Home/BoK/Templates/Sensitive Data Inventory Checklist
Back to Hub
Last Reviewed: 2026-06-25
Reviewer Role: Insider Risk / Legal / Privacy review
Advanced Asset
Assets ModuleInteractive Sheet

Sensitive Data Inventory Checklist

A sensitive data inventory helps teams understand where high-value and regulated data resides, who can access it, and how it may move.

Primary Audience & Scope

Data owners, Privacy, Security, DLP, Compliance

When to Use

  • Starting or updating a related process.
  • Preparing a downloadable template or checklist.
  • Documenting a repeatable review.

Interactive Work Area

Fill or track items interactively and copy out to your Clipboard

Template Table Structure

FieldReader input / completion prompt
Data type
System/location
Data owner
Legal/regulatory driver
Sensitivity level
User populations
Third-party access
Retention expectation
Approved transfer paths
DLP/classification coverage
Known exceptions
Review cadence

Checklist Audit List

0% Done(0/5)
Check
Checklist item

Include structured and unstructured locations.

Evidence: Owner / date / evidence

Include collaboration and personal workspace risk.

Evidence: Owner / date / evidence

Flag regulated and employee data.

Evidence: Owner / date / evidence

Document data owners.

Evidence: Owner / date / evidence

Review transfer paths and AI tools.

Evidence: Owner / date / evidence

What Completion Looks Like

  • 1Required fields completed.
  • 2Owner and review date captured.
  • 3Legal/privacy review performed where relevant.
  • 4Output linked to related procedure or risk register.

Insider Risk Capability Framework™ (IRCF™) Alignment

Programmatic RelevanceProvides a reusable artifact for accountable insider risk work.
Non-legal-advice Compliance NoteThis resource is a planning aid and does not provide legal advice. Organizations should adapt it to their policies, jurisdictions, labor obligations, privacy requirements, contracts, and risk appetite. Sensitive monitoring, investigation, employment, evidence, legal hold, and employee-data activities should be reviewed by appropriate Legal, Privacy, HR, Compliance, and labor stakeholders before use.

Operationalize This Template in RiskTKO®

Use RiskTKO® or request ITMG® support to adapt this template, align it to the Insider Risk Capability Framework™, and connect the output to measurable exposure reduction. Data Owner Intake Form