GOV-13: State-Sponsored Espionage

GOV 10 — Critical Govern

Mechanisms exist to constrain the host government's ability to leverage the organization's Technology Assets, Applications and/or Services (TAAS) for economic or political espionage and/or cyberwarfare activities.

Control Question: Does the organization constrain the host government's ability to leverage its Technology Assets, Applications and/or Services (TAAS) for economic or political espionage and/or cyberwarfare activities?

General (1)

  • SCF CORE Mergers, Acquisitions & Divestitures (MA&D): GOV-13

APAC (3)

  • APAC China Cybersecurity Law: 28
  • APAC China Data Security Law: 7, 8, 9, 11, 14, 15, 16, 18, 19, 20, 28, 31, 32, 33, 36, 37, 38, 48, 53
  • APAC China Privacy Law: 11, 12, 38(4), 40, 47(5), 60, 63(3), 63(4), 64

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to constrain the host government's ability to leverage its Technology Assets, Applications and/or Services (TAAS) for economic or political espionage and/or cyberwarfare activities.

Level 1 — Performed Informally

C|P-CMM1 is N/A, since a structured process is required to constrain the host government's ability to leverage its Technology Assets, Applications and/or Services (TAAS) for economic or political espionage and/or cyberwarfare activities.

Level 2 — Planned & Tracked

C|P-CMM2 is N/A, since a well-defined process is required to constrain the host government's ability to leverage its Technology Assets, Applications and/or Services (TAAS) for economic or political espionage and/or cyberwarfare activities.

Level 3 — Well Defined

Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, of the following criteria to exist:

  • Statutory, regulatory and contractual compliance requirements for cybersecurity and data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements.
  • A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability.
  • Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity and data privacy.
  • Controls are standardized across the organization to ensure uniformity and consistent execution.
  • Corporate governance (executive oversight) exists for cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization.
  • Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization.
  • Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity and data protection controls for each system, application and/or service for which they are accountable.
  • The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer).
  • Risk management processes are defined, to include materiality considerations.

Level 4 — Quantitatively Controlled

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to constrain the host government's ability to leverage its Technology Assets, Applications and/or Services (TAAS) for economic or political espionage and/or cyberwarfare activities.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to constrain the host government's ability to leverage its Technology Assets, Applications and/or Services (TAAS) for economic or political espionage and/or cyberwarfare activities.

Assessment Objectives

  1. GOV-13_A01: An executive steering committee, or advisory board, evaluates business practices for possible instances where host nation business practices could leverage the organization's technology assets for economic or political espionage and/or cyberwarfare activities.
  2. GOV-13_A02: Measures exist for the executive steering committee, or advisory board, to proactively identify and evaluate host nation business practices that could leverage the organization's technology assets for economic or political espionage and/or cyberwarfare activities.
  3. GOV-13_A03: Actions are taken to prevent and/or block potential instances where host nation business practices could leverage the organization's technology assets for economic or political espionage and/or cyberwarfare activities.

Technology Recommendations

Micro/Small

  • Legal review

Small

  • Legal review

Medium

  • Legal review
  • Steering committee
  • Board of Directors (BoD)

Large

  • Legal review
  • Steering committee
  • Board of Directors (BoD)

Enterprise

  • Legal review
  • Steering committee
  • Board of Directors (BoD)

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.