CCI-000080
CCI-000080 Definition
| Status | |
| Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
Determine if:

- the resources needed to implement the information security program are included in capital planning and investment requests, and all exceptions are documented.
- the resources needed to implement the privacy program are included in capital planning and investment requests, and all exceptions are documented.
Validation Procedures
Examine: [SELECT FROM: Information security program plan; Exhibit 300; Exhibit 53; business cases for capital planning and investment; procedures for capital planning and investment; documentation of exceptions to capital planning requirements; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information security program planning responsibilities; organizational personnel with privacy program planning responsibilities; organizational personnel responsible for capital planning and investment; organizational personnel with information security responsibilities; organizational personnel with privacy responsibilities].

Test: [SELECT FROM: Organizational processes for capital planning and investment; organizational processes for business case, Exhibit 300, and Exhibit 53 development; mechanisms supporting the capital planning and investment process].