Guidance for NIST 800-171 Assessment & Compliance
Applicable (Y)es / (N)o |
(C)onfidentiality |
(I)ntegrity |
(A)vailability |
RPN (C+I+A) |
(S)atisfactory |
||||||
L1 |
M2 |
H3 |
L1 |
M2 |
H3 |
L1 |
M2 |
H3 |
(O)ther than satisfactory +## |
||
|
|
|
|
|
|
|
|
|
|
|
|
###
pm-3 |
information security resources |
||
|
assessment objective: Determine if the organization: |
||
pm-3(a) |
pm-3(a)[1] |
ensures that all capital planning and investment requests include the resources needed to implement the information security program plan; |
|
pm-3(a)[2] |
documents all exceptions to the requirement; |
||
pm-3(b) |
employs a business case/Exhibit 300/Exhibit 53 to record the resources required; and |
||
pm-3(c) |
ensures that information security resources are available for expenditure as planned. |
||
potential assessment methods and objects: Examine: [select from: Information security program plan; Exhibits 300; Exhibits 53; business cases for capital planning and investment; procedures for capital planning and investment; documentation of exceptions to capital planning requirements; other relevant documents or records]. Interview: [select from: Organizational personnel with information security program planning responsibilities; organizational personnel responsible for capital planning and investment; organizational personnel with information security responsibilities]. Test: [select from: Organizational processes for capital planning and investment; organizational processes for business case/Exhibit 300/Exhibit 53 development; automated mechanisms supporting the capital planning and investment process]. |
|||
