CCI-004616

Implementation Guidance

Determine if the system and the information it processes, stores, and transmits are categorized.

Validation Procedures

Examine: [SELECT FROM: Risk assessment policy; security planning policy and procedures; procedures addressing security categorization of organizational information and systems; security categorization documentation; system security plan; privacy plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with security categorization and risk assessment responsibilities; organizational personnel with security and privacy responsibilities]. Test: [SELECT FROM: Organizational processes for security categorization].