AST-15: Logical Tampering Protection

There is no evidence of a capability to assess the integrity of critical Technology Assets, Applications and/or Services (TAAS) to detect evidence of tampering, where: (1) Logical assessments evaluate the integrity of critical components (e.g., configuration settings); and (2) Physical assessments evaluate assets for evidence of unauthorized access and/or modifications.

Asset Management (AST) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

• Asset management is informally assigned as an additional duty to existing IT/cybersecurity personnel.
• Asset inventories are performed in an ad hoc manner.
• Software licensing is tracked as part of IT asset inventories.
• Data process owners maintain limited network diagrams to document the flow of sensitive/regulated data that is specific to their initiative.
• IT personnel work with data/process owners to help ensure secure practices are implemented throughout the System Development Lifecycle (SDLC) for all high-value projects.

Asset Management (AST) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:

• Asset management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
• IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for asset management.
• Administrative processes and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.
• Asset management is formally assigned as an additional duty to existing IT/cybersecurity personnel.
• Technology Assets, Applications and/or Services (TAAS) are categorized according to data classification and business criticality.
• Inventories cover Technology Assets, Applications and/or Services (TAAS) in scope for statutory, regulatory and/ or contractual compliance, which includes both physical and virtual assets.
• Software licensing is tracked as part of IT asset inventories.
• Users are educated on their responsibilities to protect Technology Assets, Applications and/or Services (TAAS) assigned to them or under their supervision.
• IT/cybersecurity personnel maintain network diagrams to document the flow of sensitive/regulated data across the network.
• Security awareness training covers reporting of unauthorized alterations and evidence of tampering.
• Users traveling to high threat countries use tamper-resistant tape to aid in detecting physical tampering and/ or use a specially hardened device besides their normal company issued device.

Asset Management (AST) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

• An IT Asset Management (ITAM) function, or similar function, governs asset management to help ensure compliance with requirements for asset management.
• An ITAM function, or similar function, maintains an inventory of IT assets, covering both physical and virtual assets, as well as centrally managed asset ownership assignments.
• Technology Assets, Applications and/or Services (TAAS) and data are categorized according to data classification and business criticality criteria.
• A Cybersecurity Supply Chain Risk Management (C-SCRM) function oversees supply chain risks including the removal and prevention of certain technology services and/ or equipment designated as supply chain threats by a statutory or regulatory body.
• Data/process owners document where sensitive/regulated data is stored, transmitted and processed, generating Data Flow Diagrams (DFDs) and network diagrams to document the flow of data.
• Security awareness training covers reporting of unauthorized alterations and evidence of tampering.
• Users traveling to high threat countries use tamper-resistant tape to aid in detecting physical tampering and/ or use a specially hardened device besides their normal company issued device.

Asset Management (AST) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement.

• Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
• Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
• Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
• Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
• Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
• Both business and technical stakeholders are involved in reviewing and approving proposed changes.

Asset Management (AST) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist:

• Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions.
• Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.