| Control | Control Description | Status |
|---|---|---|
| Cybersecurity & Data Protection Governance Program | Mechanisms exist to facilitate the implementation of cybersecurity & data protection governance controls. | |
| Steering Committee & Program Oversight | Mechanisms exist to coordinate cybersecurity, data protection and business alignment through a steering committee or advisory board, comprised of key cybersecurity, data privacy and business executives, which meets formally and on a regular basis. | |
| Status Reporting To Governing Body | Mechanisms exist to provide governance oversight reporting and recommendations to those entrusted to make executive decisions about matters considered material to the organization's cybersecurity & data protection program. | |
| Publishing Cybersecurity & Data Protection Documentation | Mechanisms exist to establish, maintain and disseminate cybersecurity & data protection policies, standards and procedures. | |
| Exception Management | Mechanisms exist to prohibit exceptions to standards, except when the exception has been formally assessed for risk impact, approved and recorded. | |
| Periodic Review & Update of Cybersecurity & Data Protection Program | Mechanisms exist to review the cybersecurity & data protection program, including policies, standards and procedures, at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness. | |
| Assigned Cybersecurity & Data Protection Responsibilities | Mechanisms exist to assign one or more qualified individuals with the mission and resources to centrally manage, coordinate, develop, implement and maintain an enterprise-wide cybersecurity & data protection program. | |
| Stakeholder Accountability Structure | Mechanisms exist to enforce an accountability structure so that appropriate teams and individuals are empowered, responsible and trained for mapping, measuring and managing data and technology-related risks. | |
| Authoritative Chain of Command | Mechanisms exist to establish an authoritative chain of command with clear lines of communication to remove ambiguity from individuals and teams related to managing data and technology-related risks. | |
| Measures of Performance | Mechanisms exist to develop, report and monitor cybersecurity & data privacy program measures of performance. | |
| Key Performance Indicators (KPIs) | Mechanisms exist to develop, report and monitor Key Performance Indicators (KPIs) to assist organizational management in performance monitoring and trend analysis of the cybersecurity & data privacy program. | |
| Key Risk Indicators (KRIs) | Mechanisms exist to develop, report and monitor Key Risk Indicators (KRIs) to assist senior management in performance monitoring and trend analysis of the cybersecurity & data privacy program. | |
| Contacts With Authorities | Mechanisms exist to identify and document appropriate contacts with relevant law enforcement and regulatory bodies. | |
| Contacts With Groups & Associations | Mechanisms exist to establish contact with selected groups and associations within the cybersecurity & data privacy communities to: (1) Facilitate ongoing cybersecurity & data privacy education and training for organizational personnel; (2) Maintain currency with recommended cybersecurity & data privacy practices, techniques and technologies; and (3) Share current cybersecurity and/or data privacy-related information including threats, vulnerabilities and incidents. | |
| Defining Business Context & Mission | Mechanisms exist to define the context of the organization's business model and document the organization's mission. | |
| Define Control Objectives | Mechanisms exist to establish control objectives as the basis for the selection, implementation and management of the organization's internal control system. | |
| Data Governance | Mechanisms exist to facilitate data governance to oversee the organization's policies, standards and procedures so that sensitive/regulated data is effectively managed and maintained in accordance with applicable statutory, regulatory and contractual obligations. | |
| Business As Usual (BAU) Secure Practices | Mechanisms exist to incorporate cybersecurity & data privacy principles into Business As Usual (BAU) practices through executive leadership involvement. | |
| Operationalizing Cybersecurity & Data Protection Practices | Mechanisms exist to compel data and/or process owners to operationalize cybersecurity & data privacy practices for each system, application and/or service under their control. | |
| Select Controls | Mechanisms exist to compel data and/or process owners to select required cybersecurity & data privacy controls for each system, application and/or service under their control. | |
| Implement Controls | Mechanisms exist to compel data and/or process owners to implement required cybersecurity & data privacy controls for each system, application and/or service under their control. | |
| Assess Controls | Mechanisms exist to compel data and/or process owners to assess if required cybersecurity & data privacy controls for each system, application and/or service under their control are implemented correctly and are operating as intended. | |
| Monitor Controls | Mechanisms exist to compel data and/or process owners to monitor systems, applications and/or services under their control on an ongoing basis for applicable threats and risks, as well as to ensure cybersecurity & data privacy controls are operating as intended. | |
| Materiality Determination | Mechanisms exist to define materiality threshold criteria capable of designating an incident as material. | |
| Material Risks | Mechanisms exist to define criteria necessary to designate a risk as a material risk. | |
| Material Threats | Mechanisms exist to define criteria necessary to designate a threat as a material threat. | |
| Cybersecurity & Data Privacy Status Reporting | Mechanisms exist to submit status reporting of the organization's cybersecurity and/or data privacy program to applicable statutory and/or regulatory authorities, as required. | |