3 Data Protection

Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.

Why Is This Control Critical?

Data is no longer only contained within an enterprise's border; it is in the cloud, on portable end-user devices where users work from home, and is often shared with partners or online services who might have it anywhere in the world. In addition to sensitive data an enterprise holds related to finances, intellectual property, and customer data, there also might be numerous international regulations for protection of personal data. Data privacy has become increasingly important, and enterprises are learning that privacy is about the appropriate use and management of data, not just encryption. Data must be appropriately managed through its entire lifecycle. These privacy rules can be complicated for multinational enterprises of any size; however, there are fundamentals that can apply to all.

Safeguards (14)

ID | Title | Asset Type | Function | Implementation Groups
3.1 | Establish and Maintain a Data Management Process | Data | Identify | IG1, IG2, IG3
3.2 | Establish and Maintain a Data Inventory | Data | Identify | IG1, IG2, IG3
3.3 | Configure Data Access Control Lists | Data | Protect | IG1, IG2, IG3
3.4 | Enforce Data Retention | Data | Protect | IG1, IG2, IG3
3.5 | Securely Dispose of Data | Data | Protect | IG1, IG2, IG3
3.6 | Encrypt Data on End-User Devices | Devices | Protect | IG1, IG2, IG3
3.7 | Establish and Maintain a Data Classification Scheme | Data | Identify | IG2, IG3
3.8 | Document Data Flows | Data | Identify | IG2, IG3
3.9 | Encrypt Data on Removable Media | Data | Protect | IG2, IG3
3.10 | Encrypt Sensitive Data in Transit | Data | Protect | IG2, IG3
3.11 | Encrypt Sensitive Data at Rest | Data | Protect | IG2, IG3
3.12 | Segment Data Processing and Storage Based on Sensitivity | Network | Protect | IG2, IG3
3.13 | Deploy a Data Loss Prevention Solution | Data | Protect | IG3
3.14 | Log Sensitive Data Access | Data | Detect | IG3