Do you know where your sensitive data lives across cloud services (DSPM / data discovery)?
Demonstrate that the organization maintains a current, automated inventory of sensitive data locations across all cloud services with accurate classification and documented ownership.
Description
What this control does
Data Security Posture Management (DSPM) and data discovery controls enable organizations to automatically identify, classify, and track sensitive data across cloud services, SaaS applications, databases, and storage repositories. These tools scan cloud environments to detect personally identifiable information (PII), protected health information (PHI), payment card data, intellectual property, and other regulated or business-critical data assets. By maintaining a real-time inventory of sensitive data locations, organizations can enforce appropriate access controls, encryption policies, and data loss prevention measures aligned with the data's classification and regulatory requirements.
Control objective
What auditing this proves
Demonstrate that the organization maintains a current, automated inventory of sensitive data locations across all cloud services with accurate classification and documented ownership.
Associated risks
Risks this control addresses
- Sensitive data stored in unauthorized or unmonitored cloud services (shadow IT) remains unprotected and vulnerable to exposure
- Regulated data (PII, PHI, PCI) stored without proper encryption, access controls, or geographic restrictions violates compliance requirements
- Data exfiltration or insider threats succeed because security teams lack visibility into where high-value data resides
- Overprivileged accounts access sensitive data without detection due to incomplete data location mapping
- Orphaned or abandoned cloud resources containing sensitive data remain without oversight, leaving a lasting, unmonitored attack surface
- Cross-region data transfers violate data residency requirements because data location is unknown
- Incident response fails to contain breaches effectively because responders cannot identify all affected data repositories
Testing procedure
How an auditor verifies this control
- Obtain the current data discovery and classification inventory report from the DSPM solution, including scope of cloud services covered, last scan date, and number of sensitive data assets identified
- Review the DSPM tool configuration to verify scanning frequency, cloud service integrations (AWS, Azure, GCP, SaaS applications), and classification rules aligned to organizational data taxonomy
- Select a sample of five cloud repositories identified as containing sensitive data and verify the classification accuracy by examining actual data samples or data dictionary documentation
- Test the completeness of coverage by comparing the DSPM inventory against the cloud asset inventory from cloud security posture management (CSPM) tools or cloud service provider console exports to identify any unscanned resources
- Interview data owners for three business units to confirm they receive regular reports of sensitive data locations within their domain and take action on findings
- Review access logs for one high-sensitivity data repository identified by DSPM to verify that access controls, encryption, and monitoring are appropriately configured based on data classification
- Examine incident response procedures to confirm they reference DSPM inventory for containment and impact assessment activities
- Validate the discovery of recently created cloud resources by comparing DSPM scan results against cloud provisioning records from the past 30 days to assess detection latency
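As an added illustration of the coverage-completeness and detection-latency tests in the procedure above (example code, not part of any DSPM product or of this page), the following Python reconciles a CSPM asset export against a DSPM inventory. The record field names (resource_id, created_at, first_seen_at, classification, owner) and all sample records are constructed assumptions, not real exports.

```python
"""Audit helper: reconcile a DSPM inventory against a CSPM asset export.

Constructed sample data and assumed field names; adapt to the real exports
(CSV/JSON) produced by the tools under review.
"""
from datetime import datetime, timedelta

# Constructed CSPM export: every data-bearing resource the provider reports.
CSPM_ASSETS = [
    {"resource_id": "s3://prod-customer-exports", "created_at": "2024-05-01T09:00:00Z"},
    {"resource_id": "s3://analytics-scratch", "created_at": "2024-05-20T14:30:00Z"},
    {"resource_id": "rds:prod-billing", "created_at": "2023-11-12T08:00:00Z"},
    {"resource_id": "s3://new-vendor-dropbox", "created_at": "2024-05-28T16:00:00Z"},
]

# Constructed DSPM inventory: resources the scanner has seen and classified.
DSPM_INVENTORY = [
    {"resource_id": "s3://prod-customer-exports", "classification": "PII",
     "owner": "customer-ops", "first_seen_at": "2024-05-01T21:00:00Z"},
    {"resource_id": "rds:prod-billing", "classification": "PCI",
     "owner": "finance", "first_seen_at": "2023-11-13T02:00:00Z"},
    {"resource_id": "s3://analytics-scratch", "classification": "PII",
     "owner": None, "first_seen_at": "2024-05-25T03:00:00Z"},
]


def _ts(iso):
    """Parse an ISO-8601 UTC timestamp ('Z' suffix) into an aware datetime."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def unscanned_resources(cspm, dspm):
    """Coverage gap: assets in the CSPM export with no DSPM record at all."""
    scanned = {r["resource_id"] for r in dspm}
    return sorted(a["resource_id"] for a in cspm if a["resource_id"] not in scanned)


def unowned_sensitive(dspm):
    """Classified resources with no documented owner (ownership finding)."""
    return sorted(r["resource_id"] for r in dspm if not r.get("owner"))


def detection_latency_hours(cspm, dspm, now_iso, window_days=30):
    """For assets created within window_days of now_iso, hours from creation
    to first DSPM sighting; None means the scanner has never seen the asset."""
    first_seen = {r["resource_id"]: _ts(r["first_seen_at"]) for r in dspm}
    cutoff = _ts(now_iso) - timedelta(days=window_days)
    result = {}
    for asset in cspm:
        created = _ts(asset["created_at"])
        if created < cutoff:
            continue  # outside the 30-day provisioning window
        seen = first_seen.get(asset["resource_id"])
        result[asset["resource_id"]] = (
            None if seen is None else round((seen - created).total_seconds() / 3600, 1))
    return result
```

Any resource returned by unscanned_resources, or with a latency of None, is a coverage finding; long latencies show how quickly new provisioning is picked up by the scan schedule.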