PRM-04: Cybersecurity & Data Protection In Project Management
Mechanisms exist to assess cybersecurity and data protection controls in system project development to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting the requirements.
Control Question: Does the organization assess cybersecurity and data protection controls in system project development to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting the requirements?
General (43)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | CC3.1 CC4.1 CC5.2 |
| BSI Standard 200-1 | 8.2 |
| COBIT 2019 | EDM03.01 BAI01.01 BAI01.02 BAI01.03 BAI01.04 BAI01.05 BAI01.06 BAI01.07 BAI01.08 BAI01.09 BAI02.01 BAI02.02 BAI02.03 BAI02.04 BAI03.01 BAI03.02 BAI03.03 BAI03.04 BAI03.05 BAI03.06 BAI03.07 BAI03.08 BAI03.09 BAI03.10 BAI03.11 BAI03.12 BAI04.01 BAI04.02 BAI04.03 BAI04.04 BAI04.05 BAI11.01 BAI11.02 BAI11.03 BAI11.04 BAI11.05 BAI11.06 BAI11.07 BAI11.08 BAI11.09 |
| COSO 2017 | Principle 6 Principle 11 Principle 16 |
| CSA IoT SCF 2 | LGL-02 SET-05 |
| GovRAMP Low | CA-02 |
| GovRAMP Low+ | CA-02 |
| GovRAMP Moderate | CA-02 |
| GovRAMP High | CA-02 |
| ISO/SAE 21434 2021 | RQ-05-05.a RQ-05-05.b RC-05-10 RC-05-15 RC-05-16 RQ-06-01 RQ-06-05.a RQ-06-05.b RQ-06-11 RQ-06-12 |
| ISO 27002 2022 | 5.8 |
| ISO 27017 2015 | 6.1.5 |
| ISO 31010 2009 | 4.3.1 4.3.2 |
| ISO 42001 2023 | 7.4 A.4.2 A.6.2.2 |
| MITRE ATT&CK 10 | T1190, T1195, T1195.001, T1195.002, T1210 |
| MPA Content Security Program 5.1 | TS-1.12 |
| NIST Privacy Framework 1.0 | CM.AW-P3 CT.PO-P1 CT.DM-P1 CT.DM-P2 CT.DM-P3 CT.DM-P4 CT.DM-P5 CT.DM-P6 CT.DM-P7 CT.DM-P8 CT.DM-P9 CT.DM-P10 CT.PO-P4 |
| NIST 800-53 R4 | CA-2 |
| NIST 800-53 R4 (low) | CA-2 |
| NIST 800-53 R4 (moderate) | CA-2 |
| NIST 800-53 R4 (high) | CA-2 |
| NIST 800-53 R5 (source) | CA-2 |
| NIST 800-53B R5 (privacy) (source) | CA-2 |
| NIST 800-53B R5 (low) (source) | CA-2 |
| NIST 800-53B R5 (moderate) (source) | CA-2 |
| NIST 800-53B R5 (high) (source) | CA-2 |
| NIST 800-82 R3 LOW OT Overlay | CA-2 |
| NIST 800-82 R3 MODERATE OT Overlay | CA-2 |
| NIST 800-82 R3 HIGH OT Overlay | CA-2 |
| NIST 800-160 | 3.4 3.4.1 3.4.2 3.4.3 3.4.4 3.4.5 3.4.6 3.4.7 3.4.8 3.4.9 3.4.10 3.4.11 3.4.12 3.4.13 3.4.14 |
| NIST 800-161 R1 | CA-2 |
| NIST 800-161 R1 C-SCRM Baseline | CA-2 |
| NIST 800-161 R1 Level 2 | CA-2 |
| NIST 800-161 R1 Level 3 | CA-2 |
| PCI DSS 4.0.1 (source) | 1.1 |
| TISAX ISA 6 | 1.2.3 5.3.1 |
| UL 2900-1 2017 | 11.1 |
| UN R155 | 7.2.2.1(a) 7.2.2.1(b) 7.2.2.1(c) 7.2.2.2(a) 7.2.2.2(b) 7.2.2.2(c) 7.2.2.2(d) 7.2.2.2(e) 7.2.2.2(f) 7.2.2.2(g) 7.2.2.2(h) 7.2.2.3 7.2.2.4(a) 7.2.2.4(b) 7.2.2.5 7.3.4 |
