Document ownership and stewardship of all relevant documented personal and sensitive data. Perform review at least annually.
A data responsibility matrix can be defined, documented, and communicated. The matrix should include, but is not limited to:
- Data type.
- The associated obligations (regulatory, contractual, or otherwise).
- The persons or roles responsible for the data.
- The frequency at which the documented personal and sensitive data should be reviewed.
- Examine the organization's data owner process and roles and responsibilities documentation. Establish that this process and key controls comply with the organization's data privacy and security policy. Establish whether the organization has documented the roles and responsibilities for this process.
- Establish that the organization maintains one or more sources of record listing data owners and the records for which they are responsible, and that these sources cover both personal data and sensitive data.
- In the absence of a documented procedure, interview the control owner(s), key staff involved in the process, and other relevant stakeholders affected by the process/control requirement(s), and determine whether the requirement(s) are understood. Evidence may be gathered by observing the individuals, systems, and processes associated with data management to determine whether the process requirements are generally understood and implemented consistently.
- Select a range of entries to establish the information recorded is correct.
- Assess whether oversight of the data ownership process meets the organization's expectations.
- Examine if the documentation is reviewed on an annual basis.
- Examine the measure(s) used to evaluate this process and determine whether they address implementation of the process/control requirement(s) as stipulated. The organization should periodically complete reviews, tests, or audits to measure the effectiveness of the implemented controls and to verify that non-compliance and opportunities for improvement are identified, evaluated for risk, reported, and corrected in a timely manner.
- Obtain and examine supporting documentation maintained as evidence of these metrics to determine if the office or individual responsible reviews the information and if identified issues were investigated and corrected. Determine if the individual or office is able to correct issues without the need to routinely escalate the issues to the next level of management. Examine related records to determine if the individual or office conducted any follow-ups on the deviations to verify they were corrected as intended.
Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.