CIS Control 3: Data Protection

The Center for Internet Security (CIS) provides a set of Critical Security Controls to help organizations improve cybersecurity and regulatory compliance. CIS Control 3 covers data protection through data management for computers and mobile devices. Specifically, it details processes and technical controls to identify, classify, securely handle, retain and dispose of data. (Prior to version 8, this topic was covered by CIS Control 13.)

CIS Control 3 offers a comprehensive list of safeguards and benchmarks that organizations can adopt to protect data, which are detailed in the following sections:

3.1 Establish and Maintain a Data Management Process

Organizations should have a data management process that addresses data sensitivity, retention, storage, backup and disposal. Your data management process should follow a well-documented enterprise-level standard that aligns with the regulations your organization is subject to.

3.2 Establish and Maintain a Data Inventory

It’s important to identify what data your organization produces, retains and consumes, as well as how sensitive it is. This inventory should include both unstructured data (like documents and photos) and structured data (such as data stored in databases) and be updated annually. An accurate data inventory is vital to a variety of security processes, including risk assessment.

3.3 Configure Data Access Control Lists

Next, ensure that each user has access to only the data, applications and systems on your network that they need to do their job. In particular, be sure to implement access controls to protect your sensitive data from being exposed to people who shouldn’t have access to it.

Applying access controls will help your enterprise reduce the risk from internal and external threats. Users will be less likely to cause a data breach by accidentally or deliberately viewing files they aren’t supposed to see, and attackers who compromise an account will have access to less data.

Access control lists should be reviewed regularly so that permissions a user no longer needs are removed in a timely manner, such as when an employee moves to a different role or department.
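One way to run the review described above, shown as an added example that is not part of the original article. The role baseline, resource names, users and the `excess_grants` helper are all constructed for illustration; the classification labels follow the sensitive/private/public scheme mentioned under 3.7.

```python
from dataclasses import dataclass

# Assumed baseline: the permissions each role needs, per resource.
ROLE_BASELINE = {
    "finance-analyst": {"finance-share": {"read", "write"}, "hr-portal": {"read"}},
    "support-agent": {"ticket-db": {"read", "write"}},
}

# Assumed classification label for each resource.
CLASSIFICATION = {
    "finance-share": "sensitive",
    "hr-portal": "private",
    "ticket-db": "private",
}

@dataclass(frozen=True)
class AclEntry:
    user: str
    resource: str
    permission: str

def excess_grants(acl, user_roles):
    """Return ACL entries not justified by the holder's current role,
    ordered so that grants on the most sensitive resources come first."""
    findings = []
    for entry in acl:
        role = user_roles.get(entry.user)  # None when the user has no current role
        allowed = ROLE_BASELINE.get(role, {}).get(entry.resource, set())
        if entry.permission not in allowed:
            findings.append(entry)
    rank = {"sensitive": 0, "private": 1, "public": 2}
    # Unclassified resources sort with the most sensitive so they are reviewed early.
    findings.sort(key=lambda e: (rank.get(CLASSIFICATION.get(e.resource), 0),
                                 e.user, e.resource, e.permission))
    return findings

# Constructed sample: alice moved from finance-analyst to support-agent,
# bob holds one grant outside his role, carol no longer has any role.
SAMPLE_ROLES = {"alice": "support-agent", "bob": "finance-analyst"}
SAMPLE_ACL = [
    AclEntry("alice", "finance-share", "write"),
    AclEntry("alice", "ticket-db", "read"),
    AclEntry("bob", "finance-share", "read"),
    AclEntry("bob", "ticket-db", "write"),
    AclEntry("carol", "hr-portal", "read"),
]

if __name__ == "__main__":
    for finding in excess_grants(SAMPLE_ACL, SAMPLE_ROLES):
        print(f"revoke {finding.permission} on {finding.resource} from {finding.user}")
```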

3.4 Enforce Data Retention

Your organization may be subject to compliance regulations that control how long different types of data should be retained. Automating the data retention process as much as possible can help ensure compliance.

3.5 Securely Dispose of Data

There are many scenarios in which your organization may need to dispose of electronic or physical data. It may be old enough to not be useful anymore, or regulations may require it to be deleted after a certain period of time.

Your data disposal process and tools should be aligned with the sensitivity and format of each type of data. Data disposal services can help ensure that your company’s data doesn’t end up in the wrong hands.

3.6 Encrypt Data on End-User Devices

Encrypting data on end-user devices is a security best practice because it helps protect data from being misused if the device is compromised. Encryption tools can vary by operating system; they include Windows BitLocker, Linux dm-crypt and Apple FileVault.

3.7 Establish and Maintain a Data Classification Scheme

Classifying data using well-defined and stringent criteria helps you distinguish sensitive and critical data from the rest, facilitating the implementation of other CIS Control 3 safeguards. One basic scheme is to label data as sensitive, private or public.

Data classifications should be reviewed every year and whenever major changes are made to your company’s data protection policy.

3.8 Document Data Flows

Mapping the movement of data through your organization, as well as in and out of the enterprise, helps you identify any vulnerabilities that could weaken your cybersecurity.

3.9 Encrypt Data on Removable Media

Data residing on external hard drives, flash drives and other removable media should be encrypted to reduce the risk of it being exploited if the device is stolen.

3.10 Encrypt Sensitive Data in Transit

Critical data should be encrypted not only when stored but also while in transit. There are several options for this type of encryption, including Open Secure Shell (OpenSSH) and Transport Layer Security (TLS). The encryption must include authentication. For example, TLS uses valid DNS identifiers with authentication certificates signed by a trusted and valid certification authority.
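The difference between encrypted and authenticated transport, shown as an added example that is not part of the original article. It uses Python's standard `ssl` module; the function names are hypothetical.

```python
import socket
import ssl

def authenticated_client_context():
    """Client context that verifies the server's certificate chain against
    the system trust store and matches the certificate to the DNS name."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def encrypted_only_context():
    """Anti-pattern kept for comparison: traffic is encrypted, but the peer
    is never authenticated, so any certificate is accepted."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = False       # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def authentication_gaps(ctx):
    """List the authentication properties a client context does not enforce."""
    gaps = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        gaps.append("certificate chain is not verified against a trusted CA")
    if not ctx.check_hostname:
        gaps.append("certificate is not checked against the server's DNS name")
    return gaps

def open_authenticated(host, port=443, timeout=5.0):
    """Connect with authentication enforced. server_hostname is the DNS
    identifier the certificate must match; the handshake raises
    ssl.SSLCertVerificationError if validation fails."""
    ctx = authenticated_client_context()
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        return ctx.wrap_socket(sock, server_hostname=host)
    except Exception:
        sock.close()
        raise

if __name__ == "__main__":
    print(authentication_gaps(authenticated_client_context()))
    print(authentication_gaps(encrypted_only_context()))
```

Running `authentication_gaps` over the contexts an application builds at start-up is a cheap way to catch verification that was switched off during testing and never restored.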

3.11 Encrypt Sensitive Data at Rest

Organizations should encrypt all sensitive data at rest on servers, databases and applications. (End-user device encryption is covered in CIS Control 3.6.) Encrypting stored data helps ensure that only authorized parties can view and use it, even if others gain access to the storage device.

3.12 Segment Data Processing and Storage Based on Sensitivity

It’s also important to segment data processing and storage based on data classification, ensuring that sensitive data is treated with more care than other classes of data. Assets that typically manage less sensitive data should not manage sensitive data at the same time, since they might not have the appropriate security configuration to block attackers from gaining access.

3.13 Deploy a Data Loss Prevention Solution

Use an automated data loss prevention (DLP) solution to protect both on-site and remote data, particularly sensitive content, against data exfiltration. However, you still need a data backup strategy, as detailed in CIS Control 11.

3.14 Log Sensitive Data Access

Logging all actions involving sensitive data, including access, modification and disposal, is vital to prompt detection and response to malicious activity. Data access logs can also be helpful for post-attack investigations and analyses, and for holding culprits accountable.

Summary

All of the components of CIS Control 3 flow from the first safeguard (3.1), which emphasizes the need for a comprehensive data protection and management plan. This plan serves as a solid foundation for identifying critical data and protecting it by controlling who should have access to it and when.

By discovering and classifying your company’s data, you can protect it based on its value and sensitivity. Controlled access includes preventive measures to limit each user’s permissions; encryption of data both at rest and in motion to prevent attackers from exploiting any data they gain access to; network and account monitoring to spot suspicious activity in its early stages; and an incident response plan for dealing with data breaches. Putting these controls in place will help your organization improve its cybersecurity posture and comply with data protection regulations.

Dirk Schrader is a Resident CISO (EMEA) and VP of Security Research at Netwrix. A 25-year veteran in IT security with certifications as CISSP (ISC²) and CISM (ISACA), he works to advance cyber resilience as a modern approach to tackling cyber threats. Dirk has worked on cybersecurity projects around the globe, starting in technical and support roles at the beginning of his career and then moving into sales, marketing and product management positions at both large multinational corporations and small startups. He has published numerous articles about the need to address change and vulnerability management to achieve cyber resilience.