POLICY. FedRAMP Security Assessment Plan (SAP) Template, Policy Control Overview.xlsx
FedRAMP Security Assessment Plan (SAP) Template
Policy Control Extract
Table of Contents (page 1; the number before each entry is the page on which that control family starts)
2 ............Access Control (AC)
3 ............Awareness and Training (AT)
4 ............Audit and Accountability (AU)
4 ............Security Assessment and Authorization (CA)
5 ............Configuration Management (CM)
5 ............Contingency Planning (CP)
6 ............Identification and Authentication (IA)
6 ............Incident Response (IR)
7 ............Maintenance (MA)
7 ............Media Protection (MP)
8 ............Physical and Environmental Protection (PE)
8 ............Planning (PL)
9 ............Personnel Security (PS)
9 ............Risk Assessment (RA)
10 ............System and Services Acquisition (SA)
10 ............System and Communications Protection (SC)
11 ............System and Information Integrity (SI)
Page 1 of 11
1. Access Control (AC)
1.1. AC-1
Examine information security program documentation for the organization access control policy and that the access control
policy is reviewed and updated at least every three years.
Examine organization access control policy for evidence that the policy addresses purpose, scope, roles and
responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the access
control policy and associated access controls and that the procedures are reviewed and updated at least annually.
Examine organization access control policy and procedures, or other relevant documents for the organization elements
having associated access control roles and responsibilities and to which the access control policy is to be disseminated or
otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the access control
policy was disseminated to the organizational elements.
Examine information security program documentation for the organization access control procedures.
Examine organization access control procedures for evidence that the procedures facilitate implementation of the access
control policy and associated access controls.
Examine organization access control policy and procedures, or other relevant documents for the organization elements
having associated access control roles and responsibilities and to which the access control procedures are to be
disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the access control
policy is reviewed and updated at least every three years, and the procedures at least annually.
2. Awareness and Training (AT)
2.1. AT-1
Examine information security program documentation for the organization security awareness and training policy and
that the security awareness and training policy is reviewed and updated at least every three years.
Examine organization security awareness and training policy for evidence that the policy addresses purpose, scope,
roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the security
awareness and training policy and associated security awareness and training controls and that the procedures are
reviewed and updated at least annually.
Examine organization security awareness and training policy and procedures, or other relevant documents for the
organization elements having associated security awareness and training roles and responsibilities and to which the
security awareness and training policy is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the security
awareness and training policy was disseminated to the organizational elements.
Examine information security program documentation for the organization security awareness and training procedures.
Examine organization security awareness and training procedures for evidence that the procedures facilitate
implementation of the security awareness and training policy and associated security awareness and training controls.
Examine organization security awareness and training policy and procedures, or other relevant documents for the
organization elements having associated security awareness and training roles and responsibilities and to which the
security awareness and training procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the security
awareness and training policy is reviewed and updated at least every three years, and the procedures at least annually.
3. Audit and Accountability (AU)
3.1. AU-1
Examine information security program documentation for the organization audit and accountability policy and that the
audit and accountability policy is reviewed and updated at least every three years.
Examine organization audit and accountability policy for evidence that the policy addresses purpose, scope, roles and
responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the audit and
accountability policy and that the procedures are reviewed and updated at least annually.
Examine organization audit and accountability policy and procedures, or other relevant documents for the organization
elements having associated audit and accountability roles and responsibilities and to which the audit and accountability
policy is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the audit and
accountability policy was disseminated to the organizational elements.
Examine information security program documentation for the organization audit and accountability procedures.
Examine organization audit and accountability procedures for evidence that the procedures facilitate implementation of
the audit and accountability policy and associated audit and accountability controls.
Examine organization audit and accountability policy and procedures, or other relevant documents for the organization
elements having associated audit and accountability roles and responsibilities and to which the audit and accountability
procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the audit and
accountability policy is reviewed and updated at least every three years, and the procedures at least annually.
4. Security Assessment and Authorization (CA)
4.1. CA-1
Examine information security program documentation for the organization security assessment and authorization policy
and that the security assessment and authorization policy is reviewed and updated at least every three years.
Examine organization security assessment and authorization policy for evidence that the policy addresses purpose,
scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the security
assessment and authorization policy and that the procedures are reviewed and updated at least annually.
Examine organization security assessment and authorization policy and procedures, or other relevant documents for the
organization elements having associated security assessment and authorization roles and responsibilities and to which
the security assessment and authorization policy is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the security
assessment and authorization policy was disseminated to the organizational elements.
Examine information security program documentation for the organization security assessment and authorization
procedures.
Examine organization security assessment and authorization procedures for evidence that the procedures facilitate
implementation of the security assessment and authorization policy and associated security assessment and authorization
