ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance

PM-15 CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS

Applicable: (Y)es / (N)o

(C)onfidentiality: L1 / M2 / H3

(I)ntegrity: L1 / M2 / H3

(A)vailability: L1 / M2 / H3

RPN: (C+I+A)

(S)atisfactory / (O)ther than satisfactory +##

###


Assessment objective:

Determine if the organization establishes and institutionalizes contact with selected groups and associations within the security community to:

PM-15(a) facilitate ongoing security education and training for organizational personnel;

PM-15(b) maintain currency with recommended security practices, techniques, and technologies; and

PM-15(c) share current security-related information including threats, vulnerabilities, and incidents.

Potential assessment methods and objects:

Examine: [select from: Information security program plan; risk management strategy; procedures for contacts with security groups and associations; evidence of established and institutionalized contact with security groups and associations; lists or other documentation about contact with and/or membership in security groups and associations; other relevant documents or records].

Interview: [select from: Organizational personnel with information security program planning and plan implementation responsibilities; organizational personnel responsible for establishing and institutionalizing contact with security groups and associations; organizational personnel with information security responsibilities; personnel from selected groups and associations with which the organization has established and institutionalized contact].

Test: [select from: Organizational processes for establishing and institutionalizing contact with security groups and associations; automated mechanisms supporting contacts with security groups and associations].

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056