Establish, implement, and maintain an information management program.


CONTROL ID: 14315
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Records management, CC ID: 00902

This Control has the following implementation support Control(s):
  • Ensure data sets have the appropriate characteristics., CC ID: 15000
  • Ensure data sets are complete, are accurate, and are relevant., CC ID: 14999


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Points of access to the entity's information assets from internal and external users and outside entities and the types of data that flow through the points of access are identified, inventoried and managed. The types of users and the systems authorized to connect to each point of access are identif… (S7.1 Manages points of access, Privacy Management Framework, Updated March 1, 2020)
  • The purpose of the knowledge management practice is to maintain and improve the effective, efficient, and convenient use of information and knowledge across the organization. (5.1.4 ¶ 1, ITIL Foundation, 4 Edition)
  • Establish and maintain a data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant e… (CIS Control 3: Safeguard 3.1 Establish and Maintain a Data Management Process, CIS Controls, V8)
  • the organization shall specify, implement and maintain processes for managing its information; (Section 7.5 ¶ 1(c), ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • Understands where data reside and maintains the effectiveness of controls over that data. (App A Objective 3:5c, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management has data governance and data management processes that include defining responsibility and processes for governing data, including the identification, management, and oversight of any metadata, and promoting a culture that takes a data-centric approach. (App A Objective 3:4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management uses appropriate inventory mechanisms to effectively document, track, and oversee the entity's information and technology assets, including its hardware and software. As part of the technology asset inventory, determine whether management considers IT assets that do not … (App A Objective 4:3, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Oversight of data management and data analysis and management of data-related projects. (App A Objective 2:9b Bullet 4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Development of data-related policies, management of the data life cycle and the entity's data assets, oversight of compliance with applicable laws and regulations, and conformance with industry practices. (App A Objective 2:9b Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Design, build, implement, and maintain a knowledge management framework that provides end-users access to the organization's intellectual capital. (T0452, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Data are managed consistent with the organization's risk strategy to protect individuals' privacy, increase manageability, and enable the implementation of privacy principles (e.g., individual participation, data quality, data minimization). (Data Processing Management (CT.DM-P), NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • Design, build, implement, and maintain a knowledge management framework that provides end-users access to the organization's intellectual capital. (T0452, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)