CIS Control 11 Explained: Data Recovery

CIS Control 11 covers data recovery: establishing and maintaining data recovery plans and processes for enterprise assets so that, when an incident occurs, they can be restored to a pre-incident trusted state.

The Importance of Control 11

Cybersecurity and Information Technology (IT) incidents are inevitable since no system is perfect and failures can occur due to accidents or human error. Having data recovery procedures in place enables organizations to quickly recover from cyberattacks that disrupt systems. Recent backups are vital for restoring business operations to a trusted state.

Ransomware attacks have surged recently, becoming more organized and profitable. While not new, their frequency has increased significantly. When attackers encrypt data and demand a ransom, a recent backup can help restore operations. However, ransomware has evolved into an extortion tactic, with attackers exfiltrating data before encryption and demanding payment to prevent its sale or public exposure. In these cases, restoring from a backup aids recovery but may not resolve the entire issue, though it remains a critical step in minimizing damage.

Implementation Groups (IGs)

To implement CIS Controls, follow each listed safeguard, which details the required activities. Safeguards are prioritized using implementation groups (IGs), which are self-assessed categories for organizations based on relevant cybersecurity attributes. You can think of them as levels of increasing security requirements, from IG1, the most basic, to IG3, the most advanced. Each higher group includes the safeguards of the groups below it.

For example, any IG1 safeguard must also be implemented at the IG2 and IG3 levels.

The Safeguards of Control 11

There are five safeguards in CIS Control 11. They are listed below, along with the NIST CSF Function associated with each and the Implementation Group at which each begins.

| Safeguard Number | Safeguard Title | NIST Security Function | Starting Implementation Group |
|---|---|---|---|
| Safeguard 11.1 | Establish and Maintain a Data Recovery Process | Govern | IG1 |
| Safeguard 11.2 | Perform Automated Backups | Recover | IG1 |
| Safeguard 11.3 | Protect Recovery Data | Protect | IG1 |
| Safeguard 11.4 | Establish and Maintain an Isolated Instance of Recovery Data | Recover | IG1 |
| Safeguard 11.5 | Test Data Recovery | Recover | IG2 |