Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/Program management
Appendix 1.13 Program management
The set of PM controls "are implemented at the organization level and not directed at individual information systems." As such, they have no LIMSpec parallels and are not discussed in detail here. That said, NIST describes the controls of PM as having "been designed to facilitate organizational compliance with applicable federal laws, executive orders, directives, policies, regulations, and standards." The first control, PM-1, is included here. For more on these controls, consult pages 203–21 of NIST SP 800-53, Rev. 5.
PM-1 Information security program plan
This control recommends that the organization develop, document, disseminate, review, and update an organization-wide information security program plan. It asks organizations not only to address the purpose, scope, roles, responsibilities, and enforcement of information security program planning, but also to address how that plan will be implemented, reviewed, and updated. NIST adds that an information security program plan:
- "provides an overview of the security requirements for an organization-wide information security program";
- "documents implementation details about program management and common controls"; and
- "provides sufficient information about the controls (including specification of parameters for assignment and selection operations, explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plan and a determination of the risk to be incurred if the plan is implemented as intended."
Additional resources:
- NIST Special Publication 800-37, Rev. 2
- NIST Special Publication 800-39
- No LIMSpec comp (organizational policy rather than system specification)