Data Protection Policy
POLICY SUMMARY
Disciplined data protection is a core operational and legal obligation. IT Audit Labs (ITAL) shall implement processes and technical controls to classify ITAL data by sensitivity, restrict access on a need-to-know basis, and ensure that sensitive data is encrypted both in transit and at rest across all ITAL systems and devices. Data shall be retained according to documented schedules and disposed of securely in a manner appropriate to its classification, with data flows documented and processing segmented to prevent sensitive data from commingling with lower-sensitivity environments. The loss of control over ITAL data — whether through exfiltration, unauthorized access, or improper disposal — carries significant legal, reputational, and regulatory consequences that these controls are designed to prevent.
APPLICABILITY
This policy applies to all ITAL data throughout its entire lifecycle — from creation or collection through active use, storage, transmission, and final disposition. Scope is defined by the data itself and follows the data wherever it resides or travels, not by the system or location that holds it. In-scope data and environments include:
- Sensitive and confidential data — personally identifiable information (PII), protected health information (PHI), criminal justice information, financial records, legal records, and any other data subject to federal, state, or ITAL regulatory requirements, as well as data whose unauthorized disclosure or loss would cause material harm to the company or the customers it serves.
- Data at rest — stored on ITAL’s servers, workstations, laptops, mobile devices, removable media, databases, and cloud storage environments.
- Data in transit — traversing ITAL’s networks, external networks, the internet, or any communication channel between systems, users, or service providers.
- Data processed by applications — including data handled by ITAL-hosted applications, SaaS platforms, and third-party services that access, store, or transmit ITAL data.
- Physical data — printed documents, physical records, and data stored on physical removable media containing sensitive ITAL information.
Service providers that store, process, or transmit ITAL data are subject to the data protection requirements of this policy through contractual obligations governed in conjunction with Policy 15: Service Provider Management.
POLICY STATEMENTS
The policy statements below align with Safeguards 3.1 through 3.14 of the Center for Internet Security (CIS) Critical Security Controls version 8. Policy statements numbered beyond 3.14 are not CIS version 8 safeguards and are supplementary.
3.1 Establish and Maintain a Data Management Process
Asset Type: Data | Security Function: Govern | IG1, IG2, IG3
- ITAL shall establish and maintain a documented data management process that defines how ITAL data is classified by sensitivity, assigned to a data owner, handled throughout its lifecycle, retained for defined minimum and maximum periods, and disposed of in a manner appropriate to its classification. The process shall serve as the governing framework that downstream technical controls — including access control lists, encryption, and secure disposal procedures — are built upon and referenced against.
- ITAL shall review and update the data management process at least annually, or whenever significant changes to ITAL systems, infrastructure, or regulatory obligations occur that could affect how data is classified or handled.
3.2 Establish and Maintain a Data Inventory
Asset Type: Data | Security Function: Identify | IG1, IG2, IG3
- ITAL shall establish and maintain a data inventory consistent with ITAL’s data management process established under Safeguard 3.1. The inventory shall include all sensitive data at a minimum, identifying where that data resides across ITAL systems, applications, databases, and storage environments — including cloud-hosted and third-party platforms.
- ITAL shall review and update the inventory at least annually, prioritizing sensitive data, and shall trigger an out-of-cycle review whenever significant changes to ITAL systems or data processing environments occur that could affect the accuracy or completeness of the inventory.
3.3 Configure Data Access Control Lists
Asset Type: Data | Security Function: Protect | IG1, IG2, IG3
- ITAL shall configure access control lists (ACLs) on all ITAL data stores (i.e., local and remote file systems, databases, and applications), restricting access based on each user’s documented need-to-know. ACLs shall grant the minimum permissions required for a user or process to perform its authorized function and shall be applied consistently across on-premises and cloud-hosted environments.
- ITAL shall review access control configurations whenever significant changes occur to ITAL systems, user roles, or data classification designations to ensure that permissions remain accurate and appropriately scoped.
3.4 Enforce Data Retention
Asset Type: Data | Security Function: Protect | IG1, IG2, IG3
- ITAL shall retain ITAL data in accordance with the data management process established under Safeguard 3.1, enforcing both minimum and maximum retention timelines based on data classification and applicable legal, regulatory, and operational requirements. Retention schedules shall be applied consistently across all storage environments, including on-premises systems, databases, and cloud platforms, and shall account for data in backup and archival systems as well as primary storage.
