Does your organization maintain a documented inventory of designated data types of interest that require protection?
Explanation
Knowing what data needs protecting is at issue here: whether you maintain a documented inventory of the designated data types that warrant safeguarding. Examples include personally identifiable information (PII), protected health information (PHI), financial account data, intellectual property, and operational technology data.
An acceptable evidence would be a data classification document or inventory that lists all data types of interest, their sensitivity levels, and protection requirements. This document should be regularly reviewed and updated as new data types are introduced or regulatory requirements change.
Implementation Example
Maintain a list of the designated data types of interest (e.g., personally identifiable information, protected health information, financial account numbers, organization intellectual property, operational technology data)
ID: ID.AM-07.134
Context
- Function
- ID: IDENTIFY
- Category
- ID.AM: Asset Management
- Sub-Category
- Inventories of data and corresponding metadata for designated data types are maintained
Related questions
- Does your organization maintain comprehensive inventories of all hardware assets, including IT equipment, IoT devices, operational technology (OT), and mobile devices?
- Does your organization implement automated network monitoring to detect new hardware and update inventory records in real-time?
- Does your organization maintain a comprehensive inventory of all software and services, including commercial, open-source, custom, API, and cloud-based applications?
- Does your organization implement continuous monitoring for software and service inventory changes across all platforms, including containers and virtual machines?
- Does your organization maintain a comprehensive inventory of all systems within your environment?
- Does your organization maintain documented baselines of expected network communication patterns and data flows for both wired and wireless networks?

