Skip to main content

DCH-22: Data Quality Operations

DCH 5 — Medium Protect

Mechanisms exist to check for Redundant, Obsolete/Outdated, Toxic or Trivial (ROTT) data to ensure the accuracy, relevance, timeliness, impact, completeness and de-identification of information throughout the information lifecycle.

Control Question: Does the organization check for Redundant, Obsolete/Outdated, Toxic or Trivial (ROTT) data to ensure the accuracy, relevance, timeliness, impact, completeness and de-identification of information throughout the information lifecycle.

General (16)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) CC2.1 CC2.1-POF4 CC2.1-POF8
COBIT 2019 APO11.01 APO11.02 APO11.03 APO11.04 APO11.05
COSO 2017 Principle 13
Generally Accepted Privacy Principles (GAPP) 9.2.1
ISO/SAE 21434 2021 RQ-05-11
ISO 27018 2014 A.6
ISO 42001 2023 A.7 A.7.2 A.7.3 A.7.4 A.7.5 A.7.6
NIST 800-53 R4 DI-1
NIST 800-53 R5 (source) PM-22 SI-18 SI-18(1)
NIST 800-53B R5 (privacy) (source) PM-22 SI-18
NIST 800-53 R5 (NOC) (source) SI-18(1)
NIST 800-161 R1 PM-22
NIST 800-161 R1 Level 1 PM-22
NIST 800-161 R1 Level 2 PM-22
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) DCH-22
SCF CORE AI Model Deployment DCH-22
US (4)
Framework Mapping Values
US CERT RMM 1.2 KIM:SG5.SP2 KIM:SG5.SP3
US CMS MARS-E 2.0 DI-1
US DHS ZTCF DIN-03
US - CA CCPA 2025 7023(c)
EMEA (2)
Framework Mapping Values
EMEA EU AI Act 10.3 17.1(f)
EMEA UK DPA Chapter29-Schedule1-Part1-Principle 1
APAC (2)
Framework Mapping Values
APAC China Privacy Law 8
APAC Singapore MAS TRM 2021 5.8.1 5.8.2

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to check for Redundant, Obsolete/Outdated, Toxic or Trivial (ROTT) data to ensure the accuracy, relevance, timeliness, impact, completeness and de-identification of information throughout the information lifecycle.

Level 1 — Performed Informally

C|P-CMM1 is N/A, since a structured process is required to check for Redundant, Obsolete/Outdated, Toxic or Trivial (ROTT) data to ensure the accuracy, relevance, timeliness, impact, completeness and de-identification of information throughout the information lifecycle.

Level 2 — Planned & Tracked

C|P-CMM2 is N/A, since a well-defined process is required to check for Redundant, Obsolete/Outdated, Toxic or Trivial (ROTT) data to ensure the accuracy, relevance, timeliness, impact, completeness and de-identification of information throughout the information lifecycle.

Level 3 — Well Defined

Data Classification & Handling (DCH) efforts are standardized throughout the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Are expected to take the initiative to work with Data Protection Officers (DPOs) to ensure applicable statutory, regulatory and contractual obligations are properly addressed, including the storage, transmission and processing of sensitive/regulated data. o Maintain decentralized inventory logs of all sensitive/regulated media and update sensitive/regulated media inventories at least annually. o Create and maintain Data Flow Diagrams (DFDs) and network diagrams. o Document where sensitive/regulated data is stored, transmitted and processed in order to document data repositories and data flows. o Identify data classification types to ensure adequate cybersecurity and data protection controls are in place to protect organizational information and individual data privacy. o Identify and document the location of information on which the information resides. o Restrict and govern the transfer of data to third-countries or international organizations. o Limit the disclosure of data to authorized parties. o Mark media in accordance with data protection requirements so that personnel are alerted to distribution limitations, handling caveats and applicable security requirements. o Prohibit “rogue instances” where unapproved third parties are engaged to store, process or transmit data, including budget reviews and firewall connection authorizations. o Protect and control digital and non-digital media during transport outside of controlled areas using appropriate security measures. o Govern the use of personal devices (e.g., Bring Your Own Device (BYOD)) as part of acceptable and unacceptable behaviors. o Dictate requirements for minimizing data collection to what is necessary for business purposes. o Dictate requirements for limiting the use of sensitive/regulated data in testing, training and research.

