{
  "scf_control_id": "GOV-01",
  "total": 22,
  "assessment_objectives": [
    {
      "scf_control_id": "GOV-01",
      "ao_id": "GOV-01_A01",
      "objective": "an organization-wide cybersecurity / data privacy governance program is developed.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-01a.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01",
      "ao_id": "GOV-01_A02",
      "objective": "the cybersecurity / data privacy governance program addresses management commitment.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-01a.02[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01",
      "ao_id": "GOV-01_A03",
      "objective": "the cybersecurity / data privacy governance program addresses statutory, regulatory and/or contractual compliance obligations.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-01a.02[05]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01",
      "ao_id": "GOV-01_A04",
      "objective": "the cybersecurity / data privacy governance program is protected from unauthorized disclosure.",
      "pptdf": "Technology",
      "origin": "53A_R5_PM-01c.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01",
      "ao_id": "GOV-01_A05",
      "objective": "the cybersecurity / data privacy governance program is protected from unauthorized modification.",
      "pptdf": "Technology",
      "origin": "53A_R5_PM-01c.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01",
      "ao_id": "GOV-01_A06",
      "objective": "the cybersecurity / data privacy governance program is disseminated.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-01a.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01",
      "ao_id": "GOV-01_A07",
      "objective": "the cybersecurity / data privacy governance program provides an overview of the requirements for the security program.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-01a.01[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01",
      "ao_id": "GOV-01_A08",
      "objective": "the cybersecurity / data privacy governance program provides a description of the security program management controls in place or planned for meeting those requirements.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-01a.01[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01",
      "ao_id": "GOV-01_A09",
      "objective": "the cybersecurity / data privacy governance program provides a description of the common controls in place or planned for meeting those requirements.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-01a.01[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01",
      "ao_id": "GOV-01_A10",
      "objective": "the cybersecurity / data privacy governance program includes the identification and assignment of roles.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-01a.02[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01",
      "ao_id": "GOV-01_A11",
      "objective": "the cybersecurity / data privacy governance program includes the identification and assignment of responsibilities.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-01a.02[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01",
      "ao_id": "GOV-01_A12",
      "objective": "the cybersecurity / data privacy governance program addresses coordination among organizational entities.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-01a.02[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01",
      "ao_id": "GOV-01_A13",
      "objective": "the cybersecurity / data privacy governance program reflects the coordination among the organizational entities responsible for cybersecurity / data privacy.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-01a.03",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01",
      "ao_id": "GOV-01_A14",
      "objective": "the cybersecurity / data privacy governance program is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-01a.04",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01",
      "ao_id": "GOV-01_A15",
      "objective": "the frequency at which to review / update the organization-wide cybersecurity / data privacy governance program is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-01_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01",
      "ao_id": "GOV-01_A16",
      "objective": "events that trigger the review / update of the organization-wide cybersecurity / data privacy governance program are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-01_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01",
      "ao_id": "GOV-01_A17",
      "objective": "the cybersecurity / data privacy governance program is reviewed / updated at the defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-01b.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01",
      "ao_id": "GOV-01_A18",
      "objective": "the cybersecurity / data privacy governance program is reviewed / updated following the defined events.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-01b.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01",
      "ao_id": "GOV-01_A19",
      "objective": "cybersecurity & data protection governance operations are conducted according to documented policies, standards, procedures and/or other organizational directives.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01",
      "ao_id": "GOV-01_A20",
      "objective": "adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support cybersecurity & data protection governance operations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01",
      "ao_id": "GOV-01_A21",
      "objective": "responsibility and authority for the performance of cybersecurity & data protection governance-related activities are assigned to designated personnel.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01",
      "ao_id": "GOV-01_A22",
      "objective": "personnel performing cybersecurity & data protection governance-related activities have the skills and knowledge needed to perform their assigned duties.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    }
  ]
}