- ITAL shall implement technical controls, where supported, to enforce retention boundaries automatically, and shall document exceptions where manual processes are required to meet retention obligations.
3.5 Securely Dispose of Data
Asset Type: Data | Security Function: Protect | IG1, IG2, IG3
- ITAL shall securely dispose of ITAL data in accordance with the data management process established under Safeguard 3.1, applying disposal methods commensurate with the sensitivity of the data being destroyed. Disposal shall apply to all media types and storage environments where ITAL data resides, including physical media, end-user devices, servers, databases, removable storage, and cloud-hosted platforms, and shall render the data unrecoverable through methods appropriate to the medium — such as cryptographic erasure for encrypted storage, secure overwriting for magnetic media, or physical destruction for hardware that cannot be sanitized through software means.
- ITAL shall document completed disposal actions, including the method used, the data or media involved, and the date of disposal, to support audit and compliance requirements.
3.6 Encrypt Data on End-User Devices
Asset Type: Data | Security Function: Protect | IG1, IG2, IG3
Standard: Data Encryption
- ITAL shall enable full-disk or volume-level encryption on all ITAL-owned end-user devices that store or have the potential to store sensitive data, including laptops, tablets, and smartphones.
- Encryption shall be configured prior to deployment or as part of the standard device build process.
- Encryption keys shall meet the length and strength requirements of the Data Encryption Standard.
3.7 Establish and Maintain a Data Classification Scheme
Asset Type: Data | Security Function: Identify | IG1, IG2, IG3
- ITAL shall establish and maintain a formal data classification scheme that assigns sensitivity labels to all categories of ITAL data based on the potential impact of unauthorized disclosure, modification, or destruction. The classification scheme shall define distinct sensitivity tiers — such as Public, Internal, Confidential, and Restricted — and shall specify the handling, access, transmission, storage, and disposal requirements associated with each tier, providing a consistent framework that downstream technical controls and operational procedures can reference.
- ITAL shall apply the classification scheme to ITAL’s data inventory maintained under Safeguard 3.2 and ensure that data owners understand their classification responsibilities.
- ITAL shall review and update the scheme at least annually or whenever significant changes to ITAL operations, regulatory obligations, or data processing environments occur that could affect how data is categorized.
3.8 Document Data Flows
Asset Type: Data | Security Function: Identify | IG2, IG3
- ITAL shall document data flows for all ITAL systems and applications that process, transmit, or store sensitive data, including flows between internal systems, flows to and from cloud-hosted platforms, and flows involving third-party service providers. Data flow documentation shall identify the source and destination of data, the transmission method and protocol, the sensitivity classification of the data in transit, and any boundary crossings between network segments or external entities.
- ITAL shall maintain data flow documentation as a living record, reviewing and updating it at least annually or whenever significant changes to ITAL systems, integrations, or service provider relationships occur that could alter how sensitive data moves through the environment.
3.9 Encrypt Data on Removable Media
Asset Type: Data | Security Function: Protect | IG2, IG3
Standard: Data Encryption
- ITAL shall ensure that all ITAL data written to removable media — including USB drives, external hard drives, optical media, and tape — is encrypted prior to or at the time of transfer, using encryption standards consistent with the sensitivity of the data being stored. ITAL shall implement technical controls, where supported, to enforce encryption on removable media at the endpoint level, preventing unencrypted sensitive data from being written to removable storage devices.
- Removable media containing ITAL data shall be treated as a high-risk asset given its susceptibility to loss or theft, and any unencrypted removable media found to contain sensitive data shall be treated as a security incident requiring immediate response under ITAL’s incident management process.
3.10 Encrypt Sensitive Data in Transit
Asset Type: Data | Security Function: Protect | IG2, IG3
Standard: Data Encryption
- ITAL shall configure all ITAL systems and applications that transmit sensitive data to use approved encryption protocols — such as Transport Layer Security (TLS) or Secure Shell (SSH) — ensuring that sensitive data is protected against interception or tampering while in transit across internal networks, external connections, Bluetooth links, and cloud-hosted environments. Unencrypted protocols for transmitting sensitive data shall be disabled or blocked at the network level, and any legacy systems requiring unencrypted transmission shall be documented as exceptions with compensating controls identified and residual risk accepted through the appropriate approval process.
- ITAL shall accept only keys and certificates from trusted issuers and shall use encryption keys that meet the Data Encryption Standard.
- ITAL shall review encryption configurations at least annually and whenever significant changes to network architecture, system integrations, or applicable standards occur that could affect the adequacy of in-transit protections.
