For many years there was a widespread misunderstanding that encrypting data is the same as protecting it. If it is encrypted, so the thinking goes, nobody else can access it, and it is therefore safe. Encrypting data at rest and in transit is critical, but the job of protecting data goes much deeper. Encryption mitigates specific attack scenarios, such as stolen hardware or a tapped network link, but the users, accounts and systems that handle the decrypted data remain just as easy to target. CIS Control 3 provides a playbook for establishing a comprehensive data management plan with security at the forefront.
Key Takeaways for Control 3
At the heart of a strong data management plan is awareness surrounding the ‘Five Ws’ of the enterprise’s data:
- What data does the enterprise store or handle?
- Who should have access to it?
- Where is it stored or accessed?
- When should it be deleted?
- Why does it need protection?
A comprehensive data management plan incorporates the answers to these questions with policy decisions and incident response procedures. Knowing what data an enterprise produces or consumes as well as being able to classify it based on sensitivity are the keystones of such a plan.
Classifications suggested by CIS are “Sensitive,” “Confidential,” and “Public,” but enterprises may find the need for more custom data labels. The goal of a data inventory and classification is to segment systems based on the types of data they handle and develop fine-grained user permissions to limit data exposure. Data should not only be stored separately based on its classification, but systems which handle the data should also be segmented with users restricted to access only what they need. Classifications should also be tied to compliance obligations, where appropriate, and include things like minimum and maximum data retention times as well as contextual incident response plans.
Safeguards for Control 3
3.1) Establish and Maintain a Data Management Process
Description: Establish and maintain a data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements based on sensitivity and retention standards for the enterprise. Review and update documentation annually or when significant enterprise changes occur that could impact this safeguard.
Notes: The security function associated with this safeguard is Identify, and it is a big one. This control encompasses most of the key takeaways discussed above for Control 3. The process of establishing and maintaining a data management process will be supported by some of the safeguards discussed next.
3.2) Establish and Maintain a Data Inventory
Description: Establish and maintain a data inventory based on the enterprise’s data management process. Inventory sensitive data at a minimum. Review and update inventory annually at a minimum with a priority on sensitive data.
Notes: The security function associated with this safeguard is Identify. The objective here is to have complete awareness over what data is produced, consumed, and retained on a network.
3.3) Configure Data Access Control Lists
Description: Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.
Notes: The security function associated with this safeguard is Protect. Success with this control means that every user and every system has access to exactly what they need and nothing more. This can be particularly tricky to implement with respect to network administrators who may typically have access to everything within a network.
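A concrete need-to-know check for the simplest ACL the safeguard names, file system permissions: the script below is an added example written for this page, not code from CIS or the original article. It reports every mode bit that lets someone other than the owner read, write or execute a file, which on a share holding sensitive data is almost always more than "exactly what they need". The sample file names and modes in the demo are constructed.

```python
import os
import stat
import tempfile
from typing import Dict, List

# Added example (not from the original article): audit POSIX permissions for
# access beyond the file owner. Directory traversal bits are deliberately out of
# scope here; this looks at regular files only.

def overexposure(mode: int) -> List[str]:
    """Describe every way a POSIX mode grants access beyond the owner."""
    checks = (
        (stat.S_IRGRP, "group-readable"),
        (stat.S_IWGRP, "group-writable"),
        (stat.S_IXGRP, "group-executable"),
        (stat.S_IROTH, "world-readable"),
        (stat.S_IWOTH, "world-writable"),
        (stat.S_IXOTH, "world-executable"),
    )
    return [name for bit, name in checks if mode & bit]

def audit_tree(root: str) -> Dict[str, List[str]]:
    """Map each regular file under root to its findings (empty list = owner-only)."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)               # do not follow symlinks out of the tree
            if not stat.S_ISREG(st.st_mode):
                continue
            findings[path] = overexposure(stat.S_IMODE(st.st_mode))
    return findings

if __name__ == "__main__":
    # Constructed sample files: one locked down, two exposed in different ways.
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("payroll.csv", 0o600), ("export.csv", 0o644), ("dump.sql", 0o666)):
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(b"constructed sample\n")
            os.chmod(path, mode)
        for path, issues in sorted(audit_tree(tmp).items()):
            print(os.path.basename(path), issues or ["owner-only"])
```

Run it against the directories that your data inventory marks as sensitive; anything that comes back with a non-empty list is a candidate for either a tighter mode or an explicit ACL entry naming the group that actually has a need to know.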
3.4) Enforce Data Retention
Description: Retain data according to the enterprise’s data management process. Data retention must include both minimum and maximum timelines.
Notes: The security function associated with this safeguard is Protect. The specific data retention policy to enforce should be informed by both regulatory compliance and common sense. The need to retain data for insight may need to be counter-balanced by the desire to avoid a headline-grabbing data breach.
3.5) Securely Dispose of Data
Description: Securely dispose of data as outlined in the enterprise’s data management process. Ensure the disposal process and method are commensurate with the data sensitivity.
Notes: The security function associated with this safeguard is Protect. This safeguard applies to all forms of data in both digital and hard copy. Commercial services are readily available to assist with the secure disposal of data.
3.6) Encrypt Data on End-User Devices
Notes: The security function associated with this safeguard is Protect. Encrypting data on end-user devices mitigates the risk of stolen or otherwise physically compromised devices by impeding an adversary's ability to recover useful information from the storage. Full-disk encryption does not generally protect data against malware, because once the device is unlocked the operating system decrypts the disk transparently for every running process; additional application- or file-level encryption can further safeguard sensitive data while it is not being accessed.
3.7) Establish and Maintain a Data Classification Scheme
Description: Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels such as “Sensitive,” “Confidential,” and “Public” and then classify their data according to those labels. Review and update the classification scheme annually or when significant enterprise changes occur that could impact this safeguard.
Notes: The security function associated with this safeguard is Identify. This safeguard represents a very fundamental step toward data protection. Having strict criteria for classifying data can inform other safeguards related to restricting data access. Classification labels may also feed into other policies such as data retention and incident response.
3.8) Document Data Flows
Description: Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s data management process. Review and update documentation annually or when significant enterprise changes occur that could impact this safeguard.
Notes: The security function associated with this safeguard is Identify. Taking steps to map out how data flows through an organization is instrumental toward safeguarding that data. This mapping when combined with data classifications can be used to vastly harden organizational data protection.
3.9) Encrypt Data on Removable Media
Description: Encrypt data on removable media.
Notes: The security function associated with this safeguard is Protect. Removable media can be more easily misplaced or stolen. Encrypting data on removable media can protect against inadvertent data loss in such an event.
3.10) Encrypt Sensitive Data in Transit
Description: Encrypt sensitive data in transit. Example implementations include Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).
Notes: The security function associated with this safeguard is Protect. Beyond simply encrypting data in transit, it is critical that the encryption be properly authenticated; otherwise an attacker on the path can terminate the encrypted session themselves and re-encrypt it onward to the real destination. For TLS, this means clients verify that the server's certificate chains to a trusted certification authority (CA) and that a name in the certificate matches the hostname the client intended to reach; a client that disables certificate verification or hostname checking has encryption without authentication. If the CA is an internal one, additional protections must be in place to ensure the integrity and confidentiality of the CA and its signing key. For SSH, this means validating host keys on first contact and investigating, rather than clicking through, any changed-host-key warning. In both cases, it is also critical to configure services to accept only current protocol versions (TLS 1.2 or later) and strong cipher suites.
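What "properly authenticated" looks like in a TLS client, as an added example written for this page (not code from CIS or the original article): a context that only encrypts, beside one that also verifies the chain, matches the hostname and refuses legacy protocol versions, plus a small audit function that tells the two apart. The `private_ca_bundle` parameter is an assumption standing in for wherever an enterprise keeps its internal CA's certificate.

```python
import ssl
from typing import List, Optional

# Added example (not from the original article): authenticated versus
# unauthenticated TLS client configuration using Python's standard ssl module.

def weak_client_context() -> ssl.SSLContext:
    """Encrypts the link but authenticates nobody: any certificate, any name,
    any protocol version the library can still speak. An attacker on the path
    can present a self-signed certificate and read everything."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False              # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx

def hardened_client_context(private_ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Requires a certificate chaining to a trusted CA, a name matching the
    host we dialled, and TLS 1.2 or newer. Pass the internal CA bundle path
    (assumed name) when servers use a local CA; that file, and the CA signing
    key behind it, then need the same protection as the data in transit."""
    ctx = ssl.create_default_context(cafile=private_ca_bundle)
    ctx.check_hostname = True               # compares the cert name to server_hostname
    ctx.verify_mode = ssl.CERT_REQUIRED     # fail the handshake without a valid chain
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the ways a context falls short of authenticated, modern TLS."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not verified")
    if not ctx.check_hostname:
        findings.append("certificate not matched against hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy protocol versions accepted")
    return findings

if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or ["ok"])
```

When the hardened context is used, `ctx.wrap_socket(sock, server_hostname="db.internal.example")` must be given the name the client intended to reach; connecting by IP address or by an alias that is not in the certificate fails the handshake, which is the safeguard working as designed rather than a bug to be silenced with `CERT_NONE`.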
3.11) Encrypt Sensitive Data at Rest
Description: Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as "server-side encryption," meets the minimum requirement of this safeguard. Additional encryption methods may include application-layer encryption, also known as "client-side encryption," where access to the data storage device(s) does not permit access to the plain-text data.
Notes: The security function associated with this safeguard is Protect. As noted, storage-layer (disk or server-side) encryption is only the minimum. It defends against lost disks, discarded drives and raw access to the storage medium, but it is transparent to anything running on the live system: a compromised account, application or database process reads the decrypted data exactly as a legitimate user would. Application-layer encryption, with keys held outside the storage system, limits what is recoverable even when the server holding the data has been fully compromised.
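The difference between the two layers, shown as an added example written for this page rather than code from CIS or the original article: the application seals each record before it reaches the database, so anyone with storage access (a DBA, a backup, a copied disk image) sees only ciphertext, and a record moved or edited at the storage level fails authentication instead of decrypting. The cipher is a standard-library encrypt-then-MAC construction (HMAC-SHA256 driven as a keystream generator, plus an HMAC tag) chosen only so the example runs anywhere; in production use a vetted AEAD such as AES-GCM from a real cryptography library and keep the key in a KMS or HSM, never beside the database. The key, record IDs and field values are constructed.

```python
import hashlib
import hmac
import os
import sqlite3
import struct
from typing import List, Tuple

# Added example (not from the original article): application-layer encryption
# in front of SQLite. Illustrative stdlib-only cipher; see the lead-in caveat.

NONCE_LEN = 16
TAG_LEN = 32

def _subkey(master: bytes, label: bytes) -> bytes:
    # Derive independent encryption and MAC keys from one master key.
    return hmac.new(master, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])

def _tag(mac_key: bytes, aad: bytes, nonce: bytes, ct: bytes) -> bytes:
    # Length-prefix the associated data so (aad, nonce, ct) cannot be re-split.
    return hmac.new(mac_key, struct.pack(">I", len(aad)) + aad + nonce + ct, hashlib.sha256).digest()

def seal(master: bytes, aad: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; the tag binds `aad` (here the record id)."""
    enc_key, mac_key = _subkey(master, b"enc"), _subkey(master, b"mac")
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + _tag(mac_key, aad, nonce, ct)

def unseal(master: bytes, aad: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkey(master, b"enc"), _subkey(master, b"mac")
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext truncated")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(mac_key, aad, nonce, ct)):   # verify first
        raise ValueError("authentication failed: tampered or mismatched record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class SensitiveStore:
    """The application holds the key; the database only ever sees sealed blobs."""

    def __init__(self, master_key: bytes, path: str = ":memory:"):
        self._key = master_key
        self._db = sqlite3.connect(path)
        self._db.execute("CREATE TABLE IF NOT EXISTS records (id TEXT PRIMARY KEY, blob BLOB)")

    def put(self, record_id: str, plaintext: bytes) -> None:
        blob = seal(self._key, record_id.encode(), plaintext)
        self._db.execute("INSERT OR REPLACE INTO records VALUES (?, ?)", (record_id, blob))
        self._db.commit()

    def get(self, record_id: str) -> bytes:
        row = self._db.execute("SELECT blob FROM records WHERE id = ?", (record_id,)).fetchone()
        if row is None:
            raise KeyError(record_id)
        return unseal(self._key, record_id.encode(), row[0])

    def raw_rows(self) -> List[Tuple[str, bytes]]:
        """What someone with storage-level access sees: ids and opaque blobs."""
        return self._db.execute("SELECT id, blob FROM records").fetchall()

    def overwrite_raw(self, record_id: str, blob: bytes) -> None:
        """Simulate an attacker with write access to the storage, bypassing the app."""
        self._db.execute("UPDATE records SET blob = ? WHERE id = ?", (blob, record_id))
        self._db.commit()

if __name__ == "__main__":
    store = SensitiveStore(os.urandom(32))                 # key lives with the app, not the DB
    store.put("patient-42", b"SSN=123-45-6789")            # constructed sample record
    print("storage view:", store.raw_rows()[0][1].hex()[:32], "...")
    print("application view:", store.get("patient-42"))
```

Because the record ID is authenticated along with the ciphertext, a storage-level attacker cannot even swap one patient's sealed value into another patient's row; the only thing raw storage access buys them is an opaque blob per record and the ability to delete data, which the logging in Safeguard 3.14 is there to catch.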
3.12) Segment Data Processing and Storage Based on Sensitivity
Description: Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data.
Notes: The security function associated with this safeguard is Protect. At the extreme, an organization could implement this safeguard with multiple networks, each assigned a sensitivity level. The goal is to prevent an attacker who has gained access to some data from thereby gaining access to all of it.
3.13) Deploy a Data Loss Prevention Solution
Description: Implement an automated tool such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data stored, processed, or transmitted through enterprise assets including those located onsite or at a remote service provider as well as to update the enterprise’s sensitive data inventory.
Notes: The security function associated with this safeguard is Protect. DLP tools are powerful against accidental data loss, but they may offer little protection against a determined attacker who deliberately exfiltrates data, for instance after encrypting or compressing it so the tool no longer recognizes it.
3.14) Log Sensitive Data Access
Description: Log sensitive data access including modification and disposal.
Notes: The security function for this safeguard is Detect. Maintaining an audit trail of how sensitive data was accessed can subsequently provide evidence of how a data incident occurred.