Back

Establish, implement, and maintain a sensitive information inventory.


CONTROL ID
13736
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS



This Control directly supports the implied Control(s):
  • Maintain up-to-date data flow diagrams., CC ID: 10059

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH



  • Locate and catalogue sensitive information stored throughout the enterprise (Critical components of information security 15) xi. ΒΆ 2 Bullet 1, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Conduct periodic checks for personal data stored in ICT systems. For personal data that is not required in any form anymore, securely dispose the data (refer to section 8). If there is a need to retain the data but not in identifiable form, e.g. for performing data analytics, consider anonymising th… (Annex A1: Classification and tracking 10, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • The entity has a process for identifying, locating and classifying its PI. This process is clearly described as an essential aspect of its data governance program which is aligned with its information security controls. Relevant control activity policies and procedures have been designed and placed … (M1.4, Privacy Management Framework, Updated March 1, 2020)
  • Create and maintain a data inventory, at least for any sensitive data and personal data. (DSP-03, Cloud Controls Matrix, v4.0)
  • Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory. (CIS Control 14: Sub-Control 14.5 Utilize an Active Discovery Tool to Identify Sensitive Data, CIS Controls, 7.1)
  • Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory. (CIS Control 14: Sub-Control 14.5 Utilize an Active Discovery Tool to Identify Sensitive Data, CIS Controls, V7)
  • Establish and maintain a data inventory, based on the enterprise's data management process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data. (CIS Control 3: Safeguard 3.2 Establish and Maintain a Data Inventory, CIS Controls, V8)