SG-14—Information Security Resources
>Control Description
Theme
Type
Policy/Standard
Information Security Management Standard
>Implementation Guidance
1. Allocate resources as per the Organization's Security program and the defined budget.
2. Ensure management meets monthly, or on a need-to-know basis, to discuss the critical security requirements across the organization, based on multiple factors and on the justifications on the basis of which budget is allocated for management of the Organization's security program, and that corresponding records are maintained.
3. Each department spends and allocates resources as per the defined budget and security program, which aligns with the business objectives.
4. Ensure the budget is approved by top management so that spending is aligned with business justification.
>Testing Procedure
1. Inspect all the security requirements for which budget is required as part of the Organization's Security program, and confirm that the corresponding business justifications are identified, documented and maintained.
2. Ensure that, as part of regular periodic management review meetings, the identified critical security requirements across the organization are reviewed and analyzed, based on multiple factors and on the justifications on the basis of which budget is allocated for management of the Organization's security program, and that corresponding records are maintained.
3. Inspect documentation of representation from all the key departments to ensure the allocation of budget for the security program is aligned with business objectives.
4. Inspect the approval obtained from top management for spending of the allocated budget to be aligned with business justification.
>Audit Artifacts
>Framework Mappings
Cross-framework mappings provided by Adobe CCF Open Source under Creative Commons License.