CIS Controls v8 Overview - Control 03

James Temples
2 min read · Nov 23, 2021


This week let’s look at Control 03 of the CIS Controls Version 8.

Control 03: Data Protection — Develops processes and technical controls to identify, classify, securely handle, retain, and dispose of data.

Why is this Control important?

Data is the lifeblood of an organization: customer data, financials, intellectual property, personal data, and more. It is no longer just on systems within organizational walls — it’s also in the cloud, on remote workstations, and on mobile devices. Data is also often shared with third parties. No matter its location, data must be available and protected.

Data privacy, which includes the appropriate use and management throughout its life cycle, has become increasingly important. Loss of control over any protected or sensitive data often results in a negative impact on an organization. While data can be lost due to cybersecurity attacks, the vast majority of data loss comes from poor data management and user errors. Data encryption is used to reduce the risk of unauthorized data access and is typically a regulatory requirement.

And its Safeguards?

The control has fourteen (14) Safeguards that cover Data Management, Data Classification, Access Control, Retention, Disposal, Encryption, and Data Loss, among other relevant specifics. It also includes Inventory (of Data) and Logging of Access, which are a common thread in most of the CIS Controls.

How is this Control implemented?

A Data Management program is established that covers the management framework, classification guidelines, and requirements for data protection, handling, retention, and disposal. Data classification is also used to help detail data sensitivity levels such as “Confidential” and “Public”. A data breach process should also be defined and included in the Incident Response plan (Control 17).

Key Reminder(s)

A Data Inventory is a key Safeguard of this control and lists the software (Control 02) accessing data at various sensitivity levels and the enterprise assets (Control 01) that host those applications. As with Controls 01 and 02, organizations must remember that this inventory is NOT a one-time occurrence; it is an ONGOING process that is a key input to the other controls.
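As an added illustration (not code from the original post), the cross-referencing this reminder describes can be run as a check: every data set must carry a known sensitivity label, sit on an asset present in the Control 01 inventory, and be accessed only by software present in the Control 02 inventory. The asset and software names, the sample data sets, and the “Internal” tier are constructed assumptions.

```python
"""Reconcile a Control 03 data inventory against the Control 01 asset
inventory and the Control 02 software inventory (constructed sample data)."""
from __future__ import annotations
from dataclasses import dataclass, field

# Labels the post names as examples ("Confidential", "Public"); the middle
# "Internal" tier is an assumption for illustration.
SENSITIVITY_LEVELS = {"Public", "Internal", "Confidential"}

@dataclass
class DataRecord:
    name: str                 # data set, e.g. a database or file share
    sensitivity: str          # classification label from SENSITIVITY_LEVELS
    hosted_on: str            # enterprise asset (Control 01) holding the data
    accessed_by: list[str] = field(default_factory=list)  # software (Control 02)

def reconcile(data_inventory, asset_inventory, software_inventory):
    """Return a list of findings; an empty list means the inventories agree."""
    findings = []
    for rec in data_inventory:
        if rec.sensitivity not in SENSITIVITY_LEVELS:
            findings.append(f"{rec.name}: unknown sensitivity '{rec.sensitivity}'")
        if rec.hosted_on not in asset_inventory:
            findings.append(f"{rec.name}: hosting asset '{rec.hosted_on}' not in Control 01 inventory")
        for sw in rec.accessed_by:
            if sw not in software_inventory:
                findings.append(f"{rec.name}: accessing software '{sw}' not in Control 02 inventory")
    return findings

def confidential_access_map(data_inventory):
    """Map each piece of software to the Confidential data sets it touches,
    the starting point for an access review or data-loss rule set."""
    access = {}
    for rec in data_inventory:
        if rec.sensitivity != "Confidential":
            continue
        for sw in rec.accessed_by:
            access.setdefault(sw, []).append(rec.name)
    return access

# Constructed inventories: one clean record, one on an unknown host with
# unknown software, and one with an unrecognised classification label.
ASSETS = {"db-srv-01", "file-srv-02"}
SOFTWARE = {"crm-app", "backup-agent"}
DATA_INVENTORY = [
    DataRecord("customer_db", "Confidential", "db-srv-01", ["crm-app", "backup-agent"]),
    DataRecord("marketing_site", "Public", "web-srv-09", ["cms"]),
    DataRecord("hr_share", "Secret", "file-srv-02", ["backup-agent"]),
]

if __name__ == "__main__":
    for finding in reconcile(DATA_INVENTORY, ASSETS, SOFTWARE):
        print("FINDING:", finding)
    print("Confidential access:", confidential_access_map(DATA_INVENTORY))
```

Re-running this against fresh exports of the three inventories is one way to make the inventory the ongoing process the post calls for rather than a one-time document.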

In the next post, we will look at Control 04: Secure Configuration of Enterprise Assets and Software.

Need to protect your data?

Contact Temples Consulting Group to schedule a no-cost consultation for Data Protection as well as Risk Assessment / Risk Remediation services using the CIS Controls.

If you enjoyed this post, please heart and follow!

#cybersecurity #security #infosec #informationsecurity #riskmanagement #ciscontrols #cissecuresuite #safeguards #ciscontrolsv8 #templesconsultinggroup #security #clarity #delivery #riskassessment #riskremediation #risk2remediation #software #cyber #governance #GRC #implementations #dataprotection #datasecurity


James Temples

Cybersecurity, Implementation, Continuity and Compliance Professional & Entrepreneur, CISSP