Does your organization maintain a tracking system that records the provenance, data owner, and geolocation for all designated sensitive data types?
Explanation
Sensitive-data tracking is what's being assessed: whether you maintain visibility into the provenance, owner, and geolocation of every designated sensitive data type. Such tracking is essential for data governance, regulatory compliance (like GDPR or CCPA), and enables proper incident response when data breaches occur.
Evidence of fulfillment could include a data inventory or catalog system that shows metadata fields for each data asset including origin/source information, assigned data owner/steward, and current storage location details. Screenshots of this system, a sample data tracking report, or documentation of your data classification and tracking procedures would serve as appropriate evidence.
Implementation Example
Track the provenance, data owner, and geolocation of each instance of designated data types
ID: ID.AM-07.137
Context
- Function
- ID: IDENTIFY
- Category
- ID.AM: Asset Management
- Sub-Category
- Inventories of data and corresponding metadata for designated data types are maintained
Related questions
- Does your organization maintain comprehensive inventories of all hardware assets, including IT equipment, IoT devices, operational technology (OT), and mobile devices?
- Does your organization implement automated network monitoring to detect new hardware and update inventory records in real-time?
- Does your organization maintain a comprehensive inventory of all software and services, including commercial, open-source, custom, API, and cloud-based applications?
- Does your organization implement continuous monitoring for software and service inventory changes across all platforms, including containers and virtual machines?
- Does your organization maintain a comprehensive inventory of all systems within your environment?
- Does your organization maintain documented baselines of expected network communication patterns and data flows for both wired and wireless networks?

