Today, I will be going over Control 13 from version 7 of the CIS top 20 Critical Security Controls – Data Protection. I will go through the nine requirements and offer my thoughts on what I’ve found.


Key Takeaways for Control 13

  • A wide array of difficulty. Some of these recommendations can be considered quick wins, such as blocking access to cloud storage providers. Others such as creating an inventory of sensitive information can be a never-ending process. This is one of the more difficult controls to fully implement and for good reason. Protecting data is the primary goal of everyone in information security.
  • Rely on hardening standards. Both CIS and DISA have hardening guidelines for mobile devices. These guidelines have recommendations on encrypting the drive as well as locking down USB access.
  • Look to control 6. DLP can be expensive to roll out. By collecting audit logs across devices, you can achieve some level of insight into data exfiltration of sensitive data with existing tools. Tag the assets with sensitive data and monitor those more carefully. Leverage baselines for both network and file data so anything suspicious can quickly be flagged.

Requirement Listing for Control 13

1. Maintain an Inventory of Sensitive Information

Description: Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization’s technology systems including those located onsite or at a remote service provider.

FinConDX 2021

Notes: Creating an initial list of where sensitive information is stored can be simple enough. The difficult task comes with maintaining the list and continually hunting for that data. This requirement is important since it will feed many requirements both for this Control as well as control 14.

2. Remove Sensitive Data or Systems Not Regularly Accessed by Organization

Description: Remove sensitive data or systems not (Read more...)