GOV-04: Assigned Cybersecurity & Data Protection Responsibilities
Mechanisms exist to assign one or more qualified individuals with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide cybersecurity and data protection program.
Control Question: Does the organization assign one or more qualified individuals with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide cybersecurity and data protection program?
General (42)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | CC1.1 CC1.3 CC5.3-POF2 |
| BSI Standard 200-1 | 4.1 4.1.1 4.1.2 4.1.3 4.1.4 4.1.5 4.1.6 |
| COBIT 2019 | APO01.05 |
| COSO 2017 | Principle 1 Principle 3 |
| CSA CCM 4 | GRC-06 STA-04 |
| Generally Accepted Privacy Principles (GAPP) | 8.2.7 |
| IMO Maritime Cyber Risk Management | 3.3 3.5.1.1 3.5.1.2 |
| ISO/SAE 21434 2021 | RQ-05-03 RQ-06-04 |
| ISO 22301 2019 | 5.1 5.3 |
| ISO 27001 2022 (source) | 5.1(f) 5.1(h) 5.3 5.3(a) 5.3(b) |
| ISO 27002 2022 | 5.2 |
| ISO 27017 2015 | 6.1.1 |
| ISO 27701 2025 | 5.1 5.3 5.3(a) |
| ISO 42001 2023 | 5.3 5.3(a) 5.3(b) A.3.2 |
| NAIC Insurance Data Security Model Law (MDL-668) | 4.C(1) |
| NIST AI 100-1 (AI RMF) 1.0 | GOVERN 1.3 GOVERN 2.1 GOVERN 2.3 GOVERN 5.0 |
| NIST Privacy Framework 1.0 | ID.IM-P2 GV.PO-P3 CM.PO-P2 |
| NIST 800-37 R2 | P-1 |
| NIST 800-53 R4 | PL-9 PM-2 PM-6 |
| NIST 800-53 R5 (source) | PL-9 PM-2 PM-6 PM-29 |
| NIST 800-53B R5 (privacy) (source) | PL-9 |
| NIST 800-53 R5 (NOC) (source) | PM-2 PM-6 PM-29 |
| NIST 800-161 R1 | PL-9 PM-2 PM-6 PM-29 |
| NIST 800-161 R1 Level 1 | PL-9 PM-2 PM-6 PM-29 |
| NIST 800-161 R1 Level 2 | PL-9 PM-2 PM-6 |
| NIST 800-218 | PO.2.3 |
| NIST CSF 2.0 (source) | GV.RM GV.RM-05 GV.RR-01 GV.RR-02 |
| PCI DSS 4.0.1 (source) | 1.1.2 2.1.2 3.1.2 4.1.2 5.1.2 6.1.2 7.1.2 8.1.2 9.1.2 10.1.2 11.1.2 12.1.3 12.1.4 12.4 A3.1.1 A3.1.3 |
| PCI DSS 4.0.1 SAQ A-EP (source) | 12.1.3 12.1.4 |
| PCI DSS 4.0.1 SAQ B (source) | 12.1.3 |
| PCI DSS 4.0.1 SAQ B-IP (source) | 12.1.3 |
| PCI DSS 4.0.1 SAQ C (source) | 12.1.3 |
| PCI DSS 4.0.1 SAQ D Merchant (source) | 1.1.2 2.1.2 3.1.2 4.1.2 5.1.2 6.1.2 7.1.2 8.1.2 9.1.2 10.1.2 11.1.2 12.1.3 12.1.4 |
| PCI DSS 4.0.1 SAQ D Service Provider (source) | 1.1.2 2.1.2 3.1.2 5.1.2 6.1.2 7.1.2 8.1.2 9.1.2 10.1.2 11.1.2 12.1.3 12.1.4 |
| PCI DSS 4.0.1 SAQ P2PE (source) | 12.1.3 |
| TISAX ISA 6 | 1.2.1 1.2.2 |
| SCF CORE Fundamentals | GOV-04 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | GOV-04 |
| SCF CORE ESP Level 1 Foundational | GOV-04 |
| SCF CORE ESP Level 2 Critical Infrastructure | GOV-04 |
| SCF CORE ESP Level 3 Advanced Threats | GOV-04 |
| SCF CORE AI Model Deployment | GOV-04 |
US (25)
| Framework | Mapping Values |
|---|---|
| US C2M2 2.1 | ASSET-5.D.MIL3 THREAT-3.D.MIL3 RISK-1.E.MIL2 RISK-1.F.MIL2 RISK-5.D.MIL3 ACCESS-4.D.MIL3 SITUATION-4.D.MIL3 RESPONSE-5.D.MIL3 THIRD-PARTIES-3.D.MIL3 WORKFORCE-4.D.MIL3 ARCHITECTURE-5.D.MIL3 PROGRAM-3.D.MIL3 |
| US CERT RMM 1.2 | EF:SG2.SP2 EF:SG4.SP2 GG2.GP1 MA:SG1.SP1 MON:SG1.SP1 MON:SG1.SP3 |
| US CISA CPG 2022 | 1.B 1.C |
| US CMS MARS-E 2.0 | PM-2 PM-6 |
| US FCA CRM | 609.930(b)(3) |
| US FFIEC | D1.R.St.B.1 D1.TC.Cu.B.1 |
| US GLBA CFR 314 2023 (source) | 314.4(a) 314.4(a)(1) 314.4(a)(2) 314.4(a)(3) |
| US HIPAA Administrative Simplification 2013 (source) | 164.308(a)(2) |
