility, these controls are applied in the field of information security. In order to do this, NIST develops guidance and standards for Federal Information Security controls. The institution will need to supplement the outside consultant's assessment by examining other risks, such as risks to customer records maintained in paper form. Definition: The administrative, technical, and physical measures taken by an organization to ensure that privacy laws are being followed. Accordingly, an automated analysis of vulnerabilities should be only one tool used in conducting a risk assessment. A. DoD 5400.11-R: DoD Privacy Program B.
Under the Security Guidelines, a risk assessment must include the following four steps: Identifying reasonably foreseeable internal and external threats: A risk assessment must be sufficient in scope to identify the reasonably foreseeable threats from within and outside a financial institution's operations that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems, as well as the reasonably foreseeable threats due to the disposal of customer information. See "Identity Theft and Pretext Calling," FRB Sup. 568.5 based on noncompliance with the Security Guidelines. Part 570, app. Although this guide was designed to help financial institutions identify and comply with the requirements of the Security Guidelines, it is not a substitute for the Security Guidelines. Managed controls, a recent development, offer a convenient and quick substitute for manually managing controls. It is regularly updated to guarantee that federal agencies are utilizing the most recent security controls. What Guidance Identifies Federal Information Security Controls The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the United States Department of Commerce. The US Department of Commerce has a non-regulatory organization called the National Institute of Standards and Technology (NIST). For example, whether an institution conducts its own risk assessment or hires another person to conduct it, management should report the results of that assessment to the board or an appropriate committee. CIS develops security benchmarks through a global consensus process. Businesses can use a variety of federal information security controls to safeguard their data.
Center for Internet Security (CIS) -- A nonprofit cooperative enterprise that helps organizations reduce the risk of business and e-commerce disruptions resulting from inadequate security configurations. Elements of information systems security control include: A complete program should include aspects of what's applicable to BSAT security information and access to BSAT registered space. See 65 Fed. The Federal Information Security Management Act of 2002 (Title III of Public Law 107-347) establishes security practices for federal computer systems and, among its other system security provisions, requires agencies to conduct periodic assessments of the risk and magnitude of the harm that could result from the unauthorized access, use, What Guidance Identifies Federal Information Security Controls Career Corner December 17, 2022 The Federal Information Security Management Act (FISMA), a piece of American legislation, establishes a framework of rules and security requirements to safeguard government data and operations.
Federal Information Security Controls (FISMA) are essential for protecting the confidentiality, integrity, and availability of federal information systems. Information Systems Audit and Control Association (ISACA) -- An association that develops IT auditing and control standards and administers the Certified Information Systems Auditor (CISA) designation. That rule established a new control on certain cybersecurity items for National Security (NS) and Anti-terrorism (AT) reasons, as well as adding a new License Exception Authorized Cybersecurity Exports (ACE) that authorizes exports of these items to most destinations except in certain circumstances. Develop and maintain an effective information security program tailored to the complexity of its operations, and. Joint Task Force Transformation Initiative. Organizations are encouraged to tailor the recommendations to meet their specific requirements. and Johnson, L. 8616 (Feb. 1, 2001) and 69 Fed.
It also offers training programs at Carnegie Mellon. The National Institute of Standards and Technology (NIST) has created a consolidated guidance document that covers all of the major control families. A change in business arrangements may involve disposal of a larger volume of records than in the normal course of business. Paragraphs II.A-B of the Security Guidelines require financial institutions to implement an information security program that includes administrative, technical, and physical safeguards designed to achieve the following objectives: To achieve these objectives, an information security program must suit the size and complexity of a financial institution's operations and the nature and scope of its activities. The Security Guidelines provide an illustrative list of other material matters that may be appropriate to include in the report, such as decisions about risk management and control, arrangements with service providers, results of testing, security breaches or violations and management's responses, and recommendations for changes in an information security program.
Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means; Access restrictions at physical locations containing customer information, such as buildings, computer facilities, and records storage facilities to permit access only to authorized individuals; Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access; Procedures designed to ensure that customer information system modifications are consistent with the institution's information security program; Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information; Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems; Response programs that specify actions to be taken when the institution suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies; and. To the extent that monitoring is warranted, a financial institution must confirm that the service provider is fulfilling its obligations under its contract. These controls help protect information from unauthorized access, use, disclosure, or destruction. FISMA establishes a comprehensive framework for managing information security risks to federal information and systems. Applying each of the foregoing steps in connection with the disposal of customer information.
