PM-2—Information Security Program Leadership Role
>Control Description
Appoint a senior agency information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.
>Cross-Framework Mappings
>Supplemental Guidance
The senior agency information security officer is an organizational official. For federal agencies (as defined by applicable laws, executive orders, regulations, directives, policies, and standards), this official is the senior agency information security officer. Organizations may also refer to this official as the senior information security officer or chief information security officer.
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- Who is designated as the senior information security officer, and what are their responsibilities?
- How does the information security officer coordinate with other senior officials and organizational programs?
- What authority does the information security officer have to enforce security requirements?
- How does the information security officer report to senior leadership on security posture and risks?
- What governance exists for ensuring the information security officer has adequate resources and independence?
Technical Implementation:
- What reporting or dashboard systems support the information security officer's responsibilities?
- How does the information security officer access system and security data for oversight?
- What communication and collaboration tools support security program coordination?
Evidence & Documentation:
- Provide documentation designating the senior information security officer and defining their responsibilities.
- Provide evidence of information security officer reporting to senior leadership.
- Provide records of coordination activities between the CISO and other senior officials.
- Provide security posture reports prepared by the information security officer.