Skip to main content

GOV-04.2: Authoritative Chain of Command

GOV 7 — High Govern

Mechanisms exist to establish an authoritative chain of command with clear lines of communication to remove ambiguity from individuals and teams related to managing data and technology-related risks.

Control Question: Does the organization establish an authoritative chain of command with clear lines of communication to remove ambiguity from individuals and teams related to managing data and technology-related risks?

General (6)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) CC1.2-POF1 CC1.3 CC1.3-POF1 CC1.3-POF2 CC1.3-POF3 CC1.3-POF4 CC1.3-POF5 CC1.3-POF6 CC1.5-POF1
IMO Maritime Cyber Risk Management 3.3 3.3 3.5.1.2
ISO 42001 2023 5.1 A.3
NIST AI 100-1 (AI RMF) 1.0 GOVERN 1.3 GOVERN 2.1
TISAX ISA 6 1.2.1 1.2.2
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) GOV-04.2
US (3)
Framework Mapping Values
US CISA CPG 2022 1.B 1.C
US SEC Cybersecurity Rule 17 CFR 229.106(c)(1)
US - NY DFS 23 NYCRR500 2023 Amd 2 500.4(b)
EMEA (4)
Framework Mapping Values
EMEA EU EBA GL/2019/04 3.7.5(91)
EMEA Germany Banking Supervisory Requirements for IT (BAIT) 4.5 4.6 4.10
EMEA UK CAF 4.0 A1.b
EMEA UK DEFSTAN 05-138 1103
APAC (3)
Framework Mapping Values
APAC Australia Prudential Standard CPS230 21
APAC India SEBI CSCRF GV.OC.S1 GV.PO.S5
APAC New Zealand HISF 2022 HHSP21
Americas (1)
Framework Mapping Values
Americas Canada OSFI B-13 1 1.1.2

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to establish an authoritative chain of command with clear lines of communication to remove ambiguity from individuals and teams related to managing data and technology-related risks.

Level 1 — Performed Informally

C|P-CMM1 is N/A, since a structured process is required to establish an authoritative chain of command with clear lines of communication to remove ambiguity from individuals and teams related to managing data and technology-related risks.

Level 2 — Planned & Tracked

C|P-CMM2 is N/A, since a well-defined process is required to establish an authoritative chain of command with clear lines of communication to remove ambiguity from individuals and teams related to managing data and technology-related risks.

Level 3 — Well Defined

Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Statutory, regulatory and contractual compliance requirements for cybersecurity and data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements.
  • A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability.
  • Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity and data privacy.
  • Controls are standardized across the organization to ensure uniformity and consistent execution.
  • Corporate governance (executive oversight) exists for the cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization.
  • Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization.
  • Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity and data protection controls for each system, application and/ or service of which they have accountability.
  • The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer).
  • Risk management processes are defined, to include materiality considerations.
Level 4 — Quantitatively Controlled

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to establish an authoritative chain of command with clear lines of communication to remove ambiguity from individuals and teams related to managing data and technology-related risks.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to establish an authoritative chain of command with clear lines of communication to remove ambiguity from individuals and teams related to managing data and technology-related risks.

Assessment Objectives

  1. GOV-04.2_A01 a formal organization structure is published.
  2. GOV-04.2_A02 an individual's chain of command is clearly delineated.

Evidence Requirements

E-HRS-15 Organization Chart

Current and accurate organization chart that depicts logical staff hierarchies.

Human Resources

Technology Recommendations

Micro/Small

  • Organization chart

Small

  • Organization chart

Medium

  • Organization chart

Large

  • Organization chart

Enterprise

  • Organization chart

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free