Establish, implement, and maintain a data handling program.


CONTROL ID: 13427
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a privacy framework that protects restricted data., CC ID: 11850

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain data handling policies., CC ID: 00353
  • Establish, implement, and maintain data handling procedures., CC ID: 11756


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • define and decide on an appropriate level of protection of data confidentiality, of continuity of the activities outsourced and of the integrity and traceability of data and systems in the context of the intended outsourcing. Institutions and payment institutions should also consider specific measur… (4.12.2 68(e), Final Report on EBA Guidelines on outsourcing arrangements)
  • The entity has defined policies and procedures for collecting and creating a data subject's PI. Refer to Component C3.0. (M1.0 Collection and creation, Privacy Management Framework, Updated March 1, 2020)
  • The entity has policies and procedures for handling PI to achieve the stated purposes and needs for which the PI was initially collected. Refer to Component U4.0. (M1.0 Use, retention and disposal, Privacy Management Framework, Updated March 1, 2020)
  • Secondly, intelligence agencies must comply with Intelligence Community standards for accuracy and objectivity, in particular with respect to ensuring data quality and reliability, the consideration of alternative sources of information and objectivity in performing analyses. (3.2.1.3 (156), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • Define and implement processes, procedures and technical measures to protect sensitive data throughout its lifecycle. (DSP-17, Cloud Controls Matrix, v4.0)
  • Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the classification, protection and handling of data throughout its lifecycle, and according to all applicable laws and regulations, standards, and risk level. Review and update the policies and proced… (DSP-01, Cloud Controls Matrix, v4.0)
  • Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data. (CIS Control 3: Data Protection, CIS Controls, V8)
  • Establish and maintain a data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant e… (CIS Control 3: Safeguard 3.1 Establish and Maintain a Data Management Process, CIS Controls, V8)
  • Ensure specimen collection, management, and referral network and procedures are functional (Pillar 5 Step 2 Action 1, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Consistent with the Principles, personal information must be limited to the information that is relevant for the purposes of processing. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by … (II.5.a., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • An organization must subject to the Principles all personal data received from the EU in reliance on the EU-U.S. DPF. The undertaking to adhere to the Principles is not time-limited in respect of personal data received during the period in which the organization enjoys the benefits of the EU-U.S. DP… (III.6.f., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Consistent with the Principles, personal information must be limited to the information that is relevant for the purposes of processing. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by … (ii.5.a., SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • An organization must subject to the Principles all personal data received from Switzerland in reliance on the Swiss-U.S. DPF. The undertaking to adhere to the Principles is not time-limited in respect of personal data received during the period in which the organization enjoys the benefits of the Sw… (iii.6.f., SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Consistent with the Principles, personal information must be limited to the information that is relevant for the purposes of processing. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by … (II.5.a., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • An organization must subject to the Principles all personal data received from the EU in reliance on the EU-U.S. DPF. The undertaking to adhere to the Principles is not time-limited in respect of personal data received during the period in which the organization enjoys the benefits of the EU-U.S. DP… (III.6.f., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Develop data standards, policies, and procedures. (T0068, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Assess efficiency of existing information exchange and management systems. (T0577, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Review and validate data mining and data warehousing programs, processes, and requirements. (T0064, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Collaborate across internal and/or external organizational lines to enhance collection, analysis and dissemination. (T0840, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Policies, processes, and procedures for authorizing data processing (e.g., organizational decisions, individual consent), revoking authorizations, and maintaining authorizations are established and in place. (CT.PO-P1, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • Develop data standards, policies, and procedures. (T0068, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Review and validate data mining and data warehousing programs, processes, and requirements. (T0064, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Develop data management capabilities (e.g., cloud-based, centralized cryptographic key management) to include support to the mobile workforce. (T0413, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Develop and implement data mining and data warehousing programs. (T0460, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Assess efficiency of existing information exchange and management systems. (T0577, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The requirements imposed on controllers and processors under this part may not restrict a controller's or processor's ability to collect, use, or retain data to do any of the following: (§ 501.717(1), Florida Statutes, Title XXXIII, Chapter 501, Sections 701-721, Florida Digital Bill of Rights)
  • The obligations imposed on controllers or processors under this chapter shall not restrict a controller's or processor's ability to collect, use, or retain data to: (§ 59.1-582.B., Code of Virginia Title 59.1, Chapter 53, Consumer Data Protection Act)