Assessment worksheet column headings (recovered from the original table layout; the per-row cell values did not survive extraction):

| Applicable (Y)es / (N)o | (C)onfidentiality | (I)ntegrity | (A)vailability | RPN (C+I+A) | (S)atisfactory / (O)ther than satisfactory |

Rating scale for each of C, I and A: L = 1, M = 2, H = 3. RPN is the sum C + I + A.
PM-15 Contacts with Security Groups and Associations

assessment objective: Determine if the organization establishes and institutionalizes contact with selected groups and associations within the security community to:

PM-15(a)
facilitate ongoing security education and training for organizational personnel;

PM-15(b)
maintain currency with recommended security practices, techniques, and technologies; and

PM-15(c)
share current security-related information, including threats, vulnerabilities, and incidents.
|
potential assessment methods and objects: Examine: [select from: Information security program plan; risk management strategy; procedures for contacts with security groups and associations; evidence of established and institutionalized contact with security groups and associations; lists or other documentation about contact with and/or membership in security groups and associations; other relevant documents or records]. Interview: [select from: Organizational personnel with information security program planning and plan implementation responsibilities; organizational personnel responsible for establishing and institutionalizing contact with security groups and associations; organizational personnel with information security responsibilities; personnel from selected groups and associations with which the organization has established and institutionalized contact]. Test: [select from: Organizational processes for establishing and institutionalizing contact with security groups and associations; automated mechanisms supporting contacts with security groups and associations]. |