PM-3: INFORMATION SECURITY RESOURCES
PROGRAM MANAGEMENT & INDUSTRIAL CONTROL SYSTEMS
ICS Control Baselines:
- Program Management is baseline independent.
The organization:
- a. Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement;
- b. Employs a business case/Exhibit 300/Exhibit 53 to record the resources required; and
- c. Ensures that information security resources are available for expenditure as planned.
SUPPLEMENTAL GUIDANCE
Organizations consider establishing champions for information security efforts and as part of including the necessary resources, assign specialized expertise and resources as needed. Organizations may designate and empower an Investment Review Board (or similar group) to manage and provide oversight for the information security-related aspects of the capital planning and investment control process.
ICS SUPPLEMENTAL GUIDANCE
Capital planning and investment decisions address all of the relevant technologies and all phases of the life cycle and needs to be informed by ICS experts as well as other subject matter experts (e.g., information security). Marshaling interdisciplinary working teams to advise capital planning and investment decisions can help tradeoff and balance among conflicting equities, objectives, and responsibilities such as capability, adaptability, resilience, safety, security, usability, and efficiency.
RELATED CONTROLS: PM-3
CONTROL ENHANCEMENTS
NO CONTROL ENHANCEMENTS
REFERENCES:
- NIST Special Publication 800-82
- NIST Special Publication 800-65