Description
Develop and disseminate an organization-wide information security program plan that:
a. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
b. Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
c. Reflects the coordination among organizational entities responsible for information security; and
d. Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation.
Supplemental Guidance
An information security program plan is a formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements. The plan can be represented in a single document or compilations of documents. The plan documents the program management controls and organization-defined common controls. The plan provides sufficient information about the controls (including specification of parameters for assignment and selection operations, explicitly or by reference) to enable an implementation that is unambiguously compliant with the intent of the plan and a determination of the risk to be incurred if the plan is implemented as intended. Updates to information security program plans include organizational changes and problems identified during plan implementation or control assessments.
Changes from Rev 4
Title unchanged. Incorporates guidance from multiple sources. Discussion expanded to address program plan updates and organizational changes.