Doc:NIST SP 800-53Ar1 FPD Appendix F/Enhanced/PL

From FISMApedia

SP 800-53Ar1 FPD Assessment Procedure Catalog, with SP 800-53r3 Security Controls


PLANNING

PL-1


FAMILY: PLANNING CLASS: MANAGEMENT


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PL-1


ASSESSMENT PROCEDURE
PL-1 SECURITY PLANNING POLICY AND PROCEDURES
PL-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and formally documents security planning policy;
(ii) the organization security planning policy addresses:
(iii) the organization disseminates formal documented security planning policy to elements within the organization having associated security planning roles and responsibilities;
(iv) the organization develops and formally documents security planning procedures;
(v) the organization security planning procedures facilitate implementation of the security planning policy and associated security planning controls; and
(vi) the organization disseminates formal documented security planning procedures to elements within the organization having associated security planning roles and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security planning policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with security planning responsibilities].
PL-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of security planning policy reviews/updates;
(ii) the organization reviews/updates security planning policy in accordance with the organization-defined frequency;
(iii) the organization defines the frequency of security planning procedure reviews/updates; and
(iv) the organization reviews/updates security planning procedures in accordance with the organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security planning policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with security planning responsibilities].


PL-2


FAMILY: PLANNING CLASS: MANAGEMENT


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PL-2


ASSESSMENT PROCEDURE
PL-2 SYSTEM SECURITY PLAN
PL-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops a security plan for the information system that:
  • is consistent with the organization's enterprise architecture;
  • explicitly defines the authorization boundary for the system;
  • describes the operational context of the information system in terms of mission and business processes;
  • provides the security categorization of the information system including supporting rationale;
  • describes the operational environment for the information system;
  • describes relationships with or connections to other information systems;
  • provides an overview of the security requirements for the system;
  • describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplemental decisions; and
  • is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
(ii) the organization defines the frequency of security plan reviews;
(iii) the organization reviews the security plan in accordance with the organization-defined frequency; and
(iv) the organization updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security planning policy; procedures addressing security plan development and implementation; procedures addressing security plan reviews and updates; enterprise architecture documentation; security plan for the information system; records of security plan reviews and updates; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with security planning and plan implementation responsibilities for the information system].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/PL-2/1


PL-2(1) SYSTEM SECURITY PLAN
PL-2(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops a security Concept of Operations (CONOPS) for the information system containing, at a minimum:
(ii) the organization defines the frequency of reviews and updates to the CONOPS; and
(iii) the organization reviews and updates the CONOPS in accordance with the organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security planning policy; procedures addressing security CONOPS development; procedures addressing security CONOPS reviews and updates; security CONOPS for the information system; security plan for the information system; records of security CONOPS reviews and updates; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with security planning and plan implementation responsibilities for the information system].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/PL-2/2


PL-2(2) SYSTEM SECURITY PLAN
PL-2(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization develops a functional architecture for the information system that identifies and maintains:
  • external interfaces, the information being exchanged across the interfaces, and the protection mechanisms associated with each interface;
  • user roles and the access privileges assigned to each role;
  • unique security requirements;
  • types of information processed, stored, or transmitted by the information system and any specific protection needs in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; and
  • restoration priority of information or information system services.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security planning policy; access control policy; contingency planning policy; security plan for the information system; contingency plan for the information system; information system design documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with security planning and plan implementation responsibilities for the information system].



PL-3


FAMILY: PLANNING CLASS: MANAGEMENT


ASSESSMENT PROCEDURE
PL-3 SYSTEM SECURITY PLAN UPDATE

[Withdrawn: Incorporated into PL-2].

PL-3.1 ASSESSMENT OBJECTIVE:
[Withdrawn: Incorporated into PL-2].
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
[Withdrawn: Incorporated into PL-2].



PL-4


FAMILY: PLANNING CLASS: MANAGEMENT


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PL-4


ASSESSMENT PROCEDURE
PL-4 RULES OF BEHAVIOR
PL-4.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization establishes the rules that describe information system user responsibilities and expected behavior with regard to information and information system usage;
(ii) the organization makes the rules available to all information system users; and
(iii) the organization receives a signed acknowledgement from users indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security planning policy; procedures addressing rules of behavior for information system users; rules of behavior; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel who are authorized users of the information system and have signed rules of behavior].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/PL-4/1


PL-4(1) RULES OF BEHAVIOR
PL-4(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization includes in the rules of behavior:
  • explicit restrictions on the use of social networking sites;
  • posting information on commercial websites; and
  • sharing information system account information.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security planning policy; procedures addressing rules of behavior for information system users; rules of behavior; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel who are authorized users of the information system and have signed rules of behavior].


PL-5


FAMILY: PLANNING CLASS: MANAGEMENT


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PL-5


ASSESSMENT PROCEDURE
PL-5 PRIVACY IMPACT ASSESSMENT
PL-5.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization conducts a privacy impact assessment on the information system; and
(ii) the privacy impact assessment is in accordance with OMB policy.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security planning policy; procedures addressing privacy impact assessments on the information system; privacy impact assessment; other relevant documents or records].



PL-6


FAMILY: PLANNING CLASS: MANAGEMENT


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PL-6


ASSESSMENT PROCEDURE
PL-6 SECURITY-RELATED ACTIVITY PLANNING
PL-6.1 ASSESSMENT OBJECTIVE:
Determine if the organization plans and coordinates security-related activities affecting the information system before conducting such activities in order to reduce the impact on organizational operations (i.e., mission, functions, image, and reputation), organizational assets, and individuals.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security planning policy; procedures addressing security-related activity planning for the information system; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with security planning and plan implementation responsibilities].


