Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

pm-10

security authorization process

assessment objective:

Determine if the organization:  

pm-10(a)  

manages (i.e., documents, tracks, and reports) the security state of organizational information systems and the environments in which those systems operate through security authorization processes;

pm-10(b)

designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and

pm-10(c)  

fully integrates the security authorization processes into an organization-wide risk management program.

potential assessment methods and objects:

Examine: [select from: Information security program plan; procedures addressing management (i.e., documentation, tracking, and reporting) of the security authorization process; security authorization documents; lists or other documentation about security authorization process roles and responsibilities; risk assessment results relevant to the security authorization process and the organization-wide risk management program; organizational risk management strategy; other relevant documents or records].

Interview: [select from: Organizational personnel with information security program planning and plan implementation responsibilities; organizational personnel responsible for management of the security authorization process; authorizing officials; system owners, senior information security officer; organizational personnel with information security responsibilities].

Test: [select from: Organizational processes for security authorization; automated mechanisms supporting the security authorization process].