CIS Control 13

CIS Control 13: Data Protection

The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information.

13.1: Maintain an Inventory of Sensitive Information

  • Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization’s technology systems, including those located on-site or at a remote service provider.

13.2: Remove Sensitive Data or Systems Not Regularly Accessed by Organization

  • Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall be used only as stand-alone systems (disconnected from the network) by the business unit that occasionally needs them, or shall be completely virtualized and powered off until needed.

13.3: Monitor and Block Unauthorized Network Traffic

  • Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.

13.4: Only Allow Access to Authorized Cloud Storage or Email Providers

  • Only allow access to authorized cloud storage or email providers.

13.5: Monitor and Detect Any Unauthorized Use of Encryption

  • Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

13.6: Encrypt Mobile Device Data

  • Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

13.7: Manage USB Devices

  • If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.

13.8: Manage System’s External Removable Media’s Read/Write Configurations

  • Configure systems not to write data to external removable media, if there is no business need for supporting such devices.

13.9: Encrypt Data on USB Storage Devices

  • If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Figure: System Entity Relationship Diagram

Copyright 2022, New Net Technologies LLC. All rights reserved. 