Digital Security Program (DSP)
| Control | Status | |
|---|---|---|
| Data Protection | Mechanisms exist to facilitate the implementation of data protection controls. | |
| Data Stewardship | Mechanisms exist to ensure data stewardship is assigned, documented and communicated. | |
| Sensitive / Regulated Data Protection | Mechanisms exist to protect sensitive/regulated data wherever it is stored. | |
| Sensitive / Regulated Media Records | Mechanisms exist to ensure media records for sensitive/regulated data contain sufficient information to determine the potential impact in the event of a data loss incident. | |
| Defining Access Authorizations for Sensitive/Regulated Data | Mechanisms exist to explicitly define authorizations for specific individuals and/or roles for logical and/or physical access to sensitive/regulated data. | |
| Data & Asset Classification | Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements. | |
| Highest Classification Level | Mechanisms exist to ensure that systems, applications and services are classified according to the highest level of data sensitivity that is stored, transmitted and/or processed. | |
| Media Access | Mechanisms exist to control and restrict access to digital and non-digital media to authorized individuals. | |
| Disclosure of Information | Mechanisms exist to restrict the disclosure of sensitive / regulated data to authorized parties with a need to know. | |
| Masking Displayed Data | Mechanisms exist to apply data masking to sensitive/regulated information that is displayed or printed. | |
| Media Marking | Mechanisms exist to mark media in accordance with data protection requirements so that personnel are alerted to distribution limitations, handling caveats and applicable security requirements. | |
| Media Storage | Mechanisms exist to: (1) Physically control and securely store digital and non-digital media within controlled areas using organization-defined security measures; and (2) Protect system media until the media are destroyed or sanitized using approved equipment, techniques and procedures. | |
| Sensitive Data Inventories | Mechanisms exist to maintain inventory logs of all sensitive media and conduct sensitive media inventories at least annually. | |
| Periodic Scans for Sensitive / Regulated Data | Mechanisms exist to periodically scan unstructured data sources for sensitive/regulated data or data requiring special protection measures by statutory, regulatory or contractual obligations. | |
| Media Transportation | Mechanisms exist to protect and control digital and non-digital media during transport outside of controlled areas using appropriate security measures. | |
| Custodians | Mechanisms exist to identify custodians throughout the transport of digital or non-digital media. | |
| Encrypting Data In Storage Media | Cryptographic mechanisms exist to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas. | |
| Physical Media Disposal | Mechanisms exist to securely dispose of media when it is no longer required, using formal procedures. | |
| System Media Sanitization | Mechanisms exist to sanitize system media with the strength and integrity commensurate with the classification or sensitivity of the information prior to disposal, release out of organizational control or release for reuse. | |
| System Media Sanitization Documentation | Mechanisms exist to supervise, track, document and verify system media sanitization and disposal actions. | |
| Sanitization of Personal Data (PD) | Mechanisms exist to facilitate the sanitization of Personal Data (PD). | |
| Media Use | Mechanisms exist to restrict the use of types of digital media on systems or system components. | |
| Limitations on Use | Mechanisms exist to restrict the use and distribution of sensitive / regulated data. | |
| Data Reclassification | Mechanisms exist to reclassify data, including associated systems, applications and services, commensurate with the security category and/or classification level of the information. | |
| Removable Media Security | Mechanisms exist to restrict removable media in accordance with data handling and acceptable usage parameters. | |
| Use of External Information Systems | Mechanisms exist to govern how external parties, systems and services are used to securely store, process and transmit data. | |
| Limits of Authorized Use | Mechanisms exist to prohibit external parties, systems and services from storing, processing and transmitting data unless authorized individuals first: (1) Verify the implementation of required security controls; or (2) Retain a processing agreement with the entity hosting the external systems or service. | |
| Portable Storage Devices | Mechanisms exist to restrict or prohibit the use of portable storage devices by users on external systems. | |
| Information Sharing | Mechanisms exist to utilize a process to assist users in making information sharing decisions to ensure data is appropriately protected. | |
| Transfer Authorizations | Mechanisms exist to verify that individuals or systems transferring data between interconnecting systems have the requisite authorizations (e.g., write permissions or privileges) prior to transferring said data. | |
| Data Access Mapping | Mechanisms exist to leverage data-specific Access Control Lists (ACL) or Interconnection Security Agreements (ISAs) to generate a logical map of the parties with whom sensitive/regulated data is shared. | |
| Ad-Hoc Transfers | Mechanisms exist to secure ad-hoc exchanges of large digital files with internal or external parties. | |
| Media & Data Retention | Mechanisms exist to retain media and data in accordance with applicable statutory, regulatory and contractual obligations. | |
| Geographic Location of Data | Mechanisms exist to inventory, document and maintain data flows for data that is resident (permanently or temporarily) within a service's geographically distributed applications (physical and virtual), infrastructure, systems components and/or shared with other third parties. | |
| Information Disposal | Mechanisms exist to securely dispose of, destroy or erase information. | |
| Data Quality Operations | Mechanisms exist to check for Redundant, Obsolete/Outdated, Toxic or Trivial (ROTT) data to ensure the accuracy, relevance, timeliness, impact, completeness and de-identification of information throughout the information lifecycle. | |
| Updating & Correcting Personal Data (PD) | Mechanisms exist to utilize technical controls to correct Personal Data (PD) that is inaccurate or outdated, incorrectly determined regarding impact, or incorrectly de-identified. | |
| De-Identification (Anonymization) | Mechanisms exist to anonymize data by removing Personal Data (PD) from datasets. | |
| Removal, Masking, Encryption, Hashing or Replacement of Direct Identifiers | Mechanisms exist to remove, mask, encrypt, hash or replace direct identifiers in a dataset. | |
| Information Location | Mechanisms exist to identify and document the location of information and the specific system components on which the information resides. | |
| Transfer of Sensitive and/or Regulated Data | Mechanisms exist to restrict and govern the transfer of sensitive and/or regulated data to third countries or international organizations. | |