CCI-004337

Implementation Guidance

Determine if: - information security measures of performance are developed. - information security measures of performance are monitored. - the results of information security measures of performance are reported. - privacy measures of performance are developed. - privacy measures of performance are monitored. - the results of privacy measures of performance are reported.

Validation Procedures

Examine: [SELECT FROM: Information security program plan; privacy program plan; information security measures of performance; privacy measures of performance; procedures addressing the development, monitoring, and reporting of information security and privacy measures of performance; risk management strategy; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with information security and privacy program planning and plan implementation responsibilities; organizational personnel responsible for developing, monitoring, and reporting information security and privacy measures of performance; organizational personnel with information security and privacy responsibilities]. Test: [SELECT FROM: Organizational processes for developing, monitoring, and reporting information security and privacy measures of performance; mechanisms supporting the development, monitoring, and reporting of information security and privacy measures of performance].