| UN ECE WP.29 | 7.2.2.1(a) 7.2.2.1(b) 7.2.2.1(c) 7.2.2.2(a) 7.2.2.2(b) 7.2.2.2(c) 7.2.2.2(d) 7.2.2.2(e) 7.2.2.2(f) 7.2.2.2(g) 7.2.2.2(h) 7.2.2.3 7.2.2.4(a) 7.2.2.4(b) 7.2.2.5 7.3.4 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | PRM-04 |
| SCF CORE ESP Level 1 Foundational | PRM-04 |
| SCF CORE ESP Level 2 Critical Infrastructure | PRM-04 |
| SCF CORE ESP Level 3 Advanced Threats | PRM-04 |
US (12)
| Framework | Mapping Values |
|---|---|
| US C2M2 2.1 | ASSET-5.B.MIL2 THREAT-3.A.MIL2 RISK-5.B.MIL2 ACCESS-4.B.MIL2 SITUATION-4.B.MIL2 RESPONSE-5.B.MIL2 THIRD-PARTIES-3.B.MIL2 WORKFORCE-4.B.MIL2 ARCHITECTURE-5.B.MIL2 PROGRAM-3.B.MIL2 |
| US CERT RMM 1.2 | EC:SG4.SP5 FRM:SG1.SP2 RISK:SG3.SP1 |
| US CMS MARS-E 2.0 | CA-2 |
| US HIPAA HICP Small Practice | 5.S.B |
| US HIPAA HICP Medium Practice | 5.M.B |
| US HIPAA HICP Large Practice | 5.M.B |
| US IRS 1075 | CA-2 |
| US NISPOM 2020 | 8-610 |
| US NNPI (unclass) | 12.1 |
| US - MA 201 CMR 17.00 | 17.03(2)(h) |
| US - OR 646A | 622(2)(B)(i) 622(2)(B)(ii) 622(2)(B)(iii) 622(2)(B)(iv) |
| US - TX DIR Control Standards 2.0 | CA-2 |
EMEA (10)
| Framework | Mapping Values |
|---|---|
| EMEA EU EBA GL/2019/04 | 3.3.1(10) 3.3.1(13)(f) 3.6.1(62) 3.6.1(61) 3.6.1(63)(a) 3.6.1(63)(b) 3.6.1(63)(c) 3.6.1(63)(d) 3.6.1(63)(e) 3.6.1(63)(f) 3.6.1(64) 3.6.1(65) 3.6.1(66) |
| EMEA EU DORA | 7(a) 7(b) 7(c) 7(d) |
| EMEA EU NIS2 | 21.3 |
| EMEA Germany Banking Supervisory Requirements for IT (BAIT) | 7.1 7.2 7.3 |
| EMEA Israel CDMO 1.0 | 17.5 17.8 17.9 |
| EMEA Saudi Arabia CSCC-1 2019 | 1-3 2-13-1 2-13-2 2-13-3-1 2-13-3-2 2-13-3-3 2-13-3-4 |
| EMEA Saudi Arabia ECC-1 2018 | 1-6-1 1-6-4 |
| EMEA Saudi Arabia OTCC-1 2022 | 1-4-1-2 |
| EMEA Saudi Arabia SACS-002 | TPC-74 |
| EMEA Saudi Arabia SAMA CSF 1.0 | 3.1.5 |
APAC (5)
| Framework | Mapping Values |
|---|---|
| APAC Australia ISM June 2024 | ISM-1739 |
| APAC Japan ISMAP | 4.4.1 4.4.5 4.5.1 4.5.1.1 4.5.1.2 4.5.2 4.5.3 4.6 4.6.1 4.8.1 4.8.2 6.1.5 |
| APAC New Zealand HISF 2022 | HHSP11 HHSP28 HHSP31 HML11 HML28 HML31 HSUP24 |
| APAC New Zealand HISF Suppliers 2023 | HSUP24 |
| APAC Singapore MAS TRM 2021 | 5.1.1 5.1.2 5.1.3 5.1.4 5.2.1 5.2.2 5.4.1 5.4.2 5.4.3 5.4.4 5.8.1 5.8.2 |
Americas (3)
| Framework | Mapping Values |
|---|---|
| Americas Brazil LGPD | 6.8 |
| Americas Canada CSAG | 6.7 |
| Americas Canada OSFI B-13 | 1.2.1 2.3 2.3.1 2.4.1 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to assess cybersecurity and data protection controls in system project development to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting the requirements.
