Control 13.1: Maintain an Inventory of Sensitive Information

Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization’s technology systems, including those located on-site or at a remote service provider.

Category

Procedural

Purpose

Sensitive data can be stored on smartphones, point of sale (POS) terminals, and backend systems. Enterprises should have a listing of their sensitive information and of which computer systems retain that data. Those that do not carefully identify and separate their most sensitive and critical assets from less sensitive, publicly accessible information on internal networks can have a hard time preventing unauthorized access. If sensitive enterprise information is stored on an unknown or unprotected system, the information is more likely to be accessed in an unauthorized manner. Any listing of sensitive information should also be properly labeled. If sensitive enterprise information is not labeled correctly, then it may be accidentally distributed to unauthorized outside parties.

Automation

This Sub-Control is generally not automatable. It is most often necessary to manually identify and list sensitive files and other applicable information through usage of lists and labels within files or documents.

Guidance and Tools

Sensitive information can be tracked in a spreadsheet in a similar manner to hardware and software assets. CIS offers a free spreadsheet to track sensitive information within the enterprise, contained within the Appendix of this document. The definitions of, and policies surrounding, the usage of labels for data classification should be understood by all employees handling sensitive information. This in turn means that all sensitive, confidential, or proprietary information should be clearly labeled for internal use. Ultimately, what constitutes sensitive information is defined by local laws and the needs of an enterprise. Examples of sensitive information include:

  • Personally Identifiable Information (PII);
  • Trade secrets or proprietary information;
  • Financial information (e.g., taxes, debit card numbers);
  • Cryptographic keys;
  • Passwords; and
  • Biometric data.
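One way to keep such a spreadsheet inventory auditable is to check each row for a missing or unknown label and for a system that is absent from the hardware/software asset inventory. This is an added example, not part of the CIS document or its spreadsheet; it assumes a four-level label scheme and a separate set of known asset names, and the inventory rows are constructed.

```python
import csv
import io

# Classification labels assumed for this example; the page leaves the
# actual scheme to local law and enterprise policy.
LABELS = {"Public", "Internal", "Confidential", "Restricted"}
# The kinds of sensitive information the page lists as examples.
SENSITIVE_TYPES = {"PII", "Trade secret", "Financial",
                   "Cryptographic key", "Password", "Biometric"}

# Constructed sample inventory in the spreadsheet style the page describes:
# what the data is, which system holds it, whether that system is on-site
# or at a service provider, and the label applied to it.
SAMPLE_INVENTORY = """\
data_type,system,location,label,owner
PII,crm-db-01,on-site,Confidential,sales
Financial,pos-terminal-fleet,on-site,Restricted,retail-ops
Cryptographic key,hsm-02,on-site,Restricted,security
Password,backup-bucket,service-provider,,it-ops
Biometric,hr-saas,service-provider,Secret,hr
"""


def audit_inventory(csv_text, known_systems):
    """Return findings for rows that weaken the inventory: a data type outside
    the scheme, a missing or unknown label, or a system that is not in the
    hardware/software asset inventory (an unknown system, per the Purpose)."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ref = f"{row['data_type']} on {row['system']}"
        if row["data_type"] not in SENSITIVE_TYPES:
            findings.append(f"{ref}: data type not in classification scheme")
        if not row["label"]:
            findings.append(f"{ref}: no classification label")
        elif row["label"] not in LABELS:
            findings.append(f"{ref}: unknown label '{row['label']}'")
        if row["system"] not in known_systems:
            findings.append(f"{ref}: system not in asset inventory "
                            f"({row['location']})")
    return findings


if __name__ == "__main__":
    # Constructed asset list; backup-bucket is deliberately absent.
    assets = {"crm-db-01", "pos-terminal-fleet", "hsm-02", "hr-saas"}
    for finding in audit_inventory(SAMPLE_INVENTORY, assets):
        print(finding)
```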