CIS Control 13: Data Protection
The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information.
13.1: Maintain an Inventory of Sensitive Information
- Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization’s technology systems, including those located on-site or at a remote service provider.
13.2: Remove Sensitive Data or Systems Not Regularly Accessed by Organization
- Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
13.3: Monitor and Block Unauthorized Network Traffic
- Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.
13.4: Only Allow Access to Authorized Cloud Storage or Email Providers
- Only allow access to authorized cloud storage or email providers.
13.5: Monitor and Detect Any Unauthorized Use of Encryption
- Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
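The three sub-controls above (13.3, 13.4 and 13.5) describe what an egress monitor should look for but not how such a check is built. The following is an added example, not CIS's own tooling or text: a small Python monitor run over constructed outbound flow records. It flags sensitive content leaving the network (a classification label or a Luhn-valid 16-digit number), transfers to email or cloud-storage hosts outside an approved list, and payloads whose byte entropy is close to 8 bits per byte on ports where the organization expects plaintext, which is the simplest signal that something is encrypting where it should not be. The provider list, the port list, the entropy threshold, the flow fields and every hostname are assumptions made for the example.

```python
import math
import re
from collections import Counter
from typing import Dict, List

# Assumed policy for this example (not from the CIS text).
APPROVED_PROVIDERS = {"mail.example-corp.test", "storage.example-corp.test"}  # 13.4
PLAINTEXT_PORTS = {21, 25, 80, 110, 143}   # 13.5: ports where plaintext is expected
ENTROPY_THRESHOLD = 7.0                    # bits per byte; encrypted data approaches 8.0
PROVIDER_CATEGORIES = {"email", "cloud_storage"}

# Assumed sensitive-content markers for 13.3.
LABEL_RE = re.compile(rb"\bCONFIDENTIAL\b")
CARD_RE = re.compile(rb"\b\d{16}\b")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: a crude but useful 'looks encrypted' signal."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on random 16-digit numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def inspect_flow(flow: Dict) -> List[str]:
    """Return the sub-control findings for one outbound flow record."""
    findings = []
    payload = flow["payload"]
    has_label = LABEL_RE.search(payload) is not None
    has_card = any(luhn_ok(m.decode()) for m in CARD_RE.findall(payload))
    if has_label or has_card:
        findings.append("13.3 sensitive content leaving the network")
    if flow["category"] in PROVIDER_CATEGORIES and flow["dst_host"] not in APPROVED_PROVIDERS:
        findings.append(f"13.4 {flow['category']} provider not approved: {flow['dst_host']}")
    if flow["dst_port"] in PLAINTEXT_PORTS and shannon_entropy(payload) >= ENTROPY_THRESHOLD:
        findings.append(f"13.5 high-entropy payload on plaintext port {flow['dst_port']}")
    return findings


def run_monitor(flows) -> Dict[str, List[str]]:
    """Map flow id -> findings, keeping only the flows that need an alert."""
    report = {}
    for flow in flows:
        found = inspect_flow(flow)
        if found:
            report[flow["id"]] = found
    return report


# Constructed sample flows (not real traffic). The "category" field is assumed
# to come from an upstream classifier that labels known email/storage services.
RANDOM_LIKE = bytes(range(256)) * 4   # uniform byte distribution: entropy exactly 8.0
SAMPLE_FLOWS = [
    {"id": "f1", "dst_host": "paste.unapproved.test", "dst_port": 80, "category": "cloud_storage",
     "payload": b"POST /upload HTTP/1.1\r\nHost: paste.unapproved.test\r\n\r\n"
                b"CONFIDENTIAL card=4111111111111111"},
    {"id": "f2", "dst_host": "storage.example-corp.test", "dst_port": 80, "category": "cloud_storage",
     "payload": RANDOM_LIKE},                      # approved host, but encrypted blob on port 80
    {"id": "f3", "dst_host": "mail.example-corp.test", "dst_port": 443, "category": "email",
     "payload": RANDOM_LIKE},                      # TLS to an approved provider: expected
    {"id": "f4", "dst_host": "webmail.unapproved.test", "dst_port": 443, "category": "email",
     "payload": RANDOM_LIKE[:512]},                # TLS, but to an unapproved email provider
    {"id": "f5", "dst_host": "www.example-news.test", "dst_port": 80, "category": None,
     "payload": b"GET / HTTP/1.1\r\nHost: www.example-news.test\r\n\r\n"},
]

if __name__ == "__main__":
    for fid, found in run_monitor(SAMPLE_FLOWS).items():
        print(fid, "->", "; ".join(found))
```

The entropy test is deliberately limited to ports where plaintext is expected; on 443 or other ports where TLS is normal, the same measurement would fire on every connection and tells you nothing. A production tool would add a trusted-destination list and TLS inspection, but the three checks above are the shape of the monitoring that 13.3 through 13.5 ask for.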
13.6: Encrypt Mobile Device Data
- Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
13.7: Manage USB Devices
- If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.
13.8: Manage System’s External Removable Media’s Read/Write Configurations
- Configure systems not to write data to external removable media, if there is no business need for supporting such devices.
13.9: Encrypt Data on USB Storage Devices
- If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
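Sub-controls 13.7 and 13.9 together imply an inventory that records whether each approved USB device is actually encrypted at rest. The following added example (not CIS or vendor code) shows one read-only check that such an inventory script can run: it reads the first 512 bytes of a volume and recognizes the LUKS magic at offset 0 and the BitLocker OEM identifier at offset 3 of an NTFS-style boot sector. Anything else, including a plain FAT volume, is reported as unrecognized and must be treated as unencrypted. The three volume images are constructed in the block; the device names and the `check_device` path interface are assumptions for the example.

```python
import struct
from typing import Dict

# On-disk signatures of two common full-volume encryption formats.
LUKS_MAGIC = b"LUKS\xba\xbe"    # first 6 bytes of a LUKS1/LUKS2 primary header
BITLOCKER_OEM = b"-FVE-FS-"     # OEM name field (bytes 3..10) of a BitLocker volume
SECTOR = 512


def classify_header(header: bytes) -> str:
    """Classify a volume from its first sector; 'unrecognized' means not provably encrypted."""
    if header[:6] == LUKS_MAGIC and len(header) >= 8:
        version = struct.unpack(">H", header[6:8])[0]   # big-endian uint16 after the magic
        return f"luks{version}"
    if header[3:11] == BITLOCKER_OEM:
        return "bitlocker"
    return "unrecognized"


def is_encrypted_at_rest(header: bytes) -> bool:
    return classify_header(header) != "unrecognized"


def check_device(path: str) -> str:
    """Read the first sector of a real block device or image file (assumed path)."""
    with open(path, "rb") as f:
        return classify_header(f.read(SECTOR))


def audit_inventory(images: Dict[str, bytes]) -> Dict[str, bool]:
    """Map device name -> encrypted-at-rest, the field a 13.7/13.9 inventory should carry."""
    return {name: is_encrypted_at_rest(hdr) for name, hdr in images.items()}


# Constructed first sectors (not real devices): only the bytes the check reads are meaningful.
SAMPLE_IMAGES = {
    "usb-luks": (LUKS_MAGIC + b"\x00\x02").ljust(SECTOR, b"\x00"),          # LUKS2 header
    "usb-bitlocker": (b"\xeb\x58\x90" + BITLOCKER_OEM).ljust(SECTOR, b"\x00"),
    "usb-fat32": (b"\xeb\x3c\x90" + b"MSDOS5.0").ljust(SECTOR, b"\x00"),    # plain FAT boot sector
}

if __name__ == "__main__":
    for name, hdr in SAMPLE_IMAGES.items():
        print(name, classify_header(hdr), "encrypted" if is_encrypted_at_rest(hdr) else "NOT encrypted")
```

A header check only proves that an encryption container is present, not that the key material is managed properly or that the whole device is covered; it is a cheap first filter for the inventory, to be backed by the management software that 13.7 calls for.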
Figure: System Entity Relationship Diagram
You can also learn more about the CIS controls here.
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License.
- CIS Control 1: Inventory and Control of Hardware Assets
- CIS Control 2: Inventory and Control of Software Assets
- CIS Control 3: Continuous Vulnerability Management
- CIS Control 4: Controlled Use of Administrative Privileges
- CIS Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
- CIS Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
- CIS Control 7: Email and Web Browser Protections
- CIS Control 8: Malware Defenses
- CIS Control 9: Limitation and Control of Network Ports, Protocols, and Services
- CIS Control 10: Data Recovery Capabilities
- CIS Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
- CIS Control 12: Boundary Defense
- CIS Control 13: Data Protection
- CIS Control 14: Controlled Access Based on the Need to Know
- CIS Control 15: Wireless Access Control
- CIS Control 16: Account Monitoring and Control
- CIS Control 17: Implement a Security Awareness and Training Program
- CIS Control 18: Application Software Security
- CIS Control 19: Incident Response and Management
- CIS Control 20: Penetration Tests and Red Team Exercises