Control: The organization determines, documents, and allocates as part of its capital planning and investment control process, the resources required to adequately protect the information system.

Supplemental Guidance: The organization includes the determination of security requirements for the information system in mission/business case planning and establishes a discrete line item for information system security in the organization’s programming and budgeting documentation. NIST Special Publication 800-65 provides guidance on integrating security into the capital planning and investment control process.

Control Enhancements: (0) None.

Baseline: LOW SA-2 MOD SA-2 HIGH SA-2

Family: System And Services Acquisition

Class: Management

ISO 17799 mapping: 10.3.1

COBIT 4.1 mapping: PO1.1, PO5.2