PM-3—Information Security And Privacy Resources
>Control Description
- Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement;
- Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, and standards; and
- Make available for expenditure the planned information security and privacy resources.
>Supplemental Guidance
Organizations consider establishing champions for information security and privacy and, as part of including the necessary resources, assign specialized expertise and resources as needed. Organizations may designate and empower an Investment Review Board or similar group to manage and provide oversight for the information security and privacy aspects of the capital planning and investment control process.
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What is the process for developing and maintaining the information security strategy?
- How does the information security strategy align with organizational mission, business objectives, and risk tolerance?
- Who reviews and approves the information security strategy, and what is the review frequency?
- How is the information security strategy communicated across the organization?
- What governance exists for measuring progress toward information security strategy goals?
Technical Implementation:
- How is the information security strategy documented and communicated?
- What systems track progress toward information security strategy objectives?
- What metrics or analytics support information security strategy monitoring?
Evidence & Documentation:
- Provide the current information security strategy document.
- Provide evidence of information security strategy review and approval by senior leadership.
- Provide documentation of strategy alignment with organizational mission and objectives.
- Provide metrics or reports showing progress toward strategy goals.
- Provide records of strategy updates in response to changing threats or organizational changes.