DSP-17: Sensitive Data Protection

CSF v1.1 References:

Control is new to this version of the control set.

Control Statement

Define and implement processes, procedures and technical measures to protect sensitive data throughout its lifecycle.

Implementation Guidance

Information rights management technology should be used and applied (when applicable) to all sensitive data. This technology can add a security layer that will help protect files from unauthorized copying, viewing, printing, forwarding, deleting, and editing.

Auditing Guidance

  1. Examine whether the organization's policy and procedures related to data privacy address the requirement to manage and protect sensitive data throughout its lifecycle.
  2. Establish whether the organization has documented the roles and responsibilities for this process.
  3. Select a sample of sensitive data types to establish the systems, processes, and controls operating to manage sensitive data throughout its lifecycle. Select a sample to establish the examples following the organization's processes.
  4. Review the organization's data breaches for examples for which this requirement was not followed correctly. Further, confirm that any relevant action plans were identified and carried out. Confirm that all relevant evidence was formally documented.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.