| US HIPAA Security Rule / NIST SP 800-66 R2 (source) | 164.308(a)(2) |
| US HIPAA HICP Small Practice | 5.S.B 10.S.A |
| US HIPAA HICP Medium Practice | 5.M.B 8.M.A |
| US HIPAA HICP Large Practice | 5.M.B 8.M.A 10.M.A |
| US IRS 1075 | 1.5 PM-2 PM-29 |
| US NERC CIP 2024 (source) | CIP-003-8 R4 |
| US NISPOM 2020 | 8-101 8-311 |
| US SEC Cybersecurity Rule | 17 CFR 229.106(b)(1)(ii) 17 CFR 229.106(c)(1) 17 CFR 229.106(c)(2)(i) Form 8-K Item 1.05(a) |
| US - CA CCPA 2025 | 7123(b)(3) |
| US - MA 201 CMR 17.00 | 17.03(2)(a) |
| US - NV NOGE Reg 5 | 5.260.5(a) |
| US - NY DFS 23 NYCRR500 2023 Amd 2 | 500.4(a) |
| US - NY SHIELD Act S5575B | 4(2)(b)(ii)(A)(1) |
| US - OR 646A | 622(2)(d)(A)(i) |
| US - TX DIR Control Standards 2.0 | PM-2 PM-6 |
| US - TX SB 820 | 11.175(d) |
| US - VT Act 171 of 2018 | 2447(b)(1) |
EMEA (13)
| Framework | Mapping Values |
|---|---|
| EMEA EU AI Act | 17.1(m) |
| EMEA EU EBA GL/2019/04 | 3.3.1(11) 3.3.1(12) 3.7.5(91) |
| EMEA EU DORA | 5.2 5.2(a) 5.2(b) 5.2(c) 5.2(d) 5.2(e) 5.2(f) 5.2(g) 5.2(h) 5.2(i)(i) 5.2(i)(ii) 5.2(i)(iii) 5.3 |
| EMEA EU NIS2 Annex | 1.1.1(g) 1.2.1 1.2.4 |
| EMEA Austria | Sec 14 Sec 15 |
| EMEA Belgium | 16 |
| EMEA Germany Banking Supervisory Requirements for IT (BAIT) | 4.4 4.5 4.6 |
| EMEA Germany C5 2020 | OIS-03 |
| EMEA Saudi Arabia ECC-1 2018 | 1-2-2 1-4-1 1-4-2 1-5-2 |
| EMEA Saudi Arabia OTCC-1 2022 | 1-2 1-2-1-2 |
| EMEA Saudi Arabia SAMA CSF 1.0 | 3.1.4 |
| EMEA UK CAF 4.0 | A1.b A1.c |
| EMEA UK DEFSTAN 05-138 | 1102 1103 |
APAC (12)
| Framework | Mapping Values |
|---|---|
| APAC Australia ISM June 2024 | ISM-0714 ISM-0717 ISM-0720 ISM-0724 ISM-0725 ISM-0726 ISM-0731 ISM-0732 ISM-0733 ISM-0734 ISM-0735 |
| APAC Australia Prudential Standard CPS230 | 21 24 |
| APAC Australia Prudential Standard CPS234 | 14 19 |
| APAC China Data Security Law | 45 46 |
| APAC China Privacy Law | 52 |
| APAC India DPDPA 2023 | 19(3) |
| APAC India SEBI CSCRF | GV.RR.S1 GV.RR.S2 GV.RR.S3 |
| APAC Japan ISMAP | 4.3.1 4.3.1.1 4.4.1.2 6.1.1.13.PB 6.1.3.13.PB |
| APAC New Zealand HISF 2022 | HHSP21 HHSP27 HML21 HML27 HSUP19 HSUP23 |
| APAC New Zealand HISF Suppliers 2023 | HSUP19 HSUP23 |
| APAC New Zealand NZISM 3.6 | 3.1.8.C.01 3.1.8.C.02 3.1.8.C.03 3.1.9.C.01 3.2.8.C.01 3.2.8.C.02 3.2.8.C.03 3.2.8.C.04 3.2.8.C.05 3.2.9.C.01 3.2.10.C.01 3.2.10.C.02 3.2.10.C.03 3.2.10.C.04 3.2.11.C.01 3.2.11.C.02 3.2.11.C.03 3.2.12.C.01 3.2.12.C.02 3.2.12.C.03 3.2.13.C.01 3.2.13.C.02 3.2.14.C.01 3.2.15.C.01 3.2.16.C.01 3.2.17.C.01 3.2.18.C.01 3.2.19.C.01 |
| APAC Singapore MAS TRM 2021 | 3.1.7(a) 3.1.7(b) 3.1.7(c) 3.1.7(d) 3.1.7(e) 3.1.7(f) 3.1.7(g) 3.1.8(a) 3.1.8(b) 3.1.8(c) 3.1.8(d) 3.1.8(e) |
Americas (3)
| Framework | Mapping Values |
|---|---|
| Americas Bermuda BMACCC | 5.2 |
| Americas Canada CSAG | 1.1 1.2 6.2 |
| Americas Canada OSFI B-13 | 1 1.1 1.1.1 1.1.2 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to assign a qualified individual with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide cybersecurity and data privacy program.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to assign a qualified individual with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide cybersecurity and data privacy program.
