FRAMEWORKS AND STANDARDS
Control 03: Data Protection
A summary about data protection and management
Published Date: October 7th, 2024
Product Line: CIS Controls
Audience: Executives, Security Administrators, Data Management Personnel
Get your copy of the CIS Controls V8.1 here.
Overview
Why is this control critical?
The theft of protected data is one of the largest cybersecurity threats that organizations face on a regular basis. Cybercriminal groups frequently target sensitive data including financial information, proprietary technology, and customer data for their financial gain, and to extort money from affected organizations. The theft of your data can be devastating for your operation and should be avoided at all costs. Protecting data in every stage of its life is a critical component of effective cybersecurity and can be implemented effectively with little effort.
Data Management Techniques
Implementing secure data procedures is crucial to protecting your data and preventing a breach of sensitive information. Common safeguards are dedicated to protecting data in the stages of its life including creation, storage, usage, archiving, and destruction. Your data management plan should cover all stages to effectively protect your data.
Some simple steps that you could implement today to protect your data are:
- Adoption of End-to-End Encryption. Important documents should only be sent and received through encrypted channels. Most email services have the capability to encrypt emails free of charge. (Click HERE for a tutorial on Gmail encryption, and HERE for a tutorial on Outlook encryption.) Additionally, communicating through encrypted chat features can further secure your operation.
- Creating and Implementing a Data Labeling System. Identifying what data is crucial to the operation is the first step in protecting important data. By assigning a sensitivity level (Public, Sensitive, Critical, etc.) you can begin to develop policy surrounding the storage of important data. If possible, critical data should be stored separately from other forms of data so that an attacker who compromises other systems cannot retrieve the sensitive information.
- Develop a List of all the Software and Individuals with Access to your Data and Update it Regularly. Tracking who and what has access to your data can help close gaps in your security before they are exploited. Additionally, an active list of users helps you identify when to remove access to a specific endpoint once it no longer serves a purpose. This strategy also helps you respond to an attack much more effectively than organizations that do not track which users have access to their data.
Enhanced Protection Against Common Threats
In addition to these simple strategies, there are more advanced and time-intensive protocols that should be adopted over time. These include:
- Establish and Maintain a Data Management Process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise.
- Establish and Maintain a Data Inventory. Establish a system to inventory sensitive data and perform an annual audit to identify how sensitive data is managed.
- Create a System to Log Sensitive Data Access. Identifying the users who have accessed sensitive data is the first line of detection and prevention against cyberattacks. There are a variety of platforms available to integrate data logs into your service. You can view a list HERE.
- Enforce Data Retention. Identify how long data will be retained with both minimum and maximum timelines.
- Create a Data Disposal Plan. Defining your organization’s data disposal plan is crucial to ensuring the security of deprecated data. Adopting and enforcing this plan helps an organization keep track of sensitive data and destroy it when it no longer has a use. You can view an example of an effective data destruction policy HERE.
- Encrypt Sensitive Data at Rest. Encrypting your data during storage is a fantastic way to ensure that it remains secure and inaccessible to malicious actors. There are many database tools that encrypt data by default. You can see a comprehensive explanation of this concept HERE.
- Document Data Flows. Document where data moves throughout your organization and through your third-party services. Review and update these data flows annually.
- Encrypt Data on Removable Media.
- Data Storage Based on Sensitivity. Segment data based on the sensitivity of the data. Ensure that sensitive data is not processed on assets intended for low sensitivity information.
- Deploy a Data Loss Prevention Solution. Implement a tool, such as a host-based Data Loss Prevention (DLP) system, to identify all sensitive data stored, processed, or transmitted through an organization.
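As an added example (not from the CIS Controls page or the CIS materials), the following Python sketch ties together three of the safeguards above: a sensitivity-labelled data inventory that records an owner and a minimum/maximum retention window per dataset, a retention check that reports which datasets are overdue for disposal, and an audit of an access log against the list of principals approved for each sensitive dataset. All dataset names, principals, dates and log lines are constructed for the example; a real deployment would read these from the inventory system and the access logs.

```python
from datetime import date

# Constructed sample inventory: one row per dataset with the fields the data
# management process calls for (sensitivity label, owner, retention window).
INVENTORY = [
    {"id": "payroll", "sensitivity": "Critical", "owner": "finance",
     "created": date(2019, 3, 1), "retain_min_days": 365 * 7, "retain_max_days": 365 * 7},
    {"id": "marketing-site", "sensitivity": "Public", "owner": "comms",
     "created": date(2024, 1, 10), "retain_min_days": 0, "retain_max_days": None},
    {"id": "crm-exports", "sensitivity": "Sensitive", "owner": "sales",
     "created": date(2021, 6, 15), "retain_min_days": 365, "retain_max_days": 365 * 2},
]

# Constructed access list: principals (people or software) approved per dataset.
ACCESS_LIST = {
    "payroll": {"hr-app", "alice"},
    "crm-exports": {"crm-sync", "bob"},
}

# Constructed access log: (dataset, principal, action) as a log collector might emit.
ACCESS_LOG = [
    ("payroll", "alice", "read"),
    ("payroll", "svc-backup", "read"),      # not on the payroll access list
    ("crm-exports", "crm-sync", "read"),
    ("marketing-site", "anyone", "read"),   # Public data, not audited
]


def retention_status(record, today):
    """Classify one inventory record against its retention window:
    'hold' (still inside the minimum), 'disposable' (past the minimum,
    within the maximum or no maximum set) or 'overdue' (past the maximum)."""
    age_days = (today - record["created"]).days
    if age_days < record["retain_min_days"]:
        return "hold"
    if record["retain_max_days"] is not None and age_days > record["retain_max_days"]:
        return "overdue"
    return "disposable"


def disposal_report(inventory, today):
    """Return the ids of datasets that must be destroyed now (past maximum retention)."""
    return sorted(r["id"] for r in inventory if retention_status(r, today) == "overdue")


def audit_access(inventory, access_list, log):
    """Flag reads of Sensitive/Critical datasets by principals not on the access list."""
    sensitive = {r["id"] for r in inventory if r["sensitivity"] != "Public"}
    return [(ds, who) for ds, who, _ in log
            if ds in sensitive and who not in access_list.get(ds, set())]
```

Run against the constructed data with `today = date(2024, 10, 7)`, the retention check reports only the CRM export as overdue and the access audit flags the single read of payroll data by an unlisted principal.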