Safeguard 3.1: Establish and Maintain a Data Management Process
Implementation Groups: IG1, IG2, IG3

Control Group: 3. Data Protection
Asset Type: Data
Security Function: Identify

Description

Establish and maintain a data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

Implementation Checklist

1. Document current state and create baseline inventory
2. Define data fields and attributes to track
3. Assign ownership and responsibilities
4. Establish review cadence and update procedures
5. Draft policy/procedure document
6. Obtain stakeholder review and approval
7. Communicate to affected personnel
8. Schedule periodic review and updates

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Uncontrolled Sensitive Data Sprawl (Confidentiality)

Without a data management process, sensitive data proliferates across uncontrolled locations, including personal drives, shadow IT services, and unsecured file shares.

Regulatory Violation from Undefined Data Handling (Confidentiality)

Absence of defined data sensitivity levels and handling requirements leads to GDPR, HIPAA, or PCI DSS violations when regulated data is processed without appropriate safeguards.

Data Hoarding Leading to Increased Breach Impact (Confidentiality)

Without data retention and disposal requirements, organizations retain data indefinitely, massively increasing the volume and sensitivity of data exposed during a breach.

Vulnerabilities (When Safeguard Absent)

No Formal Data Management Process

Without established data management procedures, there are no consistent rules for how data is classified, handled, retained, or disposed of across the enterprise.

Undefined Data Ownership and Accountability

The absence of designated data owners means no one is accountable for ensuring sensitive data receives appropriate protection throughout its lifecycle.

Evidence Requirements

| Type     | Evidence Item                                                        | Collection Frequency                          |
|----------|----------------------------------------------------------------------|-----------------------------------------------|
| Document | Current inventory or catalog documentation                           | Maintained continuously, reviewed quarterly   |
| Document | Process/procedure documentation for identification activities        | Reviewed annually                             |
| Document | Governing policy document (current, approved, communicated)          | Reviewed annually                             |