GOV-16: Materiality Determination
Mechanisms exist to define materiality threshold criteria capable of designating an incident as material.
Control Question: Does the organization define materiality threshold criteria capable of designating an incident as material?
General (7)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | CC3.1-POF6 |
| NAIC Insurance Data Security Model Law (MDL-668) | 4.E(2)(b) |
| NIST CSF 2.0 (source) | DE.AE-04 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | GOV-16 |
| SCF CORE ESP Level 1 Foundational | GOV-16 |
| SCF CORE ESP Level 2 Critical Infrastructure | GOV-16 |
| SCF CORE ESP Level 3 Advanced Threats | GOV-16 |
US (3)
| Framework | Mapping Values |
|---|---|
| US SEC Cybersecurity Rule | 17 CFR 229.105(a) 17 CFR 229.105(b) 17 CFR 229.106(a) 17 CFR 229.106(b)(2) 17 CFR 229.106(c)(2) Form 8-K Item 1.05(a) |
| US - NV NOGE Reg 5 | 5.260.4 |
| US - NY DFS 23 NYCRR500 2023 Amd 2 | 500.4(b) 500.4(b)(3) 500.4(b)(5) 500.9(b)(1) 500.9(b)(2) |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to define materiality threshold criteria capable of designating an incident as material.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to define materiality threshold criteria capable of designating an incident as material.
Level 2 — Planned & Tracked
C|P-CMM2 is N/A, since a well-defined process is required to define materiality threshold criteria capable of designating an incident as material.
Level 3 — Well Defined
Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Statutory, regulatory and contractual compliance requirements for cybersecurity and data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements.
- A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability.
- Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity and data privacy.
- Controls are standardized across the organization to ensure uniformity and consistent execution.
- Corporate governance (executive oversight) exists for the cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization.
- Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization.
- Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity and data protection controls for each system, application and/ or service of which they have accountability.
- The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer).
- Risk management processes are defined, to include materiality considerations.
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to define materiality threshold criteria capable of designating an incident as material.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to define materiality threshold criteria capable of designating an incident as material.
Assessment Objectives
- GOV-16_A01 organization-specific criteria to define a materiality threshold capable of designating an incident as material is documented.
Evidence Requirements
- E-GOV-14 Materiality Threshold Definition
-
Documented evidence of criteria to define the organization's materiality threshold.
Cybersecurity & Data Protection Management
Technology Recommendations
Micro/Small
- SCF Cybersecurity & Data Privacy Risk Management Model (C|P-RMM) (https://securecontrolsframework.com/risk-management-model)
Small
- SCF Cybersecurity & Data Privacy Risk Management Model (C|P-RMM) (https://securecontrolsframework.com/risk-management-model)
Medium
- SCF Cybersecurity & Data Privacy Risk Management Model (C|P-RMM) (https://securecontrolsframework.com/risk-management-model)
Large
- SCF Cybersecurity & Data Privacy Risk Management Model (C|P-RMM) (https://securecontrolsframework.com/risk-management-model)
Enterprise
- SCF Cybersecurity & Data Privacy Risk Management Model (C|P-RMM) (https://securecontrolsframework.com/risk-management-model)