Level 2 — Planned & Tracked
Cybersecurity & Privacy Governance (GOV) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- Cybersecurity and data privacy governance activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for cybersecurity and data privacy governance activities.
- The Chief Information Officer (CIO), or similar function, analyzes the organization's business strategy and prioritizes the objectives of the security function, based on business requirements.
- A qualified individual is assigned the role and responsibilities to centrally manage, coordinate, develop, implement and maintain a cybersecurity and data privacy program (e.g., cybersecurity director or Chief Information Security Officer (CISO)).
- No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing cybersecurity personnel.
- Compliance requirements for cybersecurity and data privacy are identified and documented.
- Cybersecurity policies and standards exist that are aligned with a leading cybersecurity framework (e.g., SCF, NIST 800-53, ISO 27002 or NIST Cybersecurity Framework).
- Controls are assigned to sensitive/regulated assets to comply with specific compliance requirements.
- Procedures are established for sensitive/regulated obligations, but are not standardized across the organization.
- Documentation is made available to internal personnel.
Level 3 — Well Defined
Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- Statutory, regulatory and contractual compliance requirements for cybersecurity and data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements.
- A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability.
- Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity and data privacy.
- Controls are standardized across the organization to ensure uniformity and consistent execution.
- Corporate governance (executive oversight) exists for cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization.
- Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization.
- Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity and data protection controls for each system, application and/or service for which they have accountability.
- The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer).
- Risk management processes are defined, to include materiality considerations.
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to assign a qualified individual with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide cybersecurity and data privacy program.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to assign a qualified individual with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide cybersecurity and data privacy program.
Assessment Objectives
- GOV-04_A01 a senior organizational cybersecurity position is appointed.
- GOV-04_A02 the senior organizational cybersecurity position is provided with the mission and resources to coordinate, develop, implement and maintain an organization-wide cybersecurity program.
Evidence Requirements
| Evidence ID | Evidence Name | Description | Domain |
|---|---|---|---|
| E-HRS-01 | Position Categorization | Documented evidence of discrete roles for cybersecurity & data privacy functions (e.g., position categorization). | Human Resources |
| E-HRS-05 | Role Assignment - CISO | Documented evidence of a formal role assignment to the Chief Information Security Officer (CISO) position. | Human Resources |
| E-HRS-06 | Role Assignment - COO | Documented evidence of a formal role assignment to the Chief Operations Officer (COO) position. | Human Resources |
| E-HRS-07 | Role Assignment - CIO | Documented evidence of a formal role assignment to the Chief Information Officer (CIO) position. | Human Resources |
| E-HRS-08 | Role Assignment - CPO | Documented evidence of a formal role assignment to the Chief Privacy Officer (CPO) position. | Human Resources |
| E-HRS-09 | Role Assignment - CRO | Documented evidence of a formal role assignment to the Chief Risk Officer (CRO) position. | Human Resources |
| E-HRS-10 | Role Assignment - DPO | Documented evidence of a formal role assignment to Data Protection Officer (DPO) positions. | Human Resources |
| E-HRS-13 | Defined Cybersecurity & Data Privacy Responsibilities | Documented evidence of role-based cybersecurity & data privacy responsibilities to ensure personnel are both educated on the role and responsible for the associated control execution. | Human Resources |
| E-HRS-15 | Organization Chart | Current and accurate organization chart that depicts logical staff hierarchies. | Human Resources |
Technology Recommendations
Micro/Small
- Third-party advisors (e.g., virtual CISO, Managed Security Services Provider (MSSP), etc.)
Small
- Third-party advisors (e.g., virtual CISO, Managed Security Services Provider (MSSP), etc.)
Medium
- Chief Information Security Officer (CISO)
Large
- Chief Information Security Officer (CISO)
Enterprise
- Chief Information Security Officer (CISO)