PM-10-727 Security Authorization Process

Program Management
Identify
Security Assessment and Authorization / Technology Risk Assessments
NOT SELECTED
P1
No
February 15, 2018

Information resources owned by the chief information officer/information resource manager are automatically authorized to operate under the supervision of the chief information security officer. All other Agency-owned information resources require a security review by the chief information security officer and authorization by the chief information officer before the resource may be implemented into a production environment.

The lack of a security authorization process for information systems may result in new information systems causing security and compatibility issues.
The organization:
a. Manages (i.e., documents, tracks, and reports) the security state of organizational information systems and the environments in which those systems operate through security authorization processes;
b. Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and
c. Fully integrates the security authorization processes into an organization-wide risk management program.
The organization has defined designated information security roles and responsibilities.
State implementation of this standard is incorporated into TAC 202.
Obtain information security program policy; security assessment and authorization policy; risk management policy; procedures addressing security authorization processes; security authorization package (including security plan, security assessment report, plan of action and milestones, authorization statement); other relevant documents or records and ascertain if: (i) the organization manages (i.e., documents, tracks, and reports) the security state of organizational information systems through security authorization processes; (ii) the organization designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and (iii) the organization fully integrates the security authorization processes into an organization-wide risk management program.