Sensitive data is inventoried and classified by type
You cannot protect data you do not know you have. Without a data inventory, sensitive information ends up in unexpected places: S3 buckets with default permissions, developer laptops, unencrypted backups, shared drives. Classification is the foundation for every subsequent data security control because it answers the question of what deserves the most protection, where it lives, and who should be able to access it. A practical classification scheme does not need to be elaborate: PII, credentials, financial, and health data are the categories most organizations need to get right.
Implementation steps
1. Define a data classification scheme
Create a simple, documented classification policy with 3-4 tiers: public, internal, confidential, and restricted. Map specific data types to each tier. Confidential typically includes PII, credentials, and business-sensitive data. Restricted includes financial records, health data, and anything subject to regulatory requirements. Keep the taxonomy simple enough that employees can apply it without a lookup table.
Tools: Confluence, Notion, Google Docs
2. Discover where sensitive data is stored
Run data discovery scans across your cloud storage, databases, file shares, and endpoints. Look for patterns such as Social Security Numbers, credit card numbers, API keys, and health record identifiers. Cloud DLP tools can scan object storage, databases, and BigQuery at scale. Pay particular attention to development environments and backup storage, which often contain copies of production data without production-level controls.
Tools: Google Cloud DLP, AWS Macie, Microsoft Purview, Varonis, Nightfall
3. Document and maintain the data inventory
Record each discovered sensitive data store: what type of data it holds, where it lives, who owns it, who has access, and what classification applies. Store this inventory in a location accessible to your security and compliance team. Schedule quarterly reviews to catch new data stores and handle changes in how existing data is used or stored.
Tools: Airtable, Confluence, Google Sheets, Drata, Vanta
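As an added example (not part of this control page or of any tool listed above), here is the discovery step and the inventory it feeds in Python: a pattern scanner for the page's own data types (SSNs, card numbers, API keys) that validates card candidates with a Luhn check to cut false positives, keeps only a redacted tail of each match, and rolls findings up into one inventory row per store at the highest tier found there. The store paths and file contents are constructed sample data, and the patterns are illustrative rather than a complete detector set.

```python
import re
from collections import namedtuple
# Tiers follow the page's scheme: PII and credentials -> confidential, financial -> restricted.
# Patterns are illustrative; the AWS one is the public AKIA-prefixed access key id format.
PATTERNS = {
    "ssn": (re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"), "PII", "confidential"),
    "card": (re.compile(r"\b(?:\d[ -]?){13,19}\b"), "financial", "restricted"),
    "aws_key": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "credentials", "confidential"),
}
TIER_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
Finding = namedtuple("Finding", "location data_type tier redacted")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most phone and order numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan(sources: dict) -> list:
    """One Finding per validated match; only the last four characters of a value are kept."""
    findings = []
    for location, text in sources.items():
        for name, (pattern, data_type, tier) in PATTERNS.items():
            for m in pattern.finditer(text):
                value = m.group(0)
                if name == "card":
                    value = re.sub(r"\D", "", value)
                    if not (13 <= len(value) <= 19 and luhn_ok(value)):
                        continue  # digit run that is not a valid card number
                findings.append(Finding(location, data_type, tier, "****" + value[-4:]))
    return findings

def inventory(findings: list) -> dict:
    """One inventory row per store; the row's tier is the highest tier found in it."""
    rows = {}
    for f in findings:
        row = rows.setdefault(f.location, {"types": set(), "tier": "internal"})
        row["types"].add(f.data_type)
        if TIER_RANK[f.tier] > TIER_RANK[row["tier"]]:
            row["tier"] = f.tier
    return rows

# Constructed sample stores (not real data); the dev backup holds a copy of prod PII.
SAMPLE_SOURCES = {
    "s3://backups-dev/users.csv": "id,name,ssn\n1,Alice,123-45-6789\n2,Bob,234-56-7890\n",
    "s3://billing/invoices.txt": "card 4111 1111 1111 1111 charged; ref 1234567890123\n",
    "/home/dev/.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
}
```

Running `inventory(scan(SAMPLE_SOURCES))` yields the three rows an inventory spreadsheet would record; the 13-digit reference number in the invoice is dropped by the Luhn check rather than reported as a card.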
Evidence required
Data classification policy
A documented policy defining classification tiers and what data types fall into each.
- Data classification policy document approved by management
- Classification tier definitions with examples of each data type
Sensitive data inventory
Evidence of where sensitive data exists across systems.
- AWS Macie findings report identifying S3 buckets containing PII
- Data inventory spreadsheet mapping data types to storage locations and owners
- DLP scan results showing discovered sensitive data fields
Related controls
- Sensitive data at rest is encrypted using current standards (Data Security)
- Data in transit is encrypted using modern protocols (Data Security)
- Sensitive data is securely disposed of when no longer needed (Data Security)
- Backups of critical data are maintained and tested (Data Security)