CCI-000073
CCI-000073 Definition
| Status | |
| Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
Determine if:
- the information security program plan provides an overview of the requirements for the security program.
- the information security program plan provides a description of the security program management controls in place or planned for meeting those requirements.
- the information security program plan provides a description of the common controls in place or planned for meeting those requirements.
Validation Procedures
Examine: [SELECT FROM: Information security program plan; procedures addressing program plan development and implementation; procedures addressing program plan reviews and updates; procedures addressing coordination of the program plan with relevant entities; procedures for program plan approvals; records of program plan reviews and updates; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information security program planning and plan implementation responsibilities; organizational personnel with information security responsibilities].

Test: [SELECT FROM: Organizational processes for information security program plan development, review, update, and approval; mechanisms supporting and/or implementing the information security program plan].