Assessment worksheet columns (rating key):

| Applicable (Y)es / (N)o | (C)onfidentiality | (I)ntegrity | (A)vailability | RPN (C+I+A) | (S)atisfactory / (O)ther than satisfactory |
|---|---|---|---|---|---|
| Y / N | L1 / M2 / H3 | L1 / M2 / H3 | L1 / M2 / H3 | sum of C, I and A ratings | S / O |
PL-8 INFORMATION SECURITY ARCHITECTURE

Assessment objective: Determine if the organization:

PL-8(a) develops an information security architecture for the information system that describes:
    PL-8(a)(1) the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;
    PL-8(a)(2) how the information security architecture is integrated into and supports the enterprise architecture;
    PL-8(a)(3) any information security assumptions about, and dependencies on, external services;

PL-8(b)
    PL-8(b)[1] defines the frequency to review and update the information security architecture;
    PL-8(b)[2] reviews and updates the information security architecture with the organization-defined frequency to reflect updates in the enterprise architecture;

PL-8(c) ensures that planned information security architecture changes are reflected in:
    PL-8(c)[1] the security plan;
    PL-8(c)[2] the security Concept of Operations (CONOPS); and
    PL-8(c)[3] the organizational procurements/acquisitions.

Potential assessment methods and objects:

Examine: [select from: Security planning policy; procedures addressing information security architecture development; procedures addressing information security architecture reviews and updates; enterprise architecture documentation; information security architecture documentation; security plan for the information system; security CONOPS for the information system; records of information security architecture reviews and updates; other relevant documents or records].

Interview: [select from: Organizational personnel with security planning and plan implementation responsibilities; organizational personnel with information security architecture development responsibilities; organizational personnel with information security responsibilities].

Test: [select from: Organizational processes for developing, reviewing, and updating the information security architecture; automated mechanisms supporting and/or implementing the development, review, and update of the information security architecture].