Establish, implement, and maintain data governance and management practices.


CONTROL ID
14998
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Analyze organizational objectives, functions, and activities., CC ID: 00598

This Control has the following implementation support Control(s):
  • Address shortcomings of the data sets in the data governance and management practices., CC ID: 15087
  • Include any shortcomings of the data sets in the data governance and management practices., CC ID: 15086
  • Include bias for data sets in the data governance and management practices., CC ID: 15085
  • Include a data strategy in the data governance and management practices., CC ID: 15304
  • Include data monitoring in the data governance and management practices., CC ID: 15303
  • Include an assessment of the data sets in the data governance and management practices., CC ID: 15084
  • Include assumptions for the formulation of data sets in the data governance and management practices., CC ID: 15083
  • Include data collection for data sets in the data governance and management practices., CC ID: 15082
  • Include data preparations for data sets in the data governance and management practices., CC ID: 15081
  • Include design choices for data sets in the data governance and management practices., CC ID: 15080


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • It is necessary to specify the methods for transmission/receipt, storing and managing data files according to their importance. (P28.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Training, validation and testing data sets shall be subject to appropriate data governance and management practices. Those practices shall concern in particular, (Article 10 2., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • put in place policies that aim to ensure the maintenance of high standards of availability, authenticity, integrity and confidentiality, of data; (Art. 5.2. ¶ 2(b), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • ensure that data is protected from risks arising from data management, including poor administration, processing-related risks and human error. (Art. 9.3.(d), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Firstly, each intelligence agency must ensure appropriate data security and prevent access by unauthorised persons to personal data collected through signals intelligence. In this respect, different instruments, including statute, guidelines and standards further specify the minimum information secu… (3.2.1.3 (155), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • The governing body should recognize data as a valuable resource for decision-making by the governing body, the organization and others. (§ 6.8.1 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body should ensure that the organization identifies, manages, monitors and communicates the nature and extent of its use of data (see 6.5.3). (§ 6.8.3.1 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • acknowledge the complexities and growing importance of data and establish governance policies and direction that aligns with the organization's needs and the degree of change required; (§ 6.8.3.3 ¶ 1 c), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • understand the use, and potential use, of data by the organization and others (e.g. suppliers, customers, regulators and other relevant stakeholders as well as competitors and those who can misuse the data); (§ 6.8.3.3 ¶ 1 b), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: (§ 6.8.3.4 ¶ 2, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body should recognize data as a valuable resource for decision-making by the governing body, the organization and others. (Table 1 Column 4 Row 9, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body should, in particular, ensure that the organization recognizes data as a strategic resource and ensure that the organization uses data responsibly and ethically. (§ 6.8.3.1 ¶ 2, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • the organization's controlling and processing of data, ensuring that data are recognized as a valuable and strategic organizational resource (see 6.8); (§ 6.4.3.2 ¶ 1 h), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • ensure that the organization establishes a formal approach to its management of data and, where necessary, assurance is provided (see 6.4.3); (§ 6.8.3.3 ¶ 1 a), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • Existing governance of the use of data and data management practices should be reviewed where data are used in AI systems. In addition, for shared AI systems such as for industry analysis, additional governance policy and management controls can be required. (§ 6.4 ¶ 6, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • Some AI systems rely on data to build and train a model and therefore governance of data use is critical to the responsible use of AI. The governing body should ensure at an early stage that existing governance and management are adequate for the purpose for which that data are being used and that s… (§ 6.4 ¶ 1, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • Data and their use by organizations is an increasingly important issue for all organizations and their stakeholders. In accordance with the principles, models and data-specific aspects of governance outlined in ISO/IEC 38505-1, governing bodies should take actions that ensure the effective governanc… (§ 6.4 ¶ 10, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • Risk management is integral to all organizational activities. Although AI systems can deliver benefit to the organization, the organization's objectives related to good governance of decision-making, to use of data, and to the organization's desired culture and values should be revised to take accou… (§ 6.7.2 ¶ 1, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • ensuring that the use of data for model building or training complies with policy; (§ 6.6.2 ¶ 2 Bullet 4, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • Identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization's risk strategy; (Section 4.D ¶ 1(2)(b), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • Governance. The Predictive Decision Support Intervention(s) must be subject to policies and implemented controls for governance, including how data are acquired, managed, and used. (§ 170.315 (b) (11) (vi) (C), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • Focuses on identifying, managing, and securing the data; identifying