Establish and Maintain a Data Inventory
Description
Establish and maintain a data inventory, based on the enterprise’s data management process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data.
Implementation Checklist
Tool Recommendations
Data governance and compliance platform with DLP, information protection, sensitivity labels, and insider risk management
Microsoft · Per-user subscription (E5/standalone)
Enterprise data loss prevention covering endpoint, network, storage, and cloud channels with policy-based content inspection
Broadcom · Enterprise license
Cloud-native DLP and CASB platform providing inline data protection for SaaS, IaaS, web, and endpoint
Netskope · Per-user subscription
Threats & Vulnerabilities (CIS RAM)
Threat Scenarios
Unknown Data Exposure During Breach
Confidentiality: Without a data inventory, the organization cannot determine what sensitive data was exposed in a breach, leading to delayed notifications and underestimated impact assessments.
Orphaned Sensitive Data in Decommissioned Systems
Confidentiality: Sensitive data on systems being decommissioned or migrated is not properly handled because no inventory tracks where sensitive data resides.
Vulnerabilities (When Safeguard Absent)
No Inventory of Sensitive Data Locations
Without a data inventory, the organization does not know where sensitive data is stored, processed, or transmitted, making it impossible to apply appropriate protections.
Inability to Scope Data Protection Controls
Security controls like encryption, access restrictions, and monitoring cannot be properly targeted without knowing which assets contain sensitive data.
Evidence Requirements
| Type | Evidence Item | Collection Frequency |
|---|---|---|
| Document | Current inventory or catalog documentation | Maintained continuously, reviewed quarterly |
| Document | Process/procedure documentation for identification activities | Reviewed annually |
| Technical | Asset/software inventory export with required fields populated | Exported quarterly for review |
| Record | Inventory review meeting minutes or sign-off | Per review cycle |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |