13.1: Maintain an Inventory of Sensitive Information
Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization’s technology systems, including those located on-site or at a remote service provider.
Asset Type |
Security Function |
Implementation Groups |
|---|---|---|
Data |
Identify |
1, 2, 3 |
Dependencies
Sub-control 1.4: Maintain Detailed Asset Inventory
Inputs
Classification Scheme: The organizationally-defined classification scheme
The data set of sensitive information for which the organization is responsible, mapped to the classification scheme defined by Input 1
A mapping of an organization’s endpoints/systems containing sensitive information classified by Input 2 (ideally using the endpoint inventory; see sub-control 1.4)
Operations
Create the mappings of information deemed “sensitive” to the organization to the organization’s classification scheme.
Create the mappings of classified, sensitive information to the endpoints/systems on which that information is stored
Measures
M1 = 1 if the mappings of “sensitive” information to the organization’s classification scheme is provided; 0 otherwise
M2 = 1 if the mappings of classified, sensitive information to the endpoints/systems on which it resides is provided; 0 otherwise
Metrics
Existence
Metric |
Ensure the inventory of all sensitive information, cross-referenced with the systems
on which that information is kept, exists.
|
Calculation |
|