CA-01-727 Security Assessment and Authorization Policy and Procedures

CA-01-727
Security Assessment and Authorization Policy and Procedures
Security Assessment and Authorization
Identify
Security Assessment and Authorization / Technology Risk Assessments
LOW, MOD, HIGH
P1
Yes
May 20, 2016

All information resources introduced into the Agency shall be assessed by a qualified security assessor or an information security staff member, and authorized by the chief information security officer, prior to procurement (if commercially obtained) or implementation in a production environment (if internally developed). This requirement applies to all information resources regardless of ownership, custodianship, or usage.

Management does not set a clear policy direction in line with business objectives and demonstrate support for, and commitment to, information security.
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
  1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and
b. Reviews and updates the current:
  1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and
  2. Security assessment and authorization procedures [Assignment: organization-defined frequency].
The organization has published a policy setting information security expectations for communicating to faculty, staff, business, IT, and other users.
The state organization shall establish a security assessment procedure.
Obtain security assessment and certification and accreditation policies and procedures, and other relevant documents or records, and ascertain if:
(i) the organization develops and documents security assessment and certification and accreditation policies and procedures;
(ii) the organization disseminates security assessment and certification and accreditation policies and procedures to appropriate elements within the organization;
(iii) responsible parties within the organization periodically review policy and procedures;
(iv) the organization updates security assessment and certification and accreditation policies and procedures when organizational review indicates updates are required;
(v) the security assessment and certification and accreditation policies address purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance;
(vi) the security assessment and certification and accreditation policies are consistent with the organization's mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance;
(vii) the security assessment and certification and accreditation procedures address all areas identified in the security assessment and certification and accreditation policies and address achieving policy-compliant implementations of all associated security assessment and certification and accreditation controls.