Inadequate mechanisms to test, monitor and remediate information security capabilities may result in suspicious or anomalous activities going undetected.
The organization:
a. Implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems:
1. Are developed and maintained; and
2. Continue to be executed in a timely manner;
b. Reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
The organization has an information security training program specific to organizational systems.
State implementation of this standard is incorporated into TAC 202.
Obtain the organizational plans for conducting security testing, training, and monitoring activities and ascertain whether:
(i) the plans are developed and maintained to be consistent with the risk management strategy and the organization-wide priorities for risk response actions; and
(ii) the plans are executed in a timely manner.