SA-02-727 Allocation of Resources

SA-02-727
Allocation of Resources
Security Assessment and Authorization
Protect
Enterprise Architecture, Roadmap and Emerging Technology
LOW, MOD, HIGH
P1
Yes
May 20, 2016
The chief information officer and information resource owner shall determine information security requirements for an information resource as part of the planning process, as well as determine, document, and allocate resources required to protect the information resource as part of its capital planning and investment control process.
Management has not aligned the information technology architecture with corporate strategy.
The organization:
a. Determines information security requirements for the information system or information system service in mission/business process planning;
b. Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and
c. Establishes a discrete line item for information security in organizational programming and budgeting documentation.
Resource allocation is a part of the general budgeting strategy for the organization.
The state organization determines, documents, and allocates, as part of its capital planning and investment control process, the resources required to adequately protect the information system.
Obtain system and services acquisition policy; procedures addressing the integration of information security into the system development life cycle process; NIST Special Publication 800-64; information system development life cycle documentation; other relevant documents or records and ascertain if:
(I) the organization determines, documents, and allocates, as part of its capital planning and investment control process, the resources required to adequately protect the information system by verifying that the organization:
- defines security requirements for the information system in mission/business planning.
- establishes a discrete line item for information system security in the organization's programming and budgeting documentation.
- integrates information system security into the capital planning and investment control process in accordance with the guidance in NIST Special Publication 800-65.