Doc:NIST SP 800-53Ar1 FPD Appendix F/Enhanced/PM

From FISMApedia

SP 800-53Ar1 FPD Assessment Procedure Catalog, with SP 800-53r3 Security Controls


PROGRAM MANAGEMENT

PM-1


FAMILY: PROGRAM MANAGEMENT CLASS: MANAGEMENT


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PM-1


ASSESSMENT PROCEDURE
PM-1 INFORMATION SECURITY PROGRAM PLAN
PM-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops an information security program plan for the organization that:
  • provides an overview of the requirements for the security program;
  • provides a description of the security program management controls and common controls in place or planned for meeting security program requirements;
  • provides sufficient information about the program management controls and common controls (including specification of parameters for any assignment and selection operations either explicitly or by reference) to enable an implementation that is unambiguously compliant with the intent of the plan and a determination of the risk to be incurred if the plan is implemented as intended;
  • includes roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
  • is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations and the Nation;
(ii) the organization defines the frequency of information security program plan reviews;
(iii) the organization reviews the organization-wide information security program plan in accordance with the organization-defined frequency;
(iv) the organization revises the plan to address organizational changes and problems identified during plan implementation or security control assessments; and
(v) the organization disseminates the most recent information security program plan to appropriate entities in the organization.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information security program policy; procedures addressing information security program plan development and implementation; procedures addressing information security program plan reviews and updates; information security program plan; program management controls documentation; common controls documentation; records of information security program plan reviews and updates; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with security planning and plan implementation responsibilities for the information security program].



PM-2


FAMILY: PROGRAM MANAGEMENT CLASS: MANAGEMENT


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PM-2


ASSESSMENT PROCEDURE
PM-2 SENIOR INFORMATION SECURITY OFFICER
PM-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization appoints a senior information security officer to coordinate, develop, implement, and maintain an organization-wide information security program; and
(ii) the organization empowers the senior information security officer with the mission and resources required to coordinate, develop, implement, and maintain an organization-wide information security program.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information security program policy; information security program plan; documentation addressing roles and responsibilities of the senior information security officer position; information security program mission statement; other relevant documents or records].
Interview: [SELECT FROM: Organizational person appointed to the senior information security officer position].



PM-3


FAMILY: PROGRAM MANAGEMENT CLASS: MANAGEMENT


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PM-3


ASSESSMENT PROCEDURE
PM-3 INFORMATION SECURITY RESOURCES
PM-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization includes in its capital planning and investment requests the resources needed to implement the information security program;
(ii) the organization documents all exceptions to the requirement that all capital planning and investment requests include the resources needed to implement the information security program;
(iii) the organization employs a business case/Exhibit 300/Exhibit 53 to record the resources required; and
(iv) the organization makes the required information security resources available for expenditure as planned.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information security program policy; capital planning and investment policy; procedures addressing management and oversight for information security-related aspects of the capital planning and investment control process; capital planning and investment documentation; documentation of exceptions supporting capital planning and investment requests; business cases; Exhibit 300; Exhibit 53; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel managing and overseeing the information security-related aspects of the capital planning and investment control process].



PM-4


FAMILY: PROGRAM MANAGEMENT CLASS: MANAGEMENT


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PM-4


ASSESSMENT PROCEDURE
PM-4 PLAN OF ACTION AND MILESTONES PROCESS
PM-4.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization implements a process to maintain plans of action and milestones for the security program and the associated organizational information systems; and
(ii) the organization implements a process to document the remedial information security actions that mitigate risk to organizational operations and assets, individuals, other organizations, and the Nation.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information security program policy; plan of action and milestones policy; procedures addressing plan of action and milestones process; plan of action and milestones for the security program; plan of action and milestones for organizational information systems; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with plan of action and milestones development and implementation responsibilities].



