CIS Control 3 for Data Protection
The CIS (Center for Internet Security) — which consists of multiple industry experts and leaders in government agencies — has a set of 18 universal, industry-agnostic guidelines, or “critical security controls” that organizations should implement, maintain, and enforce for cyber defense.
This article concerns CIS Control 3 — one of the top six controls that the CIS deems a “basic control.”
Data Protection Vs. Data Encryption
Enterprise data is no longer limited to physical environments, but exists on-prem, in the cloud, and in hybrid environments — and is often shared with third-party online partners or services. Personal and sensitive information like customer data, financial data, health data, IP, and more is highly regulated by privacy and protection laws and standards.
Data protection does not just mean data encryption. To meet protection and privacy compliance, organizations must look beyond traditional cybersecurity methods and focus on proper data collection, use, management, retention, and more. They must properly manage data throughout its entire lifecycle.
CIS Control 3 Safeguards
- Establish and maintain a data management process
— Security function: Identify
These processes need to address the sensitivity levels of data, who owns data, data retention limits, and data disposal for an organization based on sensitivity. - Establish and maintain a data inventory
— Security function: Identify
The inventory’s priority must be sensitive data. - Configure data access control lists
— Security function: Protect
Ensure that every user has access permissions for the systems, databases, and applications they need to do their jobs — and no more. - Enforce data retention
— Security function: Protect
Define and enforce retention for both minimum and maximum timeframes. - Securely dispose of data
— Security function: Protect
Define and enforce data disposal in accordance with sensitivity level. - Encrypt data on end-user devices
— Security function: Protect
Mitigate risk involving data loss on stolen or compromised devices by encrypting data. - Establish and maintain a data classification scheme
— Security function: Identify
Define and maintain a sensitivity-based classification framework, classifying data according to labels that are relevant to the business. CIS recommends “confidential,” “sensitive,” and “public,” for example. - Document data flows
— Security function: Identify
Map how data flows throughout an organization to further safeguard it. - Encrypt data on removable media
— Security function: Protect
Removable media poses a higher risk of data loss to theft or compromise. - Encrypt sensitive data in transit
— Security function: Protect
Encrypt data in transit and ensure that the encryption is properly authenticated. - Encrypt sensitive data at rest
— Security function: Protect
At a minimum, employ server-side encryption, and additionally add client-side encryption. - Segment data processing and storage based on sensitivity
— Security function: Protect
Ensure that data is only processed and stored according to its sensitivity level - Deploy a data loss prevention solution
— Security function: Protect
Protect against data loss by using automated tools such as a host-based DLP (data loss prevention) tool. - Log sensitive data access
— Security function: Detect
Maintain records of sensitive data access to simplify incident response in the event of a breach.
Components of CIS Controls — and Compliance
CIS Control 3 has components that directly impact regulatory compliance with a number of protection and privacy regulations, including, but not limited to:
Organizations that implement CIS controls are in a better position to meet compliance with these regulations. The NIST Cybersecurity Framework, which also provides guidelines for companies trying to strengthen their security posture, also aligns with many of the CIS CSC components.
BigID, Data Security, and CIS Control 3
To meet CIS Control 3 safeguards, companies must understand their data according to its sensitivity — and that capability only comes with knowing your data — enabling complete visibility into personal, sensitive, and critical data anywhere it exists, in the cloud or on-prem.
With BigID’s advanced classification techniques and coverage, organizations can create an accurate, comprehensive, and up-to-date inventory of all data assets, anywhere they exist — in the cloud or on-prem.
BigID automatically identifies unused, duplicate, similar, or redundant data to reduce unwanted exposure and minimize data. With additional apps for access intelligence, data retention, data remediation, and records of processing activities (RoPA), organizations can:
- Detect vulnerable, high-risk, and overexposed data
- Enable retention policies and business rules — and apply them consistently across data types and sources
- Prioritize remediation efforts to identify which data needs to be marked for removal
- Automate the generation of data flows encompassing data transfers
Additionally, BigID enables teams to orchestrate workflows so that the right people can take the right action on the right data. Take control and mark data for encryption, remediation, removal, and more through BigID and its ecosystem of integrations with tools across your tech stack.
Discover more about how BigID helps organizations with data protection according to the CIS Controls. Schedule a demo today.