CIS Control 3: Data Protection
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
Why is this CIS Control Critical?
Data is no longer only contained within an enterprise’s border, it is in the cloud, on portable end-user devices where users work from home, and is often shared with partners or online services who might have it anywhere in the world. In addition to sensitive data an enterprise holds related to finances, intellectual property, and customer data, there also might be numerous international regulations for protection of personal data. Data privacy has become increasingly important, and enterprises are learning that privacy is about the appropriate use and management of data, not just encryption. Data must be appropriately managed through its entire lifecycle. These privacy rules can be complicated for multi-national enterprises, of any size, however there are fundamentals that can apply to all.
Once attackers have penetrated an enterprise’s infrastructure, one of their first tasks is to find and exfiltrate data. Enterprises might not be aware that sensitive data is leaving their environment because they are not monitoring data outflows.
While many attacks occur on the network, others involve physical theft of portable end-user devices, attacks on service providers or other partners holding sensitive data. Other sensitive enterprise assets may also include non-computing devices that provide management and control of physical systems, such as Supervisory Control and Data Acquisition (SCADA) systems.
The enterprise’s loss of control over protected or sensitive data is a serious and often reportable business impact. While some data is compromised or lost as a result of theft or espionage, the vast majority are a result of poorly understood data management rules, and user error. The adoption of data encryption, both in transit and at rest, can provide mitigation against data compromise, and more importantly, is a regulatory requirement for most controlled data.
- 3.1: Establish and Maintain a Data Management Process
- 3.2: Establish and Maintain a Data Inventory
- 3.3: Configure Data Access Control Lists
- 3.4: Enforce Data Retention
- 3.5: Securely Dispose of Data
- 3.6: Encrypt Data on End-User Devices
- 3.7: Establish and Maintain a Data Classification Scheme
- 3.8: Document Data Flows
- 3.9: Encrypt Data on Removable Media
- 3.10: Encrypt Sensitive Data in Transit
- 3.11: Encrypt Sensitive Data At Rest
- 3.12: Segment Data Processing and Storage Based on Sensitivity
- 3.13: Deploy a Data Loss Prevention Solution
- 3.14: Log Sensitive Data Access