PM-5


FAMILY: PROGRAM MANAGEMENT CLASS: MANAGEMENT


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PM-5


ASSESSMENT PROCEDURE
PM-5 INFORMATION SYSTEM INVENTORY
PM-5.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops an inventory of its information systems; and
(ii) the organization maintains an inventory of its information systems.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information security program policy; procedures addressing information system inventory development and maintenance; information system inventory records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system inventory development and maintenance responsibilities].



PM-6


FAMILY: PROGRAM MANAGEMENT CLASS: MANAGEMENT


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PM-6


ASSESSMENT PROCEDURE
PM-6 INFORMATION SECURITY MEASURES OF PERFORMANCE
PM-6.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops information security measures of performance;
(ii) the organization monitors information security measures of performance; and
(iii) the organization reports on the results of information security measures of performance.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information security program policy; procedures addressing development, monitoring, and reporting of information security performance measures; information security performance metrics; information security performance measures; results of information security performance measures; other relevant documents or records].



PM-7


FAMILY: PROGRAM MANAGEMENT CLASS: MANAGEMENT


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PM-7


ASSESSMENT PROCEDURE
PM-7 ENTERPRISE ARCHITECTURE
PM-7.1 ASSESSMENT OBJECTIVE:
Determine if the organization develops an enterprise architecture with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information security program policy; enterprise architecture policy; procedures addressing information security-related aspects of enterprise architecture development; system development life cycle documentation; enterprise architecture documentation; enterprise security architecture documentation; other relevant documents or records].



PM-8


FAMILY: PROGRAM MANAGEMENT CLASS: MANAGEMENT


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PM-8


ASSESSMENT PROCEDURE
PM-8 CRITICAL INFRASTRUCTURE PLAN
PM-8.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and documents a critical infrastructure and key resource protection plan;
(ii) the organization updates the critical infrastructure and key resource protection plan; and
(iii) the organization addresses information security issues in the critical infrastructure and key resource protection plan.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information security program policy; critical infrastructure protection policy; procedures addressing critical infrastructure plan development and implementation; procedures addressing critical infrastructure plan reviews and updates; records of critical infrastructure plan reviews and updates; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with critical infrastructure plan development and implementation responsibilities].



PM-9


FAMILY: PROGRAM MANAGEMENT CLASS: MANAGEMENT


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PM-9


ASSESSMENT PROCEDURE
PM-9 RISK MANAGEMENT STRATEGY
PM-9.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems; and
(ii) the organization implements that strategy consistently across the organization.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information security program policy; risk management policy; procedures addressing risk management strategy development and implementation; risk management strategy (including risk identification, assessment, mitigation, acceptance, and monitoring methodologies); other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with risk management strategy development and implementation responsibilities].



PM-10


FAMILY: PROGRAM MANAGEMENT CLASS: MANAGEMENT


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PM-10


ASSESSMENT PROCEDURE
PM-10 SECURITY AUTHORIZATION PROCESS
PM-10.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization manages (i.e., documents, tracks, and reports) the security state of organizational information systems through security authorization processes;
(ii) the organization designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and
(iii) the organization fully integrates the security authorization processes into an organization-wide risk management program.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information security program policy; security assessment and authorization policy; risk management policy; procedures addressing security authorization processes; security authorization package (including security plan, security assessment report, plan of action and milestones, authorization statement); other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with security authorization responsibilities for information systems; organizational personnel with risk management responsibilities].



PM-11


FAMILY: PROGRAM MANAGEMENT CLASS: MANAGEMENT


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PM-11


ASSESSMENT PROCEDURE
PM-11 MISSION / BUSINESS PROCESS DEFINITION
PM-11.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and
(ii) the organization determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until an achievable set of protection needs is obtained.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information security program policy; risk management policy; procedures addressing security categorization of organizational information and information systems; organizational mission/business processes; risk management strategy (including risk identification, assessment, mitigation, acceptance, and monitoring methodologies); other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with mission/business process definition responsibilities; organizational personnel with security categorization and risk management responsibilities for the information security program].