controls.
Examine organization security assessment and authorization policy and procedures, or other relevant documents for the
organization elements having associated security assessment and authorization roles and responsibilities and to which
the security assessment and authorization procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the security
assessment and authorization policy is reviewed and updated at least every three years, and the procedures at least
annually.
5. Configuration Management (CM)
5.1. CM-1
Examine configuration management documentation for the organization configuration management policy and that the
configuration management policy is reviewed and updated at least every three years.
Examine organization configuration management policy for evidence that the policy addresses purpose, scope, roles and
responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the
configuration management policy and associated configuration management controls and that the procedures are
reviewed and updated at least annually.
Examine organization configuration management policy and procedures, or other relevant documents for the
organization elements having associated configuration management roles and responsibilities and to which the
configuration management policy is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the configuration
management policy was disseminated to the organizational elements.
Examine configuration management documentation for the organization configuration management procedures.
Examine organization configuration management procedures for evidence that the procedures facilitate implementation
of the configuration management policy and associated configuration management controls.
Examine organization configuration management policy and procedures, or other relevant documents for the
organization elements having associated configuration management roles and responsibilities and to which the
configuration management procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the configuration
management policy is reviewed and updated at least every three years, and the procedures at least annually.
6. Contingency Planning (CP)
6.1. CP-1
Examine information security program documentation for the organization contingency planning policy and that the
contingency planning policy is reviewed and updated at least every three years.
Examine organization contingency planning policy for evidence that the policy addresses purpose, scope, roles and
responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the
contingency planning policy and that the procedures are reviewed and updated at least annually.
Examine organization contingency planning policy and procedures, or other relevant documents for the organization
elements having associated contingency planning roles and responsibilities and to which the contingency planning policy
is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the contingency
planning policy was disseminated to the organizational elements.
Examine information security program documentation for the organization contingency planning procedures.
Examine organization contingency planning procedures for evidence that the procedures facilitate implementation of the
contingency planning policy and associated contingency planning controls.
Examine organization contingency planning policy and procedures, or other relevant documents for the organization
elements having associated contingency planning roles and responsibilities and to which the contingency planning
procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the contingency
planning policy is reviewed and updated at least every three years, and the procedures at least annually.
7. Identification and Authentication (IA)
7.1. IA-1
Examine information security program documentation for the organization identification and authentication policy and
that the identification and authentication policy is reviewed and updated at least every three years.
Examine organization identification and authentication policy for evidence that the policy addresses purpose, scope,
roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the
identification and authentication policy and that the procedures are reviewed and updated at least annually.
Examine organization identification and authentication policy and procedures, or other relevant documents for the
organization elements having associated identification and authentication roles and responsibilities and to which the
identification and authentication policy is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the identification
and authentication policy was disseminated to the organizational elements.
Examine information security program documentation for the organization identification and authentication procedures.
Examine organization identification and authentication procedures for evidence that the procedures facilitate
implementation of the identification and authentication policy and associated identification and authentication controls.
Examine organization identification and authentication policy and procedures, or other relevant documents for the
organization elements having associated identification and authentication roles and responsibilities and to which the
identification and authentication procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the identification
and authentication policy is reviewed and updated at least every three years, and the procedures at least annually.
8. Incident Response (IR)
8.1. IR-1
Examine information security program documentation for the organization incident response policy and that the incident
response policy is reviewed and updated at least every three years.
Examine organization incident response policy for evidence that the policy addresses purpose, scope, roles and
responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the incident
response policy and that the procedures are reviewed and updated at least annually.
Examine organization incident response policy and procedures, or other relevant documents for the organization
elements having associated incident response roles and responsibilities and to which the incident response policy is to be
disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the incident
response policy was disseminated to the organizational elements.
Examine information security program documentation for the organization incident response procedures.
Examine organization incident response procedures for evidence that the procedures facilitate implementation of the
incident response policy and associated incident response controls.
Examine organization incident response policy and procedures, or other relevant documents for the organization
elements having associated incident response roles and responsibilities and to which the incident response procedures
are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the incident
response policy is reviewed and updated at least every three years, and the procedures at least annually.
9. Maintenance (MA)
9.1. MA-1
Examine information security program documentation for the organization system maintenance policy and that the
system maintenance policy is reviewed and updated at least every three years.
