NIST SP 800-53Ar1 Assessment Procedure Catalog, with SP 800-53r3 Security Controls
PLANNING
PL-1 SECURITY PLANNING POLICY AND PROCEDURES
FAMILY: PLANNING
CLASS: MANAGEMENT

Security Control Baseline:

| Control | Name | Priority | LOW | MOD | HIGH |
|---|---|---|---|---|---|
| PL-1 | Security Planning Policy and Procedures | P1 | PL-1 | PL-1 | PL-1 |

ASSESSMENT PROCEDURE: PL-1 SECURITY PLANNING POLICY AND PROCEDURES

PL-1.1
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization develops and formally documents security planning policy;
- (ii) the organization security planning policy addresses:
- (iii) the organization disseminates formal documented security planning policy to elements within the organization having associated security planning roles and responsibilities;
- (iv) the organization develops and formally documents security planning procedures;
- (v) the organization security planning procedures facilitate implementation of the security planning policy and associated security planning controls; and
- (vi) the organization disseminates formal documented security planning procedures to elements within the organization having associated security planning roles and responsibilities.
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Security planning policy and procedures; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with security planning responsibilities].

PL-1.2
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization defines the frequency of security planning policy reviews/updates;
- (ii) the organization reviews/updates security planning policy in accordance with organization-defined frequency;
- (iii) the organization defines the frequency of security planning procedure reviews/updates; and
- (iv) the organization reviews/updates security planning procedures in accordance with organization-defined frequency.
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Security planning policy and procedures; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with security planning responsibilities].

PL-2 SYSTEM SECURITY PLAN
FAMILY: PLANNING
CLASS: MANAGEMENT

Security Control Baseline:

| Control | Name | Priority | LOW | MOD | HIGH |
|---|---|---|---|---|---|
| PL-2 | System Security Plan | P1 | PL-2 | PL-2 | PL-2 |

ASSESSMENT PROCEDURE: PL-2 SYSTEM SECURITY PLAN

PL-2.1
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization develops a security plan for the information system that:
- is consistent with the organization's enterprise architecture;
- explicitly defines the authorization boundary for the system;
- describes the operational context of the information system in terms of mission and business processes;
- provides the security categorization of the information system including supporting rationale;
- describes the operational environment for the information system;
- describes relationships with or connections to other information systems;
- provides an overview of the security requirements for the system;
- describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplemental decisions; and
- is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
- (ii) the organization defines the frequency of security plan reviews;
- (iii) the organization reviews the security plan in accordance with the organization-defined frequency; and
- (iv) the organization updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments.
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Security planning policy; procedures addressing security plan development and implementation; procedures addressing security plan reviews and updates; enterprise architecture documentation; security plan for the information system; records of security plan reviews and updates; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with security planning and plan implementation responsibilities for the information system].

PL-4 RULES OF BEHAVIOR
FAMILY: PLANNING
CLASS: MANAGEMENT

Security Control Baseline:

| Control | Name | Priority | LOW | MOD | HIGH |
|---|---|---|---|---|---|
| PL-4 | Rules of Behavior | P1 | PL-4 | PL-4 | PL-4 |

ASSESSMENT PROCEDURE: PL-4 RULES OF BEHAVIOR

PL-4.1
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization establishes the rules that describe information system user responsibilities and expected behavior with regard to information and information system usage;
- (ii) the organization makes the rules available to all information system users; and
- (iii) the organization receives a signed acknowledgement from users indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system.
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Security planning policy; procedures addressing rules of behavior for information system users; rules of behavior; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel who are authorized users of the information system and have signed rules of behavior].
PL-5 PRIVACY IMPACT ASSESSMENT
FAMILY: PLANNING
CLASS: MANAGEMENT

Security Control Baseline:

| Control | Name | Priority | LOW | MOD | HIGH |
|---|---|---|---|---|---|
| PL-5 | Privacy Impact Assessment | P1 | PL-5 | PL-5 | PL-5 |

ASSESSMENT PROCEDURE: PL-5 PRIVACY IMPACT ASSESSMENT

PL-5.1
ASSESSMENT OBJECTIVE:
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: Security planning policy; procedures addressing privacy impact assessments on the information system; privacy impact assessment; other relevant documents or records].