
ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance

Control family: PM - Program Management

PM-14 TESTING, TRAINING, AND MONITORING


Assessment worksheet (cells are left blank for the assessor to fill in):

Applicable    | (C)onfidentiality | (I)ntegrity   | (A)vailability | RPN     | Result
(Y)es / (N)o  | L1 / M2 / H3      | L1 / M2 / H3  | L1 / M2 / H3   | (C+I+A) | (S)atisfactory / (O)ther than satisfactory +##
              |                   |               |                |         | ###

Assessment objective:

Determine if the organization:

pm-14(a)  implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems:
    pm-14(a)(1)
        pm-14(a)(1)[1]  are developed;
        pm-14(a)(1)[2]  are maintained;
    pm-14(a)(2)  continue to be executed in a timely manner;
pm-14(b)  reviews testing, training, and monitoring plans for consistency with:
    pm-14(b)[1]  the organizational risk management strategy; and
    pm-14(b)[2]  organization-wide priorities for risk response actions.

Potential assessment methods and objects:

Examine: [select from: Information security program plan; plans for conducting security testing, training, and monitoring activities; organizational procedures addressing development and maintenance of plans for conducting security testing, training, and monitoring activities; risk management strategy; procedures for review of plans for conducting security testing, training, and monitoring activities for consistency with risk management strategy and risk response priorities; results of risk assessments associated with conducting security testing, training, and monitoring activities; evidence that plans for conducting security testing, training, and monitoring activities are executed in a timely manner; other relevant documents or records].

Interview: [select from: Organizational personnel with responsibility for developing and maintaining plans for conducting security testing, training, and monitoring activities; organizational personnel with information security responsibilities].

Test: [select from: Organizational processes for development and maintenance of plans for conducting security testing, training, and monitoring activities; automated mechanisms supporting development and maintenance of plans for conducting security testing, training, and monitoring activities].

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056