Examine organization system maintenance policy for evidence that the policy addresses purpose, scope, roles and
responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the system
maintenance policy and that the procedures are reviewed and updated at least annually.
Examine organization system maintenance policy and procedures, or other relevant documents for the organization
elements having associated system maintenance roles and responsibilities and to which the system maintenance policy is
to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the system
maintenance policy was disseminated to the organizational elements.
Examine information security program documentation for the organization system maintenance procedures.
Examine organization system maintenance procedures for evidence that the procedures facilitate implementation of the
system maintenance policy and associated system maintenance controls.
Examine organization system maintenance policy and procedures, or other relevant documents for the organization
elements having associated system maintenance roles and responsibilities and to which the system maintenance
procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the system
maintenance policy is reviewed and updated at least every three years, and the procedures at least annually.
10. Media Protection (MP)
10.1. MP-1
Examine information security program documentation for the organization media protection policy and that the media
protection policy is reviewed and updated at least every three years.
Examine organization media protection policy for evidence that the policy addresses purpose, scope, roles and
responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the media
protection policy and that the procedures are reviewed and updated at least annually.
Examine organization media protection policy and procedures, or other relevant documents for the organization
elements having associated media protection roles and responsibilities and to which the media protection policy is to be
disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the media
protection policy was disseminated to the organizational elements.
Examine information security program documentation for the organization media protection procedures.
Examine organization media protection procedures for evidence that the procedures facilitate implementation of the
media protection policy and associated media protection controls.
Examine organization media protection policy and procedures, or other relevant documents for the organization
elements having associated media protection roles and responsibilities and to which the media protection procedures are
to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the media
protection policy is reviewed and updated at least every three years, and the procedures at least annually.
11. Physical and Environmental Protection (PE)
11.1. PE-1
Examine information security program documentation for the organization physical and environmental protection policy
and that the physical and environmental protection policy is reviewed and updated at least every three years.
Examine organization physical and environmental protection policy for evidence that the policy addresses purpose,
scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the physical
and environmental protection policy and that the procedures are reviewed and updated at least annually.
Examine organization physical and environmental protection policy and procedures, or other relevant documents for the
organization elements having associated physical and environmental protection roles and responsibilities and to which
the physical and environmental protection policy is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the physical and
environmental protection policy was disseminated to the organizational elements.
Examine information security program documentation for the organization physical and environmental protection
procedures.
Examine organization physical and environmental protection procedures for evidence that the procedures facilitate
implementation of the physical and environmental protection policy and associated physical and environmental
protection controls.
Examine organization physical and environmental protection policy and procedures, or other relevant documents for the
organization elements having associated physical and environmental protection roles and responsibilities and to which
the physical and environmental protection procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the physical and
environmental protection policy is reviewed and updated at least every three years, and the procedures at least annually.
12. Planning (PL)
12.1. PL-1
Examine information security program documentation for the organization security planning policy and that the security
planning policy is reviewed and updated at least every three years.
Examine organization security planning policy for evidence that the policy addresses purpose, scope, roles and
responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the security
planning policy and that the procedures are reviewed and updated at least annually.
Examine organization security planning policy and procedures, or other relevant documents for the organization
elements having associated security planning roles and responsibilities and to which the security planning policy is to be
disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the security
planning policy was disseminated to the organizational elements.
Examine information security program documentation for the organization security planning procedures.
Examine organization security planning procedures for evidence that the procedures facilitate implementation of the
security planning policy and associated security planning controls.
Examine organization security planning policy and procedures, or other relevant documents for the organization
elements having associated security planning roles and responsibilities and to which the security planning procedures are
to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the security
planning policy is reviewed and updated at least every three years, and the procedures at least annually.
13. Personnel Security (PS)
13.1. PS-1
Examine information security program documentation for the organization personnel security policy and that the
personnel security policy is reviewed and updated at least every three years.
Examine organization personnel security policy for evidence that the policy addresses purpose, scope, roles and
responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for evidence that the procedures that facilitate the implementation of
the personnel security policy are reviewed and updated at least annually.
Examine organization personnel security policy and procedures, or other relevant documents for the organization
elements having associated personnel security roles and responsibilities and to which the personnel security policy is to
be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the personnel
security policy was disseminated to the organizational elements.
Examine information security program documentation for the organization personnel security procedures.
