Control Objectives:
7.1 Sensitive production data is only collected and retained on software vendor systems where there is a legitimate business or technical need.
Test Requirements:
7.1 The assessor shall examine vendor evidence and interview personnel to confirm the following:
- A mature process exists to record and authorize the collection and retention of any sensitive production data.
- An inventory of sensitive production data captured or stored by the software vendor’s products and services is maintained.
- Decisions to use sensitive production data are approved by appropriate software vendor personnel.
- Decisions to use sensitive production data are recorded and reasonably justified.
Guidance:
To protect the confidentiality of any sensitive production data—that is, sensitive data that is owned by an entity other than the software vendor— and stored on software vendor systems, such data should never be used for purposes other than those for which the data was originally collected. If the software vendor provides services to its stakeholders that could result in the collection of sensitive production data⎯for example, for troubleshooting or debugging purposes⎯then the software vendor should record which specific data elements it collects and retains, and clearly communicate what data elements are collected and why they are collected to its customers and other relevant stakeholders.
The inventory of sensitive production data retained by the software vendor should include identification of the specific data elements captured, whether storage of each element is permitted, and the security controls required—for example, to protect confidentiality and/or integrity—for each data element during storage and transmission.
