Assessment worksheet column legend:

- Applicable: (Y)es / (N)o
- (C)onfidentiality, (I)ntegrity, (A)vailability: each rated L1 / M2 / H3
- RPN: C + I + A
- Result: (S)atisfactory / (O)ther than satisfactory +##
### PM-14 Testing, Training, and Monitoring

Assessment objective: Determine if the organization:

- PM-14(a): implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems:
  - PM-14(a)(1)[1]: are developed;
  - PM-14(a)(1)[2]: are maintained;
  - PM-14(a)(2): continue to be executed in a timely manner;
- PM-14(b): reviews testing, training, and monitoring plans for consistency with:
  - PM-14(b)[1]: the organizational risk management strategy; and
  - PM-14(b)[2]: organization-wide priorities for risk response actions.

Potential assessment methods and objects:

- Examine: [select from: Information security program plan; plans for conducting security testing, training, and monitoring activities; organizational procedures addressing development and maintenance of plans for conducting security testing, training, and monitoring activities; risk management strategy; procedures for review of plans for conducting security testing, training, and monitoring activities for consistency with risk management strategy and risk response priorities; results of risk assessments associated with conducting security testing, training, and monitoring activities; evidence that plans for conducting security testing, training, and monitoring activities are executed in a timely manner; other relevant documents or records].
- Interview: [select from: Organizational personnel with responsibility for developing and maintaining plans for conducting security testing, training, and monitoring activities; organizational personnel with information security responsibilities].
- Test: [select from: Organizational processes for development and maintenance of plans for conducting security testing, training, and monitoring activities; automated mechanisms supporting development and maintenance of plans for conducting security testing, training, and monitoring activities].