Data Protection
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
Why Is This Control Critical?
Data is no longer only contained within an enterprise's border; it is in the cloud, on portable end-user devices where users work from home, and is often shared with partners or online services who might have it anywhere in the world. In addition to sensitive data an enterprise holds related to finances, intellectual property, and customer data, there also might be numerous international regulations for protection of personal data. Data privacy has become increasingly important, and enterprises are learning that privacy is about the appropriate use and management of data, not just encryption. Data must be appropriately managed through its entire lifecycle. These privacy rules can be complicated for multinational enterprises of any size; however, there are fundamentals that can apply to all.
Related Policy Templates
Safeguards (14)
| ID | Title | Function | IG | Checklist Items | Evidence |
|---|---|---|---|---|---|
| 3.1 | Establish and Maintain a Data Management Process | Identify |
IG1
IG2
IG3
|
5 | 3 |
| 3.2 | Establish and Maintain a Data Inventory | Identify |
IG1
IG2
IG3
|
7 | 5 |
| 3.3 | Configure Data Access Control Lists | Protect |
IG1
IG2
IG3
|
8 | 5 |
| 3.4 | Enforce Data Retention | Protect |
IG1
IG2
IG3
|
5 | 3 |
| 3.5 | Securely Dispose of Data | Protect |
IG1
IG2
IG3
|
5 | 3 |
| 3.6 | Encrypt Data on End>User Devices | Protect |
IG1
IG2
IG3
|
7 | 5 |
| 3.7 | Establish and Maintain a Data Classification Scheme | Identify |
IG2
IG3
|
5 | 3 |
| 3.8 | Document Data Flows | Identify |
IG2
IG3
|
7 | 5 |
| 3.9 | Encrypt Data on Removable Media | Protect |
IG2
IG3
|
7 | 5 |
| 3.10 | Encrypt Sensitive Data in Transit | Protect |
IG2
IG3
|
7 | 5 |
| 3.11 | Encrypt Sensitive Data at Rest | Protect |
IG2
IG3
|
7 | 5 |
| 3.12 | Segment Data Processing and Storage Based on Sensitivity | Protect |
IG2
IG3
|
5 | 3 |
| 3.13 | Deploy a Data Loss Prevention Solution | Protect |
IG3
|
9 | 7 |
| 3.14 | Log Sensitive Data Access | Detect |
IG3
|
8 | 5 |
Audit Verification Details
Establish and maintain a data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Audit Verification Checklist
A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months.
Signed/approved policy document with review date
Roles and responsibilities for this safeguard are formally assigned and communicated.
RACI matrix, role assignment records, or job descriptions
An inventory or catalog is maintained, accurate, and complete.
Inventory export with timestamps showing recent updates
Inventory is reviewed and reconciled on the defined schedule.
Review meeting minutes, sign-off records, or change logs
New assets/items are added to the inventory within the defined onboarding window.
Sample of recently onboarded assets with inventory timestamps
| Type | Evidence Item | Frequency |
|---|---|---|
| Document | Current inventory or catalog documentation | Maintained continuously, reviewed quarterly |
| Document | Process/procedure documentation for identification activities | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
Establish and maintain a data inventory, based on the enterprise’s data management process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data.
Audit Verification Checklist
A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months.
Signed/approved policy document with review date
Roles and responsibilities for this safeguard are formally assigned and communicated.
RACI matrix, role assignment records, or job descriptions
Inventory tool is deployed and all required data fields are populated.
Inventory tool screenshot, exported data with populated fields
An inventory or catalog is maintained, accurate, and complete.
Inventory export with timestamps showing recent updates
Inventory is reviewed and reconciled on the defined schedule.
Review meeting minutes, sign-off records, or change logs
New assets/items are added to the inventory within the defined onboarding window.
Sample of recently onboarded assets with inventory timestamps
Process exists to identify and remediate unauthorized or unmanaged items.
Exception reports, unauthorized asset remediation records
| Type | Evidence Item | Frequency |
|---|---|---|
| Document | Current inventory or catalog documentation | Maintained continuously, reviewed quarterly |
| Document | Process/procedure documentation for identification activities | Reviewed annually |
| Technical | Asset/software inventory export with required fields populated | Exported quarterly for review |
| Record | Inventory review meeting minutes or sign-off | Per review cycle |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.
Audit Verification Checklist
A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months.
Signed/approved policy document with review date
Roles and responsibilities for this safeguard are formally assigned and communicated.
RACI matrix, role assignment records, or job descriptions
Required protection controls are deployed and configured per the approved baseline.
Configuration exports, screenshots, or compliance scan results
Control effectiveness has been validated through testing.
Test results, validation reports, or scan output
Access is granted based on least privilege and role-based access control.
