SC-01-727 System and Communications Protection Policy and Procedures

SC-01-727
System and Communications Protection Policy and Procedures
System and Communications Protection
Protect
System Communications Protection
LOW, MOD, HIGH
P1
Yes
May 20, 2016

Information resource owners, working with the responsible information resource custodians and information technology staff, shall ensure all appropriate system and communications protection controls are implemented on the information resource consistent with the resource's risk level.

IT security procedures are not documented and communicated.
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
   1. A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
   2. Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and
b. Reviews and updates the current:
   1. System and communications protection policy [Assignment: organization-defined frequency]; and
   2. System and communications protection procedures [Assignment: organization-defined frequency].
The organization has documented policies and supporting processes for defining and enforcing requirements to protect data transmissions and system-to-system communications, including analyzing the identity of communicators (for example, over the Internet, within the organization, private networks, etc.).
The state organization develops, disseminates, and periodically reviews/updates:
• a formal, documented, system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
• formal, documented procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls.
Obtain system and communications protection policy and procedures and other relevant documents or records, and ascertain if:
(i) the organization develops and documents system and communications protection policy and procedures.
(ii) the organization disseminates system and communications protection policy and procedures to appropriate elements within the organization.
(iii) responsible parties within the organization periodically review system and communications protection policy and procedures.
(iv) the organization updates system and communications protection policy and procedures when organizational review indicates updates are required.
(v) the system and communications protection policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
(vi) the system and communications protection policy is consistent with the organization’s mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance.
(vii) the system and communications protection procedures address all areas identified in the system and communications protection policy and address achieving policy-compliant implementations of all associated system and communications protection controls.