Does your organization have a process to continuously discover and analyze ad hoc data to identify new instances of sensitive data types?
Explanation
This question is about continuous data discovery: assessors want to see a process that keeps analyzing ad hoc data to surface new instances of sensitive data types. Continuous discovery helps prevent data sprawl and ensures that all sensitive information receives appropriate protection controls, regardless of where it resides or when it was created.
Evidence could include documentation of your data discovery tool configuration, scheduled scan reports, data classification policies, or screenshots of your data discovery dashboard showing regular scanning activities and results. Ideally, you should be able to demonstrate how newly discovered sensitive data is subsequently classified and protected.
Implementation Example
Continuously discover and analyze ad hoc data to identify new instances of designated data types
ID: ID.AM-07.135
Context
- Function
  - ID: IDENTIFY
- Category
  - ID.AM: Asset Management
- Sub-Category
  - Inventories of data and corresponding metadata for designated data types are maintained
Related questions
- Does your organization maintain comprehensive inventories of all hardware assets, including IT equipment, IoT devices, operational technology (OT), and mobile devices?
- Does your organization implement automated network monitoring to detect new hardware and update inventory records in real-time?
- Does your organization maintain a comprehensive inventory of all software and services, including commercial, open-source, custom, API, and cloud-based applications?
- Does your organization implement continuous monitoring for software and service inventory changes across all platforms, including containers and virtual machines?
- Does your organization maintain a comprehensive inventory of all systems within your environment?
- Does your organization maintain documented baselines of expected network communication patterns and data flows for both wired and wireless networks?

