AST-26: System Administrative Processes

There is no evidence of a capability to develop, implement and govern system administration processes, with corresponding Standardized Operating Procedures (SOP), for operating and maintaining Technology Assets, Applications and/or Services (TAAS).

C|P-CMM1 is N/A, since a structured process is required to develop, implement and govern system administration processes, with corresponding Standardized Operating Procedures (SOP), for operating and maintaining Technology Assets, Applications and/or Services (TAAS).

Asset Management (AST) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:

• Asset management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
• IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for asset management.
• Administrative processes and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.
• Asset management is formally assigned as an additional duty to existing IT/cybersecurity personnel.
• Technology assets are categorized according to data classification and business criticality.
• Inventories cover technology assets in scope for statutory, regulatory and/ or contractual compliance, which includes both physical and virtual assets.
• Software licensing is tracked as part of IT asset inventories.
• Users are educated on their responsibilities to protect technology assets assigned to them or under their supervision.
• IT/cybersecurity personnel maintain network diagrams to document the flow of sensitive/regulated data across the network.

Asset Management (AST) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

• An IT Asset Management (ITAM) function, or similar function, governs asset management to help ensure compliance with requirements for asset management.
• An ITAM function, or similar function, maintains an inventory of IT assets, covering both physical and virtual assets, as well as centrally managed asset ownership assignments.
• Technology assets and data are categorized according to data classification and business criticality criteria.
• A Cybersecurity Supply Chain Risk Management (C-SCRM) function oversees supply chain risks including the removal and prevention of certain technology services and/ or equipment designated as supply chain threats by a statutory or regulatory body.
• Data/process owners document where sensitive/regulated data is stored, transmitted and processed, generating Data Flow Diagrams (DFDs) and network diagrams to document the flow of data.
• A Governance, Risk & Compliance (GRC) function, or similar function, enables the documentation of Standardized Operating Procedures (SOP), or similar mechanisms, at the business process-level to identify and document day-to-day procedures enabling the proper execution of assigned tasks.

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to develop, implement and govern system administration processes, with corresponding Standardized Operating Procedures (SOP), for operating and maintaining Technology Assets, Applications and/or Services (TAAS).

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to develop, implement and govern system administration processes, with corresponding Standardized Operating Procedures (SOP), for operating and maintaining Technology Assets, Applications and/or Services (TAAS).