PM-3: INFORMATION SECURITY RESOURCES
The organization:
a. Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement;
b. Employs a business case/Exhibit 300/Exhibit 53 to record the resources required; and
c. Ensures that information security resources are available for expenditure as planned.
Organizations may designate and empower an Investment Review Board (or similar group) to manage and provide oversight for the information security-related aspects of the capital planning and investment control process. Related controls: PM-4, SA-2.
- Control Enhancements:
- (1) The organization centrally manages malicious code protection mechanisms.
- (2) The information system automatically updates malicious code protection mechanisms (including signature definitions).
- (3) The information system prevents non-privileged users from circumventing malicious code protection capabilities.
- (4) The information system updates malicious code protection mechanisms only when directed by a privileged user.
- (5) The organization does not allow users to introduce removable media into the information system.
- (6) The organization tests malicious code protection mechanisms [Assignment: organization-defined frequency] by introducing a known benign, non-spreading test case into the information system and subsequently verifying that both detection of the test case and associated incident reporting occur, as required.
- References: None.
- Priority and Baseline Allocation:

| P1 | LOW PM-3 | MOD PM-3 | HIGH PM-3 |