Establish, implement, and maintain an e-discovery program.
CONTROL ID
00976
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Records management, CC ID: 00902

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain legal hold procedures for data and records., CC ID: 06810
  • Establish, implement, and maintain e-discovery record and log preparation procedures., CC ID: 00907
  • Document the evidential weight of the information and the information processing assets., CC ID: 00624
  • Provide parameters for discovery sampling., CC ID: 00977
  • Establish, implement, and maintain a document retrieval system to use during e-discovery., CC ID: 00985
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Implement a data-discovery methodology to confirm PCI DSS scope and to locate all sources and locations of clear-text PAN at least quarterly and upon significant changes to the cardholder environment or processes. (A3.2.5 ¶ 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • The effectiveness of data-discovery methods must be confirmed at least annually. (A3.2.5.1 ¶ 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Ensure effectiveness of methods used for data discovery—e.g., methods must be able to discover clear-text PAN on all types of system components (for example, on each operating system or platform) and file formats in use. (A3.2.5.1 ¶ 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • A data-discovery methodology is implemented that: (A3.2.5, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Confirms PCI DSS scope. (A3.2.5 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Effectiveness of methods is tested. (A3.2.5.1 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • The effectiveness of data-discovery methods is confirmed at least once every 12 months. (A3.2.5.1 Bullet 3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine the results of effectiveness tests to verify that the effectiveness of data-discovery methods is confirmed at least once every 12 months. (A3.2.5.1.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine the documented data-discovery methodology to verify it includes all elements specified in this requirement. (A3.2.5.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for Security Incident Management, E-Discovery, and Cloud Forensics. Review and update the policies and procedures at least annually. (SEF-01, Cloud Controls Matrix, v4.0)
  • The document and Information Management program should focus on business needs and the budgetary constraints on using its technology. (Comment 1.c ¶ 1, The Sedona Principles Addressing Electronic Document Production)
  • All parties should be prepared to talk about their records management policies and procedures, including the litigation hold process, during the initial meet and confer sessions. (Comment 1.d ¶ 1, The Sedona Principles Addressing Electronic Document Production)
  • The organization should ensure that affidavits and testimonies are accurate and that they are comprehensible to lay individuals who have little or no technical knowledge. (Comment 2.e ¶ 2, The Sedona Principles Addressing Electronic Document Production)
  • A variety of records need to be maintained to ensure transactions can be reconstructed in accordance with Bank Secrecy Act (BSA) requirements. (Pg 8, Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000)