Control: The organization develops, disseminates, and periodically reviews/updates:
Supplemental Guidance: The security planning policy and procedures are consistent with applicable federal laws, directives, policies, regulations, standards and guidance.
For guidance on security planning, see:
NIST Special Publication 800-18 (pdf)
(http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1-final.pdf)
For guidance on security policies and procedures, see:
NIST Special Publication 800-12
(http://csrc.nist.gov/publications/nistpubs/800-12/800-12-html/index.html)
Control Enhancements: None
Control Recommendations:
Low: PL-1
Moderate: PL-1
High: PL-1
Control: The organization develops and implements a security plan for the information system that provides an overview of the security requirements for the system and a description of the security controls in place or planned for meeting those requirements. Designated officials within the organization review and approve the plan.
Supplemental Guidance: For guidance on security planning, see:
NIST Special Publication 800-18 (pdf)
(http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1-final.pdf)
Control Enhancements: None
Control Recommendations:
Low: PL-2
Moderate: PL-2
High: PL-2
Control: The organization reviews the security plan for the information system at least every 3 years and revises the plan to address system/organizational changes or problems identified during plan implementation or security control assessments.
Supplemental Guidance: Significant changes are defined in advance by the organization and identified in the configuration management process.
Control Enhancements: None
Control Recommendations:
Low: PL-3
Moderate: PL-3
High: PL-3
Control: The organization:
Supplemental Guidance: Electronic signatures are acceptable for use in acknowledging rules of behavior. For guidance on preparing rules of behavior, see:
NIST Special Publication 800-18 (pdf)
(http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1-final.pdf)
Control Enhancements: None
Control Recommendations:
Low: PL-4
Moderate: PL-4
High: PL-4
Control: The organization conducts a privacy impact assessment on the information system at least once every three years.
Supplemental Guidance: The organization implements a formal process of assessing the privacy implications of the information system, especially in relation to changes in privacy laws.
Control Enhancements: None
Control Recommendations:
Low: PL-5
Moderate: PL-5
High: PL-5
Content reviewed on July 3, 2006 by Jeff Webster
Page last modified July 17, 2006 by cawalker