  • A Governance, Risk & Compliance (GRC) function, or similar function, assists users in making information sharing decisions to ensure data is appropriately protected, regardless of where or how it is stored, processed and/ or transmitted.
  • A data classification process exists to identify categories of data and specific protection requirements.
  • A data retention process exists to protect archived data in accordance with applicable statutory, regulatory and contractual obligations.
  • Data/process owners:
  • A Data Protection Impact Assessment (DPIA) is used to help ensure the protection of sensitive/regulated data processed, stored or transmitted on internal or external systems, in order to implement cybersecurity and data protection controls in accordance with applicable statutory, regulatory and contractual obligations.
  • Human Resources (HR), documents formal “rules of behavior” as an employment requirement that stipulates acceptable and unacceptable practices pertaining to sensitive/regulated data handling.
  • Data Loss Prevention (DLP), or similar content filtering capabilities, blocks users from performing ad hoc file transfers through unapproved file transfer services (e.g., Box, Dropbox, Google Drive, etc.).
  • Mobile Device Management (MDM) software is used to restrict and protect the data that resides on mobile devices.
  • Administrative processes and technologies:
Level 4 — Quantitatively Controlled

Data Classification & Handling (DCH) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
  • Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
  • Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
  • Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
  • Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
  • Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving

Data Classification & Handling (DCH) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions.
  • Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.

Assessment Objectives

  1. DCH-22_A01 organization-wide policies for Personal Data (PD) quality management are developed and documented.
  2. DCH-22_A02 organization-wide procedures for Personal Data (PD) quality management are developed and documented.
  3. DCH-22_A03 the policies address reviewing the accuracy of Personal Data (PD) across the information life cycle.
  4. DCH-22_A04 the policies address reviewing the relevance of Personal Data (PD) across the information life cycle.
  5. DCH-22_A05 the policies address reviewing the timeliness of Personal Data (PD) across the information life cycle.
  6. DCH-22_A06 the policies address reviewing the completeness of Personal Data (PD) across the information life cycle.
  7. DCH-22_A07 the procedures address reviewing the accuracy of Personal Data (PD) across the information life cycle.
  8. DCH-22_A08 the procedures address reviewing the relevance of Personal Data (PD) across the information life cycle.
  9. DCH-22_A09 the procedures address reviewing the timeliness of Personal Data (PD) across the information life cycle.
  10. DCH-22_A10 the procedures address reviewing the completeness of Personal Data (PD) across the information life cycle.
  11. DCH-22_A11 the policies address correcting or deleting inaccurate or outdated Personal Data (PD).
  12. DCH-22_A12 the procedures address correcting or deleting inaccurate or outdated Personal Data (PD).
  13. DCH-22_A13 the policies address disseminating notice of corrected or deleted Personal Data (PD) to individuals or other appropriate entities.
  14. DCH-22_A14 the procedures address disseminating notice of corrected or deleted Personal Data (PD) to individuals or other appropriate entities.
  15. DCH-22_A15 the policies address appeals of adverse decisions on correction or deletion requests.
  16. DCH-22_A16 the procedures address appeals of adverse decisions on correction or deletion requests.
  17. DCH-22_A17 the frequency at which to check the accuracy of Personal Data (PD) across the information life cycle is defined.
  18. DCH-22_A18 the frequency at which to check the relevance of Personal Data (PD) across the information life cycle is defined.
  19. DCH-22_A19 the frequency at which to check the timeliness of Personal Data (PD) across the information life cycle is defined.
  20. DCH-22_A20 the frequency at which to check the completeness of Personal Data (PD) across the information life cycle is defined.
  21. DCH-22_A21 the accuracy of Personal Data (PD) across the information life cycle is checked frequency.
  22. DCH-22_A22 the relevance of Personal Data (PD) across the information life cycle is checked frequency.
  23. DCH-22_A23 the timeliness of Personal Data (PD) across the information life cycle is checked frequency.
  24. DCH-22_A24 the completeness of Personal Data (PD) across the information life cycle is checked frequency.
  25. DCH-22_A25 inaccurate or outdated Personal Data (PD) is corrected or deleted.
  26. DCH-22_A26 automated mechanisms used to correct or delete Personal Data (PD) that is inaccurate, outdated, incorrectly determined regarding impact or incorrectly de-identified are defined.
  27. DCH-22_A27 automated mechanisms are used to correct or delete Personal Data (PD) that is inaccurate, outdated, incorrectly determined regarding impact or incorrectly de-identified.

Technology Recommendations

Micro/Small

  • Product / project management

Small

  • Product / project management

Medium

  • Product / project management

Large

  • Product / project management
  • Data governance program

Enterprise

  • Product / project management
  • Data governance program

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free