Guidance for NIST 800-171 Assessment & Compliance

Zoom Window Out
Larger Text | Smaller Text
Hide Page Header
Show Expanding Text
Printable Version
Save Permalink URL

Navigation: SC-FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION

SC-1 SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES

Scroll Prev Top Next More

Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

(O)ther than satisfactory +##

###

sc-1	system and communications protection policy and procedures
	assessment objective: Determine if the organization:
	sc-1(a)(1)	sc-1(a)(1)[1]	develops and documents a system and communications protection policy that addresses:
			sc-1(a)(1)[1][a]	purpose;
			sc-1(a)(1)[1][b]	scope;
			sc-1(a)(1)[1][c]	roles;
			sc-1(a)(1)[1][d]	responsibilities;
			sc-1(a)(1)[1][e]	management commitment;
			sc-1(a)(1)[1][f]	coordination among organizational entities;
			sc-1(a)(1)[1][g]	compliance;
		sc-1(a)(1)[2]	defines personnel or roles to whom the system and communications protection policy is to be disseminated;
		sc-1(a)(1)[3]	disseminates the system and communications protection policy to organization-defined personnel or roles;
	sc-1(a)(2)	sc-1(a)(2)[1]	develops and documents procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls;
		sc-1(a)(2)[2]	defines personnel or roles to whom the procedures are to be disseminated;
		sc-1(a)(2)[3]	disseminates the procedures to organization-defined personnel or roles;
	sc-1(b)(1)	sc-1(b)(1)[1]	defines the frequency to review and update the current system and communications protection policy;
		sc-1(b)(1)[2]	reviews and updates the current system and communications protection policy with the organization-defined frequency;
	sc-1(b)(2)	sc-1(b)(2)[1]	defines the frequency to review and update the current system and communications protection procedures; and
		sc-1(b)(2)[2]	reviews and updates the current system and communications protection procedures with the organization-defined frequency.
	potential assessment methods and objects: Examine: [select from: System and communications protection policy and procedures; other relevant documents or records]. Interview: [select from: Organizational personnel with system and communications protection responsibilities; organizational personnel with information security responsibilities].

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056