Policy & SOP Detail - CNMI

> Previous Page > Policies List

P20W Data Transfer Policy

Policy Number: SLDS-25-001
Title: P20W Data Transfer Policy
Category: Data Governance
Effective Date/Time (ChST - CNMI): 10/15/2024 12:00 AM
View Full Policy :
1740439642_P20W Data Transfer Policy-APPROVED.pdf
Link(s) :
CNMI P20W Data Governance

POLICY STATEMENTS

Authorization and Approval
1. All data transfers must be authorized and approved by the respective CNMI P20W Executive Leadership member and SLDS Director.
Data Classification
1. Data must be classified according to its sensitivity and security. Classification levels include: Restricted, Confidential, Internal & Public.
2. Level of security measures for data transfer should correspond to its classification.
3. A data classification policy shall be developed and maintained by the DGC.
Data Transfer Methods
1. Electronic Transfer: Secure methods such as encrypted email, secure file transfer protocols (SFTP), or virtual private networks (VPN) via application programming interface (API) or extract, transform and load (ETL) processes.
2. Data transfer must be direct from partner agency source to the P20W data warehouse.
Encryption
1. All restricted, confidential and internal data must be encrypted during transfer using industry-standard encryption protocols.
2. Encryption keys must be managed and stored securely.
Access Control
1. Only authorized personnel should have access to data being transferred.
2. Access controls, such as password and multi-factor authentication, must be implemented.
Monitoring and Logging
1. All data transfers will be monitored and logged by the SLDS Program and contributing partner agency to ensure compliance with this policy.
2. Logs must include details such as the date and time of transfer, data transferred, parties involved, and method used.
Incident Management
1. Any data transfer incidents, such as data breaches or unauthorized access, must be reported immediately to the Data Governance Manager (DGM) and SLDS Director. DGM will then liaise to the P20W Executive Leadership.
2. An incident response plan will be created (and updated) by the DGC to address and mitigate potential risks. Until such time, the National Institute for Standards and Technology (NIST) cybersecurity framework will be applied.
Authorization and Approval
1. All data transfers must be authorized and approved by the respective CNMI P20W Executive Leadership member and SLDS Director.
Data Classification
1. Data must be classified according to its sensitivity and security. Classification levels include: Restricted, Confidential, Internal & Public.
2. Level of security measures for data transfer should correspond to its classification.