Enterprise Security Policy, Standards and Guidelines
LOW, MOD, HIGH
P1
Yes
May 20, 2016
During the first quarter of each fiscal year, the chief information security officer shall deliver to the agency director a report of the Agency information security program, which includes a: (a) summary of the most recent information risk assessment, (b) agency security plan on each even-numbered year, and (c) report of the information security program, including the plan of action and milestones for the upcoming year.
Information security is not defined in a framework within the organizational environment.
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and
b. Reviews and updates the current:
1. Security planning policy [Assignment: organization-defined frequency]; and
2. Security planning procedures [Assignment: organization-defined frequency].
The organization has written, documented security policies and procedures in place.
As required by TAC 202.23/73(a), the state organization delivers, at least annually, to the organization head a report on the state organization's information security program.
Obtain security planning policy and procedures, other relevant documents or records, and ascertain if:
(i) the organization develops and documents security planning policy and procedures.
(ii) the organization disseminates security planning policy and procedures to appropriate elements within the organization.
(iii) responsible parties within the organization periodically review security planning policy and procedures.
(iv) the organization updates security planning policy and procedures when organizational review indicates updates are required.
(v) the security planning policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
(vi) the security planning policy is consistent with the organization's mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance.
(vii) the security planning procedures address all areas identified in the security planning policy and address achieving policy-compliant implementations of all associated security planning controls.