Today, I will be going over Control 10 from version 7 of the CIS top 20 Critical Security Controls – Data Recovery Capabilities. I will go through the five requirements and offer my thoughts on what I’ve found.

Key Takeaways for Control 10

  • Backups can save your company. After getting hit with ransomware, some companies have had to pay millions in ransom. While a Fortune 500 company may be able to take that type of hit, the vast majority of us cannot.
  • Don’t forget to test. Testing backups is just as critical as creating them. The test doesn’t have to be elaborate: restoring a single test file to a non-critical server takes a matter of minutes. It’s also worth running a full restore of a system every now and again, since a file-level test says nothing about whether a whole server comes back.
  • How often is a regular basis? This is the natural question when deciding how often to run a full, incremental, or differential backup. Regulatory frameworks give no official number, so work back from how much data loss (recovery point) and how much downtime (recovery time) the business can tolerate, and balance that against the performance and storage cost of backing up more often.
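As an added example (my code, not from the original post or from CIS), here is the restore test the second takeaway asks for, built around the full/incremental distinction from the third. It assumes tar.gz archives with a SHA-256 manifest of the whole tree, an incremental that holds only files whose hash changed since the previous manifest, and a restore test that extracts the chain into a scratch directory and diffs every file hash against the live source; the sample files are constructed inline.

```python
"""Added example (not from the original post or CIS): a tiny full/incremental
backup tool with the restore test the takeaways above call for.

Assumptions, all mine: archives are tar.gz; an incremental holds only files
whose SHA-256 changed since the previous full/incremental manifest; a restore
test extracts the chain into a scratch directory and diffs every file hash
against the live source. The sample files are constructed inline."""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Relative path -> sha256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(source, dest, prev_manifest=None):
    """Full backup when prev_manifest is None, otherwise incremental: only
    files whose hash differs from prev_manifest go into the archive. Returns
    (archive path, manifest of the whole tree) so the next run can diff."""
    current = hash_tree(source)
    changed = [rel for rel, h in current.items()
               if prev_manifest is None or prev_manifest.get(rel) != h]
    with tarfile.open(dest, "w:gz") as tar:
        for rel in changed:
            tar.add(source / rel, arcname=rel)
    return dest, current


def restore(archives, target):
    """Extract a full backup followed by its incrementals, in order, so later
    archives overwrite earlier copies. Members are checked before extraction:
    a backup fed to a restore is untrusted input like any other."""
    # Use the hardened extraction filter where this Python version has it.
    kw = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    for arc in archives:
        with tarfile.open(arc, "r:gz") as tar:
            members = tar.getmembers()
            for m in members:
                if m.name.startswith("/") or ".." in Path(m.name).parts or not m.isfile():
                    raise ValueError(f"refusing unsafe archive member {m.name!r}")
            tar.extractall(target, members=members, **kw)


def verify_restore(source, restored):
    """The actual test step: compare the restored tree with the live source.
    Returns relative paths that are missing, differ, or are unexpected."""
    src, dst = hash_tree(source), hash_tree(restored)
    return {"missing": sorted(set(src) - set(dst)),
            "changed": sorted(r for r in src if r in dst and src[r] != dst[r]),
            "extra": sorted(set(dst) - set(src))}


def demo(tamper=False):
    """Full backup, a day's edits, incremental backup, chained restore, verify.
    With tamper=True one restored file is corrupted to show the check firing."""
    with tempfile.TemporaryDirectory() as tmpdir:
        tmp = Path(tmpdir)
        src, bak, rst = tmp / "src", tmp / "backups", tmp / "restore"
        (src / "etc").mkdir(parents=True)
        bak.mkdir()
        rst.mkdir()
        # Constructed sample data, not taken from any real system.
        (src / "etc" / "app.conf").write_text("listen=127.0.0.1\n")
        (src / "data.db").write_bytes(os.urandom(4096))

        full, full_manifest = backup(src, bak / "full.tar.gz")

        # Simulate changes after the full backup: one edit, one new file.
        (src / "etc" / "app.conf").write_text("listen=0.0.0.0\n")
        (src / "new.txt").write_text("added after the full backup\n")
        incr, _ = backup(src, bak / "incr1.tar.gz", prev_manifest=full_manifest)

        restore([full, incr], rst)
        if tamper:
            (rst / "data.db").write_bytes(b"bit rot, or a bad tape")
        return verify_restore(src, rst)


if __name__ == "__main__":
    print("clean restore:", demo())
    print("tampered restore:", demo(tamper=True))
```

The point of `verify_restore` is that a restore test compares against the live source, not against the archive's own manifest: a backup that faithfully preserved corrupted or missing data would pass a self-check and still fail you on the day. The `tamper=True` run shows what a failed test looks like, and the member check in `restore` is there because an attacker who has reached your backups can plant a crafted archive just as easily as encrypt the rest.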

Requirement Listing for Control 10

1. Ensure Regular Automated Back Ups

Description: Ensure that all system data is automatically backed up on a regular basis.

Notes: There are many reasons to perform backups. Historically, availability was the driver for this control. Now that ransomware is prevalent in every industry, recovery from ransomware is an additional driver, and a way to show additional ROI for backup solutions.

2. Perform Complete System Backups

Description: Ensure that each of the organization’s key systems is backed up as a complete system through