| Control | Status | |
|---|---|---|
| Cybersecurity & Data Privacy Portfolio Management | Mechanisms exist to facilitate the implementation of cybersecurity & data privacy-related resource planning controls that define a viable plan for achieving cybersecurity & data privacy objectives. | |
| Strategic Plan & Objectives | Mechanisms exist to establish a strategic cybersecurity & data privacy-specific business plan and set of objectives to achieve that plan. | |
| Targeted Capability Maturity Levels | Mechanisms exist to define and identify targeted capability maturity levels. | |
| Cybersecurity & Data Privacy Resource Management | Mechanisms exist to address all capital planning and investment requests, including the resources needed to implement the cybersecurity & data privacy programs and document all exceptions to this requirement. | |
| Allocation of Resources | Mechanisms exist to identify and allocate resources for management, operational, technical and data privacy requirements within business process planning for projects / initiatives. | |
| Cybersecurity & Data Privacy In Project Management | Mechanisms exist to assess cybersecurity & data privacy controls in system project development to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting the requirements. | |
| Cybersecurity & Data Privacy Requirements Definition | Mechanisms exist to identify critical system components and functions by performing a criticality analysis for critical systems, system components or services at pre-defined decision points in the Secure Development Life Cycle (SDLC). | |
| Business Process Definition | Mechanisms exist to define business processes with consideration for cybersecurity & data privacy that determines: (1) The resulting risk to organizational operations, assets, individuals and other organizations; and (2) Information protection needs arising from the defined business processes and revises the processes as necessary, until an achievable set of protection needs is obtained. | |
| Secure Development Life Cycle (SDLC) Management | Mechanisms exist to ensure changes to systems within the Secure Development Life Cycle (SDLC) are controlled through formal change control procedures. | |