SA-02-727 Allocation of Resources

Allocation of Resources

Control ID

SA-02-727

Control Name

Allocation of Resources

Control Category

Security Assessment and Authorization

Functional Areas

Protect

Sub-Areas

Enterprise Architecture, Roadmap and Emerging Technology

NIST Baseline Level(s)

LOW, MOD, HIGH

NIST Priority

State Implementation Required

Yes

Agency Last Implemented Date

May 20, 2016

Agency Implementation

The chief information officer and information resource owner shall determine information security requirements for an information resource as part of the planning process, as well as determine, document, and allocate resources required to protect the information resource as part of its capital planning and investment control process.

Risk Statement

Management has not aligned the information technology architecture with corporate strategy.

Control Description

The organization: a. Determines information security requirements for the information system or information system service in mission/business process planning; b. Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and c. Establishes a discrete line item for information security in organizational programming and budgeting documentation.

Control Example

Resource allocation is a part of the general budgeting strategy for the organization.

State Implementation

The state organization determines, documents, and allocates as part of its capital planning and investment control process, the resources required to adequately protect the information system.

Testing Procedures

Obtain system and services acquisition policy; procedures addressing the integration of information security into the system development life cycle process; NIST Special Publication 800-64; information system development life cycle documentation; other relevant documents or records and ascertain if : (I)the organization determines, documents, and allocates as part of its capital planning and investment control process, the resources required to adequately protect the information system by verifying that the organization: -defines security requirements for the information system in mission/business planning. -establishes a discrete line item for information system security in the organization’s programming and budgeting documentation. -integrates information system security into the capital planning and investment control process in accordance with the guidance in NIST Special Publication 800-65.