CFG-08: Sensitive / Regulated Data Access Enforcement

There is no evidence of a capability to configure Technology Assets, Applications and/or Services (TAAS) to restrict access to sensitive/regulated data.

C|P-CMM1 is N/A, since a structured process is required to configure Technology Assets, Applications and/or Services (TAAS) to restrict access to sensitive/regulated data.

Configuration Management (CFG) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:

• Configuration management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
• IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for configuration management.
• Technologies are configured to protect data with the strength and integrity commensurate with the classification or sensitivity of the information and mostly conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides), including cryptographic protections for sensitive/regulated data.
• Special baseline configurations are created for higher-risk environments or for systems, applications and services that store, process or transmit sensitive/regulated data.
• Apart from workstation and server operating system baselines, configuration management is decentralized.
• Cybersecurity personnel use a structured process to design, build and maintain secure configurations for test, development, staging and production environments.
• Deviations to baseline configurations are required to have a risk assessment and the business process owner acceptance of the risk(s) associated with the deviation.
• Unauthorized configuration changes are investigated to determine if the unauthorized configuration is malicious in nature.
• Logical Access Control (LAC) is enforced to prohibit non-administrative users from being able to install unauthorized software.

Configuration Management (CFG) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

• The configuration management function is formally assigned with defined roles and responsibilities.
• An IT infrastructure team, or similar function, ensures that statutory, regulatory and contractual cybersecurity and data privacy obligations are addressed to ensure secure configurations are designed, built and maintained.
• Configuration management is centralized for all operating systems, applications, servers and other configurable technologies.
• Technologies are configured to protect data with the strength and integrity commensurate with the classification or sensitivity of the information and conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides), including test, development, staging and production environments.
• Configurations conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides) for test, development, staging and production environments.
• Deviations to baseline configurations are required to have a risk assessment and business process owner approval of the risk(s) associated with the deviation.
• Special baseline configurations are created for higher-risk environments or for systems, applications and services that store, process or transmit sensitive/regulated data.
• An IT Asset Management (ITAM) function, or similar function, ensures compliance with requirements for asset management.
• Logical Access Control (LAC) is used to limit the ability of non-administrators from making configuration changes to systems, applications and services, including the of installation of unauthorized software.
• A Security Incident Event Manager (SIEM), or similar automated tool, monitors for unauthorized activities, accounts, connections, devices and software.
• Unauthorized configuration changes are responded to in accordance with an Incident Response Plan (IRP) to determine if the unauthorized configuration is malicious in nature.

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to configure Technology Assets, Applications and/or Services (TAAS) to restrict access to sensitive/regulated data.

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to configure Technology Assets, Applications and/or Services (TAAS) to restrict access to sensitive/regulated data.