AST-05.1: Management Approval For External Media Transfer
Mechanisms exist to obtain management approval for any sensitive/regulated media that is transferred outside of the organization's facilities.
Control Question: Does the organization obtain management approval for any sensitive/regulated media that is transferred outside of its facilities?
General (10)
| Framework | Mapping Values |
|---|---|
| PCI DSS 4.0.1 (source) | 9.4.4 |
| PCI DSS 4.0.1 SAQ A (source) | 9.4.4 |
| PCI DSS 4.0.1 SAQ A-EP (source) | 9.4.4 |
| PCI DSS 4.0.1 SAQ B (source) | 9.4.4 |
| PCI DSS 4.0.1 SAQ B-IP (source) | 9.4.4 |
| PCI DSS 4.0.1 SAQ C (source) | 9.4.4 |
| PCI DSS 4.0.1 SAQ C-VT (source) | 9.4.4 |
| PCI DSS 4.0.1 SAQ D Merchant (source) | 9.4.4 |
| PCI DSS 4.0.1 SAQ D Service Provider (source) | 9.4.4 |
| SWIFT CSF 2023 | 2.5A 2.9 |
EMEA (1)
| Framework | Mapping Values |
|---|---|
| EMEA Saudi Arabia CSCC-1 2019 | 2-6-1-5 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to obtain management approval for any sensitive/regulated media that is transferred outside of its facilities.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to obtain management approval for any sensitive/regulated media that is transferred outside of its facilities.
Level 2 — Planned & Tracked
C|P-CMM2 is N/A, since a well-defined process is required to obtain management approval for any sensitive/regulated media that is transferred outside of its facilities.
Level 3 — Well Defined
Asset Management (AST) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- An IT Asset Management (ITAM) function, or similar function, governs asset management to help ensure compliance with requirements for asset management.
- An ITAM function, or similar function, maintains an inventory of IT assets, covering both physical and virtual assets, as well as centrally managed asset ownership assignments.
- Technology assets and data are categorized according to data classification and business criticality criteria.
- A Cybersecurity Supply Chain Risk Management (C-SCRM) function oversees supply chain risks including the removal and prevention of certain technology services and/ or equipment designated as supply chain threats by a statutory or regulatory body.
- Data/process owners document where sensitive/regulated data is stored, transmitted and processed, generating Data Flow Diagrams (DFDs) and network diagrams to document the flow of data.
- Data classification and handling criteria govern user behavior for media handling.
- Organizational policies and standards cover media handling requirements.
- Users are educated on their responsibilities to strictly control sensitive/regulated media (e.g., USBs, mobile devices, external drives, etc.).
- Users are required to obtain management approval for any sensitive/regulated media before it is transferred outside of the organization's facilities.
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to obtain management approval for any sensitive/regulated media that is transferred outside of its facilities.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to obtain management approval for any sensitive/regulated media that is transferred outside of its facilities.
Assessment Objectives
- AST-05.1_A01 written management approval is obtained prior to the transfer of any sensitive / regulated media outside of the organization's facilities.