
GOV-02.1: Exception Management

GOV 8 — High Govern

Mechanisms exist to prohibit exceptions to standards, except when the exception has been formally assessed for risk impact, approved and recorded.

Control Question: Does the organization prohibit exceptions to standards, except when the exception has been formally assessed for risk impact, approved and recorded?

Framework Mappings

General (6)

  • NIST CSF 2.0: ID.RA-07
  • TISAX ISA 6: 1.5.1
  • SCF CORE Mergers, Acquisitions & Divestitures (MA&D): GOV-02.1
  • SCF CORE ESP Level 1 Foundational: GOV-02.1
  • SCF CORE ESP Level 2 Critical Infrastructure: GOV-02.1
  • SCF CORE ESP Level 3 Advanced Threats: GOV-02.1

US (4)

  • US DoD Zero Trust Execution Roadmap: 2.3.7, 2.7.3
  • US HIPAA Administrative Simplification 2013: 164.306(d)(3)(ii)(B)(1)
  • US HIPAA Security Rule / NIST SP 800-66 R2: 164.306(d)(3)(ii)(B)(1)
  • US - NY DFS 23 NYCRR500 2023 Amd 2: 500.12(b), 500.15(b), 500.9(b)(3)

APAC (1)

  • APAC India SEBI CSCRF: GV.PO.S3

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to prohibit exceptions to standards, except when the exception has been formally assessed for risk impact, approved and recorded.

Level 1 — Performed Informally

Cybersecurity & Privacy Governance (GOV) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, of the following criteria to exist:

  • No formal cybersecurity and/or data privacy principles are identified for the organization.
  • No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel.
  • Governance efforts are narrowly limited to certain compliance requirements.
  • Formal roles and responsibilities for cybersecurity and/or data privacy may exist.
  • Cybersecurity and data privacy governance is informally assigned as an additional duty to existing IT/cybersecurity personnel.
  • Basic cybersecurity policies and standards are documented, but are not based on any industry framework.
  • Basic procedures are established for important tasks, but are ad hoc and not formally documented.
  • Documentation is made available to internal personnel.
  • Organizational leadership maintains an informal process to review and respond to observed trends.

Level 2 — Planned & Tracked

Cybersecurity & Privacy Governance (GOV) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, of the following criteria to exist:

  • Cybersecurity and data privacy governance activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for cybersecurity and data privacy governance activities.
  • The Chief Information Officer (CIO), or similar function, analyzes the organization's business strategy and prioritizes the objectives of the security function, based on business requirements.
  • A qualified individual is assigned the role and responsibilities to centrally manage, coordinate, develop, implement and maintain a cybersecurity and data privacy program (e.g., cybersecurity director or Chief Information Security Officer (CISO)).
  • No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing cybersecurity personnel.
  • Compliance requirements for cybersecurity and data privacy are identified and documented.
  • Cybersecurity policies and standards exist that are aligned with a leading cybersecurity framework (e.g., SCF, NIST 800-53, ISO 27002 or NIST Cybersecurity Framework).
  • Controls are assigned to sensitive/regulated assets to comply with specific compliance requirements.
  • Procedures are established for sensitive/regulated obligations, but are not standardized across the organization.
  • Documentation is made available to internal personnel.

Level 3 — Well Defined

Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, of the following criteria to exist:

  • Statutory, regulatory and contractual compliance requirements for cybersecurity and data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements.
  • A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability.
  • Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity and data privacy.
  • Controls are standardized across the organization to ensure uniformity and consistent execution.
  • Corporate governance (executive oversight) exists for cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization.
  • Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization.
  • Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity and data protection controls for each system, application and/or service for which they are accountable.
  • The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer).
  • Risk management processes are defined, to include materiality considerations.

Level 4 — Quantitatively Controlled

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to prohibit exceptions to standards, except when the exception has been formally assessed for risk impact, approved and recorded.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to prohibit exceptions to standards, except when the exception has been formally assessed for risk impact, approved and recorded.

Assessment Objectives

  1. GOV-02.1_A01: Exception requests to standards are formally submitted for review, along with a business justification for the deviation and the proposed compensating controls.
  2. GOV-02.1_A02: The exception request undergoes a risk assessment to evaluate the business justification and the proposed compensating controls.
  3. GOV-02.1_A03: A documented determination is made to approve or deny the exception request.
  4. GOV-02.1_A04: The requestor of the exception is provided a response on the determination, including required actions, if applicable.

Evidence Requirements

E-GOV-18 Exception Management

Documented evidence of authorized exceptions to standards (e.g., configurations, practices, etc.), including the risk assessment, approval and record for each exception.

Cybersecurity & Data Protection Management

Technology Recommendations

Micro/Small

  • Manual exception management process
  • SCFConnect (https://scfconnect.com)

Small

  • Manual exception management process
  • Governance, Risk & Compliance (GRC) solution
  • SCFConnect (https://scfconnect.com)

Medium

  • Manual exception management process
  • Governance, Risk & Compliance (GRC) solution
  • SCFConnect (https://scfconnect.com)

Large

  • Governance, Risk & Compliance (GRC) solution
  • SCFConnect (https://scfconnect.com)

Enterprise

  • Governance, Risk & Compliance (GRC) solution
  • SCFConnect (https://scfconnect.com)

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.