Examine organization personnel security procedures for evidence that the procedures facilitate implementation of the
personnel security policy and associated personnel security controls.
Examine organization personnel security policy and procedures, or other relevant documents for the organization
elements having associated personnel security roles and responsibilities and to which the personnel security procedures
are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the personnel
security policy is reviewed and updated at least every three years, and the procedures at least annually.
14. Risk Assessment (RA)
14.1. RA-1
Examine information security program documentation for the organization risk assessment policy and that the risk
assessment policy is reviewed and updated at least every three years.
Examine organization risk assessment policy for evidence that the policy addresses purpose, scope, roles and
responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the risk
assessment policy and that the procedures are reviewed and updated at least annually.
Examine organization risk assessment policy and procedures, or other relevant documents for the organization elements
having associated risk assessment roles and responsibilities and to which the risk assessment policy is to be disseminated
or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the risk
assessment policy was disseminated to the organizational elements.
Examine information security program documentation for the organization risk assessment procedures.
Examine organization risk assessment procedures for evidence that the procedures facilitate implementation of the risk
assessment policy and associated risk assessment controls.
Examine organization risk assessment policy and procedures, or other relevant documents for the organization elements
having associated risk assessment roles and responsibilities and to which the risk assessment procedures are to be
disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the risk
assessment policy is reviewed and updated at least every three years, and the procedures at least annually.
15. System and Services Acquisition (SA)
15.1. SA-1
Examine information security program documentation for the organization system and services acquisition policy and
that the system and services acquisition policy is reviewed and updated at least every three years.
Examine organization system and services acquisition policy for evidence that the policy addresses purpose, scope,
roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the system and
services acquisition policy and that the procedures are reviewed and updated at least annually.
Examine organization system and services acquisition policy and procedures, or other relevant documents for the
organization elements having associated system and services acquisition roles and responsibilities and to which the
system and services acquisition policy is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the system and
services acquisition policy was disseminated to the organizational elements.
Examine information security program documentation for the organization system and services acquisition procedures.
Examine organization system and services acquisition procedures for evidence that the procedures facilitate
implementation of the system and services acquisition policy and associated system and services acquisition controls.
Examine organization system and services acquisition policy and procedures, or other relevant documents for the
organization elements having associated system and services acquisition roles and responsibilities and to which the
system and services acquisition procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the system and
services acquisition policy is reviewed and updated at least every three years, and the procedures at least annually.
16. System and Communications Protection (SC)
16.1. SC-1
Examine information security program documentation for the organization system and communications protection policy and for evidence that the system and communications protection policy is reviewed and updated at least every three years.
Examine organization system and communications protection policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the system and communications protection policy, and for evidence that the procedures are reviewed and updated at least annually.
Examine organization system and communications protection policy and procedures, or other relevant documents, for the organization elements having associated system and communications protection roles and responsibilities and to which the system and communications protection policy is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the system and communications protection policy was disseminated to the organizational elements.
Examine organization system and communications protection procedures for evidence that the procedures facilitate implementation of the system and communications protection policy and associated system and communications protection controls.
Examine organization system and communications protection policy and procedures, or other relevant documents, for the organization elements having associated system and communications protection roles and responsibilities and to which the system and communications protection procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the system and communications protection policy is reviewed and updated at least every three years, and the procedures at least annually.
17. System and Information Integrity (SI)
17.1. SI-1
Examine information security program documentation for the organization system and information integrity policy and for evidence that the system and information integrity policy is reviewed and updated at least every three years.
Examine organization system and information integrity policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the system and information integrity policy, and for evidence that the procedures are reviewed and updated at least annually.
Examine organization system and information integrity policy and procedures, or other relevant documents, for the organization elements having associated system and information integrity roles and responsibilities and to which the system and information integrity policy is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the system and information integrity policy was disseminated to the organizational elements.
Examine information security program documentation for the organization system and information integrity procedures.
Examine organization system and information integrity procedures for evidence that the procedures facilitate implementation of the system and information integrity policy and associated system and information integrity controls.
Examine organization system and information integrity policy and procedures, or other relevant documents, for the organization elements having associated system and information integrity roles and responsibilities and to which the system and information integrity procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the system and information integrity policy is reviewed and updated at least every three years, and the procedures at least annually.
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 

