CCI-000227
CCI-000227 Definition
| Status | |
| Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
Determine if a comprehensive strategy is developed to manage security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems.
Validation Procedures
Examine: [SELECT FROM: Information security program plan; privacy program plan; risk management strategy; supply chain risk management strategy; procedures addressing the development, implementation, review, and update of the risk management strategy; risk assessment results relevant to the risk management strategy; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information security and privacy program planning and plan implementation responsibilities; organizational personnel responsible for the development, implementation, review, and update of the risk management strategy; organizational personnel with information security and privacy responsibilities].

Test: [SELECT FROM: Organizational processes for the development, implementation, review, and update of the risk management strategy; mechanisms supporting the development, implementation, review, and update of the risk management strategy].