Establish, implement, and maintain a security planning policy.
CONTROL ID
14027
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a strategic plan., CC ID: 12784

This Control has the following implementation support Control(s):
  • Include compliance requirements in the security planning policy., CC ID: 14131
  • Include coordination amongst entities in the security planning policy., CC ID: 14130
  • Include management commitment in the security planning policy., CC ID: 14129
  • Include roles and responsibilities in the security planning policy., CC ID: 14128
  • Include the scope in the security planning policy., CC ID: 14127
  • Include the purpose in the security planning policy., CC ID: 14126
  • Disseminate and communicate the security planning policy to interested personnel and affected parties., CC ID: 14125
  • Establish, implement, and maintain security planning procedures., CC ID: 14060

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Based on the determined framework conditions, the formulated security objectives and the intended security level, the person responsible for information security as appointed by the level of management must elaborate a proposal on how the further steps for achieving the short-term and long-term sec… (§ 3.3.5 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (PL-1a.1., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Security planning policy [Assignment: organization-defined frequency]; and (PL-1b.1., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (PL-1a.1., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Security planning policy [Assignment: organization-defined frequency]; and (PL-1b.1., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (PL-1a.1., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Security planning policy [Assignment: organization-defined frequency]; and (PL-1b.1., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (PL-1a.1., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Security planning policy [Assignment: organization-defined frequency]; and (PL-1b.1., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (PL-1a.1. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Security planning policy [FedRAMP Assignment: at least annually]; and (PL-1b.1. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Security planning policy [FedRAMP Assignment: at least every 3 years]; and (PL-1b.1. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (PL-1a.1. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Security planning policy [FedRAMP Assignment: at least every 3 years]; and (PL-1b.1. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (PL-1a.1. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (PL-1a.1. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (PL-1a.1. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (PL-1a.1. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Security planning policy [Assignment: organization-defined frequency]; and (PL-1b.1. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Security planning policy [Assignment: organization-defined frequency]; and (PL-1b.1. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Security planning policy [Assignment: organization-defined frequency]; and (PL-1b.1. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (PL-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Security planning policy [Assignment: organization-defined frequency]; and (PL-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (PL-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Security planning policy [Assignment: organization-defined frequency]; and (PL-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (PL-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Security planning policy [Assignment: organization-defined frequency]; and (PL-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (PL-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Security planning policy [Assignment: organization-defined frequency]; and (PL-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (PL-1a.1., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Security planning policy [Assignment: organization-defined frequency]; and (PL-1b.1., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (PL-1a.1., TX-RAMP Security Controls Baseline Level 1)
  • Security planning policy [TX-RAMP Assignment: at least every 3 years]; and (PL-1b.1., TX-RAMP Security Controls Baseline Level 1)
  • A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (PL-1a.1., TX-RAMP Security Controls Baseline Level 2)
  • Security planning policy [TX-RAMP Assignment: at least every 3 years]; and (PL-1b.1., TX-RAMP Security Controls Baseline Level 2)