Data Protection

Model | Operations | Operational Management | Data Protection

Benefit

Understanding of sensitivity of processed data with derived quick-win measures

Activity

Understand the types and sensitivity of data stored and processed by your applications, and maintain awareness of the fate of processed data (e.g., backups, sharing with external partners). At this level of maturity, the information gathered may be captured in varying forms and different places; no organization-wide data catalog is assumed to exist. Protect and handle all data associated with a given application according to protection requirements applying to the most sensitive data stored and processed.

Implement basic controls, to prevent propagation of unsanitized sensitive data from production environments to lower environments. By ensuring unsanitized production data are never propagated to lower (non-production) environments, you can focus data protection policies and activities on production.

Question

Do you protect and handle information according to protection requirements for data stored and processed on each application?

Quality criteria

You know the data elements processed and stored by each application
You know the type and sensitivity level of each identified data element
You have controls to prevent propagation of unsanitized sensitive data from production to lower environments

Answers

No
Yes, for some applications
Yes, for at least half of the applications
Yes, for most or all of the applications

Benefit

Standardized handling of different classes of sensitive data

Activity

At this maturity level, Data Protection activities focus on actively managing your stewardship of data. Establish technical and administrative controls to protect the confidentiality of sensitive data, and the integrity and availability of all data in your care, from its initial creation/receipt through the destruction of backups at the end of their retention period.

Identify the data stored, processed, and transmitted by applications, and capture information regarding their types, sensitivity (classification) levels, and storage location(s) in your data catalog. Clearly identify records or data elements subject to specific regulation. Establishing a single source of truth regarding the data you work with supports finer-grained selection of controls for their protection. Collecting this information enhances the accuracy, timeliness, and efficiency of your responses to data-related queries (e.g., from auditors, incident response teams, or customers), and supports threat modeling and compliance activities.

Based on your Data Protection Policy, establish processes and procedures for protecting and preserving data throughout their lifetime, whether at rest, while being processed, or in transit. Pay particular attention to the handling and protection of sensitive data outside the active processing system, including, but not limited to: storage, retention, and destruction of backups; and the labeling, encryption, and physical protection of offline storage media. Your processes and procedures cover the implementation of all controls adopted to comply with regulatory, contractual, or other restrictions on storage locations, personnel access, and other factors.

Question

Do you maintain a data catalog, including types, sensitivity levels, and processing and storage locations?

Quality criteria

The data catalog is stored in an accessible location
You know which data elements are subject to specific regulation
You have controls for protecting and preserving data throughout its lifetime
You have retention requirements for data, and you destroy backups in a timely manner after the relevant retention period ends

Answers

No
Yes, for some of our data
Yes, for at least half of our data
Yes, for most or all of our data

Benefit

Technically enforced compliance with your data protection policy

Activity

Activities at this maturity level are focused on automating data protection, reducing your reliance on human effort to assess and manage compliance with policies. There is a focus on feedback mechanisms and proactive reviews, to identify and act on opportunities for process improvement.

Implement technical controls to enforce compliance with your Data Protection Policy, and put monitoring in place to detect attempted or actual violations. You may use a variety of available tools for data loss prevention, access control and tracking, or anomalous behavior detection.

Regularly audit compliance with established administrative controls, and closely monitor performance and operation of automated mechanisms, including backups and record deletions. Monitoring tools quickly detect and report failures in automation, permitting you to take timely corrective action.

Reviews and update the data catalog regularly, to maintain its accurate reflection of your data landscape. Regular reviews and updates of processes and procedures maintain their alignment with your policies and priorities.

Question

Do you regularly review and update the data catalog and your data protection policies and procedures?

Quality criteria

You have automated monitoring to detect attempted or actual violations of the Data Protection Policy
You have tools for data loss prevention, access control and tracking, or anomalous behavior detection
You periodically audit the operation of automated mechanisms, including backups and record deletions

Answers

No
Yes, we do it when requested
Yes, we do it every few years
Yes, we do it at least annually

Stream Guidance

  • SAMM team guidance Google Doc

  • Be the first to add to the Community guidance for this Stream!

Want to contribute?

Complete this Google Form with guidance for this Stream.



To learn more about Stream guidance for the SAMM model, see the Stream guidance page.