Skip to main content
DCH

Data Classification & Handling

85 controls

Enforce a standardized data classification methodology to objectively determine the sensitivity and criticality of all data and technology assets so that proper handling and disposal requirements can be followed.

SCF # Control Name Weight NIST CSF Frameworks
DCH-01 Data Protection 10 — Critical Govern 168
DCH-01.1 Data Stewardship 10 — Critical Protect 41
DCH-01.2 Sensitive / Regulated Data Protection 9 — Critical Protect 49
DCH-01.3 Sensitive / Regulated Media Records 6 — Medium Protect 9
DCH-01.4 Defining Access Authorizations for Sensitive / Regulated Data 9 — Critical Protect 19
DCH-02 Data & Asset Classification 10 — Critical Identify 76
DCH-02.1 Highest Classification Level 8 — High Protect 13
DCH-03 Media Access 8 — High Protect 61
DCH-03.1 Disclosure of Information 10 — Critical Protect 27
DCH-03.2 Masking Displayed Data 7 — High Protect 13
DCH-03.3 Controlled Release 4 — Medium Protect 7
DCH-04 Media Marking 7 — High Protect 48
DCH-04.1 Automated Marking 2 — Low Protect 16
DCH-05 Cybersecurity & Data Protection Attributes 2 — Low Protect 12
DCH-05.1 Dynamic Attribute Association 2 — Low Protect 7
DCH-05.2 Attribute Value Changes By Authorized Individuals 8 — High Protect 4
DCH-05.3 Maintenance of Attribute Associations By System 2 — Low Protect 4
DCH-05.4 Association of Attributes By Authorized Individuals 2 — Low Protect 4
DCH-05.5 Attribute Displays for Output Devices 8 — High Protect 5
DCH-05.6 Data Subject Attribute Associations 2 — Low Protect 5
DCH-05.7 Consistent Attribute Interpretation 2 — Low Protect 4
DCH-05.8 Identity Association Techniques & Technologies 2 — Low Protect 5
DCH-05.9 Attribute Reassignment 7 — High Protect 6
DCH-05.10 Attribute Configuration By Authorized Individuals 8 — High Protect 4
DCH-05.11 Audit Changes 7 — High Detect 2
DCH-06 Media Storage 8 — High Protect 59
DCH-06.1 Physically Secure All Media 9 — Critical Protect 17
DCH-06.2 Sensitive Data Inventories 9 — Critical Detect 29
DCH-06.3 Periodic Scans for Sensitive / Regulated Data 7 — High Detect 10
DCH-06.4 Making Sensitive Data Unreadable In Storage 9 — Critical Protect 7
DCH-06.5 Storing Authentication Data 5 — Medium Protect 9
DCH-07 Media Transportation 9 — Critical Protect 60
DCH-07.1 Custodians 9 — Critical Protect 29
DCH-07.2 Encrypting Data In Storage Media 5 — Medium Protect 26
DCH-08 Physical Media Disposal 10 — Critical Protect 95
DCH-09 System Media Sanitization 10 — Critical Protect 85
DCH-09.1 System Media Sanitization Documentation 7 — High Protect 24
DCH-09.2 Equipment Testing 5 — Medium Detect 16
DCH-09.3 Sanitization of Personal Data (PD) 9 — Critical Protect 40
DCH-09.4 First Time Use Sanitization 5 — Medium Protect 13
DCH-09.5 Dual Authorization for Sensitive Data Destruction 5 — Medium Protect 3
DCH-10 Media Use 8 — High Protect 50
DCH-10.1 Limitations on Use 10 — Critical Protect 5
DCH-10.2 Prohibit Use Without Owner 5 — Medium Protect 23
DCH-11 Data Reclassification 8 — High Protect 8
DCH-12 Removable Media Security 10 — Critical Protect 22
DCH-13 Use of External Technology Assets, Applications and/or Services (TAAS) 9 — Critical Protect 59
DCH-13.1 Limits of Authorized Use 8 — High Protect 43
DCH-13.2 Portable Storage Devices 9 — Critical Protect 37
DCH-13.3 Protecting Sensitive / Regulated Data on External Technology Assets, Applications and/or Services (TAAS) 10 — Critical Protect 13
DCH-13.4 Non-Organizationally Owned Technology Assets, Applications and/or Services (TAAS) 5 — Medium Protect 12
DCH-14 Information Sharing 9 — Critical Protect 50
DCH-14.1 Information Search & Retrieval 5 — Medium Protect 3
DCH-14.2 Transfer Authorizations 8 — High Protect 21
DCH-14.3 Data Access Mapping 9 — Critical Identify 11
DCH-15 Publicly Accessible Content 10 — Critical Protect 54
DCH-16 Data Mining Protection 7 — High Protect 12
DCH-17 Ad-Hoc Transfers 8 — High Protect 25
DCH-18 Media & Data Retention 8 — High Protect 95
DCH-18.1 Minimize Sensitive / Regulated Data 8 — High Protect 13
DCH-18.2 Limit Sensitive / Regulated Data In Testing, Training & Research 8 — High Protect 15
DCH-18.3 Temporary Files Containing Personal Data (PD) 5 — Medium Protect 0
DCH-19 Geographic Location of Data 9 — Critical Identify 34
DCH-20 Archived Data Sets 8 — High Protect 1
DCH-21 Information Disposal 10 — Critical Protect 37
DCH-22 Data Quality Operations 5 — Medium Protect 24
DCH-22.1 Updating & Correcting Personal Data (PD) 6 — Medium Protect 54
DCH-22.2 Data Tags 3 — Low Protect 6
DCH-22.3 Primary Source Personal Data (PD) Collection 8 — High Identify 5
DCH-23 De-Identification (Anonymization) 8 — High Protect 20
DCH-23.1 De-Identify Dataset Upon Collection 8 — High Protect 2
DCH-23.2 Archiving 8 — High Protect 2
DCH-23.3 Release 8 — High Protect 2
DCH-23.4 Removal, Masking, Encryption, Hashing or Replacement of Direct Identifiers 8 — High Protect 4
DCH-23.5 Statistical Disclosure Control 1 — Low Protect 2
DCH-23.6 Differential Data Privacy 1 — Low Protect 2
DCH-23.7 Automated De-Identification of Sensitive Data 1 — Low Protect 2
DCH-23.8 Motivated Intruder 3 — Low Protect 2
DCH-23.9 Code Names 1 — Low Protect 1
DCH-24 Information Location 10 — Critical Identify 40
DCH-24.1 Automated Tools to Support Information Location 6 — Medium Identify 33
DCH-25 Transfer of Sensitive and/or Regulated Data 10 — Critical Protect 21
DCH-25.1 Transfer Activity Limits 7 — High Protect 3
DCH-26 Data Localization 10 — Critical Protect 6
DCH-27 Data Rights Management (DRM) 6 — Medium Protect 3

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage SCF Controls in SCF Connect

Streamline your compliance program with automated control tracking, evidence management, and framework mapping.

Get Started Free