
242 ◾ Information Security Management Handbook
question, why would a CSP go to the time and expense to have a 3PAO evaluate any product against
the low-risk security control baseline? From a business perspective, it makes infinitely more sense to
have all CSP products and services evaluated against the moderate-risk security control baseline.
Part of this exercise involves completing a security control tailoring workbook and generating
a security control implementation summary. In addition, the CSP is responsible for generating the
following NIST-compliant documents:
◾ System security plan
◾ Information security policies
◾ User guide
◾ Rules ...