Rating columns: Applicable (Y)es/(N)o | (C)onfidentiality | (I)ntegrity | (A)vailability | RPN (C+I+A) | (S)atisfactory | (O)ther than satisfactory
Scale for each of C, I and A: L1 / M2 / H3 (Low = 1, Medium = 2, High = 3); RPN is the sum of the three.
SA-2 | ALLOCATION OF RESOURCES

ASSESSMENT OBJECTIVE: Determine if the organization:

SA-2(a) | determines information security requirements for the information system or information system service in mission/business process planning;

SA-2(b) | to protect the information system or information system service as part of its capital planning and investment control process:

SA-2(b)[1] | determines the resources required;

SA-2(b)[2] | documents the resources required;

SA-2(b)[3] | allocates the resources required; and

SA-2(c) | establishes a discrete line item for information security in organizational programming and budgeting documentation.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [select from: System and services acquisition policy; procedures addressing the allocation of resources to information security requirements; procedures addressing capital planning and investment control; organizational programming and budgeting documentation; other relevant documents or records].

Interview: [select from: Organizational personnel with capital planning, investment control, organizational programming and budgeting responsibilities; organizational personnel responsible for determining information security requirements for information systems/services; organizational personnel with information security responsibilities].

Test: [select from: Organizational processes for determining information security requirements; organizational processes for capital planning, programming, and budgeting; automated mechanisms supporting and/or implementing organizational capital planning, programming, and budgeting].