PM-10-727 Security Authorization Process

Security Authorization Process

Control ID

PM-10-727

Control Name

Security Authorization Process

Control Category

Program Management

Functional Areas

Identify

Sub-Areas

Security Assessment and Authorization / Technology Risk Assessments

NIST Baseline Level(s)

NOT SELECTED

NIST Priority

State Implementation Required

Agency Last Implemented Date

February 15, 2018

Agency Implementation

Information resources owned by the chief information officer/information resource manager are automatically authorized to operate under the supervision of the chief information security officer. All other Agency-owned information resources require a security review by the chief information security officer and authorization by the chief information officer before the resource may be implemented into a production environment.

Risk Statement

The lack of security authorization process for information systems may result in new information systems causing security and compatibility issues

Control Description

The organization: a. Manages (i.e., documents, tracks, and reports) the security state of organizational information systems and the environments in which those systems operate through security authorization processes; b. Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and c. Fully integrates the security authorization processes into an organization-wide risk management program.

Control Example

The organization has defined designated information security roles and responsibilities.

State Implementation

State implementation of this standard is incorporated into TAC 202.

Testing Procedures

Obtain Information security program policy; security assessment and authorization policy; risk management policy; procedures addressing security authorization processes; security authorization package (including security plan, security assessment report, plan of action and milestones, authorization statement); other relevant documents or records and ascertain if: (I) the organization manages (i.e., documents, tracks, and reports) the security state of organizational information systems through security authorization processes; (ii) the organization designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and (iii) the organization fully integrates the security authorization processes into an organization-wide risk management program.