Control 3 CIS v8 – Data Protection


Companies now need to place cybersecurity at the centre of their strategy if they want to avoid economic and legal consequences and high-impact damage to their reputation.

Those of us who work in this field know that the critical security controls are not a mere checklist; they are the backbone of a cybersecurity ecosystem.

The CIS Critical Security Controls are a starting point for companies implementing a security strategy: they allow companies and cybersecurity experts to prioritize different areas depending on the business model and on the economic, human and technological resources available.

Returning to the approach we have been following with the CIS v8 controls, let's look at how the critical security controls operate. Remember that these controls are, above all, categories that systematize the specific actions organizations must implement to build an effective security strategy.

The CIS guide establishes several safeguards for each critical security control, stipulating which assets they target, which security function they fulfil, and which types of companies should carry them out.


We have already covered four controls, 1, 2, 4 and 8; this time we will look at control number 3, "Data Protection".

Data Protection

"Establish and maintain an inventory of the data that must be protected, classify it according to its level of confidentiality and ensure that it is duly protected; for this you must develop processes and technical controls to identify, classify, manage, retain and securely dispose of the data."

Types of data

There are many types of data that a business can host and manage, including but not limited to:

  • Financial Data, such as payroll, tax, bank, credit card data, etc.
  • Personally Identifiable Information (PII) and Human Resources Data to include Social Security Numbers (SSNs), health information, addresses, dates of birth, etc.
  • Trade secrets, research, proprietary technologies, other forms of intellectual property, etc.
  • Data used to support customer-facing applications.
  • Personal information.
  • Metadata (e.g., file size, file type, date, source).
  • Information relating to the management of information systems (for example, network diagrams).
  • Information held in ERP and CRM systems, microservices, and applications for government.

Why is this CIS control critical?

We know that data is now highly dispersed: we no longer keep it only on-site, and it is no longer contained within the limits of a company. Much of it is in the cloud or on the portable devices of end users working from home, and it is often shared with partners or online services that may hold it anywhere in the world.

We must be aware of how critical a company's confidential data is, whether related to finances, intellectual property or customers. There are also numerous regulations for the protection of personal data, in our own countries and abroad, at the international level and in regional agreements or zones, which we must follow; however, I think they are not properly disseminated throughout the world, in the regions and of course in each country.

While it is true that data privacy has become increasingly important and companies are learning that privacy is about the proper use and management of data, not just encryption, those responsible must be clear that data has to be managed properly throughout its life cycle. I am sure these privacy rules can be complicated for companies; however, there are fundamentals that can be applied to everyone.

Once attackers have penetrated a company's infrastructure, one of their first tasks is to find and exfiltrate data. Companies may not realize that sensitive data is leaving their environment because they are not monitoring outbound data flows.

While many attacks occur on the network, others involve the physical theft of end-user portable devices, or attacks on service providers or other partners holding sensitive data. Other sensitive business assets may also include non-computing devices that provide management and control of physical systems, such as supervisory control and data acquisition (SCADA) systems.

Sub-controls (Safeguards)

  • 3.1: Establish and maintain a data management process.
  • 3.2: Establish and maintain a data inventory.
  • 3.3: Configure data access control lists.
  • 3.4: Enforce data retention.
  • 3.5: Securely dispose of data.
  • 3.6: Encrypt data on end-user devices.
  • 3.7: Establish and maintain a data classification scheme.
  • 3.8: Document data flows.
  • 3.9: Encrypt data on removable media.
  • 3.10: Encrypt sensitive data in transit.
  • 3.11: Encrypt sensitive data at rest.
  • 3.12: Segment data processing and storage based on sensitivity.
  • 3.13: Deploy a data loss prevention solution.
  • 3.14: Log sensitive data access.
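To make safeguards 3.2 (data inventory), 3.7 (classification scheme) and 3.4 (data retention) concrete, here is an added example, written for this article and not taken from CIS or any vendor tool: a small Python pass that takes a list of data assets, classifies each one from a representative excerpt (Social Security Number pattern, Luhn-validated payment card number, confidentiality marking, e-mail address) and flags assets whose retention period has expired. The assets, the tier names, the retention periods and the storage locations are all constructed assumptions; a real classification scheme and retention policy come from the business and its legal obligations.

```python
"""Added example: minimal data inventory + classification + retention check.

Everything here is illustrative. The sample assets, the tiers, the retention
periods and the storage paths are constructed assumptions, not CIS values.
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed classification scheme; a higher number means more sensitive.
TIERS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Assumed retention policy in days per tier (None = no expiry).
RETENTION_DAYS = {"public": None, "internal": 3 * 365,
                  "confidential": 7 * 365, "restricted": 7 * 365}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")          # 13-16 digits, optional separators
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
SECRET_RE = re.compile(r"\b(?:CONFIDENTIAL|TRADE SECRET|PROPRIETARY)\b", re.I)


def luhn_ok(number: str) -> bool:
    """Luhn checksum; cuts false positives from random digit runs."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 16:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> tuple[str, list[str]]:
    """Return (tier, findings) for a text excerpt using the assumed scheme."""
    findings = []
    if SSN_RE.search(text):
        findings.append("ssn")
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(text)):
        findings.append("payment_card")
    if SECRET_RE.search(text):
        findings.append("marked_confidential")
    if EMAIL_RE.search(text):
        findings.append("email")
    if "ssn" in findings or "payment_card" in findings:
        tier = "restricted"
    elif "marked_confidential" in findings:
        tier = "confidential"
    elif findings:
        tier = "internal"
    else:
        tier = "public"
    return tier, findings


@dataclass
class DataAsset:
    name: str
    owner: str
    location: str        # assumed path; a real inventory records the actual store
    last_modified: date
    sample: str          # representative excerpt; a real scan reads the store


@dataclass
class InventoryEntry:
    name: str
    owner: str
    location: str
    tier: str
    findings: list
    retention_expired: bool


def retention_expired(tier: str, last_modified: date, today: date) -> bool:
    days = RETENTION_DAYS[tier]
    return days is not None and (today - last_modified) > timedelta(days=days)


def build_inventory(assets: list, today: date) -> list:
    """Classify every asset and sort the inventory most-sensitive first."""
    entries = [InventoryEntry(a.name, a.owner, a.location, *classify(a.sample),
                              retention_expired(classify(a.sample)[0], a.last_modified, today))
               for a in assets]
    return sorted(entries, key=lambda e: TIERS[e.tier], reverse=True)


# Constructed sample assets (all values invented for this example).
SAMPLE_ASSETS = [
    DataAsset("payroll-2015.csv", "finance", "s3://assumed-bucket/hr/", date(2015, 3, 1),
              "employee,ssn,amount\nJ. Doe,123-45-6789,4200"),
    DataAsset("orders-export.json", "sales", "crm-db/orders", date(2024, 6, 10),
              '{"card": "4111 1111 1111 1111", "email": "buyer@example.com"}'),
    DataAsset("roadmap.docx", "product", "sharepoint://assumed-site/strategy", date(2023, 1, 15),
              "CONFIDENTIAL - do not distribute. Q3 launch plan"),
    DataAsset("mailing-list.csv", "marketing", "crm-db/contacts", date(2020, 5, 5),
              "alice@example.com,bob@example.com"),
    DataAsset("press-release.txt", "marketing", "www/public/", date(2019, 1, 1),
              "We are pleased to announce a new office."),
]


def demo_inventory() -> list:
    return build_inventory(SAMPLE_ASSETS, date(2024, 12, 1))


if __name__ == "__main__":
    for e in demo_inventory():
        flag = " RETENTION EXPIRED" if e.retention_expired else ""
        print(f"{e.tier:12} {e.name:20} owner={e.owner:10} findings={e.findings}{flag}")
```

Running it lists the two restricted assets first (the old payroll file, which is past its assumed retention period, and the order export with a card number), then the confidential roadmap, the internal mailing list (also past retention) and the public press release. The sorted, owner-tagged output is the inventory safeguard 3.2 asks for; the tier is the input to the access-control, encryption and segmentation safeguards that follow.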


For data protection there is a lot to do: methodologies, frameworks and laws require us to protect data comprehensively. I will not address all of that here; however, I would like to do an exercise that goes into more detail. It could become a very long article, so I will try to split it into sections, but not before finishing with the CIS v8 controls.

Remember that the business's own data protection requirements are part of the policies we must follow, in addition to the aforementioned data protection regulations and standards, in any environment.

Your friend,

I suggest the following resources for data protection:

NIST SP 800-88r1, Guidelines for Media Sanitization:

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf

NIST FIPS 140-2: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf

NIST FIPS 140-3: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf

For specific guidance on cloud environments, see the CIS Controls Cloud Companion Guide: https://www.cisecurity.org/controls/v8/

For guidance on tablets and smartphones, see the CIS Controls Mobile Companion Guide: https://www.cisecurity.org/controls/v8/
