Security Assessment and Authorization / Technology Risk Assessments
NOT SELECTED
P1
No
February 15, 2018
Information resources owned by the chief information officer/information resource manager are automatically authorized to operate under the supervision of the chief information security officer. All other Agency-owned information resources require a security review by the chief information security officer and authorization by the chief information officer before the resource may be implemented into a production environment.
The lack of a security authorization process for information systems may result in new information systems causing security and compatibility issues.
The organization:
a. Manages (i.e., documents, tracks, and reports) the security state of organizational information systems and the environments in which those systems operate through security authorization processes;
b. Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and
c. Fully integrates the security authorization processes into an organization-wide risk management program.
The organization has defined designated information security roles and responsibilities.
State implementation of this standard is incorporated into TAC 202.
Obtain information security program policy; security assessment and authorization policy; risk management policy; procedures addressing security authorization processes; security authorization package (including security plan, security assessment report, plan of action and milestones, authorization statement); other relevant documents or records and ascertain if:
(i) the organization manages (i.e., documents, tracks, and reports) the security state of organizational information systems through security authorization processes;
(ii) the organization designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and
(iii) the organization fully integrates the security authorization processes into an organization-wide risk management program.