Navigate

CCI-000074

CCI-000074 Definition

Develop an organization-wide information security program plan that is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if the information security program plan is approved by a senior official with responsibility and accountability for the risk being incurred to Organizational operations (including mission, functions, image, and reputation), Organizational assets, individuals, other organizations, and the Nation.

Validation Procedures

Examine: [SELECT FROM: Information security program plan; procedures addressing program plan development and implementation; procedures addressing program plan reviews and updates; procedures addressing coordination of the program plan with relevant entities; procedures for program plan approvals; records of program plan reviews and updates; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with information security program planning and plan implementation responsibilities; organizational personnel with information security responsibilities]. Test: [SELECT FROM: Organizational processes for information security program plan development, review, update, and approval; mechanisms supporting and/or implementing the information security program plan].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-000074.

Control	Description
PM-1	a: Develop and disseminate an organization-wide information security program plan that: 1: Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements; 2: Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance; 3: Reflects the coordination among organizational entities responsible for information security; and 4: Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; b: Review and update the organization-wide information security program plan [the frequency at which to review and update the organization-wide information security program plan is defined;] and following [events that trigger the review and update of the organization-wide information security program plan are defined;] ; and c: Protect the information security program plan from unauthorized disclosure and modification.

Control

Description

PM-1

a: Develop and disseminate an organization-wide information security program plan that:
- 1: Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
- 2: Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
- 3: Reflects the coordination among organizational entities responsible for information security; and
- 4: Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;

b: Review and update the organization-wide information security program plan [the frequency at which to review and update the organization-wide information security program plan is defined;] and following [events that trigger the review and update of the organization-wide information security program plan are defined;] ; and

c: Protect the information security program plan from unauthorized disclosure and modification.