GOV-15.1: Select Controls
Mechanisms exist to compel data and/or process owners to select required cybersecurity and data protection controls for each Technology Asset, Application and/or Service (TAAS) under their control.
Control Question: Does the organization compel data and/or process owners to select required cybersecurity and data protection controls for each Technology Asset, Application and/or Service (TAAS) under their control?
General (10)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | CC5.1 |
| IEC TR 60601-4-5 2021 | 4.1 4.6.1 |
| ISO 29100 2024 | 6.12 |
| ISO 42001 2023 | 8.1 |
| MPA Content Security Program 5.1 | OR-1.0 |
| NIST 800-171 R3 (source) | 03.15.01.a 03.17.01.a |
| TISAX ISA 6 | 1.2.1 1.2.4 5.3.1 5.3.2 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | GOV-15.1 |
| SCF CORE ESP Level 2 Critical Infrastructure | GOV-15.1 |
| SCF CORE ESP Level 3 Advanced Threats | GOV-15.1 |
US (8)
| Framework | Mapping Values |
|---|---|
| US DFARS Cybersecurity 252.204-70xx | 252.204-7008(c)(1) 252.204-7012(b) |
| US FCA CRM | 609.930(a) |
| US FIPPS | 2 |
| US HHS 45 CFR 155.260 | 155.260(a)(4) |
| US HIPAA Administrative Simplification 2013 (source) | 164.306(a)(1) |
| US HIPAA Security Rule / NIST SP 800-66 R2 (source) | 164.306(a)(1) |
| US NNPI (unclass) | 15.1 15.2 15.3 15.4 |
| US TSA / DHS 1580/82-2022-01 | III.B III.C.1 III.C.1.a III.C.1.b III.C.3 |
EMEA (12)
| Framework | Mapping Values |
|---|---|
| EMEA EU EBA GL/2019/04 | 3.3.4(22) 3.3.4(23) 3.4.1(30)(a) 3.4.1(30)(b) 3.4.1(30)(c) 3.4.1(30)(d) 3.4.1(30)(e) 3.4.1(30)(f) 3.4.1(30)(g) |
| EMEA EU DORA | 7(a) 7(b) 7(c) 7(d) |
| EMEA EU NIS2 | 21.1 21.2(a) 21.2(b) 21.2(c) 21.2(d) 21.2(e) 21.2(f) 21.2(g) 21.2(h) 21.2(i) 21.2(j) |
| EMEA Germany Banking Supervisory Requirements for IT (BAIT) | 5.1 |
| EMEA Qatar PDPPL | 8.3 11.1 |
| EMEA Saudi Arabia IoT CGIoT-1 2024 | 1-6-1 |
| EMEA Saudi Arabia OTCC-1 2022 | 2-3 2-3-2 |
| EMEA Serbia 87/2018 | 50 51 |
| EMEA Spain BOE-A-2022-7191 | 3.3 28.1(a) 28.1(b) 28.1(c) 28.2 28.3 37 |
| EMEA Spain 311/2022 | 28.1(a) 28.1(b) 28.1(c) 28.2 28.3 3.3 37 |
| EMEA UK CAF 4.0 | B4.a |
| EMEA UK CAP 1850 | A5 A6 |
APAC (3)
| Framework | Mapping Values |
|---|---|
| APAC Australia ISM June 2024 | ISM-1634 |
| APAC Australia Prudential Standard CPS230 | 29 |
| APAC New Zealand NZISM 3.6 | 3.2.10.C.04 |
Americas (2)
| Framework | Mapping Values |
|---|---|
| Americas Canada OSFI B-13 | 1.1.1 2.1.1 |
| Americas Canada ITSP-10-171 | 03.15.01.A 03.17.01.A |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to compel data and/ or process owners to select required cybersecurity and data protection controls for each system, application and/ or service under their control.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to compel data and/ or process owners to select required cybersecurity and data protection controls for each system, application and/ or service under their control.
Level 2 — Planned & Tracked
C|P-CMM2 is N/A, since a well-defined process is required to compel data and/ or process owners to select required cybersecurity and data protection controls for each system, application and/ or service under their control.
Level 3 — Well Defined
Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Statutory, regulatory and contractual compliance requirements for cybersecurity and data protection are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements.
- A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability.
- Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity and data protection.
- Controls are standardized across the organization to ensure uniformity and consistent execution.
- Corporate governance (executive oversight) exists for the cybersecurity and data protection, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization.
- Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization.
- Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity and data protection controls for each system, application and/ or service of which they have accountability.
- The organization designates one or more qualified individuals to govern the cybersecurity and data protection programs (e.g., Chief Information Security Officer or Chief Privacy Officer).
- Risk management processes are defined, to include materiality considerations.
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to compel data and/ or process owners to select required cybersecurity and data protection controls for each system, application and/ or service under their control.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to compel data and/ or process owners to select required cybersecurity and data protection controls for each system, application and/ or service under their control.
Assessment Objectives
- GOV-15.1_A01 roles and responsibilities exist to compel data and/or process owners to select required cybersecurity / data privacy controls for each system, application and/or service under their control.
- GOV-15.1_A02 Individual Contributor (IC) performance reviews cover how data and/or process owners select required cybersecurity / data privacy controls for each system, application and/or service under their control.
Technology Recommendations
Micro/Small
- SCF Integrated Controls Management (ICM) model (https://securecontrolsframework.com/integrated-controls-management)
Small
- SCF Integrated Controls Management (ICM) model (https://securecontrolsframework.com/integrated-controls-management)
Medium
- SCF Integrated Controls Management (ICM) model (https://securecontrolsframework.com/integrated-controls-management)
Large
- SCF Integrated Controls Management (ICM) model (https://securecontrolsframework.com/integrated-controls-management)
Enterprise
- SCF Integrated Controls Management (ICM) model (https://securecontrolsframework.com/integrated-controls-management)