Navigate

CCI-000618

CCI-000618 Definition

The organization identifies individuals having information system security roles and responsibilities.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed identifies and documents individuals having information system security roles and responsibilities.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented individuals having information system security roles and responsibilities to ensure the organization being inspected/assessed identifies individuals having information system security roles and responsibilities.

DISA Compelling Evidence

1) Site's SP and System Development Life Cycle (SDLC) documentation must define security roles and responsibilities 2) Reviewer will validate that security roles and responsibilities are documented

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-000618.

Control	Description
SA-3	The organization: SA-3a.: Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations; SA-3b.: Defines and documents information security roles and responsibilities throughout the system development life cycle; SA-3c.: Identifies individuals having information security roles and responsibilities; and SA-3d.: Integrates the organizational information security risk management process into system development life cycle activities.

Control

Description

SA-3

The organization:

SA-3a.: Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations;

SA-3b.: Defines and documents information security roles and responsibilities throughout the system development life cycle;

SA-3c.: Identifies individuals having information security roles and responsibilities; and

SA-3d.: Integrates the organizational information security risk management process into system development life cycle activities.