Data Management

This checklist covers all information assets owned, including (but not limited to) information (electronic and non-electronic) and associated IT infrastructure such as software, networks, desktops, laptops and servers. Further, this policy applies to the owners, custodians and all users (employees, consultants and contractors) of such information assets.

| Domain | Subdomain | Control | Requirement |
| --- | --- | --- | --- |
| Data Management | Data Classification | Data Classification Criteria | [The organization's] data classification criteria are reviewed, approved by management, and communicated to authorized personnel [in accordance with the organization-defined frequency]; the data security management determines the treatment of data according to its designated data classification level. |
| Data Management | Choice and Consent | Terms of Service | Consent is obtained for [the organization's] Terms of Service (ToS) prior to collecting personal information and when the ToS is updated. |
| Data Management | Choice and Consent | Notice of Personal Information Disclosure | In accordance with [the organization] policy, [the organization] provides notice to individuals regarding legally required disclosures of personal information. |
| Data Management | Data Handling | External Privacy Inquiries | In compliance with [the organization] policy, [the organization] reviews privacy-related inquiries, complaints, and disputes. |
| Data Management | Data Handling | Test Data Sanitization | [Restricted (as defined by the organization's data classification criteria)] data is redacted prior to use in a non-production environment. |
| Data Management | Data Encryption | Encryption of Data in Transit | [Restricted (as defined by the organization's data classification criteria)] data that is transmitted over public networks is encrypted. |
| Data Management | Data Encryption | Encryption of Data at Rest | [Restricted (as defined by the organization's data classification criteria)] data at rest is encrypted. |
| Data Management | Data Encryption | Approved Cryptographic Technology | Where applicable, strong industry-standard cryptographic ciphers and keys with an effective strength greater than 112 bits are required for cryptographic security operations. |
| Data Management | Data Storage | Credit Card Data Restrictions | [The organization] does not store full-track credit card data, credit card authentication information, credit card verification codes, or credit card personal identification numbers (PINs) which [the organization] processes for payment. |
| Data Management | Data Storage | Personal Account Number Data Restrictions | [The organization] restricts personal account number (PAN) data such that only the first six and last four digits are displayed; authorized users with a legitimate business need may be provided the full PAN. |
| Data Management | Data Integrity | Changes to Data at Rest | [The organization] uses mechanisms to detect direct changes to the integrity of customer data and personal information; [the organization] takes action to resolve confirmed unauthorized changes to data. |
| Data Management | Data Removal | Secure Disposal of Media | [The organization] securely erases media containing decommissioned [Restricted (as defined by the organization's data classification criteria)] data and obtains a certificate or log of erasure; media pending erasure are stored within a secured facility. |
| Data Management | Data Removal | Customer Data Retention and Deletion | [The organization] purges or archives data according to customer requests or legal and regulatory mandates. |
| Data Management | Data Removal | Removal of PHI from Media | [The organization] removes electronic protected health information from electronic media if the media is made available for re-use. |
| Data Management | Social Media | Social Media | Sharing [the organization] [Restricted (as defined by the organization's data classification criteria)] data via messaging technologies, social media, and public websites is prohibited. |
| Data Management | Social Media | Publicly Accessible Content | Adobe protects its public information system presence with the following processes: only authorized and trained individuals may post public information, content is reviewed prior to publishing, information on public systems is reviewed periodically, and non-public information is removed from public systems upon discovery. |
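The Personal Account Number Data Restrictions control above (first six and last four digits displayed, full PAN only for users with a legitimate business need) is the one item in this checklist that states a concrete technique, so here is an added Python example of how an engineer might implement and verify it. This is illustrative code written for this page, not the organization's own implementation: the function names, the 13-19 digit PAN length bounds, the separator handling, and the log line are all assumptions or constructed inputs. The scanner at the end goes one step beyond the control text: it checks a log line for PAN-length digit runs that pass the Luhn check, so that an unmasked PAN leaking into logs can be detected, and it reports findings in masked form only.

```python
import re
from typing import List

# Assumed digit-length bounds for a primary account number (ISO/IEC 7812 range).
PAN_MIN_DIGITS = 13
PAN_MAX_DIGITS = 19

# Candidate pattern: 13-19 digits with optional single space or hyphen separators.
# Constructed for this example; adjust to the formats present in your own logs.
_PAN_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def normalize_pan(raw: str) -> str:
    """Strip spaces/hyphens and require a PAN-length digit string.

    Raising on malformed input keeps bad data out of the display path
    instead of silently producing a partial mask.
    """
    digits = re.sub(r"[ -]", "", raw)
    if not digits.isdigit() or not PAN_MIN_DIGITS <= len(digits) <= PAN_MAX_DIGITS:
        raise ValueError("input is not a PAN-length digit string")
    return digits


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right, subtracting 9
    from doubled values above 9, and requires the total to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(raw: str) -> str:
    """Return the PAN with only the first six and last four digits visible."""
    digits = normalize_pan(raw)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def display_pan(raw: str, has_business_need: bool) -> str:
    """Full PAN only when the caller has an established business need;
    the masked form is the default."""
    digits = normalize_pan(raw)
    return digits if has_business_need else mask_pan(digits)


def find_unmasked_pans(text: str) -> List[str]:
    """Scan text for unmasked PANs; return each finding in masked form so the
    detection output itself never reproduces the full number."""
    findings = []
    for match in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            findings.append(mask_pan(digits))
    return findings


# Constructed log line: the card number is the well-known Luhn-valid test value
# 4111 1111 1111 1111; the 13-digit customer_ref is a Luhn-invalid decoy.
SAMPLE_LOG = "INFO payment ok order=42 card=4111 1111 1111 1111 customer_ref=1234567890123"

if __name__ == "__main__":
    print(display_pan("4111 1111 1111 1111", has_business_need=False))
    print(find_unmasked_pans(SAMPLE_LOG))
```

The Luhn filter is what keeps the scanner useful on real logs: order numbers and reference IDs of the right length would otherwise flood the output, and a 20-digit run is not flagged at all because the word-boundary anchors refuse to split it.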