Policy. FedRAMP Security Assessment Plan (SAP) Template, Policy and Procedures Security Controls

POLICY. FedRAMP Security Assessment Plan (SAP) Template, Policy Control Overview.xlsx

FedRAMP Security Assessment Plan (SAP) Template
Policy Control Extract

Table of Contents (page ............ section)
2 ............Access Control (AC)
3 ............Awareness and Training (AT)
4 ............Audit and Accountability (AU)
4 ............Security Assessment and Authorization (CA)
5 ............Configuration Management (CM)
5 ............Contingency Planning (CP)
6 ............Identification and Authentication (IA)
6 ............Incident Response (IR)
7 ............Maintenance (MA)
7 ............Media Protection (MP)
8 ............Physical and Environmental Protection (PE)
8 ............Planning (PL)
9 ............Personnel Security (PS)
9 ............Risk Assessment (RA)
10 ............System and Services Acquisition (SA)
10 ............System and Communications Protection (SC)
11 ............System and Information Integrity (SI)

Page 1 of 11
1. Access Control (AC)

1.1. AC-1
Examine information security program documentation for the organization access control policy and that the access control policy is reviewed and updated at least every three years.
Examine organization access control policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the access control policy and associated access controls, and that the procedures are reviewed and updated at least annually.
Examine organization access control policy and procedures, or other relevant documents, for the organization elements having associated access control roles and responsibilities and to which the access control policy is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the access control policy was disseminated to the organizational elements.
Examine information security program documentation for the organization access control procedures.
Examine organization access control procedures for evidence that the procedures facilitate implementation of the access control policy and associated access controls.
Examine organization access control policy and procedures, or other relevant documents, for the organization elements having associated access control roles and responsibilities and to which the access control procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the access control policy is reviewed and updated at least every three years, and the procedures at least annually.
2. Awareness and Training (AT)

2.1. AT-1
Examine information security program documentation for the organization security awareness and training policy and that the security awareness and training policy is reviewed and updated at least every three years.
Examine organization security awareness and training policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the security awareness and training policy and associated security awareness and training controls, and that the procedures are reviewed and updated at least annually.
Examine organization security awareness and training policy and procedures, or other relevant documents, for the organization elements having associated security awareness and training roles and responsibilities and to which the security awareness and training policy is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the security awareness and training policy was disseminated to the organizational elements.
Examine information security program documentation for the organization security awareness and training procedures.
Examine organization security awareness and training procedures for evidence that the procedures facilitate implementation of the security awareness and training policy and associated security awareness and training controls.
Examine organization security awareness and training policy and procedures, or other relevant documents, for the organization elements having associated security awareness and training roles and responsibilities and to which the security awareness and training procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the security awareness and training policy is reviewed and updated at least every three years, and the procedures at least annually.
3. Audit and Accountability (AU)

3.1. AU-1
Examine information security program documentation for the organization audit and accountability policy and that the audit and accountability policy is reviewed and updated at least every three years.
Examine organization audit and accountability policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the audit and accountability policy, and that the procedures are reviewed and updated at least annually.
Examine organization audit and accountability policy and procedures, or other relevant documents, for the organization elements having associated audit and accountability roles and responsibilities and to which the audit and accountability policy is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the audit and accountability policy was disseminated to the organizational elements.
Examine information security program documentation for the organization audit and accountability procedures.
Examine organization audit and accountability procedures for evidence that the procedures facilitate implementation of the audit and accountability policy and associated audit and accountability controls.
Examine organization audit and accountability policy and procedures, or other relevant documents, for the organization elements having associated audit and accountability roles and responsibilities and to which the audit and accountability procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the audit and accountability policy is reviewed and updated at least every three years, and the procedures at least annually.

