DSP-19: Data Location

PF v1.0 References:

Control is new to this version of the control set.

Control Statement

Define and implement processes, procedures and technical measures to specify and document the physical locations of data, including any locations in which data is processed or backed up.

Implementation Guidance

The CSP should track where data is stored, processed, and backed up to ensure that these locations are in line with the laws and regulations applicable to the CSP and are not prohibited. In addition, the registry of physical locations should be kept up to date and be shareable with the CSC (if requested).

Auditing Guidance

  1. Examine the organization's procedures, technical requirements, and other documentation used to direct, manage and review the records of the organization's physical data storage locations.
  2. Establish whether the organization has documented the roles and responsibilities for this process.
  3. Confirm that the organization’s policy and procedures include details of guidelines for the storage and processing of data within the designated countries/regions/zones/jurisdictions.
  4. Establish that the organization maintains a source(s) of record of its physical data storage locations and is able to trace data lineage. Select a range of entries to establish that the information is recorded appropriately.
  5. Confirm that the data storage records are accurate and complete as detailed in policy and procedures.
  6. Establish that the organization has documented its understanding of the extent of its remit in terms of its role as a supplier and the extent of its own supplier's obligations to this requirement.
  7. Confirm that the data storage process meets the organization's requirements as detailed in policy and procedures.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.