GOV-15.4: Authorize Technology Assets, Applications and/or Services (TAAS)
Mechanisms exist to compel data and/or process owners to obtain authorization for the production use of each Technology Asset, Application and/or Service (TAAS) under their control.
Control Question: Does the organization compel data and/or process owners to obtain authorization for the production use of each Technology Asset, Application and/or Service (TAAS) under their control?
General (7)
| Framework | Mapping Values |
|---|---|
| ISO/SAE 21434 2021 | RQ-06-34.c |
| ISO 29100 2024 | 6.12 |
| NIST 800-171 R3 (source) | 03.15.01.a 03.17.01.a |
| TISAX ISA 6 | 5.3.1 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | GOV-15.4 |
| SCF CORE ESP Level 2 Critical Infrastructure | GOV-15.4 |
| SCF CORE ESP Level 3 Advanced Threats | GOV-15.4 |
US (5)
| Framework | Mapping Values |
|---|---|
| US FCA CRM | 609.930(a) |
| US FIPPS | 2 |
| US HHS 45 CFR 155.260 | 155.260(a)(4) |
| US HIPAA Administrative Simplification 2013 (source) | 164.306(a)(1) |
| US HIPAA Security Rule / NIST SP 800-66 R2 (source) | 164.306(a)(1) |
EMEA (5)
| Framework | Mapping Values |
|---|---|
| EMEA EU DORA | 7(a) 7(b) 7(c) 7(d) |
| EMEA Qatar PDPPL | 8.3 11.1 |
| EMEA Saudi Arabia IoT CGIoT-1 2024 | 1-6-1 |
| EMEA Saudi Arabia OTCC-1 2022 | 2-3 2-3-2 |
| EMEA UK CAP 1850 | A5 |
APAC (2)
| Framework | Mapping Values |
|---|---|
| APAC Australia ISM June 2024 | ISM-0027 |
| APAC New Zealand NZISM 3.6 | 23.2.16.C.03 23.2.16.C.04 |
Americas (2)
| Framework | Mapping Values |
|---|---|
| Americas Canada OSFI B-13 | 1.1.1 2.1.1 |
| Americas Canada ITSP-10-171 | 03.15.01.A 03.17.01.A |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to compel data and/ or process owners to obtain authorization for the production use of each system, application and/ or service under their control.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to compel data and/ or process owners to obtain authorization for the production use of each system, application and/ or service under their control.
Level 2 — Planned & Tracked
C|P-CMM2 is N/A, since a well-defined process is required to compel data and/ or process owners to obtain authorization for the production use of each system, application and/ or service under their control.
Level 3 — Well Defined
Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Statutory, regulatory and contractual compliance requirements for cybersecurity and data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements.
- A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability.
- Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity and data privacy.
- Controls are standardized across the organization to ensure uniformity and consistent execution.
- Corporate governance (executive oversight) exists for the cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization.
- Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization.
- Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity and data protection controls for each system, application and/ or service of which they have accountability.
- The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer).
- Risk management processes are defined, to include materiality considerations.
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to compel data and/ or process owners to obtain authorization for the production use of each system, application and/ or service under their control.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to compel data and/ or process owners to obtain authorization for the production use of each system, application and/ or service under their control.
Assessment Objectives
- GOV-15.4_A01 roles and responsibilities exist to compel data and/or process owners to obtain authorization for the production use of each system, application and/or service under their control.
- GOV-15.4_A02 Individual Contributor (IC) performance reviews cover how data and/or process owners obtain authorization for the production use of each system, application and/or service under their control.
Technology Recommendations
Micro/Small
- SCF Integrated Controls Management (ICM) model (https://securecontrolsframework.com/integrated-controls-management)
Small
- SCF Integrated Controls Management (ICM) model (https://securecontrolsframework.com/integrated-controls-management)
Medium
- SCF Integrated Controls Management (ICM) model (https://securecontrolsframework.com/integrated-controls-management)
Large
- SCF Integrated Controls Management (ICM) model (https://securecontrolsframework.com/integrated-controls-management)
Enterprise
- SCF Integrated Controls Management (ICM) model (https://securecontrolsframework.com/integrated-controls-management)