Skip to main content

DCH-01.4: Defining Access Authorizations for Sensitive / Regulated Data

DCH 9 — Critical Protect

Mechanisms exist to explicitly define authorizations for specific individuals and/or roles for logical and /or physical access to sensitive/regulated data.

Control Question: Does the organization explicitly define authorizations for specific individuals and/or roles for logical and /or physical access to sensitive/regulated data?

General (12)
Framework Mapping Values
CIS CSC 8.1 3.1 3.3
ISO 42001 2023 7.5.3 7.5.3(a) 7.5.3(b)
NIST 800-171 R3 (source) 03.01.02 03.01.03 03.01.04.b 03.08.01 03.08.02 03.10.01.a 03.15.02.c 03.17.01.c
NIST 800-171A R3 (source) A.03.15.02.c A.03.17.01.c
NIST 800-207 NIST Tenet 3 NIST Tenet 4
NIST CSF 2.0 (source) PR.DS
TISAX ISA 6 1.3.2
SCF CORE Fundamentals DCH-01.4
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) DCH-01.4
SCF CORE ESP Level 1 Foundational DCH-01.4
SCF CORE ESP Level 2 Critical Infrastructure DCH-01.4
SCF CORE ESP Level 3 Advanced Threats DCH-01.4
US (4)
Framework Mapping Values
US CISA CPG 2022 2.L
US DoD Zero Trust Reference Architecture 2.0 5.0
US DHS ZTCF DIN-02
US HHS 45 CFR 155.260 155.260(a)(4)(ii)
EMEA (2)
Framework Mapping Values
EMEA EU Cyber Resiliency Act Annexes Annex 1.1(3)(e)
EMEA UK DEFSTAN 05-138 2301
Americas (1)
Framework Mapping Values
Americas Canada ITSP-10-171 03.01.02 03.01.03 03.01.04.B 03.08.01 03.08.02 03.10.01.A 03.15.02.C 03.17.01.C

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to explicitly define authorizations for specific individuals and/or roles for logical and/or physical access to sensitive/regulated data.

Level 1 — Performed Informally

C|P-CMM1 is N/A, since a structured process is required to explicitly define authorizations for specific individuals and/or roles for logical and/or physical access to sensitive/regulated data.

Level 2 — Planned & Tracked

C|P-CMM2 is N/A, since a well-defined process is required to explicitly define authorizations for specific individuals and/or roles for logical and/or physical access to sensitive/regulated data.

Level 3 — Well Defined

Data Classification & Handling (DCH) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Are expected to take the initiative to work with Data Protection Officers (DPOs) to ensure applicable statutory, regulatory and contractual obligations are properly addressed, including the storage, transmission and processing of sensitive/regulated data. o Maintain decentralized inventory logs of all sensitive/regulated media and update sensitive/regulated media inventories at least annually. o Create and maintain Data Flow Diagrams (DFDs) and network diagrams. o Document where sensitive/regulated data is stored, transmitted and processed in order to document data repositories and data flows. o Identify data classification types to ensure adequate cybersecurity and data protection controls are in place to protect organizational information and individual data privacy. o Identify and document the location of information on which the information resides. o Restrict and govern the transfer of data to third-countries or international organizations. o Limit the disclosure of data to authorized parties. o Mark media in accordance with data protection requirements so that personnel are alerted to distribution limitations, handling caveats and applicable security requirements. o Prohibit “rogue instances” where unapproved third parties are engaged to store, process or transmit data, including budget reviews and firewall connection authorizations. o Protect and control digital and non-digital media during transport outside of controlled areas using appropriate security measures. o Govern the use of personal devices (e.g., Bring Your Own Device (BYOD)) as part of acceptable and unacceptable behaviors. o Dictate requirements for minimizing data collection to what is necessary for business purposes. o Dictate requirements for limiting the use of sensitive/regulated data in testing, training and research.

  • A Governance, Risk & Compliance (GRC) function, or similar function, assists users in making information sharing decisions to ensure data is appropriately protected, regardless of where or how it is stored, processed and/ or transmitted.
  • A data classification process exists to identify categories of data and specific protection requirements.
  • A data retention process exists to protect archived data in accordance with applicable statutory, regulatory and contractual obligations.
  • Data/process owners:
  • A Data Protection Impact Assessment (DPIA) is used to help ensure the protection of sensitive/regulated data processed, stored or transmitted on internal or external systems, in order to implement cybersecurity and data protection controls in accordance with applicable statutory, regulatory and contractual obligations.
  • Human Resources (HR), documents formal “rules of behavior” as an employment requirement that stipulates acceptable and unacceptable practices pertaining to sensitive/regulated data handling.
  • Data Loss Prevention (DLP), or similar content filtering capabilities, blocks users from performing ad hoc file transfers through unapproved file transfer services (e.g., Box, Dropbox, Google Drive, etc.).
  • Mobile Device Management (MDM) software is used to restrict and protect the data that resides on mobile devices.
  • Administrative processes and technologies:
Level 4 — Quantitatively Controlled

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to explicitly define authorizations for specific individuals and/or roles for logical and/or physical access to sensitive/regulated data.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to explicitly define authorizations for specific individuals and/or roles for logical and/or physical access to sensitive/regulated data.

Assessment Objectives

  1. DCH-01.4_A01 specific individuals and/or roles for logical and /or physical access to sensitive / regulated data are defined.
  2. DCH-01.4_A02 only authorized individuals are provided logical and /or physical access to sensitive / regulated data.
  3. DCH-01.4_A03 the system security plan is protected from unauthorized disclosure.
  4. DCH-01.4_A04 the SCRM plan is protected from unauthorized disclosure.

Evidence Requirements

E-DCH-02 Data Handling Practices

Documented evidence of an organization-specific data handling practices (e.g., guidance specific the data classification scheme).

Data Protection
E-DCH-08 Authorization Documentation

Documented evidence of that identifies authorized users and processes acting on behalf of authorized users.

Data Protection

Technology Recommendations

Micro/Small

  • Logical Access Control (LAC)
  • Physical Access Control (PAC)

Small

  • Logical Access Control (LAC)
  • Physical Access Control (PAC)

Medium

  • Logical Access Control (LAC)
  • Physical Access Control (PAC)
  • Data governance program

Large

  • Logical Access Control (LAC)
  • Physical Access Control (PAC)
  • Data governance program

Enterprise

  • Logical Access Control (LAC)
  • Physical Access Control (PAC)
  • Data governance program

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free