
Title

4.2.7 Develop Departmental Security Control Profiles

Predecessors

4.2.6 Specify Security Control Objectives

Priority

(2) Normal

Status

Not Started

% Complete

 

Assigned To

 

Description

The objective of this activity is to create departmental security control profiles that are tailored to the security needs of each department. Depending on their mission (e.g., delivering a single program versus delivering multiple programs) and the complexity of their business activities, departments may have a single, organization-wide security control profile or several domain-specific profiles called “departmental domain security control profiles” or simply “domain security control profiles”.
Departmental security control profiles are best developed with the support of several key department-wide information and IT management processes. Although outside the scope of the IT security risk management process, these enterprise processes can help ensure the suitable selection and tailoring of security controls. These supporting processes are:
• The definition of the departmental business activities that are needed to support departmental missions;
• The prioritization of departmental business activities with respect to strategic goals and objectives;
• The definition of the types of information assets needed to successfully execute the departmental business activities, their criticality and sensitivity, and their flows both internally and externally;
• The incorporation of information security requirements into the mission/business processes; and
• The definition of an enterprise architecture that includes IT security requirements.
There are four steps to developing departmental security control profiles:
• Define business domains;
• Define IT security approaches;
• Develop departmental security control profiles; and
• Approve the departmental security control profiles.
These four steps to developing departmental security control profiles are described in the following sections.
 

Start Date

 

Due Date

 

Project

ITSG 33 Departmental Security Control Profiles

Milestone

4.2 Departmental IT Security Needs & Security Controls

Cost

$0.00

Cost in Days

0.00

Process

 

VisioFlow

 

Attachments

Content Type: Task
Created at 11/25/2013 6:31 PM by System Account
Last modified at 11/25/2013 6:31 PM by System Account