Navigate

CCI-000073

CCI-000073 Definition

Develop an organization-wide information security program plan that provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Validation Procedures

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-000073.

Control	Description
PM-1	The organization: a: Develops and disseminates an organization-wide information security program plan that: 1: Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements; 2: Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance; 3: Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and 4: Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; b: Reviews the organization-wide information security program plan [one of ]; c: Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and d: Protects the information security program plan from unauthorized disclosure and modification.

Control

Description

PM-1

The organization:

a: Develops and disseminates an organization-wide information security program plan that:
- 1: Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
- 2: Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
- 3: Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and
- 4: Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;

b: Reviews the organization-wide information security program plan [one of ];

c: Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and

d: Protects the information security program plan from unauthorized disclosure and modification.