ID.AM-07.137

Does your organization maintain a tracking system that records the provenance, data owner, and geolocation for all designated sensitive data types?

Explanation

This question assesses whether your organization has implemented data tracking mechanisms that maintain visibility of where sensitive data originated from, who is responsible for it, and where it is physically or virtually stored. Such tracking is essential for data governance, regulatory compliance (like GDPR or CCPA), and enables proper incident response when data breaches occur. Evidence of fulfillment could include a data inventory or catalog system that shows metadata fields for each data asset including origin/source information, assigned data owner/steward, and current storage location details. Screenshots of this system, a sample data tracking report, or documentation of your data classification and tracking procedures would serve as appropriate evidence.

Implementation Example

Track the provenance, data owner, and geolocation of each instance of designated data types

ID: ID.AM-07.137

Context

Function: ID: IDENTIFY
Category: ID.AM: Asset Management
Sub-Category: Inventories of data and corresponding metadata for designated data types are maintained

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron

Founder, ResponseHub