CCI-002990

CCI-002990 Definition

Protect the information security program plan from unauthorized modification.

Status
Type	CheckType.policy

The controls below (if any) were marked by NIST as being related to CCI-002990.

Control	Description
PM-1	The organization: a: Develops and disseminates an organization-wide information security program plan that: 1: Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements; 2: Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance; 3: Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and 4: Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; b: Reviews the organization-wide information security program plan [one of ]; c: Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and d: Protects the information security program plan from unauthorized disclosure and modification.

Control

Description

a: Develops and disseminates an organization-wide information security program plan that:
- 1: Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
- 2: Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
- 3: Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and
- 4: Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;

c: Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and

d: Protects the information security program plan from unauthorized disclosure and modification.