AST-04.2: Control Applicability Boundary Graphical Representation
Mechanisms exist to ensure control applicability is appropriately-determined for Technology Assets, Applications and/or Services (TAAS) and third parties by graphically representing applicable boundaries.
Control Question: Does the organization ensure control applicability is appropriately-determined for Technology Assets, Applications and/or Services (TAAS) and third parties by graphically representing applicable boundaries?
General (13)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | CC2.2-POF11 CC5.2-POF2 |
| MPA Content Security Program 5.1 | TS-2.2 |
| NIST 800-171 R3 (source) | 03.04.11.a 03.04.11.b 03.15.02.a.04 |
| NIST CSF 2.0 (source) | ID.AM-03 |
| PCI DSS 4.0.1 (source) | 1.2.3 12.5.2.1 A3.2.5 |
| PCI DSS 4.0.1 SAQ A-EP (source) | 1.2.3 |
| PCI DSS 4.0.1 SAQ B-IP (source) | 1.2.3 |
| PCI DSS 4.0.1 SAQ D Merchant (source) | 1.2.3 |
| PCI DSS 4.0.1 SAQ D Service Provider (source) | 1.2.3 12.5.2.1 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | AST-04.2 |
| SCF CORE ESP Level 1 Foundational | AST-04.2 |
| SCF CORE ESP Level 2 Critical Infrastructure | AST-04.2 |
| SCF CORE ESP Level 3 Advanced Threats | AST-04.2 |
US (3)
| Framework | Mapping Values |
|---|---|
| US CISA CPG 2022 | 2.P |
| US DHS ZTCF | BAS-03 |
| US TSA / DHS 1580/82-2022-01 | III.B.1.c |
EMEA (1)
| Framework | Mapping Values |
|---|---|
| EMEA Saudi Arabia OTCC-1 2022 | 2-4-1-16 |
Americas (1)
| Framework | Mapping Values |
|---|---|
| Americas Canada ITSP-10-171 | 03.04.11.A 03.04.11.B 03.15.02.A.04 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to ensure control applicability is appropriately-determined for Technology Assets, Applications and/or Services (TAAS) and third parties by graphically representing applicable boundaries.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to ensure control applicability is appropriately-determined for Technology Assets, Applications and/or Services (TAAS) and third parties by graphically representing applicable boundaries.
Level 2 — Planned & Tracked
C|P-CMM2 is N/A, since a well-defined process is required to ensure control applicability is appropriately-determined for Technology Assets, Applications and/or Services (TAAS) and third parties by graphically representing applicable boundaries.
Level 3 — Well Defined
Asset Management (AST) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- An IT Asset Management (ITAM) function, or similar function, governs asset management to help ensure compliance with requirements for asset management.
- An ITAM function, or similar function, maintains an inventory of IT assets, covering both physical and virtual assets, as well as centrally managed asset ownership assignments.
- Technology assets and data are categorized according to data classification and business criticality criteria.
- A Cybersecurity Supply Chain Risk Management (C-SCRM) function oversees supply chain risks including the removal and prevention of certain technology services and/ or equipment designated as supply chain threats by a statutory or regulatory body.
- Data/process owners document where sensitive/regulated data is stored, transmitted and processed, generating Data Flow Diagrams (DFDs) and network diagrams to document the flow of data.
- Stakeholders create network diagrams that graphically represent compliance boundaries (e.g., in-scope vs out-of-scope).
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to ensure control applicability is appropriately-determined for Technology Assets, Applications and/or Services (TAAS) and third parties by graphically representing applicable boundaries.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to ensure control applicability is appropriately-determined for Technology Assets, Applications and/or Services (TAAS) and third parties by graphically representing applicable boundaries.
Assessment Objectives
- AST-04.2_A01 one or more diagrams graphically depict control applicability boundaries for systems, applications, services and third parties to clarify "in-scope versus out-of-scope" determinations.
Evidence Requirements
- E-AST-02 Asset Scoping Guidance
-
Documented evidence of an asset scoping guidance. This is program-level documentation in the form of a runbook, playbook or a similar format provides guidance on defining in-scope systems, applications, services, processes and third-parties.
Asset Management - E-CPL-02 Defined Compliance Scope (DCS)
-
Documented evidence of a formal scoping document that identifies applicable statutory, regulatory and/or contractual obligations for the organization. Defines the affected Lines of Business (LOB), internal / external stakeholders and facilities for the specific scope of compliance obligations.
Compliance
Technology Recommendations
Micro/Small
- Unified Scoping Guide (https://unified-scoping-guide.com)
Small
- Unified Scoping Guide (https://unified-scoping-guide.com)
Medium
- Unified Scoping Guide (https://unified-scoping-guide.com)
Large
- Unified Scoping Guide (https://unified-scoping-guide.com)
Enterprise
- Unified Scoping Guide (https://unified-scoping-guide.com)