Security Assessment and Authorization / Technology Risk Assessments
NOT SELECTED
P1
No
The IT strategy is not aligned with the business strategy or fully understood by the board and executives, sub-optimizing the achievement of value objectives for the organization.
The organization:
a. Defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and
b. Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until achievable protection needs are obtained.
The organization has a written security mission that is accepted by executive management.
State implementation of this standard is incorporated into TAC 202.
Obtain the information security program policy; risk management policy; procedures addressing security categorization of organizational information and information systems; organizational mission/business processes; risk management strategy (including risk identification, assessment, mitigation, acceptance, and monitoring methodologies); and other relevant documents or records, and ascertain if:
(i) the organization defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and
(ii) the organization determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until an achievable set of protection needs is obtained.