Security & compliance cross reference
A template for cataloging data types, security features, and compliance requirements as a cross-referenced resource for your security and governance planning.
Start by conducting your security and compliance review and feature definition (see 3.2 Security & compliance). This activity creates a cross-referenced catalogue of data sources and types, security features, and compliance requirements.
Other security references
- Why you need a zero trust architecture
- Planning ahead with an AI readiness plan
- Why you need a Zero Trust Architecture (and how to get one)
Data type cross reference
Data classification exercise. In this activity you will identify all of your data types and sources, and classify each one based on sensitivity, how the data flows, and how long you need to retain the data.
- Identify all data types in your system (customer PII, financial data, intellectual property, health records, commerce data, etc.).
- Classify data based on sensitivity levels to indicate how each element must be controlled (e.g., public, internal, confidential, restricted).
- Document data flows between components to show how information moves through your system (this should already be part of your context map, but be sure to annotate and keep it up to date).
- Define retention periods for each data type, so you know how long you need to keep it, and when you need to destroy it.
Example
| Data type | Domain / X-ref | Sensitivity / Expiry | Description |
|---|---|---|---|
| Customer account | Accounts | Internal / No expiry | Includes customer alias, account number, non-personalized information (such as preferences and display language), and account ID. |
| Customer info | IAM | Protected / No expiry | Customer name, birthday, home address. |
| Customer credentials | IAM | Protected / 5 days | Customer authentication identity (login name and password) and passkey certificate, cached authentication tokens. |
| … | | | |
Security & compliance features
Itemize your security and compliance features. This document should correlate each security or compliance need with its requirements, designs, and use cases. Each item should carry cross-reference links to its use cases, relevant designs, and verification methods and tests. Where appropriate, and where mandated by legislation or similar obligations, deadlines should be identified.
Example
| ID | Function / Risk | Description / Compliance mapping / Verification |
|---|---|---|
| SEC-001 | Authentication / High | In order to prevent unauthorized access through stolen credentials, the system must implement multi-factor authentication for all administrative access. → Feature SEC-001 (use case) |
| | Compliance | NIST 800-53 (IA-2), ISO 27001 (A.9.4.2), PCI DSS (8.3) |
| | Verification | Automated test → SEC-TEST-001, SEC-TEST-002. Manual audit → Quarterly manual administrative audit (report). |
| | Deadline | Q2 2023 |
| … | | |
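Both tables above become far more useful when they are kept as machine-checkable data rather than prose, so that dangling cross-references are caught before an audit does. The following added example (not part of the original template) models the two catalogues and checks that every feature has a compliance mapping, that every referenced test exists, that high-risk items carry a deadline, and that every data type has a recorded retention decision; the `Audit log` row, `SEC-002` and `KNOWN_TESTS` are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class DataType:
    name: str
    domain: str
    sensitivity: str        # public | internal | protected | restricted
    expiry: str | None      # retention decision; None means the row was left blank

@dataclass
class Feature:
    id: str
    function: str
    risk: str               # e.g. High
    controls: list[str]     # compliance mapping, e.g. "NIST 800-53 (IA-2)"
    tests: list[str]        # verification tests this item cross-references
    deadline: str | None = None

def check_catalogue(data_types, features, known_tests):
    """Return findings as strings; an empty list means every cross-reference resolves."""
    findings = []
    for d in data_types:
        if d.expiry is None:
            findings.append(f"{d.name}: no retention decision recorded")
    seen = set()
    for f in features:
        if f.id in seen:
            findings.append(f"{f.id}: duplicate feature ID")
        seen.add(f.id)
        if not f.controls:
            findings.append(f"{f.id}: no compliance mapping")
        if not f.tests:
            findings.append(f"{f.id}: no verification test cross-referenced")
        findings += [f"{f.id}: references unknown test {t}" for t in f.tests if t not in known_tests]
        if f.risk.lower() == "high" and f.deadline is None:
            findings.append(f"{f.id}: high-risk item without a deadline")
    return findings

# Constructed sample: the rows from the tables above plus one deliberately incomplete entry each.
DATA_TYPES = [
    DataType("Customer account", "Accounts", "Internal", "No expiry"),
    DataType("Customer info", "IAM", "Protected", "No expiry"),
    DataType("Customer credentials", "IAM", "Protected", "5 days"),
    DataType("Audit log", "Ops", "Restricted", None),  # constructed: retention never decided
]
FEATURES = [
    Feature("SEC-001", "Authentication", "High", ["NIST 800-53 (IA-2)", "ISO 27001 (A.9.4.2)", "PCI DSS (8.3)"],
            ["SEC-TEST-001", "SEC-TEST-002"], "Q2 2023"),
    Feature("SEC-002", "Session hardening", "High", [], ["SEC-TEST-003"]),  # constructed: incomplete
]
KNOWN_TESTS = {"SEC-TEST-001", "SEC-TEST-002"}  # constructed: test IDs that actually exist in the suite

if __name__ == "__main__":
    for finding in check_catalogue(DATA_TYPES, FEATURES, KNOWN_TESTS):
        print(finding)
```

Run as a CI step against the catalogue file, a non-empty findings list fails the build, which turns the "cross reference links should be specified with each item" rule into something enforced rather than hoped for.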