Level 1 — Performed Informally
Project & Resource Management (PRM) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Program/project management is decentralized.
- IT personnel work with data/process owners to help ensure secure practices are implemented throughout the System Development Lifecycle (SDLC) for all high-value projects.
Level 2 — Planned & Tracked
Project & Resource Management (PRM) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Program/project management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for Project Management (PM).
- The PM function facilitates the implementation of cybersecurity and data protection-related resource planning controls across the System Development Lifecycle (SDLC) for all projects.
- The responsibility for enforcing cybersecurity and data protection control implementation is assigned to business / process owners and asset custodians.
- The PM function enables project involvement for Information Assurance Program (IAP) as part of the organization's established project management processes to ensure both cybersecurity and data protection principles are identified and implemented.
Level 3 — Well Defined
Project & Resource Management (PRM) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization's business strategy to determine prioritized and authoritative guidance for program/project management practices.
- The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the enterprise with regards to program/project management.
- The CISO, or similar function, leverages a capability maturity model to define and identify targeted capability maturity levels for each of the functions that make up the cybersecurity and data protection program.
- A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data for program/project management.
- A steering committee is formally established to provide executive oversight of the cybersecurity and data protection program, including program/project management.
- A Project Management Office (PMO), or project management function, enables the centralized-implementation of cybersecurity and data protection-related resource planning controls across the System Development Lifecycle (SDLC) for all projects.
- The PMO determines the identification and allocation of resources for cybersecurity and data protection requirements within business process planning for projects and other initiatives.
- Project Management (PM) is centrally-managed across the enterprise to implement cybersecurity and data protection controls as part of the project management lifecycle, with the responsibility for enforcing cybersecurity and data protection control implementation assigned to business / process owners and asset custodians.
- Subordinate staff and stakeholders are educated on the capability maturity expectations and those targets are used to task individual contributor work activities in an effort to achieve the targeted maturity levels.
Level 4 — Quantitatively Controlled
Project & Resource Management (PRM) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
- Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
- Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
- Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
- Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
- Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to assess cybersecurity and data protection controls in system project development to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting the requirements.
Assessment Objectives
- PRM-04_A01 controls are assessed in the system and its environment of operation per an organization-defined assessment frequency to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting established cybersecurity / data privacy requirements.
- PRM-04_A02 an appropriate assessor or assessment team is selected for the type of assessment to be conducted.
- PRM-04_A03 a control assessment report is produced that documents the results of the assessment.
- PRM-04_A04 the results of the control assessment are provided to individuals or roles.
- PRM-04_A05 the frequency at which to assess controls in the system and its environment of operation is defined.
- PRM-04_A06 individuals or roles to whom control assessment results are to be provided are defined.
- PRM-04_A07 a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment.
- PRM-04_A08 a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness.
- PRM-04_A09 a control assessment plan is developed that describes the scope of the assessment, including the assessment environment.
- PRM-04_A10 a control assessment plan is developed that describes the scope of the assessment, including the assessment team.
- PRM-04_A11 a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities.
- PRM-04_A12 the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment.
Evidence Requirements
- E-PRM-03 Secure Development Lifecycle (SDLC)
-
Documented evidence of a secure development lifecycle that the organization utilizes for new initiatives or significant changes to existing initiatives to ensure cybersecurity & data privacy principles are identified and implemented by default.
Resource Management
Technology Recommendations
Micro/Small
- Product / project management
Small
- Product / project management
Medium
- Product / project management
Large
- Product / project management
- Program Management Office (PMO)
Enterprise
- Product / project management
- Program Management Office (PMO)