| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| FedRAMP_High_R4 |
SA-2 |
FedRAMP_High_R4_SA-2 |
FedRAMP High SA-2 |
System And Services Acquisition |
Allocation Of Resources |
Shared |
n/a |
The organization:
a. Determines information security requirements for the information system or information system service in mission/business process planning;
b. Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and
c. Establishes a discrete line item for information security in organizational programming and budgeting documentation.
Supplemental Guidance: Resource allocation for information security includes funding for the initial information system or information system service acquisition and funding for the sustainment of the system/service. Related controls: PM-3, PM-11.
Control Enhancements: None.
References: NIST Special Publication 800-65. |
link |
6 |
| FedRAMP_Moderate_R4 |
SA-2 |
FedRAMP_Moderate_R4_SA-2 |
FedRAMP Moderate SA-2 |
System And Services Acquisition |
Allocation Of Resources |
Shared |
n/a |
The organization:
a. Determines information security requirements for the information system or information system service in mission/business process planning;
b. Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and
c. Establishes a discrete line item for information security in organizational programming and budgeting documentation.
Supplemental Guidance: Resource allocation for information security includes funding for the initial information system or information system service acquisition and funding for the sustainment of the system/service. Related controls: PM-3, PM-11.
Control Enhancements: None.
References: NIST Special Publication 800-65. |
link |
6 |
| hipaa |
0120.05a1Organizational.4-05.a |
hipaa-0120.05a1Organizational.4-05.a |
0120.05a1Organizational.4-05.a |
01 Information Protection Program |
0120.05a1Organizational.4-05.a 05.01 Internal Organization |
Shared |
n/a |
Capital planning and investment requests include the resources needed to implement the security program, employ a business case (or Exhibit 300 and/or 53 for federal government); and the organization ensures the resources are available for expenditure as planned. |
|
8 |
| ISO27001-2013 |
A.6.1.5 |
ISO27001-2013_A.6.1.5 |
ISO 27001:2013 A.6.1.5 |
Organization of Information Security |
Information security in project management |
Shared |
n/a |
Information security shall be addressed in project management, regardless of the type of the project. |
link |
25 |
| ISO27001-2013 |
C.4.3.c |
ISO27001-2013_C.4.3.c |
ISO 27001:2013 C.4.3.c |
Context of the organization |
Determining the scope of the information security management system |
Shared |
n/a |
The organization shall determine the boundaries and applicability of the information security
management system to establish its scope.
When determining this scope, the organization shall consider:
c) interfaces and dependencies between activities performed by the organization, and those that are
performed by other organizations.
The scope shall be available as documented information. |
link |
18 |
| ISO27001-2013 |
C.5.1.c |
ISO27001-2013_C.5.1.c |
ISO 27001:2013 C.5.1.c |
Leadership |
Leadership and commitment |
Shared |
n/a |
Top management shall demonstrate leadership and commitment with respect to the information
security management system by:
c) ensuring that the resources needed for the information security management system are available. |
link |
10 |
| ISO27001-2013 |
C.5.1.f |
ISO27001-2013_C.5.1.f |
ISO 27001:2013 C.5.1.f |
Leadership |
Leadership and commitment |
Shared |
n/a |
Top management shall demonstrate leadership and commitment with respect to the information
security management system by:
f) directing and supporting persons to contribute to the effectiveness of the information security
management system. |
link |
9 |
| ISO27001-2013 |
C.7.1 |
ISO27001-2013_C.7.1 |
ISO 27001:2013 C.7.1 |
Support |
Resources |
Shared |
n/a |
The organization shall determine and provide the resources needed for the establishment, implementation,
maintenance and continual improvement of the information security management system. |
link |
7 |
| NIST_SP_800-53_R4 |
SA-2 |
NIST_SP_800-53_R4_SA-2 |
NIST SP 800-53 Rev. 4 SA-2 |
System And Services Acquisition |
Allocation Of Resources |
Shared |
n/a |
The organization:
a. Determines information security requirements for the information system or information system service in mission/business process planning;
b. Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and
c. Establishes a discrete line item for information security in organizational programming and budgeting documentation.
Supplemental Guidance: Resource allocation for information security includes funding for the initial information system or information system service acquisition and funding for the sustainment of the system/service. Related controls: PM-3, PM-11.
Control Enhancements: None.
References: NIST Special Publication 800-65. |
link |
6 |
| NIST_SP_800-53_R5 |
SA-2 |
NIST_SP_800-53_R5_SA-2 |
NIST SP 800-53 Rev. 5 SA-2 |
System and Services Acquisition |
Allocation of Resources |
Shared |
n/a |
a. Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;
b. Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and
c. Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation. |
link |
6 |