Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

sa-15(3)

development process, standards, and tools  | criticality analysis

assessment objective:

Determine if the organization:

sa-15(3)[1]

defines the breadth of criticality analysis to be performed by the developer of the information system, system component, or information system service;

sa-15(3)[2]

defines the depth of criticality analysis to be performed by the developer of the information system, system component, or information system service;

sa-15(3)[3]

defines decision points in the system development life cycle when a criticality analysis is to be performed for the information system, system component, or information system service; and

sa-15(3)[4]

requires the developer of the information system, system component, or information system service to perform a criticality analysis at the organization-defined breadth/depth and at organization-defined decision points in the system development life cycle.

potential assessment methods and objects:

Examine: [select from: System and services acquisition policy; procedures addressing development process, standards, and tools; procedures addressing criticality analysis requirements for the information system, system component, or information system service; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; criticality analysis documentation; business impact analysis documentation; software development life cycle documentation; other relevant documents or records].

Interview: [select from: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel responsibility for performing criticality analysis; system developer].

Test: [select from: Organizational processes for performing criticality analysis; automated mechanisms supporting and/or implementing criticality analysis].