User:Shawndouglas/sandbox/sublevel3

From LIMSWiki
Jump to navigationJump to search

PL-1 Security planning policy and procedures

This control recommends the organization develop, document, disseminate, review, and update security planning policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of security planning action but also to address how those policies and procedures will be implemented, reviewed, and updated.

Additional resources:

PL-2 System security plan

This control recommends the organization develop, distribute, review, update, and protect a security plan for its information system. The plan should take into consideration the organization's enterprise architecture and the organizations business and cybersecurity goals, defining the logical and physical boundaries of the system based on the architecture and goals. The operational environment, classification of the system's data, security configuration requirements, and necessary and proposed security controls should also be addressed. The plan should be reviewed and approved by designated personnel.

Additional resources:

PL-4 Rules of behavior

This control recommends the organization establish a set of baseline rules of behavior that address organizational expectations and personal responsibilities of users accessing the system. Each individual should sign an acknowledgment that they have read, understand, and agree to abide by the rules of behavior. Those baseline rules should be reviewed at a designated frequency, and if updates are made, the affected individuals should be required to read, understand, and sign acknowledgement of the revised rules.

Additional resources: