Data Classification & Handling Controls

Purpose

Bramble ensures that technology assets are properly classified, by publishing and enforcing a data classification methodology to objectively determine the sensitivity and criticality of all data, dictating the minimum safeguards that must be in place to protect the confidentiality, integrity and availability of data so that proper handling and disposal requirements can be followed.

Scope

This control applies to all systems that handle, manage, store or transmit Bramble data including any end user devices that store such data. This may include third-party systems that support the business of Brmbl.io.

Ownership

This control is owned by IT Ops.

Controls

Control Number Control Title Control Statement Goal TOD TOE
DCH-01 Data Protection Bramble Group Corp. has implemented mechanisms to facilitate logical and physical data protection controls and ensure data stewardship is assigned, documented and communicated and the quality of information remains complete and verifiable. Does the organization facilitate the implementation of data protection controls? 1. Inspect data protection collateral for evidence of mechanisms that exist to support the facilitation of data protection controls.

2. Interview key organizational personnel within Bramble to discuss high level workflows that support the facilitation of data protection controls.

3. Examine data protection policies and procedures for: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; compliance; and implementation requirements.
1. Examine data protection records, configurations, or other relevant documentation that support the facilitation of data protection controls.

2. Examine data protection procedures for evidence that the procedures facilitate implementation and adherence of data protection controls.

3. Interview key organizational personnel conducting discussions for evidence that mechanisms exist to support the facilitation of data protection.
DCH-02 Data & Asset Classification Bramble Group Corp. has implemented mechanisms to ensure a complete and accurate data and asset list are categorized and prioritized based on their classification, criticality and business value, in accordance with applicable statutory, regulatory and contractual requirements. Does the organization ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements? 1. Inspect data and asset classification collateral for evidence the support the facilitation of data asset and categorization in accordance with applicable statutory, regulatory and contractual requirements.

2. Interview key organizational personnel with Bramble to discuss high level workflows that support the facilitation of data and asset classification and management.
1. Identify applicable statutory, regulatory and contractual requirements necessary to support the function of data and asset classification and management.

2. Examine data and asset classifications and relevant evidence to support the identified applicable statutory, regulatory and contractual requirements.
DCH-03 Media Access Bramble Group Corp. has implemented mechanisms to control and restrict access to digital and non-digital media to authorized individuals. Does the organization restrict access to digital and non-digital media to authorized individuals? 1. Inspect data and asset classification collateral for evidence the support access is restricted to digital and non-digital media based on appropriate authorization.

2. Interview key organizational personnel with Bramble to discuss high level workflows that support the facilitation of data and asset classification and management.
1. Identify access restriction requirements and enforcement based on appropriate authorization.

2. Examine data and asset classifications and relevant evidence to support media access restriction based on appropriate authorization.
DCH-08 Physical Media Disposal Bramble Group Corp. has implemented mechanisms to securely retain and dispose of physical media when it is no longer required, using formal procedures. Does the organization securely dispose of media when it is no longer required, using formal procedures? 1. Inspect formal procedures, policies or other relevant documentation that support the physical media retention and disposal processes.

2. Interview key organizational personnel within Bramble to discuss high level workflows that support the physical media retention and disposal processes.

3. Examine policies and procedures for: Purpose; Scope; Roles and responsibilities; Management commitment; Coordination among organizational entities; Compliance; and Implementation requirements.
1. Examine physical media retention and disposal records for a sample set of physical media to ensure media was disposed of according to formal procedures and policies.
DCH-09 Digital Media Sanitization Bramble Group Corp. has implemented mechanisms to sanitize media, both digital and non-digital, with the strength and integrity commensurate with the classification or sensitivity of the information prior to disposal, release out of organizational control or release for reuse. Does the organization sanitize media, both digital and non-digital, with the strength and integrity commensurate with the classification or sensitivity of the information prior to disposal, release out of organizational control or release for reuse? 1. Inspect formal procedures, policies or other relevant documentation that support the media (both digital and non digital) sanitation and disposal process.

2. Interview key organizational personnel within Bramble to discuss high level workflows that support the media (both digital and non digital) disposal processes.

3. Examine policies and procedures for: Purpose; Scope; Roles and responsibilities; Management commitment; Coordination among organizational entities; Compliance; and Implementation requirements.
1. Examine sanitization and disposal records for a sample set of both digital and non digital media to ensure media was sanitized and disposed of according to formal procedures and policies.
DCH-10 Media Use Bramble Group Corp. has implemented mechanisms to restrict the use of some types of digital media on systems or system components. Does the organization restrict the use of types of digital media on systems or system components? 1. Inspect formal procedures, policies or other relevant documentation that support the logical and physical restricted use of some types of digital media on systems or system components.

2. Interview key organizational personnel within Bramble to discuss high level workflows that support the logical and physical restricted use of some types of digital media on systems or system components.

3. Examine data protection policies and procedures for: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; compliance; and implementation requirements.
1. Examine relevant documentation and configurations that support the facilitation of logical and physical restricted use of digital media on systems or system components.

2. Examine data protection procedures for evidence that the procedures facilitate implementation and adherence of logical and physical restricted use of digital media on systems or system components.
DCH-12 Removable Media Security Bramble Group Corp. has implemented mechanisms to restrict removable media in accordance with data handling and acceptable usage parameters. Does the organization restrict removable media in accordance with data handling and acceptable usage parameters? 1. Inspect formal procedures, policies or other relevant documentation that support the restriction and protection of removable media.

2. Interview key organizational personnel within Bramble to discuss high level workflows that support the restriction and protection of removable media.
1. Examine relevant documentation and configurations that support the restriction and protection of removable media.

2. Examine configurations and documentation against a population of removable media to confirm media is restricted in accordance with data handling and acceptable use parameters.
DCH-13 Use of External Information Systems Bramble Group Corp. has implemented mechanisms to restrict the use of portable storage devices by external parties, systems and services used to securely store, process and transmit data. Does the organization govern how external parties, systems and services are used to securely store, process and transmit data? 1. Inspect formal procedures, policies or other relevant documentation that support the restricted use of portable storage devices by external parties, systems or services. 1. Pull a list of external parties, systems and services that use portable storage devices.

2. Examine relevant records, documentation or configurations that outline the restriction parameters for in-scope external parties, systems and services that use portable storage devices.
DCH-14 Information Sharing Bramble Group Corp. has implemented mechanisms to utilize a process assisting users in making information sharing decisions to ensure data is appropriately protected. Does the organization utilize a process to assist users in making information sharing decisions to ensure data is appropriately protected? 1. Inspect formal policies, procedures or other relevant documentation that outline information sharing based on data classification and logical and physical access controls. 1. Examine relevant formal policies, procedures or other relevant documentation for a process outlining an information sharing process based on logical and physical access and data classification.
DCH-17 Ad-Hoc Transfers Bramble Group Corp. has implemented mechanisms to secure ad-hoc exchanges of large digital files with internal or external parties. Does the organization secure ad-hoc exchanges of large digital files with internal or external parties? 1. Inspect formal policies, procedures or other relevant documentation that outline required steps to secure ad-hoc exchanges of large digital files with internal or external parties.

2. Interview key organizational personnel within Bramble to discuss high level workflows that support the ad-hoc exchange of large digital files with internal or external parties.
1. Obtain a population of ad-hoc digital file exchanges between both internal and external parties.

2. Examine configurations and documentation against the population of digital file exchanges to confirm digital file exchanges between both internal and external parties were conducted according to ToD.
DCH-21 Information Disposal Bramble Group Corp. has implemented mechanisms to securely dispose of, destroy or erase information. Does the organization securely dispose of, destroy or erase information? 1. Inspect formal policies, procedures or other relevant documentation that outline required steps to securely dispose of, destroy or erase information. Including but not limited to confidentiality and privacy policies, procedures and other relevant documentation. 1. Obtain a population of disposed of, destroyed or erased information

2. Examine configurations and documentation against the population of disposed of, destroyed or erased information to confirm information was disposed of, destroyed or erased according to ToD.
DCH-22 Data Quality Operations Bramble Group Corp. has implemented mechanisms to check for the accuracy, relevance, timeliness, impact, completeness and de-identification of information across the information lifecycle. Does the organization check for the accuracy, relevance, timeliness, impact, completeness and de-identification of information across the information lifecycle? 1. Inspect formal policies, procedures or other relevant documentation that outline required steps to check for the accuracy, relevance, timeliness, impact, completeness and de-identification of information across the information lifecycle. 1. Examine documentation and configurations to confirm steps outlined in the TOD are supported and communicated to relevant personnel.
  • Test of Design - (TOD) – verifies that a control is designed appropriately and that it will prevent or detect a particular risk.
  • Test of Operating Effectiveness - (TOE) - used for verifying that the control is in place and it operates as it was designed.

Policy Reference