GOV-15: Operationalizing Cybersecurity & Data Protection Practices
Mechanisms exist to compel data and/or process owners to operationalize cybersecurity and data protection practices for each Technology Asset, Application and/or Service (TAAS) under their control.
Control Question: Does the organization compel data and/or process owners to operationalize cybersecurity and data protection practices for each Technology Asset, Application and/or Service (TAAS) under their control?
General (18)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | CC2.1-POF1 CC2.1-POF2 CC2.1-POF3 CC2.1-POF4 CC3.1-POF5 CC5.1 CC5.1-POF1 CC5.1-POF2 CC5.1-POF3 CC5.1-POF4 CC5.1-POF5 CC5.1-POF6 |
| IEC TR 60601-4-5 2021 | 4.1 4.6.1 5.1 |
| IMO Maritime Cyber Risk Management | 3.5 |
| ISO 27701 2025 | 5.1 |
| ISO 29100 2024 | 6.12 |
| ISO 42001 2023 | 5.1 8.1 |
| MPA Content Security Program 5.1 | OR-1.0 |
| NAIC Insurance Data Security Model Law (MDL-668) | 4.D(2)(g) |
| NIST AI 100-1 (AI RMF) 1.0 | GOVERN 4.0 |
| NIST 800-171 R3 (source) | 03.15.01.a 03.17.01.a |
| NIST 800-171A R3 (source) | A.03.16.01 |
| TISAX ISA 6 | 1.2.1 5.3.1 5.3.2 |
| SCF CORE Fundamentals | GOV-15 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | GOV-15 |
| SCF CORE ESP Level 1 Foundational | GOV-15 |
| SCF CORE ESP Level 2 Critical Infrastructure | GOV-15 |
| SCF CORE ESP Level 3 Advanced Threats | GOV-15 |
| SCF CORE AI Model Deployment | GOV-15 |
US (11)
| Framework | Mapping Values |
|---|---|
| US Data Privacy Framework (DPF) | II.4.a |
| US DHS CISA SSDAF | 1.f |
| US EO 14028 | 4e(i)(F) |
| US FCA CRM | 609.930(a) |
| US FIPPS | 2 |
| US HHS 45 CFR 155.260 | 155.260(a)(3)(viii) 155.260(a)(4) 155.260(a)(4)(i) 155.260(a)(4)(iii) 155.260(c) |
| US HIPAA Administrative Simplification 2013 (source) | 164.306(a)(1) 164.306(b)(1) |
| US HIPAA Security Rule / NIST SP 800-66 R2 (source) | 164.306(a)(1) 164.306(b)(1) |
| US NNPI (unclass) | 15.1 15.2 15.3 15.4 |
| US SEC Cybersecurity Rule | 17 CFR 229.106(b)(1)(i) |
| US - CA CCPA 2025 | 7123(b)(3) |
EMEA (14)
| Framework | Mapping Values |
|---|---|
| EMEA EU AI Act | 17.2 |
| EMEA EU EBA GL/2019/04 | 3.3.4(22) 3.4.1(30)(a) 3.4.1(30)(b) 3.4.1(30)(c) 3.4.1(30)(d) 3.4.1(30)(e) 3.4.1(30)(f) 3.4.1(30)(g) |
| EMEA EU DORA | 7 7(a) 7(b) 7(c) 7(d) 9.3 |
| EMEA EU NIS2 | 21.1 21.2(a) 21.2(b) 21.2(c) 21.2(d) 21.2(e) 21.2(f) 21.2(g) 21.2(h) 21.2(i) 21.2(j) |
| EMEA EU NIS2 Annex | 6.2.1 6.7.1 |
| EMEA Germany Banking Supervisory Requirements for IT (BAIT) | 5.1 |
| EMEA Qatar PDPPL | 8.3 |
| EMEA Saudi Arabia IoT CGIoT-1 2024 | 1-6-1 |
| EMEA Saudi Arabia OTCC-1 2022 | 2-3 2-3-2 |
| EMEA Serbia 87/2018 | 50 51 |
| EMEA Spain BOE-A-2022-7191 | 5 5(a) 5(b) 5(c) 5(d) 5(e) 5(f) 5(g) 8.1 8.2 8.3 8.4 8.5 28.1 37 |
| EMEA Spain 311/2022 | 28.1 37 5 5(a) 5(b) 5(c) 5(d) 5(e) 5(f) 5(g) 8.1 8.2 8.3 8.4 8.5 |
| EMEA UK CAF 4.0 | B4.a |
| EMEA UK CAP 1850 | A5 |
APAC (6)
| Framework | Mapping Values |
|---|---|
| APAC Australia ISM June 2024 | ISM-1633 ISM-1634 ISM-1635 ISM-1636 |
| APAC Australia Prudential Standard CPS230 | 29 |
| APAC India SEBI CSCRF | GV.RM.S2 |
| APAC New Zealand HISF 2022 | HHSP11 HHSP16 HHSP28 HML11 HML16 HML28 HSUP14 HSUP24 |
| APAC New Zealand HISF Suppliers 2023 | HSUP14 HSUP24 |
| APAC New Zealand NZISM 3.6 | 3.2.10.C.04 3.4.11.C.01 |
Americas (2)
| Framework | Mapping Values |
|---|---|
| Americas Canada OSFI B-13 | 1.1.1 2.1.1 3.2.1 |
| Americas Canada ITSP-10-171 | 03.15.01.A 03.17.01.A |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to compel data and/ or process owners to operationalize cybersecurity and data protection practices for each system, application and/ or service under their control.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to compel data and/ or process owners to operationalize cybersecurity and data protection practices for each system, application and/ or service under their control.
Level 2 — Planned & Tracked
C|P-CMM2 is N/A, since a well-defined process is required to compel data and/ or process owners to operationalize cybersecurity and data protection practices for each system, application and/ or service under their control.
Level 3 — Well Defined
Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Statutory, regulatory and contractual compliance requirements for cybersecurity and data protection are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements.
- A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability.
- Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity and data protection.
- Controls are standardized across the organization to ensure uniformity and consistent execution.
- Corporate governance (executive oversight) exists for the cybersecurity and data protection, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization.
- Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization.
- Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity and data protection controls for each system, application and/ or service of which they have accountability.
- The organization designates one or more qualified individuals to govern the cybersecurity and data protection programs (e.g., Chief Information Security Officer or Chief Privacy Officer).
- Risk management processes are defined, to include materiality considerations.
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to compel data and/ or process owners to operationalize cybersecurity and data protection practices for each system, application and/ or service under their control.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to compel data and/ or process owners to operationalize cybersecurity and data protection practices for each system, application and/ or service under their control.
Assessment Objectives
- GOV-15_A01 roles and responsibilities exist to compel data and/or process owners to operationalize cybersecurity / data privacy practices for each system, application and/or service under their control.
- GOV-15_A02 Individual Contributor (IC) performance reviews cover how data and/or process owners operationalized cybersecurity / data privacy practices for each system, application and/or service under their control.
- GOV-15_A03 organization-defined systems security engineering principles are applied to the development or modification of the system and system components.
- GOV-15_A04 <A.03.16.01.ODP[01]: systems security engineering principles> are applied to the development or modification of the system and system components.
Technology Recommendations
Micro/Small
- ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP) (https://complianceforge.com)
Small
- ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP) (https://complianceforge.com)
Medium
- ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP) (https://complianceforge.com)
Large
- ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP) (https://complianceforge.com)
Enterprise
- ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP) (https://complianceforge.com)