RBAC configuration, access matrix documentation
Changes to protection controls follow the change management process.
Change tickets, approval records
Access reviews and recertifications are completed on schedule.
Access review records with sign-off and remediation actions
Privileged access is monitored and audited.
Privileged access logs, PAM session recordings or reports
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Record | Access review/recertification records with sign-off | Quarterly |
| Technical | Access control configuration evidence (RBAC settings, group memberships) | Reviewed quarterly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
Retain data according to the enterprise’s data management process. Data retention must include both minimum and maximum timelines.
Audit Verification Checklist
A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months.
Signed/approved policy document with review date
Roles and responsibilities for this safeguard are formally assigned and communicated.
RACI matrix, role assignment records, or job descriptions
Required protection controls are deployed and configured per the approved baseline.
Configuration exports, screenshots, or compliance scan results
Control effectiveness has been validated through testing.
Test results, validation reports, or scan output
Changes to protection controls follow the change management process.
Change tickets, approval records
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
Securely dispose of data as outlined in the enterprise’s data management process. Ensure the disposal process and method are commensurate with the data sensitivity.
Audit Verification Checklist
A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months.
Signed/approved policy document with review date
Roles and responsibilities for this safeguard are formally assigned and communicated.
RACI matrix, role assignment records, or job descriptions
Required protection controls are deployed and configured per the approved baseline.
Configuration exports, screenshots, or compliance scan results
Control effectiveness has been validated through testing.
Test results, validation reports, or scan output
Changes to protection controls follow the change management process.
Change tickets, approval records
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.
Audit Verification Checklist
A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months.
Signed/approved policy document with review date
Roles and responsibilities for this safeguard are formally assigned and communicated.
RACI matrix, role assignment records, or job descriptions
Required protection controls are deployed and configured per the approved baseline.
Configuration exports, screenshots, or compliance scan results
Control effectiveness has been validated through testing.
Test results, validation reports, or scan output
Encryption is applied to all in-scope data at rest and in transit using approved algorithms.
Encryption status reports, TLS scan results, disk encryption audit
Changes to protection controls follow the change management process.
Change tickets, approval records
Encryption keys are managed per the key management procedure (rotation, storage, access).
Key rotation logs, key management system audit
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | Encryption configuration evidence (disk encryption status, TLS settings) | Scanned monthly |
| Document | Key management procedures and key rotation records | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels, such as “Sensitive,” “Confidential,” and “Public,” and classify their data according to those labels. Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard.
Audit Verification Checklist
A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months.
Signed/approved policy document with review date
Roles and responsibilities for this safeguard are formally assigned and communicated.
RACI matrix, role assignment records, or job descriptions
An inventory or catalog is maintained, accurate, and complete.
Inventory export with timestamps showing recent updates
Inventory is reviewed and reconciled on the defined schedule.
Review meeting minutes, sign-off records, or change logs
New assets/items are added to the inventory within the defined onboarding window.
Sample of recently onboarded assets with inventory timestamps
| Type | Evidence Item | Frequency |
|---|---|---|
| Document | Current inventory or catalog documentation | Maintained continuously, reviewed quarterly |
| Document | Process/procedure documentation for identification activities | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Audit Verification Checklist
A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months.
Signed/approved policy document with review date
Roles and responsibilities for this safeguard are formally assigned and communicated.
RACI matrix, role assignment records, or job descriptions
Contracts with third parties include security requirements.
Contract excerpts showing security clauses
An inventory or catalog is maintained, accurate, and complete.
Inventory export with timestamps showing recent updates
Inventory is reviewed and reconciled on the defined schedule.
Review meeting minutes, sign-off records, or change logs
New assets/items are added to the inventory within the defined onboarding window.
Sample of recently onboarded assets with inventory timestamps
Third-party service providers are inventoried and risk-assessed.
Vendor inventory, risk assessment reports, security scorecards
| Type | Evidence Item | Frequency |
|---|---|---|
| Document | Current inventory or catalog documentation | Maintained continuously, reviewed quarterly |
| Document | Process/procedure documentation for identification activities | Reviewed annually |
| Record | Third-party risk assessment reports and scorecards | Annually per vendor |
| Document | Vendor contracts with security requirements | Per contract cycle |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
Encrypt data on removable media.
Audit Verification Checklist
A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months.
Signed/approved policy document with review date
Roles and responsibilities for this safeguard are formally assigned and communicated.
RACI matrix, role assignment records, or job descriptions
Required protection controls are deployed and configured per the approved baseline.
Configuration exports, screenshots, or compliance scan results
Control effectiveness has been validated through testing.
Test results, validation reports, or scan output
Encryption is applied to all in-scope data at rest and in transit using approved algorithms.
Encryption status reports, TLS scan results, disk encryption audit
Changes to protection controls follow the change management process.
