Develop, review, and approve a plan to assess the security controls in a system and the organization.