Last updated at Wed, 27 Mar 2024 19:45:36 GMT

This is a continuation of our CIS critical security controls blog series.

Data protection is one of the cornerstones of a solid security program, and it maps directly onto the CIA triad of confidentiality, integrity, and availability. Data protection, as characterized by Critical Control 13, is essentially secure data management. What do we mean by that?

What is CIS Critical Security Control 13?

Secure data management encompasses managerial, procedural, and technical controls that prevent data from leaving the environment in an unstructured or unauthorized way. This control overlaps with several others: it can only be effective if those other Critical Security Controls have been implemented successfully.

Managerial controls are a vital aspect of data protection. The foundation of a successful implementation is executive support for policies that outline what kinds of data the organization has, how they are classified or categorized, and what can and cannot be done with them. A data inventory is exceptionally useful for understanding your environment and how interconnected your systems and subsystems really are. It can also be used to help define data retention requirements and policies. Policies by themselves can't stop a breach or data leakage, but they give employees an understanding of how the organization uses data and what their role is in protecting it.

The second type of control used in data protection is the procedural control. Procedural controls provide structure and consistency within the organization for protecting data. Common examples are scanning for sensitive information to confirm that it is stored only where it is supposed to be stored, and developing processes, procedures, and configurations to ensure that data is routed to and stored in the appropriate places.
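As an added illustration of the "scan for sensitive information" control described above (this is example code written for this post, not a Rapid7 tool and not something the CIS document prescribes), the following script looks for payment card numbers in a set of files, validates each candidate with the Luhn check digit so that order numbers and dates are not reported as card data, masks the result, and flags only files that sit outside an approved store. The approved path, the file names, and the file contents are constructed for the example; the card numbers are published test numbers, not real accounts.

```python
import re
from typing import Dict, List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Hypothetical approved location for cardholder data. This path is an
# assumption made for the example, not a recommendation from the post.
APPROVED_STORES = ("/srv/cardholder/",)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:  # double every second digit counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return the digit-only form of every Luhn-valid candidate in text."""
    hits = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep only the last four digits so the report itself does not leak PANs."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_files(files: Dict[str, str],
               approved: Tuple[str, ...] = APPROVED_STORES) -> List[Tuple[str, str]]:
    """Report (path, masked PAN) for each card number found outside an approved
    store. Files inside approved locations are expected to hold cardholder
    data and are therefore not reported."""
    findings = []
    for path, content in files.items():
        if path.startswith(approved):
            continue
        for pan in find_card_numbers(content):
            findings.append((path, mask(pan)))
    return findings


# Constructed sample files: the first is in the approved store, the second is
# a card number in a user's home directory, the third is an order number that
# happens to be 16 digits long but fails the Luhn check.
SAMPLE_FILES = {
    "/srv/cardholder/orders.csv": "order_id,pan\n1001,4111111111111111\n",
    "/home/alice/notes.txt": "call back re card 5500 0000 0000 0004 tomorrow",
    "/tmp/export.log": "order 1234567890123456 shipped 2024-03-27",
}

if __name__ == "__main__":
    for path, masked in scan_files(SAMPLE_FILES):
        print(f"{path}: {masked}")
```

Only the note in the home directory is reported; the approved store is skipped by policy, and the 16-digit order number is rejected by the Luhn check, which is what keeps a scan like this from drowning in false positives. In a real deployment the same logic would run over a file share or mailbox export rather than an in-memory dictionary.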

Technical controls are what actually enforce protection on the data: encryption, blocking access to known file transfer and webmail sites, and disabling USB ports. Data Loss Prevention (DLP) and Privileged Account Management (PAM) tools can also be used to protect data. These controls are specifically called out in the sub-controls of Data Protection.

Why is CIS Critical Control 13 Important?

So why is data protection important? In many cases the law requires you to protect certain kinds of data, or you have regulatory obligations, such as PCI, to make good-faith efforts to protect it. Good data management programs use all three types of controls (managerial, procedural, and technical) to limit your exposure to the old axiom, "you don't know what you don't know." If you don't know what kinds of data you have, you don't know what you need to protect, where it lives, or what needs to be done to secure it.

Implementing CIS Critical Control 13

The bad news: Managerial controls can be the hardest to implement. They require executive sponsorship, leadership, and funding to set the tone for the organization and to ensure that resources are available. Everyone, from the CEO down, including the security team, has to eat the same dog food and follow the same rules.

The good news: Procedural and technical controls are usually easier to put in place, and some cost little or nothing, such as blocking USB mass storage devices, or blocking webmail and file transfer websites (get granular! If there is a business need to access these sites, allow only the people who have that need). Explore whole-disk encryption; most commercial operating systems in use today ship one at no extra cost. And don't forget to set appropriate file and folder permissions and ACLs so that access to data is restricted to those with a valid need to know. All of these can be done at relatively low cost, and together they provide a solid foundational layer of data protection for your organization.
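The permissions point above is easy to state and easy to get wrong at scale, so here is an added example (written for this post, not code from Rapid7 or from the CIS document) of the kind of check a practitioner would run: it walks a directory tree, flags every regular file that is readable or writable by "other" or that carries the setuid/setgid bits, and then strips those bits. The directory layout and file modes are constructed in a temporary directory for the example; on a real system you would point it at the shares that hold restricted data and review the findings before remediating.

```python
import os
import shutil
import stat
import tempfile
from typing import List, Tuple

# Bits that should not be set on files holding data restricted to a need-to-know group.
OTHER_BITS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH
SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID


def audit_tree(root: str) -> List[Tuple[str, str]]:
    """Return (relative path, reasons) for every regular file under root whose
    mode exposes it beyond owner and group. Symlinks are inspected with lstat
    and skipped rather than followed, so a link pointing outside the tree
    cannot drag unrelated files into the report."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue
            reasons = []
            if mode & stat.S_IROTH:
                reasons.append("world-readable")
            if mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if mode & SPECIAL_BITS:
                reasons.append("setuid/setgid")
            if reasons:
                findings.append((os.path.relpath(path, root), ", ".join(reasons)))
    return sorted(findings)


def remediate(root: str) -> int:
    """Strip the 'other' and setuid/setgid bits from every regular file under
    root. Owner and group permissions are left alone. Returns the number of
    files whose mode was changed."""
    changed = 0
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue
            wanted = mode & ~(OTHER_BITS | SPECIAL_BITS)
            if wanted != mode:
                os.chmod(path, stat.S_IMODE(wanted))
                changed += 1
    return changed


# Constructed sample layout (hypothetical paths and modes, not a real system):
# one correctly locked-down file, one world-readable export, one world-writable
# share file, and one setuid script.
SAMPLE_TREE = {
    "hr/review.docx": 0o600,
    "payroll/salaries.csv": 0o644,
    "share/export.csv": 0o666,
    "scripts/backup.sh": 0o4700,
}


def build_sample_tree() -> str:
    """Create SAMPLE_TREE under a fresh temporary directory and return its root."""
    root = tempfile.mkdtemp(prefix="cis13-")
    for rel, mode in SAMPLE_TREE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(path, mode)
    return root


def demo() -> Tuple[List[Tuple[str, str]], int, List[Tuple[str, str]]]:
    """Build the sample tree, audit it, remediate, and audit again."""
    root = build_sample_tree()
    try:
        before = audit_tree(root)
        changed = remediate(root)
        after = audit_tree(root)
    finally:
        shutil.rmtree(root)
    return before, changed, after


if __name__ == "__main__":
    before, changed, after = demo()
    for rel, reasons in before:
        print(f"{rel}: {reasons}")
    print(f"remediated {changed} file(s); remaining findings: {after}")
```

The audit and the fix are deliberately separate functions: run the audit first, confirm with the data owners that nobody outside the owning group needs those files, and only then remediate, since silently stripping permissions from a file an application depends on turns a confidentiality fix into an availability incident.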

The bottom line: We all have to take appropriate steps to protect our organization's sensitive data. Rapid7 offers several solutions, such as InsightIDR, Metasploit, and IOTSeeker, that can help determine what data is exposed and whether users are trying to circumvent controls or steal data outright. (Never discount the insider threat!) The Rapid7 Advisory Services team is also your ally in evaluating your security program's maturity, identifying gaps, and providing recommendations and solutions. Protecting you, and your data, is a common goal.