DSP-01: Security and Privacy Policy and Procedures

CSF v1.1 References:

Control is new to this version of the control set and incorporates the following items from the previous version: DSI-04: Handling / Labeling / Security Policy, GRM-06: Policy, GRM-09: Policy Reviews.

Control Statement

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the classification, protection and handling of data throughout its lifecycle, and according to all applicable laws and regulations, standards, and risk level. Review and update the policies and procedures at least annually.

Implementation Guidance

Policies and procedures should include provisions for the following:

  1. Data classifications with clear definitions and examples.
  2. Acceptable use, handling, and storage of data by classifications.
  3. How long the classified data should be retained.
  4. How/when the classified data should be destroyed.
  5. Responsibilities of data stewards.

Maintain a data inventory and document data flow diagrams and associated technical measures. Document data protection controls and third-party data sharing practices. This documentation and associated risks should be shared with customers and data owners as needed. Examples include but are not limited to:

  • Access controls and data loss prevention (DLP) solutions with data tagging capabilities.
  • Define testing intervals based on data classification types or levels.
  • Executive leadership should approve policies (cf. GRC-01).
  • Note: Data life cycles include all stages (processing, storage, and transmission).

Auditing Guidance

  1. Examine the organization's policy and procedures related to data privacy. Determine if a framework exists to ensure that the organization monitors the regulatory and legislative environment for changes applicable to the organization. Confirm whether the organization has documented the roles and responsibilities that support the management of its policy.
  2. Determine whether policy and procedure content is sufficient to direct the compliant and lawful management of personal data and to address non-compliance.
  3. Confirm whether policy addresses the requirement that the organization's data is used only for authorized purposes and in compliance with legislation and regulation.
  4. Examine if the policy and procedures are reviewed on an appropriate basis.
  5. Examine the measures that evaluate compliance with the organization's data privacy and security policy, and determine whether those measures address implementation of the policy and control requirements as stipulated.
  6. Examine documentation to determine if the function responsible for data privacy compliance reviews the information to determine whether the organization is compliant with current legislation and regulation.
  7. Confirm that a procedure exists for following up on deviations from current legislation and regulations, and that it is kept up to date.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.