This article provides additional information on how you can meet the requirement for the CAF control – B3.a Understanding Data.
Maintaining a Data Inventory
- Organisations should maintain an inventory of all data important to delivering managed services. The inventory should record:
  - what the data is
  - where it is stored
  - how it moves
  - who has access to it
- The data inventory should be kept up to date and reviewed whenever systems or processes change.
What to Track
The data inventory should include:
- key data types used to deliver services
- authorised users and data owners
- storage locations (e.g. Microsoft 365, Azure, PSA/RMM platforms)
- devices or media that may hold important data
- key data links and integrations involved in service delivery
Data Minimisation
- Unnecessary or historic copies of data should be minimised.
- Centrally managed, secure storage should be used wherever possible.
Business Impact Analysis (BIA)
- A Business Impact Analysis (BIA) should be conducted as part of wider business continuity planning to assess the potential impact of severe disruptions.
- The BIA should consider:
  - the criticality of key business functions
  - support processes
  - third-party dependencies
  - information assets and their interdependencies
- Quantitative and qualitative criteria should be used to evaluate potential impacts.
- Insights from the BIA help prioritise data protection measures by showing how disruption to key data or systems could affect service delivery.
Using Data Understanding to Enhance Protection
- Maintaining an accurate understanding of critical data, where it resides and how it is used helps ensure it can be protected effectively.