Enterprise Security Policy, Standards and Guidelines
NOT SELECTED
P1
Yes
February 15, 2018
Information security budgeting and planning initiatives are integrated into the overall agency information resources budgeting strategy.
Management does not support security within the organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgement of information security responsibilities.
The organization:
a. Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement;
b. Employs a business case/Exhibit 300/Exhibit 53 to record the resources required; and
c. Ensures that information security resources are available for expenditure as planned.
The organization has long-term and short-term budgeting and capital planning initiatives in place.
State implementation of this standard is incorporated into TAC 202.
Obtain information security program policy; capital planning and investment policy; procedures addressing management and oversight for information security-related aspects of the capital planning and investment control process; capital planning and investment documentation; documentation of exceptions supporting capital planning and investment requests; business cases; Exhibit 300; Exhibit 53; and other relevant documents or records, and ascertain if:
(i) the organization includes in its capital planning and investment requests the resources needed to implement the information security program;
(ii) the organization documents all exceptions to the requirement that all capital planning and investment requests include the resources needed to implement the information security program;
(iii) the organization employs a business case/Exhibit 300/Exhibit 53 to record the resources required; and
(iv) the organization makes the required information security resources available for expenditure as planned.