Create data flow documentation to identify what data is processed, stored or transmitted where. Review data flow documentation at defined intervals, at least annually, and after any change.
Review and update the data flow documentation periodically.
- Examine the organization's procedures and technical requirements for recording data flows, and verify that a review is carried out at least annually. Establish that this process and key controls comply with the organization's data privacy and security policy. Establish whether the organization has documented the roles and responsibilities for this process.
- Select a sample of documents to check that they have been completed to the correct specifications and reviewed.
- Review whether the data flow documentation includes an assessment of the accuracy, completeness, timeliness, and sustainability of the data (flow).
- Examine measure(s) that evaluate(s) this process and determine if the measure(s) address(es) implementation of the process/control requirement(s) as stipulated. Reviews, tests, or audits should be completed periodically by the organization to measure the effectiveness of the implemented controls and to verify that non-compliance and opportunities for improvement are identified, evaluated for risk, reported, and corrected in a timely manner.
- Obtain and examine supporting documentation maintained as evidence of these metrics to determine if the office or individual responsible reviews the information and if identified issues were investigated and corrected. Determine if the individual or office is able to correct issues without the need to routinely escalate the issues to the next level of management. Examine related records to determine if the individual or office conducted any follow-ups on the deviations to verify they were corrected as intended.
[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]
Cloud Controls Matrix is Copyright 2023 Cloud Security Alliance.