What is the Data Segregation control?
Strike Graph's default control language is: "Data that is subject to specific laws and regulation is segregated to geographic cloud systems."
This language should be customized to reflect the specific process that your organization has defined. It's important that your stated control description accurately reflects how your organization implements this control.
Which framework are these for?
SOC 2 (Privacy criteria), GDPR, and ISO/IEC 27701:2019
Also relevant to HIPAA if your organization holds protected health information (PHI).
Why is this control important?
Data segregation is the practice of keeping different categories of data apart: in separate network segments (often called data segmentation), in separate accounts or tenants, or, as this control's language requires, in separate geographic regions of a cloud provider so that data subject to a particular law stays within a jurisdiction that law permits. Organizations do this for security, performance, and compliance reasons. Segregation gives you better control over where data is stored and how it flows, and it reduces the risk of unauthorized access or tampering, because a compromise or misconfiguration in one environment does not automatically expose data held in another.
One major benefit is improved security. Keeping sensitive data apart from less sensitive data shrinks the set of systems and people that can reach it. For example, placing financial data on a separate network segment from general employee data means that an account with access to the employee segment cannot read or modify the financial data unless a path to it has been explicitly granted.
Another benefit is improved network performance. Dividing a network into smaller segments reduces the traffic each segment carries, which matters most in large networks where total traffic volume is high.
Finally, segregation helps you comply with regulations and industry standards, and makes that compliance easier to demonstrate. In healthcare, patient data is subject to strict privacy rules such as HIPAA; keeping it apart from other data lets you apply the required handling and protection to exactly that data and show an auditor where it lives. The geographic aspect of this control is driven mainly by data-residency rules: GDPR, for instance, restricts transfers of personal data outside the EEA unless a recognized transfer mechanism is in place, so keeping EU residents' data in EU cloud regions is the most direct way to meet that obligation.
Who’s involved with these controls?
Typical control owner: Data Privacy Officer
Typical parties involved: Database admins, IT managers
How often should I perform this control?
Continuously. It is also worth setting up a process to periodically reassess your contracts and the laws you are subject to, since residency obligations change when you sign new customers, enter new markets, or add new cloud regions.
How do I demonstrate these controls?
Show how data that is required to be segregated is separated from other data, for example with a screenshot of the region or location setting of the bucket, database, or account that holds it, or an export from your cloud asset inventory that maps each data store to its region and network segment.
Identify which customer contracts require data to be housed in a separate environment or in a particular region, and keep a record of those requirements.
Identify which laws your organization is subject to and which of them require data to be kept in a particular jurisdiction or segregated from other data.
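The evidence steps above can be turned into a repeatable check rather than a one-off screenshot. The following Python script is an added example written for this article, not Strike Graph's own tooling: it audits a constructed inventory of cloud data stores against a residency policy and reports every store that holds regulated data outside its permitted regions, every data class that must be isolated but shares a network segment with other data, and every store that was never classified. The data-class names, region names, segment names, and the inventory itself are hypothetical; in practice the inventory would be exported from your cloud provider's asset inventory or CMDB.

```python
"""Added example: a data-residency and segregation check over a cloud asset inventory.

Illustrative code written for this article, not Strike Graph's tooling. The
inventory, policy, data-class names and region names are constructed for the
example; in practice the inventory would be exported from your cloud provider's
asset inventory or CMDB.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DataStore:
    name: str                # identifier of the bucket, database, etc.
    region: str              # cloud region the store is deployed in
    segment: str             # network segment / VPC / account it sits in
    data_classes: frozenset  # classifications of the data it holds


# Residency policy (constructed): for each regulated data class, the regions
# it may live in and whether it must have a network segment to itself.
RESIDENCY_POLICY = {
    "gdpr_personal": {"regions": {"eu-west-1", "eu-central-1"}, "isolate": False},
    "phi":           {"regions": {"us-east-1", "us-west-2"}, "isolate": True},
    "financial":     {"regions": {"us-east-1", "us-west-2", "eu-west-1"}, "isolate": True},
}

# Constructed inventory with one compliant store and several deliberate problems.
INVENTORY = [
    DataStore("crm-db", "eu-west-1", "vpc-eu-prod", frozenset({"gdpr_personal"})),
    # EU personal data replicated into a US analytics bucket: residency breach
    DataStore("analytics-s3", "us-east-1", "vpc-us-data", frozenset({"gdpr_personal", "logs"})),
    DataStore("ehr-db", "us-east-1", "vpc-us-phi", frozenset({"phi"})),
    # payroll data placed in the segment reserved for PHI: isolation breach
    DataStore("payroll-db", "us-east-1", "vpc-us-phi", frozenset({"financial"})),
    # a bucket nobody classified: it cannot be shown to be segregated at all
    DataStore("scratch-bucket", "us-west-2", "vpc-us-data", frozenset()),
]


def check_residency(stores, policy):
    """Flag regulated data held in a region its policy does not allow."""
    findings = []
    for store in stores:
        for data_class in sorted(store.data_classes):
            rule = policy.get(data_class)
            if rule is None:
                continue  # unregulated class: nothing to enforce
            if store.region not in rule["regions"]:
                findings.append(
                    f"{store.name}: {data_class} data in disallowed region {store.region}"
                )
    return findings


def check_isolation(stores, policy):
    """Flag data classes that must be isolated but share a segment with other classes."""
    classes_by_segment = {}
    for store in stores:
        classes_by_segment.setdefault(store.segment, set()).update(store.data_classes)
    findings = []
    for segment, classes in sorted(classes_by_segment.items()):
        for data_class in sorted(classes):
            rule = policy.get(data_class)
            others = classes - {data_class}
            if rule and rule["isolate"] and others:
                findings.append(
                    f"segment {segment}: {data_class} shares segment with {', '.join(sorted(others))}"
                )
    return findings


def check_classified(stores):
    """Flag stores with no classification: unclassified data cannot be proven segregated."""
    return [f"{s.name}: no data classification recorded" for s in stores if not s.data_classes]


def audit(stores, policy):
    """Run all checks; an empty list is the evidence that the control is met."""
    return (
        check_residency(stores, policy)
        + check_isolation(stores, policy)
        + check_classified(stores)
    )


if __name__ == "__main__":
    for finding in audit(INVENTORY, RESIDENCY_POLICY):
        print(finding)
```

Run against the constructed inventory, the script reports four findings: the EU personal data copied to a US region, the two-way segment sharing between PHI and financial data, and the unclassified bucket. Scheduling a run like this against a live inventory export and retaining a zero-finding result alongside the contract and legal analysis gives an auditor dated, repeatable evidence for the control instead of a single screenshot.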
