CIS Control 13

CIS Control 13: Data Protection

The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information.

13.1: Maintain an Inventory of Sensitive Information

  • Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization’s technology systems, including those located on-site or at a remote service provider.

13.2: Remove Sensitive Data or Systems Not Regularly Accessed by Organization

  • Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.

13.3: Monitor and Block Unauthorized Network Traffic

  • Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.

13.4: Only Allow Access to Authorized Cloud Storage or Email Providers

  • Only allow access to authorized cloud storage or email providers.

13.5: Monitor and Detect Any Unauthorized Use of Encryption

  • Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

13.6: Encrypt Mobile Device Data

  • Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

13.7: Manage USB Devices

  • If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.

13.8: Manage System’s External Removable Media’s Read/Write Configurations

  • Configure systems not to write data to external removable media, if there is no business need for supporting such devices.

13.9: Encrypt Data on USB Storage Devices

  • If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Figure: System Entity Relationship Diagram

Copyright 2020, New Net Technologies LLC. All rights reserved. 