This is a living document subject to ongoing improvement. FDIC Financial Institution Letter (FIL) 132-2004. These controls are important because they provide a framework for protecting information and ensure that agencies take the necessary steps to safeguard their data. For example, the OTS may initiate an enforcement action for violating 12 C.F.R. These controls are: The term(s) security control and privacy control refers to the control of security and privacy. The Federal Information Security Management Act, or FISMA, is a federal law that defines a comprehensive framework to secure government information. Each of the five levels contains criteria to determine if the level is adequately implemented. It also provides a baseline for measuring the effectiveness of their security program. The appendix lists resources that may be helpful in assessing risks and designing and implementing information security programs. These standards and recommendations are used by systems that maintain the confidentiality, integrity, and availability of data. Testing may vary over time depending, in part, on the adequacy of any improvements an institution implements to prevent access after detecting an intrusion. There are a number of other enforcement actions an agency may take. How Do the Recommendations in NIST SP 800-53A Contribute to the Development of More Secure Information Systems? The federal government has identified a set of information security controls that are important for safeguarding sensitive information. BSAT security information includes at a minimum: Information systems security control is comprised of the processes and practices of technologies designed to protect networks, computers, programs and data from unwanted, and most importantly, deliberate intrusions.
preparation for a crisis Identification and authentication are required. Part 208, app. They offer a starting point for safeguarding systems and information against dangers. Date Published: April 2013 (Updated 1/22/2015). A high technology organization, NSA is on the frontiers of communications and data processing. Independent third parties or staff members, other than those who develop or maintain the institution's security programs, must perform or review the testing. NIST creates standards and guidelines for Federal Information Security controls in order to accomplish this. True Jane Student is delivering a document that contains PII, but she cannot find the correct cover sheet. Where indicated by its risk assessment, monitor its service providers to confirm that they have satisfied their obligations under the contract described above. The web site provides links to a large number of academic, professional, and government sponsored web sites that provide additional information on computer or system security. We need to be educated and informed. Senators introduced legislation to overturn a longstanding ban on I.C.2 of the Security Guidelines. The Federal Information Security Management Act (FISMA) and its implementing regulations serve as the direction. C. Which type of safeguarding measure involves restricting PII access to people with a need to know?
The Security Guidelines provide a list of measures that an institution must consider and, if appropriate, adopt. Its members include the American Institute of Certified Public Accountants (AICPA), Financial Management Service of the U.S. Department of the Treasury, and Institute for Security Technology Studies (Dartmouth College). The institution should include reviews of its service providers in its written information security program. "Information Security Program," January 14, 1997 (i) Section 3303a of title 44, United States Code . NIST's main mission is to promote innovation and industrial competitiveness. Part 364, app. A comprehensive set of guidelines that address all of the significant control families has been produced by the National Institute of Standards and Technology (NIST). The Freedom of Information Act (FOIA) C. OMB Memorandum M-17-12: Preparing for and Responding to a Breach of Personally Identifiable Information D. The Privacy Act of 1974 The purpose of this document is to assist Federal agencies in protecting the confidentiality of personally identifiable information (PII) in information systems. In March 2019, a bipartisan group of U.S. NIST SP 800-53 contains the management, operational, and technical safeguards or countermeasures . Each of the Agencies, as well as the National Credit Union Administration (NCUA), has issued privacy regulations that implement sections 502-509 of the GLB Act; the regulations are comparable to and consistent with one another. They provide a baseline for protecting information and systems from threats. Foundational Controls: The foundational security controls build on the basic controls and are intended to be implemented by organizations based on their specific needs.
Service provider means any party, whether affiliated or not, that is permitted access to a financial institution's customer information through the provision of services directly to the institution. apply the appropriate set of baseline security controls in NIST Special Publication 800-53 (as amended), Recommended Security Controls for Federal Information Systems. The entity must provide the policies and procedures for information system security controls or reference the organizational policies and procedures in the security plan as required by Section 11 (42 CFR 73.11, 7 CFR 331.11, and 9 CFR 121.11) of the select agent regulations. This guide applies to the following types of financial institutions: National banks, Federal branches and Federal agencies of foreign banks and any subsidiaries of these entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers) (OCC); member banks (other than national banks), branches and agencies of foreign banks (other than Federal branches, Federal agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, Edge and Agreement Act Corporations, bank holding companies and their nonbank subsidiaries or affiliates (except brokers, dealers, persons providing insurance, investment companies, and investment advisers) (Board); state non-member banks, insured state branches of foreign banks, and any subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers) (FDIC); and insured savings associations and any subsidiaries of such savings associations (except brokers, dealers, persons providing insurance, investment companies, and investment 
advisers) (OTS). Date: 10/08/2019. III.C.1.a of the Security Guidelines. Basic, Foundational, and Organizational are the divisions into which they are arranged. In their recommendations for federal information security, the National Institute of Standards and Technology (NIST) identified 19 different families of controls. Identifying reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems; Assessing the likelihood and potential damage of identified threats, taking into consideration the sensitivity of the customer information; Assessing the sufficiency of the policies, procedures, customer information systems, and other arrangements in place to control the identified risks; and.