3.2 Establish and Maintain a Data Inventory
Implementation Groups: IG1, IG2, IG3

Control Group: 3. Data Protection
Asset Type: Data
Security Function: Identify

Description

Establish and maintain a data inventory, based on the enterprise’s data management process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data.

Implementation Checklist

1. Document the current state and create a baseline inventory
2. Define the data fields and attributes to track for each entry (at a minimum: what the data is, its classification, its owner, where it is stored, processed or transmitted, and when it was last reviewed)
3. Assign ownership and responsibilities
4. Establish the review cadence (annual at a minimum, with sensitive data prioritized) and update procedures
5. Select and deploy an inventory management tool
6. Populate the initial inventory with all known data sets, sensitive data at a minimum
7. Establish a process for adding and removing inventory entries as data stores are created, migrated or decommissioned
8. Draft the policy/procedure document
9. Obtain stakeholder review and approval
10. Communicate to affected personnel
11. Schedule periodic review and updates

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Unknown Data Exposure During Breach (Confidentiality)

Without a data inventory, the organization cannot determine what sensitive data was exposed in a breach, leading to delayed notifications and underestimated impact assessments.

Orphaned Sensitive Data in Decommissioned Systems (Confidentiality)

Sensitive data on systems being decommissioned or migrated is not properly handled because no inventory tracks where sensitive data resides.

Vulnerabilities (When Safeguard Absent)

No Inventory of Sensitive Data Locations

Without a data inventory, the organization does not know where sensitive data is stored, processed, or transmitted, so appropriate protections cannot be applied consistently or verified.

Inability to Scope Data Protection Controls

Security controls like encryption, access restrictions, and monitoring cannot be properly targeted without knowing which assets contain sensitive data.

Evidence Requirements

Type       Evidence Item                                                    Collection Frequency
Document   Current inventory or catalog documentation                       Maintained continuously, reviewed quarterly
Document   Process/procedure documentation for identification activities    Reviewed annually
Technical  Asset/software inventory export with required fields populated   Exported quarterly for review
Record     Inventory review meeting minutes or sign-off                     Per review cycle
Document   Governing policy document (current, approved, communicated)      Reviewed annually
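The checklist items on defining tracked fields and a review cadence, and the evidence item "inventory export with required fields populated", are the parts of this safeguard an assessor can check mechanically. The following is an added example, not part of the CIS page or of any CIS tooling: a small Python script that validates an inventory export for blank required fields and lists the entries whose review is overdue, sensitive data first. The field names, the 90-day interval for sensitive data (the safeguard itself only requires annual review) and the sample export are assumptions for illustration.

```python
"""Added example: check a data-inventory export against Safeguard 3.2.

Field names, review intervals and the sample export below are assumptions
for illustration; align them with your own data management process.
"""
from datetime import date

# Assumed minimum field set for an inventory entry (hypothetical).
REQUIRED_FIELDS = ("data_set", "classification", "owner", "location",
                   "retention", "last_reviewed")

# Maximum days between reviews per classification. The safeguard's floor is
# annual; the tighter interval for sensitive data is an assumed local policy.
REVIEW_DAYS = {"sensitive": 90, "internal": 365, "public": 365}


def missing_fields(record):
    """Names of required fields that are absent or blank in one record."""
    return [f for f in REQUIRED_FIELDS if not str(record.get(f, "")).strip()]


def parse_review_date(value):
    """Parse an ISO date string; return None when it is blank or malformed."""
    try:
        return date.fromisoformat(str(value).strip())
    except ValueError:
        return None


def validate_export(records):
    """Return [(data_set, [problems])] for every record that fails validation.

    An export that yields an empty list satisfies the 'required fields
    populated' evidence item.
    """
    findings = []
    for rec in records:
        problems = [f"missing {f}" for f in missing_fields(rec)]
        cls = rec.get("classification")
        if cls and cls not in REVIEW_DAYS:
            problems.append(f"unknown classification {cls!r}")
        if rec.get("last_reviewed") and parse_review_date(rec["last_reviewed"]) is None:
            problems.append("unparseable last_reviewed")
        if problems:
            findings.append((rec.get("data_set", "<unnamed>"), problems))
    return findings


def review_due(records, today):
    """Records past their review interval, sensitive data first.

    Returns [(data_set, classification, days_since_review)]. Entries with no
    parseable review date count as never reviewed (days_since_review=None)
    and sort ahead of dated entries of the same classification; dated
    entries sort by how long ago they were reviewed.
    """
    due = []
    for rec in records:
        cls = rec.get("classification", "")
        reviewed = parse_review_date(rec.get("last_reviewed", ""))
        name = rec.get("data_set", "<unnamed>")
        if reviewed is None:
            due.append((name, cls, None))
            continue
        days = (today - reviewed).days
        if days > REVIEW_DAYS.get(cls, 365):
            due.append((name, cls, days))
    due.sort(key=lambda d: (d[1] != "sensitive", d[2] is not None, -(d[2] or 0)))
    return due


# Constructed sample export (fictional data sets, not a real inventory).
SAMPLE_EXPORT = [
    {"data_set": "customer_pii", "classification": "sensitive",
     "owner": "privacy@example.com", "location": "pg-prod/customers",
     "retention": "7y", "last_reviewed": "2024-01-15"},
    {"data_set": "marketing_site", "classification": "public",
     "owner": "web@example.com", "location": "s3://example-www",
     "retention": "n/a", "last_reviewed": "2023-11-01"},
    {"data_set": "payroll_export", "classification": "sensitive",
     "owner": "", "location": "share://hr/payroll",
     "retention": "", "last_reviewed": "2024-05-10"},
    {"data_set": "legacy_crm_backup", "classification": "sensitive",
     "owner": "it@example.com", "location": "tape-offsite",
     "retention": "unknown", "last_reviewed": "2022-06-30"},
]

if __name__ == "__main__":
    as_of = date(2024, 6, 1)  # assumed review date for the sample run
    for name, problems in validate_export(SAMPLE_EXPORT):
        print(f"INVALID {name}: {', '.join(problems)}")
    for name, cls, days in review_due(SAMPLE_EXPORT, as_of):
        print(f"REVIEW DUE {name} ({cls}): {days} days since last review")
```

Run against the sample export as of 2024-06-01, the validation pass flags payroll_export for its blank owner and retention fields, and the review pass lists legacy_crm_backup and customer_pii (both sensitive, both past the 90-day interval) while leaving the public marketing_site entry alone because it is still within a year. The two outputs map onto two evidence items: the validation result backs the "required fields populated" export, and the review-due list is the input to the review meeting whose minutes or sign-off are retained per cycle.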