3.11 Encrypt Sensitive Data at Rest
Asset Type: Data | Security Function: Protect | IG2, IG3
Standard: Data Encryption
- ITAL shall configure encryption for all ITAL servers, applications, and databases that store sensitive data, applying storage-layer encryption at minimum and additional application-layer encryption where the sensitivity of the data or regulatory requirements warrant a higher level of protection. Encryption shall be implemented such that access to the underlying storage device or media does not grant access to plaintext data.
- Encryption key management shall be handled separately from the encrypted data to prevent a single point of compromise.
- ITAL shall maintain documentation of encryption coverage across all sensitive data repositories and treat any unencrypted sensitive data store as a security exception requiring immediate remediation.
- ITAL shall review encryption configurations at least annually or whenever significant changes to ITAL infrastructure or data classification designations occur.
3.12 Segment Data Processing and Storage Based on Sensitivity
Asset Type: Data | Security Function: Protect | IG2, IG3
- ITAL shall segment ITAL network infrastructure and system architecture so that sensitive data is processed and stored only on enterprise assets designated and configured for that sensitivity level, preventing sensitive data from commingling with systems intended for lower-sensitivity workloads. Segmentation shall be enforced through technical controls such as VLANs, firewall rules, and access control policies that restrict lateral movement between segments, ensuring that a compromise of a lower-sensitivity environment cannot be leveraged to access sensitive data stores.
- ITAL shall document the segmentation architecture as part of the data flow documentation maintained under Safeguard 3.8.
- ITAL shall review segment boundaries at least annually and evaluate segmentation controls whenever significant changes to ITAL infrastructure, application deployments, or data classification designations occur that could affect the integrity of the segmentation design.
3.13 Deploy a Data Loss Prevention Solution
Asset Type: Data | Security Function: Protect | IG3
- ITAL shall deploy and maintain an automated Data Loss Prevention (DLP) solution capable of identifying, monitoring, and controlling sensitive data stored, processed, or transmitted across ITAL enterprise assets, including endpoints, servers, and cloud-hosted platforms managed by third-party service providers.
- The DLP solution shall be configured to detect sensitive data based on ITAL’s data classification scheme established under Safeguard 3.7, generate alerts on policy violations, and enforce controls that prevent unauthorized transmission or exfiltration of sensitive data across network boundaries, removable media, email, and cloud storage channels.
- ITAL shall use findings from DLP monitoring to update ITAL’s data inventory maintained under Safeguard 3.2 and to tune detection policies to reduce false positives while maintaining effective coverage.
- ITAL shall review DLP configurations at least annually or whenever significant changes to ITAL data processing environments or classification requirements occur.
3.14 Log Sensitive Data Access
Asset Type: Data | Security Function: Detect | IG3
- ITAL shall enable and maintain audit logging on all ITAL systems, applications, and databases that store or process sensitive data, capturing access events including reads, writes, modifications, transfers, and disposal actions performed against sensitive data assets. Log configurations shall record sufficient detail to support forensic investigation and compliance reporting, including at minimum the user or process initiating the action, the timestamp, the data or object accessed, and the type of operation performed.
- ITAL shall ensure that sensitive data access logs are forwarded to a centralized log management platform consistent with ITAL’s audit log management process under CIS Control 8, retained for a period sufficient to meet legal and regulatory obligations, and reviewed on a regular basis to detect unauthorized or anomalous access patterns that could indicate a breach or policy violation.
3.15 Protect Cryptographic Keys
Asset Type: Data | Security Function: Protect
Standard: Data Encryption
Encryption keys shall be stored in one or more key management systems that meet the following security requirements:
- ITAL shall safeguard the security of encryption keys to ensure that they remain confidential and available.
- Key management shall be fully automated so that system administrators do not have the opportunity to expose a key or influence key generation.
- Keys in storage and in transit shall be encrypted.
- Decryption keys shall not be associated with user accounts.
- Documentation and procedures are required to protect keys.
- Access to cryptographic keys shall be restricted to the fewest number of custodians necessary.
- Cryptographic keys shall be stored in the fewest possible locations.
- Keys shall be retired, replaced, or archived when the integrity of a key has been weakened or a key is suspected of being compromised.
- Cryptographic key custodians shall formally acknowledge that they understand and accept their key-custodian responsibilities.
- Evidence of compliance shall be available to ITAL or an authorized auditor upon request.