ID.AM-07.137

Does your organization maintain a tracking system that records the provenance, data owner, and geolocation for all designated sensitive data types?

Explanation

Sensitive-data tracking is what's being assessed: whether you maintain visibility into the provenance, owner, and geolocation of every designated sensitive data type. Such tracking is essential for data governance, regulatory compliance (like GDPR or CCPA), and enables proper incident response when data breaches occur.

Evidence of fulfillment could include a data inventory or catalog system that shows metadata fields for each data asset including origin/source information, assigned data owner/steward, and current storage location details. Screenshots of this system, a sample data tracking report, or documentation of your data classification and tracking procedures would serve as appropriate evidence.

Implementation Example

Track the provenance, data owner, and geolocation of each instance of designated data types

ID: ID.AM-07.137

Context

Function
ID: IDENTIFY
Category
ID.AM: Asset Management
Sub-Category
Inventories of data and corresponding metadata for designated data types are maintained

Related questions

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Signature
Neil Cameron
Founder, ResponseHub
Neil Cameron