PM-11-727 Mission/Business Process Definition

Program Management
Identify
Security Assessment and Authorization / Technology Risk Assessments
NOT SELECTED
P1
No
The IT strategy is not aligned with the business strategy or fully understood by the board and executives, sub-optimizing the achievement of value objectives for the organization.
The organization: a. Defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and b. Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until achievable protection needs are obtained.
The organization has a written security mission that is accepted by executive management.
State implementation of this standard is incorporated into TAC 202.
Obtain information security program policy; risk management policy; procedures addressing security categorization of organizational information and information systems; organizational mission/business processes; risk management strategy (including risk identification, assessment, mitigation, acceptance, and monitoring methodologies); and other relevant documents or records, and ascertain if: (i) the organization defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and (ii) the organization determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until an achievable set of protection needs is obtained.