business uses; and providing appropriate access regardless of how the data are stored. (App A Objective 3:6g, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management has data governance and data management processes that include defining responsibility and processes for governing data, including the identification, management, and oversight of any metadata, and promoting a culture that takes a data-centric approach. (App A Objective 3:4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Governance and use of information or data, protection of that data, and derivation of maximum value from it. (App A Objective 2:9b Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Ownership of the entity's strategic use of data and communication of information and data analytics. (App A Objective 2:9b Bullet 7, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management governs and manages data based on the entity-assigned data classification. (App A Objective 3:1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Management understands the common risks and mitigating controls related to data governance and data management. (III.A, "Data Governance and Data Management") (App A Objective 3, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Management should promote a culture that takes a data-centric approach for AIO functions and define responsibility and controls as part of data governance and data management processes. (III.A Action Summary ¶ 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Data management controls for safeguarding data in physical and digital form. (III.A Action Summary ¶ 2 Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Identify and manage the data, personnel, devices, systems, and facilities that enable you to achieve business purposes in accordance with their relative importance to business objectives and your risk strategy; (§ 314.4 ¶ 1(c)(2), 16 CFR Part 314, Standards for Safeguarding Customer Information, Final Rule, Amended February 15, 2022)
  • Systems, hardware, software, services, and data are managed throughout their life cycles (ID.AM-08, The NIST Cybersecurity Framework, v2.0)
  • The confidentiality, integrity, and availability of data-in-use are protected (PR.DS-10, The NIST Cybersecurity Framework, v2.0)
  • Identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the risk strategy of the licensee. (Section 27-62-4(d)(2) b., Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • Identification and management of the data, personnel, devices, systems and facilities that enable such licensee to achieve such licensee's business purposes in accordance with their relative importance to such licensee's business objectives and risk strategy; (Part VI(c)(4)(B)(ii), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • Identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization's risk strategy. (§ 8604.(d)(2) b., Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • Identify and manage the data, personnel, devices, systems, and facilities that enable the licensee to achieve business purposes in accordance with their relative importance to business objectives and the licensee's risk strategy; (§431:3B-203(2)(B), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • Identifying and managing the data, personnel, devices, systems, and facilities that enable the licensee to achieve business purposes in accordance with their relative importance to business objectives and risk strategy. (Sec. 18.(2)(B), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • Identify and manage the data, personnel, devices, systems, and facilities that enable the licensee to achieve its business purposes in accordance with the data, personnel, devices, systems, and facilities relative importance to the licensee’s business objectives and risk strategy. (507F.4 4.b.(2), Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • Identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization's risk strategy. (§2504.D.(2)(b), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • Identify and manage the data, personnel, devices, systems and facilities that enable the licensee to achieve its business purposes in accordance with their relative importance to business objectives and the licensee's risk management strategy; (§2264 4.B.(2), Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • Identifying and managing the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization's risk strategy. (Sec. 555.(4)(b)(ii), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization's risk strategy; (§ 60A.9851 Subdivision 4(2)(ii), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • Identify and manage the data, personnel, devices, systems and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization’s risk strategy; (§ 83-5-807 (4)(b)(ii), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • Identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization's risk strategy. (§ 420-P:4 IV.(b)(2), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • data governance, classification and retention; (§ 500.3 Cybersecurity Policy (b), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • Identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with the business' relative importance to business objectives and the organization's risk strategy; (26.1-02.2-03. 4.b.(2), North Dakota Century Code, Title 26.1, Chapter 26.1‑02.2, Sections 1-11, Insurance Data Security)
  • Identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization's risk strategy; (Section 3965.02 (D)(2)(b), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • identifying and managing the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization's risk strategy; (SECTION 38-99-20. (D)(2)(b), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • Identify and manage the data, personnel, devices, systems, and facilities that enable the licensee to achieve the licensee's business objectives in accordance with the relative importance of the data, personnel, devices, systems, and facilities to the licensee's business objectives and risk strategy… (§ 56-2-1004 (4)(B)(ii), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • Identify and manage the data, personnel, devices, systems, and facilities that enable the licensee to achieve its business purposes, taking into consideration the relative importance of the data, personnel, devices, systems, and facilities to the business objectives and risk strategy of the licensee… (§ 601.952(3)(b)2., Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)