4. Security Assessment and Authorization (CA)

4.1. CA-1
Examine information security program documentation for the organization security assessment and authorization policy and that the security assessment and authorization policy is reviewed and updated at least every three years.
Examine organization security assessment and authorization policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the security assessment and authorization policy, and that the procedures are reviewed and updated at least annually.
Examine organization security assessment and authorization policy and procedures, or other relevant documents, for the organization elements having associated security assessment and authorization roles and responsibilities and to which the security assessment and authorization policy is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the security assessment and authorization policy was disseminated to the organizational elements.
Examine information security program documentation for the organization security assessment and authorization procedures.
Examine organization security assessment and authorization procedures for evidence that the procedures facilitate implementation of the security assessment and authorization policy and associated security assessment and authorization controls.
Examine organization security assessment and authorization policy and procedures, or other relevant documents, for the organization elements having associated security assessment and authorization roles and responsibilities and to which the security assessment and authorization procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the security assessment and authorization policy is reviewed and updated at least every three years, and the procedures at least annually.
5. Configuration Management (CM)

5.1. CM-1
Examine configuration management documentation for the organization configuration management policy and that the configuration management policy is reviewed and updated at least every three years.
Examine organization configuration management policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the configuration management policy and associated configuration management controls, and that the procedures are reviewed and updated at least annually.
Examine organization configuration management policy and procedures, or other relevant documents, for the organization elements having associated configuration management roles and responsibilities and to which the configuration management policy is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the configuration management policy was disseminated to the organizational elements.
Examine configuration management documentation for the organization configuration management procedures.
Examine organization configuration management procedures for evidence that the procedures facilitate implementation of the configuration management policy and associated configuration management controls.
Examine organization configuration management policy and procedures, or other relevant documents, for the organization elements having associated configuration management roles and responsibilities and to which the configuration management procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the configuration management policy is reviewed and updated at least every three years, and the procedures at least annually.

6. Contingency Planning (CP)

6.1. CP-1
Examine information security program documentation for the organization contingency planning policy and that the contingency planning policy is reviewed and updated at least every three years.
Examine organization contingency planning policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the contingency planning policy, and that the procedures are reviewed and updated at least annually.
Examine organization contingency planning policy and procedures, or other relevant documents, for the organization elements having associated contingency planning roles and responsibilities and to which the contingency planning policy is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the contingency planning policy was disseminated to the organizational elements.
Examine information security program documentation for the organization contingency planning procedures.
Examine organization contingency planning procedures for evidence that the procedures facilitate implementation of the contingency planning policy and associated contingency planning controls.
Examine organization contingency planning policy and procedures, or other relevant documents, for the organization elements having associated contingency planning roles and responsibilities and to which the contingency planning procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the contingency planning policy is reviewed and updated at least every three years, and the procedures at least annually.
7. Identification and Authentication (IA)

7.1. IA-1
Examine information security program documentation for the organization identification and authentication policy and that the identification and authentication policy is reviewed and updated at least every three years.
Examine organization identification and authentication policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the identification and authentication policy, and that the procedures are reviewed and updated at least annually.
Examine organization identification and authentication policy and procedures, or other relevant documents, for the organization elements having associated identification and authentication roles and responsibilities and to which the identification and authentication policy is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the identification and authentication policy was disseminated to the organizational elements.
Examine information security program documentation for the organization identification and authentication procedures.
Examine organization identification and authentication procedures for evidence that the procedures facilitate implementation of the identification and authentication policy and associated identification and authentication controls.
Examine organization identification and authentication policy and procedures, or other relevant documents, for the organization elements having associated identification and authentication roles and responsibilities and to which the identification and authentication procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the identification and authentication policy is reviewed and updated at least every three years, and the procedures at least annually.

8. Incident Response (IR)

8.1. IR-1
Examine information security program documentation for the organization incident response policy and that the incident response policy is reviewed and updated at least every three years.
Examine organization incident response policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the incident response policy, and that the procedures are reviewed and updated at least annually.
Examine organization incident response policy and procedures, or other relevant documents, for the organization elements having associated incident response roles and responsibilities and to which the incident response policy is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the incident response policy was disseminated to the organizational elements.
Examine information security program documentation for the organization incident response procedures.
Examine organization incident response procedures for evidence that the procedures facilitate implementation of the incident response policy and associated incident response controls.
Examine organization incident response policy and procedures, or other relevant documents, for the organization elements having associated incident response roles and responsibilities and to which the incident response procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the incident response policy is reviewed and updated at least every three years, and the procedures at least annually.
9. Maintenance (MA)

