compliance controls are associated with this Policy definition 'Secure commitment from leadership' (70057208-70cc-7b31-3c3a-121af6bc1966)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| FedRAMP_High_R4 |
SA-2 |
FedRAMP_High_R4_SA-2 |
FedRAMP High SA-2 |
System And Services Acquisition |
Allocation Of Resources |
Shared |
n/a |
The organization:
a. Determines information security requirements for the information system or information system service in mission/business process planning;
b. Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and
c. Establishes a discrete line item for information security in organizational programming and budgeting documentation.
Supplemental Guidance: Resource allocation for information security includes funding for the initial information system or information system service acquisition and funding for the sustainment of the system/service. Related controls: PM-3, PM-11.
Control Enhancements: None.
References: NIST Special Publication 800-65. |
link |
6 |
| FedRAMP_High_R4 |
SC-6 |
FedRAMP_High_R4_SC-6 |
FedRAMP High SC-6 |
System And Communications Protection |
Resource Availability |
Shared |
n/a |
The information system protects the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (one or more); priority; quota; [Assignment: organization-defined security safeguards]].
Supplemental Guidance: Priority protection helps prevent lower-priority processes from delaying or interfering with the information system servicing any higher-priority processes. Quotas prevent users or processes from obtaining more than predetermined amounts of resources. This control does not apply to information system components for which there are only single users/roles.
Control Enhancements: None.
References: None. |
link |
3 |
| FedRAMP_Moderate_R4 |
SA-2 |
FedRAMP_Moderate_R4_SA-2 |
FedRAMP Moderate SA-2 |
System And Services Acquisition |
Allocation Of Resources |
Shared |
n/a |
The organization:
a. Determines information security requirements for the information system or information system service in mission/business process planning;
b. Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and
c. Establishes a discrete line item for information security in organizational programming and budgeting documentation.
Supplemental Guidance: Resource allocation for information security includes funding for the initial information system or information system service acquisition and funding for the sustainment of the system/service. Related controls: PM-3, PM-11.
Control Enhancements: None.
References: NIST Special Publication 800-65. |
link |
6 |
| FedRAMP_Moderate_R4 |
SC-6 |
FedRAMP_Moderate_R4_SC-6 |
FedRAMP Moderate SC-6 |
System And Communications Protection |
Resource Availability |
Shared |
n/a |
The information system protects the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (one or more); priority; quota; [Assignment: organization-defined security safeguards]].
Supplemental Guidance: Priority protection helps prevent lower-priority processes from delaying or interfering with the information system servicing any higher-priority processes. Quotas prevent users or processes from obtaining more than predetermined amounts of resources. This control does not apply to information system components for which there are only single users/roles.
Control Enhancements: None.
References: None. |
link |
3 |
| hipaa |
0120.05a1Organizational.4-05.a |
hipaa-0120.05a1Organizational.4-05.a |
0120.05a1Organizational.4-05.a |
01 Information Protection Program |
0120.05a1Organizational.4-05.a 05.01 Internal Organization |
Shared |
n/a |
Capital planning and investment requests include the resources needed to implement the security program, employ a business case (or Exhibit 300 and/or 53 for federal government); and the organization ensures the resources are available for expenditure as planned. |
|
8 |
| hipaa |
0818.01w3System.12-01.w |
hipaa-0818.01w3System.12-01.w |
0818.01w3System.12-01.w |
08 Network Protection |
0818.01w3System.12-01.w 01.06 Application and Information Access Control |
Shared |
n/a |
Shared system resources (e.g., registers, main memory, secondary storage) are released back to the system, protected from disclosure to other systems/applications/users, and users cannot intentionally or unintentionally access information remnants. |
|
4 |
| ISO27001-2013 |
A.6.1.5 |
ISO27001-2013_A.6.1.5 |
ISO 27001:2013 A.6.1.5 |
Organization of Information Security |
Information security in project management |
Shared |
n/a |
Information security shall be addressed in project management, regardless of the type of the project. |
link |
25 |
| ISO27001-2013 |
C.4.3.c |
ISO27001-2013_C.4.3.c |
ISO 27001:2013 C.4.3.c |
Context of the organization |
Determining the scope of the information security management system |
Shared |
n/a |
The organization shall determine the boundaries and applicability of the information security
management system to establish its scope.
When determining this scope, the organization shall consider:
c) interfaces and dependencies between activities performed by the organization, and those that are
performed by other organizations.
The scope shall be available as documented information. |
link |
18 |
| ISO27001-2013 |
C.5.1.c |
ISO27001-2013_C.5.1.c |
ISO 27001:2013 C.5.1.c |
Leadership |
Leadership and commitment |
Shared |
n/a |
Top management shall demonstrate leadership and commitment with respect to the information
security management system by:
c) ensuring that the resources needed for the information security management system are available. |
link |
10 |
| ISO27001-2013 |
C.5.1.f |
ISO27001-2013_C.5.1.f |
ISO 27001:2013 C.5.1.f |
Leadership |
Leadership and commitment |
Shared |
n/a |
Top management shall demonstrate leadership and commitment with respect to the information
security management system by:
f) directing and supporting persons to contribute to the effectiveness of the information security
management system. |
link |
9 |
| ISO27001-2013 |
C.7.1 |
ISO27001-2013_C.7.1 |
ISO 27001:2013 C.7.1 |
Support |
Resources |
Shared |
n/a |
The organization shall determine and provide the resources needed for the establishment, implementation,
maintenance and continual improvement of the information security management system. |
link |
7 |
| NIST_SP_800-53_R4 |
SA-2 |
NIST_SP_800-53_R4_SA-2 |
NIST SP 800-53 Rev. 4 SA-2 |
System And Services Acquisition |
Allocation Of Resources |
Shared |
n/a |
The organization:
a. Determines information security requirements for the information system or information system service in mission/business process planning;
b. Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and
c. Establishes a discrete line item for information security in organizational programming and budgeting documentation.
Supplemental Guidance: Resource allocation for information security includes funding for the initial information system or information system service acquisition and funding for the sustainment of the system/service. Related controls: PM-3, PM-11.
Control Enhancements: None.
References: NIST Special Publication 800-65. |
link |
6 |
| NIST_SP_800-53_R4 |
SC-6 |
NIST_SP_800-53_R4_SC-6 |
NIST SP 800-53 Rev. 4 SC-6 |
System And Communications Protection |
Resource Availability |
Shared |
n/a |
The information system protects the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (one or more); priority; quota; [Assignment: organization-defined security safeguards]].
Supplemental Guidance: Priority protection helps prevent lower-priority processes from delaying or interfering with the information system servicing any higher-priority processes. Quotas prevent users or processes from obtaining more than predetermined amounts of resources. This control does not apply to information system components for which there are only single users/roles.
Control Enhancements: None.
References: None. |
link |
3 |
| NIST_SP_800-53_R5 |
SA-2 |
NIST_SP_800-53_R5_SA-2 |
NIST SP 800-53 Rev. 5 SA-2 |
System and Services Acquisition |
Allocation of Resources |
Shared |
n/a |
a. Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;
b. Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and
c. Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation. |
link |
6 |
| NIST_SP_800-53_R5 |
SC-6 |
NIST_SP_800-53_R5_SC-6 |
NIST SP 800-53 Rev. 5 SC-6 |
System and Communications Protection |
Resource Availability |
Shared |
n/a |
Protect the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (OneOrMore): priority;quota; [Assignment: organization-defined controls] ] . |
link |
3 |