Navigate

CCI-004313

CCI-004313 Definition

Defines the events for reviewing and updating the organization-wide information security program plan.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if: - the information security program plan is reviewed and updated [PM-01_ODP[01]; the frequency at which to review and update the organization-wide information security program plan is defined]. - the information security program plan is reviewed and updated following [PM-01_ODP[02]; events that trigger the review and update of the organization-wide information security program plan are defined].

Validation Procedures

Examine: [SELECT FROM: Information security program plan; procedures addressing program plan development and implementation; procedures addressing program plan reviews and updates; procedures addressing coordination of the program plan with relevant entities; procedures for program plan approvals; records of program plan reviews and updates; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with information security program planning and plan implementation responsibilities; organizational personnel with information security responsibilities]. Test: [SELECT FROM: Organizational processes for information security program plan development, review, update, and approval; mechanisms supporting and/or implementing the information security program plan].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-004313.

Control	Description
PM-1	a: Develop and disseminate an organization-wide information security program plan that: 1: Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements; 2: Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance; 3: Reflects the coordination among organizational entities responsible for information security; and 4: Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; b: Review and update the organization-wide information security program plan [the frequency at which to review and update the organization-wide information security program plan is defined;] and following [events that trigger the review and update of the organization-wide information security program plan are defined;] ; and c: Protect the information security program plan from unauthorized disclosure and modification.

Control

Description

PM-1

a: Develop and disseminate an organization-wide information security program plan that:
- 1: Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
- 2: Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
- 3: Reflects the coordination among organizational entities responsible for information security; and
- 4: Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;

b: Review and update the organization-wide information security program plan [the frequency at which to review and update the organization-wide information security program plan is defined;] and following [events that trigger the review and update of the organization-wide information security program plan are defined;] ; and

c: Protect the information security program plan from unauthorized disclosure and modification.