Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

pe-17

alternate work site

assessment objective:

Determine if the organization:  

pe-17(a)  

pe-17(a)[1]

defines security controls to be employed at alternate work sites;

pe-17(a)[2]

employs organization-defined security controls at alternate work sites;

pe-17(b)  

assesses, as feasible, the effectiveness of security controls at alternate work sites; and

pe-17(c)  

provides a means for employees to communicate with information security personnel in case of security incidents or problems.

potential assessment methods and objects:

Examine: [select from: Physical and environmental protection policy; procedures addressing alternate work sites for organizational personnel; security plan; list of security controls required for alternate work sites; assessments of security controls at alternate work sites; other relevant documents or records].

Interview: [select from: Organizational personnel approving use of alternate work sites; organizational personnel using alternate work sites; organizational personnel assessing controls at alternate work sites; organizational personnel with information security responsibilities].

Test: [select from: Organizational processes for security at alternate work sites; automated mechanisms supporting alternate work sites; security controls employed at alternate work sites; means of communications between personnel at alternate work sites and security personnel].