For many years there was a widespread misconception that encrypting data is equivalent to protecting it. If it’s encrypted, so the thinking goes, nobody else can access it, and it is therefore safe. While it is critical to encrypt data at rest as well as in transit, the job of protecting data goes much deeper. Encryption mitigates risk from specific attack scenarios, such as physically compromised hardware or a tapped network link, but the users and systems that handle the unencrypted data can still be readily targeted. CIS Control 3 provides a playbook for establishing a comprehensive data management plan with security at the forefront.

Key Takeaways for Control 3

At the heart of a strong data management plan is awareness surrounding the ‘Five Ws’ of the enterprise’s data:

  1. What data does the enterprise store or handle?
  2. Who should have access to it?
  3. Where is it stored or accessed?
  4. When should it be deleted?
  5. Why does it need protection?

A comprehensive data management plan incorporates the answers to these questions with policy decisions and incident response procedures. Knowing what data an enterprise produces or consumes as well as being able to classify it based on sensitivity are the keystones of such a plan.

Classifications suggested by CIS are “Sensitive,” “Confidential,” and “Public,” but enterprises may find the need for more custom data labels. The goal of a data inventory and classification is to segment systems based on the types of data they handle and develop fine-grained user permissions to limit data exposure. Data should not only be stored separately based on its classification, but systems which handle the data should also be segmented with users restricted to access only what they need. Classifications should also be tied to compliance obligations, where appropriate, and include (Read more...)
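As an added illustration (not code from the post or from CIS), the following Python sketch shows how the answers to the "Five Ws" can be carried into a small data inventory that enforces them: each asset records what it is, its classification, who owns it, where it lives, which system segment handles it, and when it expires. Access requires both a clearance covering the label and a need to reach the asset's segment, unlabelled assets fail closed, and a retention sweep lists what should have been deleted. The three labels are the ones CIS suggests; the ordering between them, the `segment` field, and the sample assets and principals are assumptions constructed for the example.

```python
"""Data inventory with classification-based access and retention checks.

Added example, not from the original post or from CIS. The sample assets,
principals, the 'segment' field and the clearance ordering are constructed
assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Least to most sensitive; these are the three labels CIS suggests.
LEVELS = {"Public": 0, "Confidential": 1, "Sensitive": 2}


@dataclass(frozen=True)
class DataAsset:
    name: str            # What data is it?
    classification: str  # Why does it need protection? (drives the controls)
    owner: str           # Who is accountable for it?
    location: str        # Where is it stored?
    segment: str         # Which system segment handles it? (assumed field)
    retention_days: int  # When should it be deleted?
    created: date


@dataclass(frozen=True)
class Principal:
    name: str
    clearance: str       # highest label this principal may read
    segments: frozenset  # segments this principal actually needs


def can_access(principal: Principal, asset: DataAsset) -> bool:
    """Least privilege: the clearance must cover the label AND the asset's
    segment must be one the principal needs. Unlabelled data fails closed."""
    if asset.classification not in LEVELS or principal.clearance not in LEVELS:
        raise ValueError(f"unknown classification label on {asset.name!r}")
    return (LEVELS[principal.clearance] >= LEVELS[asset.classification]
            and asset.segment in principal.segments)


def unlabelled(inventory) -> list:
    """Inventory gaps: assets nobody has classified yet."""
    return [a.name for a in inventory if a.classification not in LEVELS]


def due_for_deletion(inventory, today: date) -> list:
    """Assets whose retention period has elapsed as of `today`."""
    return [a.name for a in inventory
            if a.created + timedelta(days=a.retention_days) <= today]


# Constructed sample inventory and principals (not real systems).
INVENTORY = [
    DataAsset("customer-pii-db", "Sensitive", "data-protection",
              "db-cluster-1", "restricted", 730, date(2022, 1, 15)),
    DataAsset("vendor-contracts", "Confidential", "legal",
              "fileshare-legal", "corp", 2555, date(2023, 6, 1)),
    DataAsset("press-releases", "Public", "comms",
              "website-cdn", "dmz", 3650, date(2024, 3, 10)),
    # Never labelled: the inventory should surface this as a gap.
    DataAsset("old-marketing-export", "", "marketing",
              "laptop-share", "corp", 365, date(2023, 1, 1)),
]

ANALYST = Principal("analyst", "Sensitive", frozenset({"restricted"}))
CONTRACTOR = Principal("contractor", "Confidential", frozenset({"corp", "dmz"}))


if __name__ == "__main__":
    for p in (ANALYST, CONTRACTOR):
        for a in INVENTORY:
            try:
                print(f"{p.name:10} -> {a.name:22} {'ALLOW' if can_access(p, a) else 'DENY'}")
            except ValueError as err:
                print(f"{p.name:10} -> {a.name:22} DENY ({err})")
    print("unlabelled:", unlabelled(INVENTORY))
    print("due for deletion:", due_for_deletion(INVENTORY, date(2024, 6, 1)))
```

Note that the analyst, despite holding the highest clearance, is denied the legal file share because it is not in a segment they need; clearance alone is not a grant. The unlabelled asset is the one the inventory exists to find, and it is also the one the retention sweep flags, which is typical of forgotten exports.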