9.1. MA-1
Examine information security program documentation for the organization system maintenance policy and that the system maintenance policy is reviewed and updated at least every three years.
Examine organization system maintenance policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the system maintenance policy, and that the procedures are reviewed and updated at least annually.
Examine organization system maintenance policy and procedures, or other relevant documents, for the organization elements having associated system maintenance roles and responsibilities and to which the system maintenance policy is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the system maintenance policy was disseminated to the organizational elements.
Examine information security program documentation for the organization system maintenance procedures.
Examine organization system maintenance procedures for evidence that the procedures facilitate implementation of the system maintenance policy and associated system maintenance controls.
Examine organization system maintenance policy and procedures, or other relevant documents, for the organization elements having associated system maintenance roles and responsibilities and to which the system maintenance procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the system maintenance policy is reviewed and updated at least every three years, and the procedures at least annually.

10. Media Protection (MP)

10.1. MP-1
Examine information security program documentation for the organization media protection policy and that the media protection policy is reviewed and updated at least every three years.
Examine organization media protection policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the media protection policy, and that the procedures are reviewed and updated at least annually.
Examine organization media protection policy and procedures, or other relevant documents, for the organization elements having associated media protection roles and responsibilities and to which the media protection policy is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the media protection policy was disseminated to the organizational elements.
Examine information security program documentation for the organization media protection procedures.
Examine organization media protection procedures for evidence that the procedures facilitate implementation of the media protection policy and associated media protection controls.
Examine organization media protection policy and procedures, or other relevant documents, for the organization elements having associated media protection roles and responsibilities and to which the media protection procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the media protection policy is reviewed and updated at least every three years, and the procedures at least annually.
11. Physical and Environmental Protection (PE)

11.1. PE-1
Examine information security program documentation for the organization physical and environmental protection policy and that the physical and environmental protection policy is reviewed and updated at least every three years.
Examine organization physical and environmental protection policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the physical and environmental protection policy, and that the procedures are reviewed and updated at least annually.
Examine organization physical and environmental protection policy and procedures, or other relevant documents, for the organization elements having associated physical and environmental protection roles and responsibilities and to which the physical and environmental protection policy is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the physical and environmental protection policy was disseminated to the organizational elements.
Examine information security program documentation for the organization physical and environmental protection procedures.
Examine organization physical and environmental protection procedures for evidence that the procedures facilitate implementation of the physical and environmental protection policy and associated physical and environmental protection controls.
Examine organization physical and environmental protection policy and procedures, or other relevant documents, for the organization elements having associated physical and environmental protection roles and responsibilities and to which the physical and environmental protection procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the physical and environmental protection policy is reviewed and updated at least every three years, and the procedures at least annually.

