Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

sa-2

allocation of resources  

assessment objective:

Determine if the organization:

sa-2(a)

determines information security requirements for the information system or information system service in mission/business process planning;

sa-2(b)

to protect the information system or information system service as part of its capital planning and investment control process:

sa-2(b)[1]

determines the resources required;

sa-2(b)[2]

documents the resources required;

sa-2(b)[3]

allocates the resources required; and

sa-2(c)

establishes a discrete line item for information security in organizational programming and budgeting documentation.

potential assessment methods and objects:

Examine: [select from: System and services acquisition policy; procedures addressing the allocation of resources to information security requirements; procedures addressing capital planning and investment control; organizational programming and budgeting documentation; other relevant documents or records].

Interview: [select from: Organizational personnel with capital planning, investment control, organizational programming and budgeting responsibilities; organizational personnel responsible for determining information security requirements for information systems/services; organizational personnel with information security responsibilities].

Test: [select from: Organizational processes for determining information security requirements; organizational processes for capital planning, programming, and budgeting; automated mechanisms supporting and/or implementing organizational capital planning, programming, and budgeting].