CA-01-727 Security Assessment and Authorization Policy and Procedures

Security Assessment and Authorization Policy and Procedures

Control ID

CA-01-727

Control Name

Security Assessment and Authorization Policy and Procedures

Control Category

Security Assessment and Authorization

Functional Areas

Identify

Sub-Areas

Security Assessment and Authorization / Technology Risk Assessments

NIST Baseline Level(s)

LOW, MOD, HIGH

NIST Priority

State Implementation Required

Yes

Agency Last Implemented Date

May 20, 2016

Agency Implementation

All information resources introduced into the Agency shall be assessed by a qualified security assessor or an information security staff member, and authorized by the chief information security officer, prior to procurement (if commercially obtained) or implementation in a production environment (if internally developed). This requirement applies to all information resources regardless of ownership, custodianship, or usage.

Risk Statement

Management does not set a clear policy direction in line with business objectives and demonstrate support for, and commitment to, information security.

Control Description

The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and b. Reviews and updates the current: 1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and 2. Security assessment and authorization procedures [Assignment: organization-defined frequency].

Control Example

The organization has published a policy setting information security expectations for communicating to faculty, staff, business, IT, and other users.

State Implementation

The state organization shall establish a security assessment procedure.

Testing Procedures

Obtain security assessment and certification and accreditation policies and procedures; other relevant documents or records and ascertain if : (I)the organization develops and documents security assessment and certification and accreditation policies and procedures. (ii)the organization disseminates security assessment and certification and accreditation policies and procedures to appropriate elements within the organization. (iii)responsible parties within the organization periodically review policy and procedures. (iv)the organization updates security assessment and certification and accreditation policies and procedures when organizational review indicates updates are required. (iv)the security assessment and certification and accreditation policies address purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance. (v)the security assessment and certification and accreditation policies are consistent with the organization’s mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance. (vi)the security assessment and certification and accreditation procedures address all areas identified in the security assessment and certification and accreditation policies and address achieving policy-compliant implementations of all associated security assessment and certification and accreditation controls.