| Category / Subcategory / Element | Control Reference | Control Summary | Interpretation |
|---|---|---|---|
| Third-party personnel security | PS-7 | The organization establishes personnel security requirements, including security roles and responsibilities for third-party providers, and monitors provider compliance. | |
| Personnel sanctions | PS-8 | The organization employs a formal sanctions process for personnel failing to comply with established information security policies and procedures. | |
| **RA: Risk Assessment** | | | |
| Risk assessment policy and procedures | RA-1 | The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls. | |
| Security categorization | RA-2 | The organization categorizes the information system and the information processed, stored, or transmitted by the system in accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidance and documents the results (including supporting rationale) in the system security plan. Designated senior-level officials within the organization review and approve the security categorizations. | |