Rating columns recorded for each assessment objective:

| Applicable (Y)es / (N)o | (C)onfidentiality | (I)ntegrity | (A)vailability | RPN (C+I+A) | (S)atisfactory | (O)ther than satisfactory +## |
|---|---|---|---|---|---|---|
| Y / N | L1 / M2 / H3 | L1 / M2 / H3 | L1 / M2 / H3 | sum of the C, I and A scores | S | O +## |

Confidentiality, integrity and availability are each scored L1, M2 or H3; the RPN is the sum C+I+A.
### PM-1 Information Security Program Plan

Assessment objective: Determine if the organization:

| ID | Assessment objective |
|---|---|
| PM-1(a) | develops and disseminates an organization-wide information security program plan that: |
| PM-1(a)(1)[1] | provides an overview of the requirements for the security program; |
| PM-1(a)(1)[2] | provides a description of the: |
| PM-1(a)(1)[2][a] | security program management controls in place or planned for meeting those requirements; |
| PM-1(a)(1)[2][b] | common controls in place or planned for meeting those requirements; |
| PM-1(a)(2) | includes the identification and assignment of: |
| PM-1(a)(2)[1] | roles; |
| PM-1(a)(2)[2] | responsibilities; |
| PM-1(a)(2)[3] | management commitment; |
| PM-1(a)(2)[4] | coordination among organizational entities; |
| PM-1(a)(2)[5] | compliance; |
| PM-1(a)(3) | reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); |
| PM-1(a)(4) | is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations, organizational assets, individuals, other organizations, and the Nation; |
| PM-1(b)[1] | defines the frequency to review the security program plan for the information system; |
| PM-1(b)[2] | reviews the organization-wide information security program plan with the organization-defined frequency; |
| PM-1(c) | updates the plan to address organizational: |
| PM-1(c)[1] | changes identified during plan implementation; |
| PM-1(c)[2] | changes identified during security control assessments; |
| PM-1(c)[3] | problems identified during plan implementation; |
| PM-1(c)[4] | problems identified during security control assessments; |
| PM-1(d) | protects the information security program plan from unauthorized: |
| PM-1(d)[1] | disclosure; and |
| PM-1(d)[2] | modification. |
Potential assessment methods and objects:

- Examine: [select from: Information security program plan; procedures addressing program plan development and implementation; procedures addressing program plan reviews and updates; procedures addressing coordination of the program plan with relevant entities; procedures for program plan approvals; records of program plan reviews and updates; other relevant documents or records].
- Interview: [select from: Organizational personnel with information security program planning and plan implementation responsibilities; organizational personnel with information security responsibilities].
- Test: [select from: Organizational processes for information security program plan development/review/update/approval; automated mechanisms supporting and/or implementing the information security program plan].