Information Security Policy Development for Compliance
a. Formal, documented security assessment and authorization
policies that address purpose, scope, roles, responsibilities,
management commitment, coordination among organizational
entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation
of the security assessment and authorization policies and
associated security assessment and authorization controls.
CA-2 SECURITY ASSESSMENTS
Control: The organization:
a. Develops a security assessment plan that describes the scope
of the assessment including:
• Security controls and control enhancements under assessment;
• Assessment procedures to be used to determine security
control effectiveness; ...