To deploy the mandated security controls in information systems, the IT security coordinator promulgates
the use of the departmental security control profiles by IT projects and IT operations groups. To that end,
IT security coordinators implement a process to disseminate their departmental security control profiles
along with departmental threat assessment reports to communities across their organization that are
responsible for the implementation and operation of information systems. The promulgation can be done
through various means (e.g., monthly IT security bulletins, departmental IT or IT security steering
committee or review board).
IT security coordinators also inform program and service delivery managers and security assessors of the
availability of departmental security control profiles. Program and service delivery managers and security assessors in turn can mandate the use of these appropriate departmental security control profiles by IT
projects and IT operations group that relate to their area of responsibility.
IT projects and IT operations groups implement and operate security controls in information systems
following the IT security risk management activities described in Annex 2 of ITSG-33 [Reference 2].