Encryption & Access
"Sensitive data within insider risk scope is encrypted in transit and at rest, with access restricted by business function and role."
This capability evaluates whether the organization has the ownership, process, evidence, and oversight needed to manage this area of insider-risk data protection.
What This Capability Means
Encryption & Access assesses whether the organization has a defined, repeatable, and evidence-supported approach to sensitive data within insider risk scope is encrypted in transit and at rest, with access restricted by business function and role. This includes the policies, roles, workflows, systems, data sources, technical controls, ownership practices, and oversight needed to make the capability operational.
Key Capability Factors
Encryption enforced by technical controls (KMS, EBS encryption, database TDE) and validated by configuration scans.
Key custody and rotation follow NIST SP 800-57 recommendations.
Least-privilege IAM policies segment keys and ciphertext across business units.
Access and decryption attempts logged and reviewed; anomalies escalate automatically.
Why This Capability Matters
This capability matters because insider-risk exposure often concentrates around sensitive data: where it is stored, who owns it, who can access it, how it moves, and whether controls actually protect it. Weaknesses in Data Protection & Privacy, Access & Authorization, Governance & Oversight can create blind spots, excessive access, unmanaged transfer paths, delayed response, and weak executive reporting. A mature capability helps the organization move from informal data handling to repeatable, defensible, and risk-informed protection.
Weakness vs. Maturity Indicators
- Sensitive data policies exist but are not clearly connected to classification, ownership, access, encryption, DLP, retention, disposal, monitoring, or evidence.
- Sensitive data discovery and inventory are incomplete across endpoints, cloud, SaaS, collaboration tools, repositories, and unmanaged locations.
- Asset owners, backup owners, review dates, classification decisions, and access approvals are missing, stale, or not enforced.
- Access rights, encryption requirements, DLP policies, transfer controls, and monitoring depth are not mapped to classification or business criticality.
- Data ingress, egress, and movement paths are not fully documented, logged, analyzed, or reviewed against expected behavior.
- Data at rest, in transit, or in use is not consistently protected, and exceptions or key-management practices are weakly governed.
- AI tools or AI-assisted workflows may process sensitive data without approved use cases, logging, minimization, human review, or audit trails.
- Data protection policy, SOPs, classification schemes, ownership rules, access controls, encryption requirements, retention rules, disposal expectations, and monitoring practices are aligned.
- Sensitive data is continuously discovered, tagged, inventoried, reconciled, and visible across endpoints, cloud, SaaS, collaboration platforms, and repositories.
- Every sensitive asset has an accountable owner, backup owner, classification review cadence, access approval process, and orphaned-asset escalation path.
- Access controls, DLP policies, encryption standards, transfer restrictions, and monitoring depth are mapped to data classification, criticality, and insider-risk exposure.
- Data movement is logged, analyzed, baselined, enriched with user and asset context, and escalated when activity deviates from expected paths or behavior.
- Data at rest, in transit, and in use is protected through defined controls, validated configurations, exception tracking, key management, and periodic control testing.
- AI-assisted classification, analytics, summaries, or dashboard narratives are validated, source-traceable, auditable, and governed by accountable human oversight.
Questions Leaders Should Ask
Question 1
Who owns DP.19 (Encryption & Access), and do they have authority to define expectations, approve exceptions, and drive remediation?
Question 2
What data, systems, users, transfer paths, and business processes are in scope for this capability?
Question 3
What evidence shows that sensitive data is classified, owned, protected, reviewed, and monitored over time?
Question 4
How are access, encryption, DLP, movement analytics, retention, and disposal mapped to data sensitivity and business criticality?
Question 5
How do gaps in this capability influence the roadmap, risk register, executive reporting, and residual-risk acceptance?
Question 6
How are AI-enabled tools, prompts, retrieval systems, summaries, analytics, or dashboards prevented from creating new sensitive-data exposure?
Evidence Examples
Evidence Type
Data protection policy, data handling standard, classification schema, retention/disposal policy, encryption standard, DLP policy, and approved transfer procedures
Evidence Type
Data inventory, CMDB/data catalog records, classification labels, asset criticality tiers, crown-jewel list, owner fields, backup owner fields, and review dates
Evidence Type
RACI matrix, data owner attestations, access approval records, recertification records, orphaned-asset reports, and remediation tickets
Evidence Type
Data-flow diagrams, ingress/egress inventories, SFTP/API/cloud/email/removable-media pathway records, and change-review approvals
Evidence Type
Access-control matrices, RBAC/ABAC rules, IAM entitlement catalog, privileged access records, and least-privilege review evidence
Evidence Type
Encryption configuration scans, key management records, exception approvals, backup encryption evidence, restore-test evidence, and data-at-rest/in-transit/in-use control validation
Evidence Type
DLP policy configurations, alert logs, tuning records, false-positive reviews, SOAR playbook outputs, escalation records, and movement analytics reports
Evidence Type
Training records for sensitive-data users, completion reports, quiz/simulation results, and role-based handling guidance
Evidence Type
Dashboard screenshots or reports showing classification, ownership, exposure, encryption state, access trends, data movement, and open findings
Evidence Type
AI-use register, approved AI workflow records, prompt/data-handling guidance, model-access records, output review notes, source-data references, and audit trails where AI-assisted workflows are used
Mapped Standards and Framework References
| Standard / Framework Reference | How It Relates to This Capability |
|---|---|
| NIST 800-53 (MP-5, SC-12, AC-4), ISO 27002 (8.2, 12.3, 13.2) | Relevant to Encryption & Access because it supports data protection, access control, asset ownership, classification, encryption, monitoring, risk management, evidence, or control expectations. |
| AI governance and responsible AI guidance | Relevant where AI-assisted discovery, classification, movement analytics, dashboard summaries, DLP tuning, or reporting influence this capability or process sensitive information. |
Use This Mapping to Ask:
Which control expectations are most relevant to this capability based on data type, system, workforce, geography, and legal environment?
What evidence would show that sensitive data is classified, owned, protected, monitored, and reviewed over time?
Where do data protection weaknesses create insider-risk exposure that should be reflected in the risk register?
How should AI-assisted data protection outputs be validated, documented, and overseen?
Which gaps should become roadmap actions with owners, dates, and measurable progress?
How RiskTKO® Operationalizes This Capability
Assessment evidence
Policies, data inventories, classification records, owner attestations, access matrices, encryption scans, DLP policies, movement logs, dashboard outputs, and other records used to evaluate current capability.
Risk evidence
Risk register items or exposure narratives connected to sensitive data location, classification gaps, orphaned assets, excessive access, weak encryption, uncontrolled transfers, DLP gaps, or AI-enabled data exposure.
Roadmap evidence
Recommended actions, owners, milestones, classification reviews, data-owner updates, access clean-up, DLP tuning, encryption improvements, AI-use controls, and completion status.
Executive evidence
Summaries showing current state, protection coverage, progress, remaining gaps, sensitive-data exposure, and risk reduction over time.
Assess, Prioritize, and Report with RiskTKO®
Protecting proprietary logic (scoring, weightings, and roadmap generation formulas) remains inside the software layer. RiskTKO® provides your team with the complete operational dashboard to evaluate this capability, document evidence, track actions, and deliver clean, executive-ready maturity metrics.