August 31, 2016

Info Protection Processes and Procedures (PR.IP)

Objectives for Info Protection Processes and Procedures

Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.

  • PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained
  • PR.IP-2: A System Development Life Cycle to manage systems is implemented
  • PR.IP-3: Configuration change control processes are in place
  • PR.IP-4: Backups of information are conducted, maintained, and tested periodically
  • PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met
  • PR.IP-6: Data is destroyed according to policy. Use SP 800-88r1.
  • PR.IP-7: Protection processes are continuously improved
  • PR.IP-8: Effectiveness of protection technologies is shared with appropriate parties
  • PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
  • PR.IP-10: Response and recovery plans are tested
  • PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
  • PR.IP-12: A vulnerability management plan is developed and implemented