CDMC 14 Key Controls

Manage and protect sensitive data in the cloud

Across every industry, one of the major hurdles of cloud adoption is having the necessary controls for protecting sensitive data. As part of the CDMC (Cloud Data Management Capabilities) framework, the CDMC Working Group published the CDMC 14 Key Controls and Automations, addressing this critical issue of managing sensitive data in the cloud.  

The CDMC model defines the comprehensive capabilities and best practices necessary to manage and control data in the cloud effectively. The CDMC Workgroup was formed by the EDM Council in May 2020 with over 300 participants from over 100 organizations, including major cross-industry consumers and providers of cloud services and technology in addition to leading advisory firms. 

The CDMC 14 Key Controls incorporate the many business and regulatory requirements of data management in the cloud. This supplementary document is intended primarily for cloud service and technology providers, delving into the key controls required by organizations, equivalent to their on-premise systems. It also highlights opportunities to support these controls with automation to further streamline the adoption of cloud services.

Download CDMC 14 Key Controls & Automations

The CDMC 14 Key Controls and Automations

Governance and accountability

1. Data Control Compliance must be monitored for all data assets containing sensitive data through metrics and automated notifications.

2. The Ownership field in a data catalog must be populated for all sensitive data or otherwise reported to a defined workflow.

3. A register of Authoritative Data Sources and Provisioning Points must be populated for all data assets containing sensitive data.

4. The Data Sovereignty and Cross-Border Movement of sensitive data must be recorded, auditable, and controlled according to defined policy.

Cataloging and classification

5. Cataloging must be automated for all data at the point of creation or ingestion, with consistency across all environments.

6. Classification must be automated for all data at the point of creation or ingestion and must always be on.

Accessibility and usage

7. Entitlements and Access for Sensitive Data must default to the creator and owner and access must be tracked for all sensitive data.

8. Data Consumption Purpose must be provided for all Data Sharing Agreements involving sensitive data.

Protection and privacy

9. Appropriate Security Controls must be enabled for sensitive data and evidence must be recorded.

10. Data Privacy Impact Assessments must be automatically triggered for all personal data according to its jurisdiction.

Data lifecycle

11. Data Quality Measurement must be enabled for sensitive data with metrics distributed when available.

12. Data Retention, Archiving, and Purging must be managed according to a defined retention schedule.

Data and technical architecture

13. Data Lineage information must be available for all sensitive data.

14. Cost Metrics directly associated with data use, storage, and movement must be available in the catalog.