Guidance for NIST 800-171 Assessment & Compliance

Zoom Window Out
Larger Text | Smaller Text
Hide Page Header
Show Expanding Text
Printable Version
Save Permalink URL

Navigation: CA-FAMILY: SECURITY ASSESSMENT AND AUTHORIZATION

CA-1 SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES

Scroll Prev Top Next More

Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

(O)ther than satisfactory +##

###

ca-1	security assessment and authorization policy and procedures
	assessment objective: Determine if the organization:
	ca-1(a)(1)	ca-1(a)(1)[1]	develops and documents a security assessment and authorization policy that addresses:
			ca-1(a)(1)[1][a]	purpose;
			ca-1(a)(1)[1][b]	scope;
			ca-1(a)(1)[1][c]	roles;
			ca-1(a)(1)[1][d]	responsibilities;
			ca-1(a)(1)[1][e]	management commitment;
			ca-1(a)(1)[1][f]	coordination among organizational entities;
			ca-1(a)(1)[1][g]	compliance;
		ca-1(a)(1)[2]	defines personnel or roles to whom the security assessment and authorization policy is to be disseminated;
		ca-1(a)(1)[3]	disseminates the security assessment and authorization policy to organization-defined personnel or roles;
	ca-1(a)(2)	ca-1(a)(2)[1]	develops and documents procedures to facilitate the implementation of the security assessment and authorization policy and associated assessment and authorization controls;
		ca-1(a)(2)[2]	defines personnel or roles to whom the procedures are to be disseminated;
		ca-1(a)(2)[3]	disseminates the procedures to organization-defined personnel or roles;
	ca-1(b)(1)	ca-1(b)(1)[1]	defines the frequency to review and update the current security assessment and authorization policy;
		ca-1(b)(1)[2]	reviews and updates the current security assessment and authorization policy with the organization-defined frequency;
	ca-1(b)(2)	ca-1(b)(2)[1]	defines the frequency to review and update the current security assessment and authorization procedures; and
		ca-1(b)(2)[2]	reviews and updates the current security assessment and authorization procedures with the organization-defined frequency.
	potential assessment methods and objects: Examine: [select from: Security assessment and authorization policy and procedures; other relevant documents or records]. Interview: [select from: Organizational personnel with security assessment and authorization responsibilities; organizational personnel with information security responsibilities].

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056