Change tickets, approval records
Encryption keys are managed per the key management procedure (rotation, storage, access).
Key rotation logs, key management system audit
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | Encryption configuration evidence (disk encryption status, TLS settings) | Scanned monthly |
| Document | Key management procedures and key rotation records | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).
Audit Verification Checklist
A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months.
Signed/approved policy document with review date
Roles and responsibilities for this safeguard are formally assigned and communicated.
RACI matrix, role assignment records, or job descriptions
Required protection controls are deployed and configured per the approved baseline.
Configuration exports, screenshots, or compliance scan results
Control effectiveness has been validated through testing.
Test results, validation reports, or scan output
Encryption is applied to all in-scope data at rest and in transit using approved algorithms.
Encryption status reports, TLS scan results, disk encryption audit
Changes to protection controls follow the change management process.
Change tickets, approval records
Encryption keys are managed per the key management procedure (rotation, storage, access).
Key rotation logs, key management system audit
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | Encryption configuration evidence (disk encryption status, TLS settings) | Scanned monthly |
| Document | Key management procedures and key rotation records | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data.
Audit Verification Checklist
A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months.
Signed/approved policy document with review date
Roles and responsibilities for this safeguard are formally assigned and communicated.
RACI matrix, role assignment records, or job descriptions
Required protection controls are deployed and configured per the approved baseline.
Configuration exports, screenshots, or compliance scan results
Control effectiveness has been validated through testing.
Test results, validation reports, or scan output
Encryption is applied to all in-scope data at rest and in transit using approved algorithms.
Encryption status reports, TLS scan results, disk encryption audit
Changes to protection controls follow the change management process.
Change tickets, approval records
Encryption keys are managed per the key management procedure (rotation, storage, access).
Key rotation logs, key management system audit
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | Encryption configuration evidence (disk encryption status, TLS settings) | Scanned monthly |
| Document | Key management procedures and key rotation records | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data.
Audit Verification Checklist
A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months.
Signed/approved policy document with review date
Roles and responsibilities for this safeguard are formally assigned and communicated.
RACI matrix, role assignment records, or job descriptions
Required protection controls are deployed and configured per the approved baseline.
Configuration exports, screenshots, or compliance scan results
Control effectiveness has been validated through testing.
Test results, validation reports, or scan output
Changes to protection controls follow the change management process.
Change tickets, approval records
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data stored, processed, or transmitted through enterprise assets, including those located onsite or at a remote service provider, and update the enterprise's sensitive data inventory.
Audit Verification Checklist
A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months.
Signed/approved policy document with review date
Roles and responsibilities for this safeguard are formally assigned and communicated.
RACI matrix, role assignment records, or job descriptions
Contracts with third parties include security requirements.
Contract excerpts showing security clauses
Required protection controls are deployed and configured per the approved baseline.
Configuration exports, screenshots, or compliance scan results
Control effectiveness has been validated through testing.
Test results, validation reports, or scan output
Inventory tool is deployed and all required data fields are populated.
Inventory tool screenshot, exported data with populated fields
Changes to protection controls follow the change management process.
Change tickets, approval records
Process exists to identify and remediate unauthorized or unmanaged items.
Exception reports, unauthorized asset remediation records
Third-party service providers are inventoried and risk-assessed.
Vendor inventory, risk assessment reports, security scorecards
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | Asset/software inventory export with required fields populated | Exported quarterly for review |
| Record | Inventory review meeting minutes or sign-off | Per review cycle |
| Record | Third-party risk assessment reports and scorecards | Annually per vendor |
| Document | Vendor contracts with security requirements | Per contract cycle |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
Log sensitive data access, including modification and disposal.
Audit Verification Checklist
A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months.
Signed/approved policy document with review date
Roles and responsibilities for this safeguard are formally assigned and communicated.
RACI matrix, role assignment records, or job descriptions
Detection tools are deployed and actively collecting data.
Dashboard screenshots showing agent/sensor status and data flow
Alerting is configured with defined thresholds and notification channels.
Alert rule configuration exports, notification channel setup
Audit logging is enabled on all in-scope systems and forwarded to centralized SIEM.
SIEM source status dashboard, log forwarding configuration
Alerts are reviewed and triaged within the defined SLA.
Alert response logs, triage records with timestamps
Detection coverage has been tested with simulated events.
Detection test results, purple team exercise reports
Logs are retained per the defined retention period and reviewed on schedule.
Retention policy config, log review records
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Detection tool deployment evidence (dashboard screenshots, agent status) | Captured monthly |
| Technical | Sample alert/detection output demonstrating capability | Captured quarterly |
| Technical | SIEM dashboard showing log sources and collection status | Captured monthly |
| Record | Log review records and findings | Per review cycle |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |