Data Security and Information Lifecycle Management Policies

Data security and information lifecycle management policies are a key component of the Information Security Program.

DSI Control Domains

DSI-01: Classification - Data Security and Information Lifecycle Management Policy

  • DSI-01.1: Do you provide a capability to identify data and virtual machines via policy tags/metadata (e.g., tags can be used to limit guest operating systems from booting/instantiating/transporting data in the wrong country)?


Policy to be referenced here is INSERT
*Action item: INSERT

  • DSI-01.2: Do you provide a capability to identify data and hardware via policy tags/metadata/hardware tags (e.g., TXT/TPM, VN-Tag, etc.)?


Policy to be referenced here is INSERT
*Action item: INSERT

DSI-02: Data Inventory / Flows

  • DSI-02.1: Do you inventory, document, and maintain data flows for data that is resident (permanent or temporary) within the services' applications and infrastructure network and systems?


Policy to be referenced here is INSERT
*Action item: INSERT

  • DSI-02.2: Can you ensure that data does not migrate beyond a defined geographical residency?


Policy to be referenced here is INSERT
*Action item: INSERT

DSI-03: E-commerce Transactions

  • DSI-03.1: Do you provide standardized (e.g. ISO/IEC) non-proprietary encryption algorithms (3DES, AES, etc.) to tenants in order for them to protect their data if it is required to move through public networks (e.g., the Internet)?


Policy to be referenced here is INSERT
*Action item: INSERT

  • DSI-03.2: Do you utilize open encryption methodologies any time your infrastructure components need to communicate with each other via public networks (e.g., Internet-based replication of data from one environment to another)?


Policy to be referenced here is INSERT
*Action item: INSERT

DSI-04: Handling / Labeling / Security Policy

  • DSI-04.1: Are policies and procedures established for data labeling and handling in order to ensure the security of data and objects that contain data?


Policy to be referenced here is INSERT
*Action item: INSERT

  • DSI-04.2: Do you follow a structured data-labeling standard (e.g., ISO 15489, Oasis XML Catalog Specification, CSA data type guidance)?


Policy to be referenced here is INSERT
*Action item: INSERT

  • DSI-04.3: Are mechanisms for label inheritance implemented for objects that act as aggregate containers for data?


Policy to be referenced here is INSERT
*Action item: INSERT

DSI-05: Nonproduction Data

  • DSI-05.1: Do you have procedures in place to ensure production data shall not be replicated or used in non-production environments?


Policy to be referenced here is INSERT
*Action item: INSERT

DSI-06: Ownership / Stewardship

  • DSI-06.1: Are the responsibilities regarding data stewardship defined, assigned, documented, and communicated?


Policy to be referenced here is INSERT
*Action item: INSERT

DSI-07: Secure Disposal

  • DSI-07.1: Are the responsibilities regarding data stewardship defined, assigned, documented, and communicated?


Policy to be referenced here is INSERT
*Action item: INSERT

Related Documents

  • None