Data Protection Principles

Financial companies need to collect and share sensitive information to run their everyday business. Members of SIFMA’s Data Protection Working Group have developed a set of principles for the protection of sensitive data that aligns to the Cyber Risk Institute’s Financial Services Cybersecurity Profile and the NIST Cybersecurity Framework.

  • Data collection: Limit the collection of sensitive data to that which is directly relevant and
    necessary to accomplish a specified purpose
  • Data usage: Implement preventative and detective controls limiting access to sensitive
    data to authorized users only
  • Data sharing: Develop policies to protect information when it needs to be shared with
    external entities
  • Data Disposal: Securely eradicate, dispose, or destroy sensitive data when appropriate
  • Overarching Best Practices: Implement controls and policies to maintain a robust
    information security environment