CIS Control 3 Explained: Data Protection

CIS Control 3 covers data protection. It calls for developing processes and technical controls to identify, classify, securely handle, retain and dispose of data.

The Importance of Control 3

Data now exists outside an enterprise's boundaries in contexts such as the cloud, remote devices and sharing with global partners. Sensitive information such as financial, intellectual and customer data must be protected. Enterprises must also adhere to international privacy regulations. Data privacy involves encryption and lifecycle management.

Implementation Groups (IGs)

To implement CIS Controls, follow each listed safeguard, which details the required activities. Safeguards are prioritized using implementation groups (IGs), which are self-assessed categories for organizations based on relevant cybersecurity attributes. You can think of them as levels of increasing security requirements, from IG1 (the most basic) to IG3 (the most advanced). Each higher group includes the safeguards of the groups below it.

For example, any IG1 safeguard must also be implemented at the IG2 and IG3 levels.

The Safeguards of Control 3

There are fourteen safeguards in CIS Control 3. They are listed and described below, along with the associated NIST CSF Function and the Implementation Group in which each one begins.

| Safeguard Number | Safeguard Title | NIST Security Function | Starting Implementation Group |
|---|---|---|---|
| Safeguard 3.1 | Establish and Maintain a Data Management Process | Govern | IG1 |
| Safeguard 3.2 | Establish and Maintain a Data Inventory | Identify | IG1 |
| Safeguard 3.3 | Configure Data Access Control Lists | Protect | IG1 |
| Safeguard 3.4 | Enforce Data Retention | Protect | IG1 |
| Safeguard 3.5 | Securely Dispose of Data | Protect | IG1 |
| Safeguard 3.6 | Encrypt Data on End-User Devices | Protect | IG1 |
| Safeguard 3.7 | Establish and Maintain a Data Classification Scheme | Identify | IG2 |
| Safeguard 3.8 | Document Data Flows | Identify | IG2 |
| Safeguard 3.9 | Encrypt Data on Removable Media | Protect | IG2 |
| Safeguard 3.10 | Encrypt Sensitive Data in Transit | Protect | IG2 |
| Safeguard 3.11 | Encrypt Sensitive Data at Rest | Protect | IG2 |
| Safeguard 3.12 | Segment Data Processing and Storage Based on Sensitivity | Protect | IG2 |
| Safeguard 3.13 | Deploy a Data Loss Prevention Solution | Protect | IG3 |
| Safeguard 3.14 | Log Sensitive Data Access | Detect | IG3 |