GOV-18: Quality Management System (QMS)

There is no evidence of a capability to govern a Quality Management System (QMS) to ensure cybersecurity and data protection processes conform with applicable statutory, regulatory and/or contractual obligations.

C|P-CMM1 is N/A, since a structured process is required to govern a Quality Management System (QMS) to ensure cybersecurity and data protection processes conform with applicable statutory, regulatory and/or contractual obligations.

C|P-CMM2 is N/A, since a well-defined process is required to govern a Quality Management System (QMS) to ensure cybersecurity and data protection processes conform with applicable statutory, regulatory and/or contractual obligations.

Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

• Statutory, regulatory and contractual compliance requirements for cybersecurity and data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements.
• A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability.
• Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity and data privacy.
• Controls are standardized across the organization to ensure uniformity and consistent execution.
• Corporate governance (executive oversight) exists for the cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization.
• Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization.
• Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity and data protection controls for each system, application and/ or service of which they have accountability.
• The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer).
• Risk management processes are defined, to include materiality considerations.

Cybersecurity & Privacy Governance (GOV) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

• Metrics are developed that provide management insight, per a quantitative understanding of process capabilities, to predict optimal performance, ensure continued operations and identify areas for improvement.
• Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
• Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
• Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
• Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
• Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
• Both business and technical stakeholders are involved in reviewing and approving proposed changes.

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to govern a Quality Management System (QMS) to ensure cybersecurity and data protection processes conform with applicable statutory, regulatory and/or contractual obligations.