GOV-15.3: Assess Controls
Mechanisms exist to compel data and/or process owners to assess if required cybersecurity and data protection controls for each Technology Asset, Application and/or Service (TAAS) under their control are implemented correctly and are operating as intended.
Control Question: Does the organization compel data and/or process owners to assess if required cybersecurity and data protection controls for each Technology Asset, Application and/or Service (TAAS) under their control are implemented correctly and are operating as intended?
General (9)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | CC4.2-POF1 |
| ISO/SAE 21434 2021 | RQ-09-11.a RQ-09-11.b RQ-10-10.a RQ-10-10.b RQ-10-10.c RQ-10-10.d RQ-10-11 RQ-10-12 RQ-10-13 RQ-11-01.a RQ-11-01.b RQ-11-01.c RQ-11-01.d RQ-11-02 |
| ISO 29100 2024 | 6.12 |
| ISO 42001 2023 | 8.1 |
| NIST 800-171 R3 (source) | 03.15.01.a 03.17.01.a |
| TISAX ISA 6 | 5.3.1 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | GOV-15.3 |
| SCF CORE ESP Level 2 Critical Infrastructure | GOV-15.3 |
| SCF CORE ESP Level 3 Advanced Threats | GOV-15.3 |
US (6)
| Framework | Mapping Values |
|---|---|
| US FCA CRM | 609.930(a) |
| US FIPPS | 2 |
| US HHS 45 CFR 155.260 | 155.260(a)(4) |
| US HIPAA Administrative Simplification 2013 (source) | 164.306(a)(1) |
| US HIPAA Security Rule / NIST SP 800-66 R2 (source) | 164.306(a)(1) |
| US NNPI (unclass) | 14.1 |
EMEA (7)
| Framework | Mapping Values |
|---|---|
| EMEA EU EBA GL/2019/04 | 3.4.6(41) 3.4.6(42) 3.4.6(43) 3.4.6(43)(a) 3.4.6(43)(b) 3.4.6(44) 3.4.6(45) 3.4.6(46) 3.4.6(47) 3.4.6(48) |
| EMEA EU DORA | 7(a) 7(b) 7(c) 7(d) |
| EMEA Qatar PDPPL | 8.3 11.1 11.2 |
| EMEA Saudi Arabia IoT CGIoT-1 2024 | 1-6-1 |
| EMEA Saudi Arabia OTCC-1 2022 | 2-3 2-3-2 |
| EMEA Serbia 87/2018 | 50 51 |
| EMEA UK CAP 1850 | A5 A6 B4 |
APAC (1)
| Framework | Mapping Values |
|---|---|
| APAC Australia ISM June 2024 | ISM-1636 |
Americas (2)
| Framework | Mapping Values |
|---|---|
| Americas Canada OSFI B-13 | 1.1.1 2.1.1 |
| Americas Canada ITSP-10-171 | 03.15.01.A 03.17.01.A |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to compel data and/ or process owners to assess if required cybersecurity and data protection controls for each system, application and/ or service under their control are implemented correctly and are operating as intended.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to compel data and/ or process owners to assess if required cybersecurity and data protection controls for each system, application and/ or service under their control are implemented correctly and are operating as intended.
Level 2 — Planned & Tracked
C|P-CMM2 is N/A, since a well-defined process is required to compel data and/ or process owners to assess if required cybersecurity and data protection controls for each system, application and/ or service under their control are implemented correctly and are operating as intended.
Level 3 — Well Defined
Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Statutory, regulatory and contractual compliance requirements for cybersecurity and data protection are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements.
- A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability.
- Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity and data protection.
- Controls are standardized across the organization to ensure uniformity and consistent execution.
- Corporate governance (executive oversight) exists for the cybersecurity and data protection, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization.
- Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization.
- Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity and data protection controls for each system, application and/ or service of which they have accountability.
- The organization designates one or more qualified individuals to govern the cybersecurity and data protection programs (e.g., Chief Information Security Officer or Chief Privacy Officer).
- Risk management processes are defined, to include materiality considerations.
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to compel data and/ or process owners to assess if required cybersecurity and data protection controls for each system, application and/ or service under their control are implemented correctly and are operating as intended.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to compel data and/ or process owners to assess if required cybersecurity and data protection controls for each system, application and/ or service under their control are implemented correctly and are operating as intended.
Assessment Objectives
- GOV-15.3_A01 roles and responsibilities exist to compel data and/or process owners to assess if required cybersecurity / data privacy controls for each system, application and/or service under their control are implemented correctly and are operating as intended.
- GOV-15.3_A02 Individual Contributor (IC) performance reviews cover how data and/or process owners assess if required cybersecurity / data privacy controls for each system, application and/or service under their control are implemented correctly and are operating as intended.
Technology Recommendations
Micro/Small
- SCF Integrated Controls Management (ICM) model (https://securecontrolsframework.com/integrated-controls-management)
Small
- SCF Integrated Controls Management (ICM) model (https://securecontrolsframework.com/integrated-controls-management)
Medium
- SCF Integrated Controls Management (ICM) model (https://securecontrolsframework.com/integrated-controls-management)
Large
- SCF Integrated Controls Management (ICM) model (https://securecontrolsframework.com/integrated-controls-management)
Enterprise
- SCF Integrated Controls Management (ICM) model (https://securecontrolsframework.com/integrated-controls-management)