9.2 Sensitive data is identified and access policy exists and is enforced

Verify that the list of sensitive data processed by the application is identified, and that there is an explicit policy for how access to this data must be controlled, encrypted and enforced under relevant data protection directives.

Levels: 3