
Allocate sufficient resources to protect Information Systems during capital planning.


CONTROL ID: 01444
CONTROL TYPE: Acquisition/Sale of Assets or Services
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Plan for acquiring facilities, technology, or services. (CC ID: 06892)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • The organization must ensure the necessary staff members, budgets, facilities, and periods are prepared/available for completing system development. This is a control item that constitutes a relatively small risk to financial information. This is an IT general control. (App 2-1 Item Number II.3(3), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • The organization must allocate appropriate resources to maintaining and monitoring Intrusion Detection Systems and Intrusion Prevention Systems. (Control: 1184, Australian Government Information Security Manual: Controls)
  • The information security governance framework should include a process that requires the governing body to supervise Information Security activity overall by allocating sufficient resources. (SG.01.01.05b-3, The Standard of Good Practice for Information Security)
  • The organization should help to ensure the availability of access to information stored in the cloud by providing adequate network bandwidth. (CF.16.04.10c, The Standard of Good Practice for Information Security)
  • The information security governance framework should include a process that requires the governing body to supervise Information Security activity overall by allocating sufficient resources. (SG.01.01.05b-3, The Standard of Good Practice for Information Security, 2013)
  • The organization should help to ensure the availability of access to information stored in the cloud by providing adequate network bandwidth. (CF.16.04.10c, The Standard of Good Practice for Information Security, 2013)
  • Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and (SA-2b., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and (SA-2b., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and (SA-2b., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and (SA-2b., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and (SA-2b. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and (SA-2b. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and (SA-2b. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and (SA-2b., FedRAMP Security Controls High Baseline, Version 5)
  • Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and (SA-2b., FedRAMP Security Controls Low Baseline, Version 5)
  • Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and (SA-2b., FedRAMP Security Controls Moderate Baseline, Version 5)
  • The resources needed to protect the information system must be allocated during the capital planning and investment control process. (§ 5.6.14, Exhibit 4 SA-2, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and (SA-2b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and (SA-2b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and (SA-2b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and (SA-2b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Make available for expenditure, the planned information security and privacy resources. (PM-3c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and (SA-2b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and (SA-2b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Make available for expenditure, the planned information security and privacy resources. (PM-3c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and (SA-2b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Make available for expenditure, the planned information security and privacy resources. (PM-3c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • System and Services Acquisition (SA): Organizations must: (i) allocate sufficient resources to adequately protect organizational information systems; (ii) employ system development life cycle processes that incorporate information security considerations; (iii) employ software usage and installation… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Organizational records and documents should be examined to ensure enough resources are allocated to protect the information system in accordance with NIST Special Publication 800-65, resources are allocated on a continuous basis, and specific responsibilities and actions are defined for the implement… (SA-2, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and (SA-2b. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and (SA-2b. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and (SA-2b. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Ensures that information security resources are available for expenditure as planned. (PM-3c., Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization must determine, document, and allocate the resources for protecting the Information System as part of the Capital Planning and Investment Control process. (App F § SA-2.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Analyze candidate architectures, allocate security services, and select security mechanisms. (T0307, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process. (SA-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization ensures that information security resources are available for expenditure as planned. (PM-3c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process. (SA-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process. (SA-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process. (SA-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and (SA-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and (SA-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and (SA-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and (SA-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Ensures that information security resources are available for expenditure as planned. (PM-3c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and (SA-2b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Make available for expenditure, the planned information security and privacy resources. (PM-3c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and (SA-2b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Make available for expenditure, the planned information security and privacy resources. (PM-3c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Ensures that information security resources are available for expenditure as planned. (PM-3c., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and (SA-2b., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and (SA-2b., TX-RAMP Security Controls Baseline Level 1)
  • Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and (SA-2b., TX-RAMP Security Controls Baseline Level 2)