12. Planning (PL)

12.1. PL-1
Examine information security program documentation for the organization security planning policy and that the security planning policy is reviewed and updated at least every three years.
Examine organization security planning policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the security planning policy, and that the procedures are reviewed and updated at least annually.
Examine organization security planning policy and procedures, or other relevant documents, for the organization elements having associated security planning roles and responsibilities and to which the security planning policy is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the security planning policy was disseminated to the organizational elements.
Examine information security program documentation for the organization security planning procedures.
Examine organization security planning procedures for evidence that the procedures facilitate implementation of the security planning policy and associated security planning controls.
Examine organization security planning policy and procedures, or other relevant documents, for the organization elements having associated security planning roles and responsibilities and to which the security planning procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the security planning policy is reviewed and updated at least every three years, and the procedures at least annually.
13. Personnel Security (PS)
13.1. PS-1
Examine information security program documentation for the organization personnel security policy and for evidence that the personnel security policy is reviewed and updated at least every three years.
Examine organization personnel security policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for evidence that procedures facilitate the implementation of the personnel security policy and associated personnel security controls, and that the procedures are reviewed and updated at least annually.
Examine organization personnel security policy and procedures, or other relevant documents, for the organization elements having associated personnel security roles and responsibilities and to which the personnel security policy is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the personnel security policy was disseminated to the organizational elements.
Examine information security program documentation for the organization personnel security procedures.
Examine organization personnel security procedures for evidence that the procedures facilitate implementation of the personnel security policy and associated personnel security controls.
Examine organization personnel security policy and procedures, or other relevant documents, for the organization elements having associated personnel security roles and responsibilities and to which the personnel security procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the personnel security policy is reviewed and updated at least every three years, and the procedures at least annually.
14. Risk Assessment (RA)
14.1. RA-1
Examine information security program documentation for the organization risk assessment policy and for evidence that the risk assessment policy is reviewed and updated at least every three years.
Examine organization risk assessment policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for evidence that procedures facilitate the implementation of the risk assessment policy and associated risk assessment controls, and that the procedures are reviewed and updated at least annually.
Examine organization risk assessment policy and procedures, or other relevant documents, for the organization elements having associated risk assessment roles and responsibilities and to which the risk assessment policy is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the risk assessment policy was disseminated to the organizational elements.
Examine information security program documentation for the organization risk assessment procedures.
Examine organization risk assessment procedures for evidence that the procedures facilitate implementation of the risk assessment policy and associated risk assessment controls.
Examine organization risk assessment policy and procedures, or other relevant documents, for the organization elements having associated risk assessment roles and responsibilities and to which the risk assessment procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the risk assessment policy is reviewed and updated at least every three years, and the procedures at least annually.
15. System and Services Acquisition (SA)
15.1. SA-1
Examine information security program documentation for the organization system and services acquisition policy and for evidence that the system and services acquisition policy is reviewed and updated at least every three years.
Examine organization system and services acquisition policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for evidence that procedures facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls, and that the procedures are reviewed and updated at least annually.
Examine organization system and services acquisition policy and procedures, or other relevant documents, for the organization elements having associated system and services acquisition roles and responsibilities and to which the system and services acquisition policy is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the system and services acquisition policy was disseminated to the organizational elements.
Examine information security program documentation for the organization system and services acquisition procedures.
Examine organization system and services acquisition procedures for evidence that the procedures facilitate implementation of the system and services acquisition policy and associated system and services acquisition controls.
Examine organization system and services acquisition policy and procedures, or other relevant documents, for the organization elements having associated system and services acquisition roles and responsibilities and to which the system and services acquisition procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the system and services acquisition policy is reviewed and updated at least every three years, and the procedures at least annually.
16. System and Communications Protection (SC)
16.1. SC-1
Examine information security program documentation for the organization system and communications protection policy and for evidence that the system and communications protection policy is reviewed and updated at least every three years.
Examine organization system and communications protection policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for evidence that procedures facilitate the implementation of the system and communications protection policy and associated system and communications protection controls, and that the procedures are reviewed and updated at least annually.
Examine organization system and communications protection policy and procedures, or other relevant documents, for the organization elements having associated system and communications protection roles and responsibilities and to which the system and communications protection policy is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the system and communications protection policy was disseminated to the organizational elements.
Examine organization system and communications protection procedures for evidence that the procedures facilitate implementation of the system and communications protection policy and associated system and communications protection controls.
Examine organization system and communications protection policy and procedures, or other relevant documents, for the organization elements having associated system and communications protection roles and responsibilities and to which the system and communications protection procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the system and communications protection policy is reviewed and updated at least every three years, and the procedures at least annually.
17. System and Information Integrity (SI)
17.1. SI-1
Examine information security program documentation for the organization system and information integrity policy and for evidence that the system and information integrity policy is reviewed and updated at least every three years.
Examine organization system and information integrity policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for evidence that procedures facilitate the implementation of the system and information integrity policy and associated system and information integrity controls, and that the procedures are reviewed and updated at least annually.
Examine organization system and information integrity policy and procedures, or other relevant documents, for the organization elements having associated system and information integrity roles and responsibilities and to which the system and information integrity policy is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the system and information integrity policy was disseminated to the organizational elements.
Examine information security program documentation for the organization system and information integrity procedures.
Examine organization system and information integrity procedures for evidence that the procedures facilitate implementation of the system and information integrity policy and associated system and information integrity controls.
Examine organization system and information integrity policy and procedures, or other relevant documents, for the organization elements having associated system and information integrity roles and responsibilities and to which the system and information integrity procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the system and information integrity policy is reviewed and updated at least every three years, and the procedures at least annually.