SAMMY works best on screens 1024px wide or larger.
Cloud Controls Matrix
Browse Cloud Controls...
DSP-01: Security and Privacy Policy and Procedures
Security and Privacy Policy and Procedures
DSP-01: Are policies and procedures established, documented, approved, communicated, enforced, evaluated, and maintained for the classification, protection, and handling of data throughout its lifecycle according to all applicable laws and regulations, standards, and risk level?

Policies and procedures should include provisions for the following:
a. Data classifications with clear definitions and examples.
b. Acceptable use, handling, and storage of data by classifications.
c. How long the classified data should be retained.
d. How/when the classified data should be destroyed.
e. Responsibilities of data stewards.


Maintain a data inventory and document data flow diagrams and associated technical measures.


Document data protection controls and third-party data sharing practices. This documentation and associated risks should be shared with customers and data owners as needed.


Examples include but are not limited to:
• Access controls and data loss prevention (DLP) solutions with data tagging capabilities.
• Define testing intervals based on data classification types or levels.
• Executive leadership should approve policies (cf. GRC-01).
• Note: Data life cycles include all stages (processing, storage, and transmission).


Not applicable - A “N/A” answer indicates that the portion of the control in question is out of scope of the assessment. The “SSRM control ownership” column is to be left blank (e.g., greyed out), and optionally the CSP may explain why it is the case (“CSP Implementation Description”).
No - A “No” answer indicates that the portion of the control in question is not implemented, while in scope of the assessment. The CSP has to assign the implementation responsibility of the control to the relevant party under column “SSRM control ownership”, and optionally elaborate on the “why” (has not been implemented), and “what” has to be done for its implementation by that party.
Yes - A “Yes” answer indicates that the portion of the control in question is implemented. The CSP indicates the responsible and accountable parties (SSRM control ownership), and optionally elaborates on the implementation “how-to” per relevant party CSP and/or CSC.
CSP-owned - The CSP is entirely responsible and accountable for the CCM control implementation.
CSC-owned - The Cloud Service Customer (CSC) is entirely responsible and accountable for the CCM control implementation.
Third-party - The third-party CSP in the supply chain (e.g., an IaaS provider) is responsible for CCM control implementation, while the CSP is fully accountable.
Shared CSP and CSC - Both the CSP and CSC share CCM control implementation responsibility and accountability.
Shared CSP and third party - Any CCM control implementation responsibility is shared between CSP and the third party, but the CSP remains fully accountable.
Description

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the classification, protection and handling of data throughout its lifecycle, and according to all applicable laws and regulations, standards, and risk level. Review and update the policies and procedures at least annually.

Security and Privacy Policy and Procedures
DSP-01: Are data security and privacy policies and procedures reviewed and updated at least annually?

Policies and procedures should include provisions for the following:
a. Data classifications with clear definitions and examples.
b. Acceptable use, handling, and storage of data by classifications.
c. How long the classified data should be retained.
d. How/when the classified data should be destroyed.
e. Responsibilities of data stewards.


Maintain a data inventory and document data flow diagrams and associated technical measures.


Document data protection controls and third-party data sharing practices. This documentation and associated risks should be shared with customers and data owners as needed.


Examples include but are not limited to:
• Access controls and data loss prevention (DLP) solutions with data tagging capabilities.
• Define testing intervals based on data classification types or levels.
• Executive leadership should approve policies (cf. GRC-01).
• Note: Data life cycles include all stages (processing, storage, and transmission).


Not applicable - A “N/A” answer indicates that the portion of the control in question is out of scope of the assessment. The “SSRM control ownership” column is to be left blank (e.g., greyed out), and optionally the CSP may explain why it is the case (“CSP Implementation Description”).
No - A “No” answer indicates that the portion of the control in question is not implemented, while in scope of the assessment. The CSP has to assign the implementation responsibility of the control to the relevant party under column “SSRM control ownership”, and optionally elaborate on the “why” (has not been implemented), and “what” has to be done for its implementation by that party.
Yes - A “Yes” answer indicates that the portion of the control in question is implemented. The CSP indicates the responsible and accountable parties (SSRM control ownership), and optionally elaborates on the implementation “how-to” per relevant party CSP and/or CSC.
CSP-owned - The CSP is entirely responsible and accountable for the CCM control implementation.
CSC-owned - The Cloud Service Customer (CSC) is entirely responsible and accountable for the CCM control implementation.
Third-party - The third-party CSP in the supply chain (e.g., an IaaS provider) is responsible for CCM control implementation, while the CSP is fully accountable.
Shared CSP and CSC - Both the CSP and CSC share CCM control implementation responsibility and accountability.
Shared CSP and third party - Any CCM control implementation responsibility is shared between CSP and the third party, but the CSP remains fully accountable.
Description

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the classification, protection and handling of data throughout its lifecycle, and according to all applicable laws and regulations, standards, and risk level. Review and update the policies and procedures at least annually.