Framework Category
Data Security
Data Security ensures the protection of data across its lifecycle—at rest, in transit, and in use—by enforcing confidentiality, integrity, and availability.
It includes secure handling, backup, and disposal of assets, integrity verification of hardware and software, and separation of development and production environments to reduce risk.
Implementation Questions
PR.DS-01
The confidentiality, integrity, and availability of data-at-rest are protected
Does your organization implement cryptographic controls (encryption, digital signatures, hashing) to protect the confidentiality and integrity of stored data across all relevant storage systems?
Cryptographic controls protect data at rest from unauthorized disclosure and tampering. Encryption renders stored data unreadable without the key, digital signatures let a verifier confirm who produced the data, and cryptographic hashes detect changes to it. A hash on its own only detects tampering if the attacker cannot also rewrite the stored reference hash, so integrity checks should rely on a keyed MAC, a signature, or an authenticated encryption mode such as AES-GCM that provides confidentiality and integrity together. Key management matters as much as the algorithm: keys should be stored separately from the data they protect (for example in a KMS or HSM), access-controlled, and rotated. These controls should be applied to files, databases, virtual machine images, container images, snapshots, and other storage systems according to the data's sensitivity classification.
Is full disk encryption implemented on all user endpoints (laptops, desktops, mobile devices) that store company data?
Full disk encryption (BitLocker, FileVault, LUKS, or the platform encryption on mobile devices) protects all data on an endpoint if the device is lost or stolen, because the disk cannot be read without a key that is released only after pre-boot authentication (a passphrase, PIN, or TPM-backed unlock). It covers operating system files, swap and hibernation files, temporary files, and user data that might contain sensitive information. An operating system login password alone does not protect the disk: an attacker can remove the drive or boot another OS and read it directly. Two points to evidence alongside coverage are that recovery keys are escrowed (for example in the MDM or directory) so a forgotten passphrase is not a data loss event, and that encryption status is reported centrally rather than assumed. FDE offers no protection once the device is unlocked and running, so it complements rather than replaces endpoint and access controls.
Does your organization validate digital signatures to verify the integrity and authenticity of software before installation or use?
Digital signature validation checks that software has not been modified since the publisher signed it and that the signing key belongs to the publisher you expect. Verification means checking the signature over the package or its hash manifest against a certificate or key that chains to a trust anchor you control, confirming that the certificate was valid (not expired or revoked) at signing time, and rejecting the installation if any step fails rather than merely logging it. Operating system package managers, code-signing schemes such as Authenticode and macOS notarization, and tools such as GPG or Sigstore all implement this pattern. A valid signature proves origin and integrity, not that the software is free of vulnerabilities, so it complements rather than replaces vulnerability management.
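The two points above, that a hash alone is not an integrity control when the attacker can rewrite the reference, and that software verification checks a signed manifest before trusting any artifact, can be made concrete. The following is an added example written for this page (it is not ResponseHub's code or any vendor's). It builds a SHA256SUMS-style manifest over some constructed in-memory artifacts, then shows that an attacker with write access simply recomputes the unkeyed manifest after tampering, whereas a keyed tag over the manifest catches the substitution. Python's standard library has no asymmetric signatures, so an HMAC stands in for the detached signature (GPG, Sigstore, Authenticode) you would verify in practice; the verification order is the same: check the tag over the manifest first, then every artifact against the manifest. The artifact contents and the key are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed sample artifacts: in-memory stand-ins for files in a software repository.
ARTIFACTS = {
    "installer.bin": b"\x7fELF...constructed installer bytes...",
    "config.yaml": b"log_level: info\nallow_remote: false\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict) -> dict:
    """Unkeyed manifest: name -> SHA-256 hex digest, like a SHA256SUMS file."""
    return {name: sha256_hex(data) for name, data in artifacts.items()}


def verify_manifest(artifacts: dict, manifest: dict) -> dict:
    """name -> True if the current content matches the digest recorded in the manifest."""
    return {
        name: hmac.compare_digest(sha256_hex(data), manifest.get(name, ""))
        for name, data in artifacts.items()
    }


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Keyed tag over the serialised manifest. Stands in for a detached signature;
    with a real signature the verifier would hold only the public key."""
    serialised = "\n".join(f"{h}  {n}" for n, h in sorted(manifest.items())).encode()
    return hmac.new(key, serialised, hashlib.sha256).hexdigest()


def verify_signed_manifest(artifacts: dict, manifest: dict, tag: str, key: bytes) -> bool:
    """Trust the manifest only after its tag checks out, then check every artifact against it."""
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return False
    return all(verify_manifest(artifacts, manifest).values())


def tamper_scenario() -> dict:
    key = secrets.token_bytes(32)  # constructed verification key for the demo
    manifest = build_manifest(ARTIFACTS)
    tag = sign_manifest(manifest, key)

    # An attacker who can write to the storage changes an artifact AND recomputes
    # the unkeyed manifest, which needs no secret.
    tampered = dict(ARTIFACTS)
    tampered["config.yaml"] = b"log_level: info\nallow_remote: true\n"
    forged_manifest = build_manifest(tampered)

    return {
        # Unkeyed hashes: useless once the reference is rewritten alongside the data.
        "unkeyed_detects_tamper_with_forged_manifest": not all(verify_manifest(tampered, forged_manifest).values()),
        # Unkeyed hashes do catch tampering if the original manifest was kept out of reach.
        "unkeyed_detects_tamper_with_original_manifest": not all(verify_manifest(tampered, manifest).values()),
        # The keyed tag no longer matches the forged manifest, so nothing is trusted.
        "keyed_detects_forged_manifest": not verify_signed_manifest(tampered, forged_manifest, tag, key),
        "keyed_accepts_original": verify_signed_manifest(ARTIFACTS, manifest, tag, key),
        "keyed_rejects_wrong_key": not verify_signed_manifest(ARTIFACTS, manifest, tag, b"not the key"),
    }
```

The same shape applies to package installation: the manifest or package signature is checked against a trusted key before any digest inside it is believed, and a failure at either step aborts the install.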
Does your organization have a policy and technical controls to restrict the use of removable media devices?
Removable media devices (USB drives, external hard drives, SD cards, etc.) can be used to exfiltrate sensitive data from your systems or to introduce malware. Restricting their use through both policy and technical means helps prevent data breaches and malware infections. Technical controls typically include endpoint device-control policies that block USB mass storage by default, allowlisting of encrypted corporate-issued drives where a business need exists, and logging of media insertions so exceptions can be reviewed.
Does your organization physically secure all removable media containing unencrypted sensitive information?
Removable media (USB drives, external hard drives, SD cards, etc.) containing unencrypted sensitive data presents a significant security risk if lost or stolen. Physical security measures such as locked drawers, safes, or secure rooms help prevent unauthorized access to these devices when not in use. Evidence of compliance could include documented physical security policies specific to removable media, photographs of secure storage locations with identifying information redacted, logs of media check-in/check-out procedures, or results from internal audits verifying proper storage of removable media containing sensitive information.
PR.DS-02
The confidentiality, integrity, and availability of data-in-transit are protected
Does your organization implement cryptographic controls to protect the confidentiality and integrity of network communications?
Cryptographic controls protect data in transit from interception and alteration. In practice this means TLS 1.2 or later (or IPsec, SSH, or an equivalent authenticated protocol) on every connection that carries sensitive data: encryption keeps the payload confidential if traffic is captured, certificate validation authenticates the server (and the client, with mutual TLS), and the protocol's integrity protection detects modification in flight. Encryption without certificate validation is not protection against a network attacker, who can simply present a certificate of their own. These controls matter most for public-facing web applications, remote access and administrative connections, service-to-service traffic inside cloud environments, and any interface that carries credentials or personal data. Legacy protocols (SSLv3, TLS 1.0 and 1.1, plaintext FTP, Telnet, and HTTP) should be disabled, not merely discouraged.
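As an added example (not part of the original page or any product's code), here are the two client-side TLS configurations a reviewer most often has to tell apart in Python's ssl module: a legacy context that turns off certificate and hostname verification and sets no protocol floor, next to a hardened one, with a small audit function that reports the settings an assessor would ask about. The ca_bundle parameter is an assumption for environments with a private CA; when it is None the operating system trust store is used.

```python
import ssl
from typing import Optional


def legacy_client_context() -> ssl.SSLContext:
    """The weak configuration still found in scripts and older integrations:
    any certificate is accepted, so any on-path attacker can impersonate the server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE   # traffic is encrypted, but to whom is unknown
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # no floor: whatever OpenSSL still allows
    return ctx


def hardened_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Certificate chain validated against the trust store (or an assumed private CA
    bundle), hostname checked against the certificate, TLS 1.2 as the floor."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """The three properties an assessor asks for, read back from the live context."""
    return {
        "verifies_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "min_tls_1_2": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
    }


def compare() -> dict:
    """Side-by-side report; usage in a real client would be
    ctx.wrap_socket(sock, server_hostname=host) with the hardened context."""
    return {
        "legacy": audit_context(legacy_client_context()),
        "hardened": audit_context(hardened_client_context()),
    }
```

The audit function is the useful part for evidence gathering: run it against the contexts an application actually builds rather than trusting a configuration document, since the legacy settings are usually a forgotten workaround for a self-signed certificate in test.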
Does your organization automatically encrypt or block outbound communications containing sensitive data based on data classification?
This control ensures that sensitive information is protected when transmitted outside the organization, either by encrypting it to maintain confidentiality or by blocking the transmission entirely when policy requires. It is typically enforced by data loss prevention (DLP) at the email gateway, web proxy, or cloud access security broker, keyed on classification labels applied when the data is created and on content inspection for patterns such as payment card or national identification numbers. The system should identify sensitive content from the established data classification policy and apply the appropriate protection automatically, without manual intervention. Content inspection needs validation logic (for example a checksum test on candidate card numbers) to keep false positives low enough that users do not work around the control.
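The decision logic such a control applies can be shown in a few dozen lines. The following is an added example for this page, not code from the original or from any DLP product: it combines an explicit classification label with content detection, validates candidate card numbers with the Luhn checksum so that a 16-digit order number is not treated as a card, and maps the result to allow, encrypt, or block per recipient. The [CLASS:...] label convention, the internal domain list, and the sample messages are all constructed assumptions.

```python
import re

# Assumed conventions for the demo: a label stamped into content by the classification
# tooling, and the domains treated as internal. Adjust to the environment.
INTERNAL_DOMAINS = {"corp.example"}
LABEL_RE = re.compile(r"\[CLASS:(PUBLIC|INTERNAL|CONFIDENTIAL|RESTRICTED)\]", re.IGNORECASE)
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")   # candidate payment card numbers
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")    # US Social Security Number layout


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random digit strings that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            pans.append(digits)
    return pans


def classify(text: str) -> tuple:
    """Return (explicit label or None, list of content-based detections)."""
    m = LABEL_RE.search(text)
    label = m.group(1).upper() if m else None
    reasons = []
    if find_pans(text):
        reasons.append("PAN")
    if SSN_RE.search(text):
        reasons.append("SSN")
    return label, reasons


def decide(text: str, recipient: str) -> dict:
    """Policy: internal recipients pass; RESTRICTED never leaves; CONFIDENTIAL or any
    detected PAN/SSN leaves only encrypted; everything else is allowed."""
    label, reasons = classify(text)
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in INTERNAL_DOMAINS:
        action = "allow"
    elif label == "RESTRICTED":
        action = "block"
    elif label == "CONFIDENTIAL" or reasons:
        action = "encrypt"
    else:
        action = "allow"
    return {"action": action, "label": label, "reasons": reasons}


# Constructed sample messages (text, recipient); the card numbers are public test numbers.
SAMPLES = [
    ("[CLASS:INTERNAL] Lunch on Friday?", "partner@vendor.example"),
    ("Card on file: 4242 4242 4242 4242, exp 12/27", "billing@vendor.example"),
    ("[CLASS:RESTRICTED] Q3 board deck attached.", "press@news.example"),
    ("Order 4111 1111 1111 1112 shipped today.", "customer@mail.example"),   # fails Luhn: not a PAN
    ("[CLASS:CONFIDENTIAL] Offer letter for review.", "hr@corp.example"),    # internal recipient
    ("Applicant SSN 123-45-6789 attached.", "agency@screening.example"),
]


def run_samples() -> list:
    return [decide(text, rcpt)["action"] for text, rcpt in SAMPLES]
```

Two design points carry over to production DLP: detection runs on content as well as labels, because users forget to label, and the validation step (here Luhn) is what keeps the control tolerable; a rule that flags every 16-digit number will be disabled within a month.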
Does your organization block access to personal email, file sharing, storage services, and other personal communication applications from corporate systems and networks?
Allowing access to personal communication services from corporate networks creates data exfiltration paths and increases the risk of malware infections, because these services bypass corporate controls such as DLP, email filtering, and malware scanning that protect organizational data. Examples include Gmail, Dropbox, personal OneDrive accounts, and messaging apps such as the WhatsApp web client. Blocking is usually implemented by category at the web proxy or cloud access security broker, with attempts logged, and works best when paired with sanctioned alternatives so that the block does not push users onto unmanaged devices instead.
Does your organization have controls in place to prevent the use of sensitive production data in non-production environments?
Using real production data (customer records, financial information, personal data) in development, testing, or staging environments creates significant security and privacy risks, since these environments rarely have the same access controls, monitoring, and hardening as production. Organizations should implement data masking, pseudonymization, or synthetic data generation to provide realistic test data without exposing sensitive information. Masking should be irreversible, or keyed with the key held only by the masking job, should preserve formats and referential integrity so that applications and joins still work, and should be applied before the data leaves the production boundary rather than after it lands in the lower environment. Where a copy of real data is unavoidable, the non-production environment must meet production controls and the copy should have a defined retention and deletion date.
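A masking job that meets those properties is short. Below is an added example written for this page, not code from the original or from any product: it pseudonymizes identifiers with a keyed HMAC so that the same person maps to the same token across tables (and across case variations of an email address), reduces card numbers to their last four digits in a format the application still accepts, and replaces fields that need no linkage with fixed placeholders. The record schema, the sample rows, and the per-job key are constructed; the key would be generated in the production-side job and never copied to the lower environment.

```python
import hashlib
import hmac
import re
import secrets


def pseudonym(value: str, key: bytes, prefix: str) -> str:
    """Deterministic keyed token: equal inputs give equal tokens so joins keep working,
    but without the key the mapping cannot be rebuilt by hashing guessed inputs."""
    normalised = value.strip().lower().encode("utf-8")
    return f"{prefix}_{hmac.new(key, normalised, hashlib.sha256).hexdigest()[:12]}"


def mask_pan(pan: str) -> str:
    """Format-preserving: only the last four digits survive, as on a receipt."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_record(rec: dict, key: bytes) -> dict:
    return {
        "customer_id": rec["customer_id"],                       # surrogate key, not identifying
        "full_name": pseudonym(rec["full_name"], key, "name"),
        "email": pseudonym(rec["email"], key, "user") + "@example.test",  # reserved TLD, never deliverable
        "phone": "+1-555-000-0000",                              # fixed placeholder: no linkage needed
        "card_number": mask_pan(rec["card_number"]),
        "signup_date": rec["signup_date"],                       # kept for date logic in tests
    }


def mask_dataset(rows: list, key: bytes) -> list:
    return [mask_record(r, key) for r in rows]


# Constructed production-like rows; the card numbers are public test numbers.
PROD_SAMPLE = [
    {"customer_id": 1001, "full_name": "Alice Example", "email": "alice@customer.example",
     "phone": "+1-415-555-0132", "card_number": "4242 4242 4242 4242", "signup_date": "2023-04-01"},
    {"customer_id": 1002, "full_name": "Bob Sample", "email": "bob@customer.example",
     "phone": "+1-415-555-0199", "card_number": "5555 5555 5555 4444", "signup_date": "2023-06-15"},
    # Same person as row 1 with a differently cased address: must map to the same token.
    {"customer_id": 1003, "full_name": "Alice Example", "email": "Alice@Customer.example",
     "phone": "+1-415-555-0132", "card_number": "4242 4242 4242 4242", "signup_date": "2024-01-09"},
]


def demo() -> list:
    masking_key = secrets.token_bytes(32)  # generated per job, never shipped to non-production
    return mask_dataset(PROD_SAMPLE, masking_key)
```

Because the tokens are keyed, holding the masked dataset does not let anyone recover the original emails by hashing a dictionary of likely addresses, which is the weakness of unkeyed hash pseudonymization.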
PR.DS-03
Assets are formally managed throughout removal, transfers, and disposition
PR.DS-04
Adequate capacity to ensure availability is maintained
PR.DS-05
Protections against data leaks are implemented
PR.DS-06
Integrity checking mechanisms are used to verify software, firmware, and information integrity
PR.DS-07
The development and testing environment(s) are separate from the production environment
PR.DS-08
Integrity checking mechanisms are used to verify hardware integrity
PR.DS-10
The confidentiality, integrity, and availability of data-in-use are protected
Does your organization have procedures to securely remove confidential data from processors and memory when it is no longer needed?
This question assesses whether your organization manages the lifecycle of sensitive information while it is in active memory. Confidential data that lingers after it is no longer needed creates unnecessary exposure: it can be recovered through memory-scraping malware, crash dumps and core files, swap or hibernation files, or memory-disclosure vulnerabilities. Examples include clearing encryption keys after use, wiping authentication tokens when sessions end, and zeroing customer data once a transaction completes. In managed languages, immutable strings and runtime copies cannot be wiped reliably, so secrets should be held in mutable buffers and overwritten as soon as they are no longer needed; in C and C++, use explicit_bzero, memset_s, or SecureZeroMemory, because an ordinary memset immediately before a free can be optimized away. Where memory may be written to disk, disable or encrypt swap and hibernation files and restrict core dumps on systems that process secrets.
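What "clearing a key after use" looks like in a managed language, including the failure path, is shown by this added example (written for this page, not taken from the original): the key lives in a mutable bytearray, a context manager zeroes it on exit whether or not the processing raised, and a check confirms the buffer is all zeros afterwards. The key material and message are constructed for the demo.

```python
import hashlib
import hmac
import secrets


def wipe(buf: bytearray) -> None:
    """Overwrite a mutable buffer in place. bytes and str objects are immutable and
    cannot be wiped, so secrets should never be converted to them."""
    buf[:] = bytes(len(buf))


def is_wiped(buf: bytearray) -> bool:
    return not any(buf)


class SecretBuffer:
    """Context manager that zeroes the secret on exit, including when the body raises."""

    def __init__(self, secret: bytearray):
        self.secret = secret

    def __enter__(self) -> bytearray:
        return self.secret

    def __exit__(self, exc_type, exc, tb) -> bool:
        wipe(self.secret)
        return False  # never swallow the exception; the caller still sees the failure


def mac_then_wipe(key: bytearray, message: bytes) -> str:
    """Use the key exactly once; the buffer is zeroed before this function returns."""
    with SecretBuffer(key) as k:
        return hmac.new(k, message, hashlib.sha256).hexdigest()


def demo() -> dict:
    # key_material exists only so the demo can check the tag; real code would receive
    # the key directly into a bytearray and never hold an immutable copy.
    key_material = secrets.token_bytes(32)
    key = bytearray(key_material)
    tag = mac_then_wipe(key, b"transaction 42")
    expected = hmac.new(key_material, b"transaction 42", hashlib.sha256).hexdigest()

    # Failure path: an exception during processing must still leave the key wiped.
    key2 = bytearray(key_material)
    try:
        with SecretBuffer(key2):
            raise RuntimeError("processing failed mid-transaction")
    except RuntimeError:
        pass

    return {
        "tag_correct": tag == expected,
        "key_wiped": is_wiped(key),
        "key2_wiped_after_exception": is_wiped(key2),
    }
```

The honest caveat for an assessor: the HMAC object copies the key into its own state, and the interpreter may leave other copies behind, so this shortens the exposure window rather than guaranteeing zero residue. That is the ceiling for managed runtimes; native code gets closer with explicit_bzero or memset_s on buffers it owns.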
Does your organization implement controls to protect data in use from unauthorized access by other users and processes on the same platform?
Data in use (actively being processed in memory) can be exposed to other users or processes running on the same system. This question assesses whether you have implemented memory protection, process isolation, access controls, and related safeguards to prevent leakage while data is being processed. Examples include operating system process isolation and memory protections, running services under dedicated least-privilege accounts rather than shared ones, tenant isolation on shared cloud or multi-tenant platforms, and, where data must be protected even from the host or its administrators, confidential computing based on hardware-backed enclaves or encrypted virtual machines.
PR.DS-11
Backups of data are created, protected, maintained, and tested
Does your organization implement a tiered backup strategy with near-real-time backups for critical data and scheduled backups for other data?
A tiered backup strategy ensures different types of data are backed up according to their importance and recovery requirements. Critical data should be backed up continuously or in near-real-time to minimize potential data loss in case of an incident, while less critical data can follow regular backup schedules (daily, weekly, etc.) based on business needs and recovery objectives.
Does your organization conduct annual testing of backups and restores for all types of data sources?
Regular testing of backup and restore procedures is the only way to know that data can actually be recovered after loss, corruption, or a security incident such as ransomware; a backup job that reports success can still produce an archive that does not restore. Testing should cover all data sources, including databases, file systems, configuration files, and application data, should verify that restored data is complete and consistent (for example by comparing checksums or record counts against the source), and should measure restore time against the recovery objectives set in the backup strategy. Annual testing is the minimum; test again after significant changes to backup tooling or infrastructure.
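An automated restore test is small enough to show in full. The following is an added example for this page, not code from the original or from any backup product: it records a digest of every file in a constructed source tree, writes a tar archive as the stand-in for the backup job's output, restores it into a fresh directory and compares, then flips one byte inside the archive to show that a backup that restores without error can still be wrong. The directory layout and file contents are constructed for the demo.

```python
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path


def file_digests(root: Path) -> dict:
    """Relative POSIX path -> SHA-256 of content, for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(source: Path) -> bytes:
    """Uncompressed tar in memory, standing in for the backup job's output."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for p in sorted(source.rglob("*")):
            tar.add(str(p), arcname=p.relative_to(source).as_posix(), recursive=False)
    return buf.getvalue()


def restore_and_verify(backup: bytes, expected: dict) -> dict:
    """Restore into a fresh directory and compare every file with the recorded digests."""
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(fileobj=io.BytesIO(backup), mode="r") as tar:
            # The 'data' filter (Python 3.12, backported to maintenance releases) refuses
            # absolute paths and '..' traversal inside an archive; fall back if absent.
            if hasattr(tarfile, "data_filter"):
                tar.extractall(restore_dir, filter="data")
            else:
                tar.extractall(restore_dir)
        actual = file_digests(Path(restore_dir))
    return {
        "restored": len(actual),
        "missing": sorted(set(expected) - set(actual)),
        "mismatched": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
    }


def demo() -> tuple:
    with tempfile.TemporaryDirectory() as d:
        src = Path(d) / "data"
        (src / "db").mkdir(parents=True)
        (src / "config").mkdir()
        (src / "db" / "customers.csv").write_text("id,name\n1,alice\n2,bob\n")   # constructed
        (src / "config" / "app.yaml").write_text("log_level: info\n")
        (src / "README.txt").write_text("constructed sample data\n")

        expected = file_digests(src)          # recorded at backup time, stored separately
        backup = make_backup(src)
        good = restore_and_verify(backup, expected)

        # Silent corruption: one byte inside the file data region of the archive.
        # tar only checksums headers, so extraction still succeeds.
        corrupted = bytearray(backup)
        corrupted[backup.index(b"alice")] ^= 0xFF
        bad = restore_and_verify(bytes(corrupted), expected)
    return good, bad
```

The report from the second run is the point: the restore "worked", every file came back, and customers.csv is wrong. Only a content comparison against digests recorded outside the backup catches that, which is why a restore test that merely checks the job exit code is not a restore test.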
Does your organization maintain offline and offsite backups that would remain unaffected by incidents or disasters impacting your primary systems?
Offline backups (disconnected from networks, or held in immutable, write-once storage that production identities cannot modify or delete) and offsite backups (stored in a different physical location) protect against ransomware, malware, physical disasters, and other threats that could compromise your primary systems together with any backups still connected to them. Because attackers routinely target backup infrastructure before detonating ransomware, backup systems should use separate administrative credentials from the production environment so that a single compromised identity cannot destroy both. These copies are your last line of defense when all other recovery options fail.
Does your organization enforce geographic separation and geolocation restrictions for data backup storage?
Geographic separation of data backups helps ensure that a disaster affecting one location doesn't compromise all copies of critical data. This practice involves storing backup data in physically distant locations from the primary data, with restrictions on where backup data can be stored based on compliance requirements, data sovereignty laws, or risk management policies.
ResponseHub is the product I wish I had when I was a CTO
Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.
As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!
I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.