PR.IP: Information Protection Processes and Procedures
Description
Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
Framework Subcategories
PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
[csf.tools Note: Subcategories do not have detailed descriptions.]
PR.IP-2: A System Development Life Cycle to manage systems is implemented
PR.IP-3: Configuration change control processes are in place
PR.IP-4: Backups of information are conducted, maintained, and tested
PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met
PR.IP-6: Data is destroyed according to policy
PR.IP-7: Protection processes are improved
PR.IP-8: Effectiveness of protection technologies is shared
PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
PR.IP-10: Response and recovery plans are tested
PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
PR.IP-12: A vulnerability management plan is developed and implemented