Control Framework
DAT: Data Protection
The Data Protection domain addresses data classification and the prevention of unauthorized disclosure. Six controls ensure that data sensitivity informs access decisions.
DAT-01 Data Classification
Requirement: Data accessible to agents shall be classified according to sensitivity levels with corresponding handling requirements.
Rationale: Risk-appropriate controls require understanding data value.
Evidence: Classification schema and application to data sources.
Profile: Essential
DAT-02 Access Restrictions by Classification
Requirement: Agent access to data shall be restricted based on data classification and agent authorization level.
Rationale: Ensures sensitive data is only accessible to appropriately authorized agents.
Evidence: Access control configuration mapped to classification levels.
Profile: Essential
DAT-03 Encryption in Transit
Requirement: All data transmitted between agents and tool servers shall be encrypted using TLS 1.2 or higher.
Rationale: Protects data from interception during transmission.
Evidence: TLS configuration and cipher suite settings.
Profile: Standard
DAT-04 Encryption at Rest
Requirement: Sensitive data persisted by agents shall be encrypted using AES-256 or equivalent.
Rationale: Protects data in the event of unauthorized access to storage systems.
Evidence: Encryption configuration and key management documentation.
Profile: Elevated
DAT-05 Output Sanitization
Requirement: Agent outputs shall be inspected for sensitive data before transmission to external recipients.
Rationale: Prevents inadvertent disclosure of confidential information.
Evidence: Sanitization rules and inspection logs.
Profile: Elevated
DAT-06 Retention Limits
Requirement: Data retained by agents shall be subject to defined retention periods after which automatic deletion occurs.
Rationale: Minimizes data exposure by limiting retention duration.
Evidence: Retention policy and deletion verification records.
Profile: Critical