CIS Control 14: Controlled Access Based on the Need to Know
The processes and tools used to track/control/prevent/correct secure access to critical assets (e.g., information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets based on an approved classification.
14.1: Segment the Network Based on Sensitivity
- Segment the network based on the label or classification level of the information stored on the servers, and locate all sensitive information on separated Virtual Local Area Networks (VLANs).
14.2: Enable Firewall Filtering Between VLANs
- Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
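The inter-VLAN filtering in 14.2 is most defensible when the policy is written as a default-deny forward chain with an explicit allowlist derived from the segment labels of 14.1. The following is an added example, not CIS material: it renders such an nftables ruleset from a constructed list of approved flows and checks the list for flows that jump sensitivity tiers. Interface names (vlan10/20/30), the segment ranking and the approved flows are assumptions; the nftables syntax itself is standard.

```python
"""Render a default-deny inter-VLAN nftables forward policy from an approved-flow list.

Added example, not CIS material. It assumes Linux nftables with one VLAN sub-interface
per segment; interface names, segment ranks and the approved flows are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str    # VLAN interface of the segment that opens the connection
    dst: str    # VLAN interface of the segment that serves it
    proto: str  # "tcp" or "udp"
    port: int


# Constructed sensitivity ranking of segments (0 = least sensitive).
RANK = {"vlan10": 0, "vlan20": 1, "vlan30": 2}   # workstations, app tier, restricted data

# The only new connections the business has approved; everything else is dropped.
APPROVED = [
    Flow("vlan10", "vlan20", "tcp", 443),    # workstations -> app tier over HTTPS
    Flow("vlan20", "vlan30", "tcp", 5432),   # app tier -> restricted database
]


def render_nft(approved, table="inter_vlan"):
    """Return an nftables ruleset whose forward chain drops by default and accepts
    only the listed flows (reply traffic is allowed through conntrack state)."""
    lines = [
        f"table inet {table} {{",
        "    chain forward {",
        "        type filter hook forward priority 0; policy drop;",
        "        ct state established,related accept",
    ]
    for flow in dict.fromkeys(approved):        # de-duplicate while keeping order
        if flow.proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol {flow.proto!r}")
        if not 1 <= flow.port <= 65535:
            raise ValueError(f"bad port {flow.port}")
        lines.append(
            f'        iifname "{flow.src}" oifname "{flow.dst}" '
            f"{flow.proto} dport {flow.port} accept"
        )
    # Log what the default policy drops so the SIEM sees attempted cross-segment access.
    lines += ['        log prefix "inter-vlan-drop " drop', "    }", "}"]
    return "\n".join(lines) + "\n"


def is_allowed(approved, src, dst, proto, port):
    """Policy oracle mirroring the ruleset: a new flow passes only if explicitly approved."""
    return Flow(src, dst, proto, port) in set(approved)


def tier_skips(approved, rank):
    """Flag approved flows that jump more than one sensitivity tier (for example a
    workstation segment talking straight to the restricted-data segment)."""
    return [f for f in approved if rank[f.dst] - rank[f.src] > 1]


if __name__ == "__main__":
    print(render_nft(APPROVED))
    print("tier skips:", tier_skips(APPROVED, RANK))
```

Because replies are admitted only by conntrack state, the rendered chain never needs a reverse rule for the database segment, so a rule review can concentrate on the short allowlist rather than on pairs of rules.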
14.3: Disable Workstation-to-Workstation Communication
- Disable all workstation-to-workstation communication to limit an attacker’s ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro-segmentation.
14.4: Encrypt All Sensitive Information in Transit
- Encrypt all sensitive information in transit.
14.5: Utilize an Active Discovery Tool to Identify Sensitive Data
- Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization’s technology systems, including those located on-site or at a remote service provider, and update the organization’s sensitive information inventory.
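An active discovery tool needs a detector that does better than a bare digit pattern, or the sensitive-information inventory fills with false positives. The following is an added example, not a CIS or vendor tool: it walks a directory tree and reports files holding payment-card numbers, using a Luhn checksum to discard random digit runs. The regex, the file-size cap and the sample files are constructed assumptions; 4111 1111 1111 1111 is a well-known Luhn-valid test number.

```python
"""Discover files holding payment-card numbers so they can be added to the sensitive
information inventory.

Added example, not a CIS or vendor tool. The pattern, the Luhn filter and the sample
files are constructed; a real deployment would add the organisation's other data
classes (national IDs, record identifiers) as further detectors.
"""
import os
import re
import tempfile

# 13-19 digits with an optional single space or hyphen between digits, not embedded
# in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits):
    """Luhn checksum used by card issuers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return Luhn-valid candidate PANs found in text (separators removed)."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_tree(root, max_bytes=5_000_000):
    """Walk root and return {path: number_of_valid_PANs} for files with at least one hit.
    Oversized and unreadable files are skipped; list those separately for manual review."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "rb") as fh:
                    text = fh.read().decode("utf-8", errors="ignore")
            except OSError:
                continue
            hits = find_card_numbers(text)
            if hits:
                findings[path] = len(hits)
    return findings


def demo():
    """Constructed sample tree: one CSV with two Luhn-valid test PANs and one note
    containing only digit noise (an invalid 16-digit run and a phone number)."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "finance"))
        with open(os.path.join(root, "finance", "refunds.csv"), "w") as fh:
            fh.write("id,pan,amount\n")
            fh.write("1,4111 1111 1111 1111,19.99\n")
            fh.write("2,4111-1111-1111-1111,5.00\n")
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("ticket 1234567890123456 opened; call +1 555 0100\n")
        return {os.path.relpath(p, root): n for p, n in scan_tree(root).items()}


if __name__ == "__main__":
    print(demo())
```

Run the scan from a service account with read access to the shares being inventoried; the count per file is what feeds the inventory, while the matched values themselves should not be written to the report.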
14.6: Protect Information Through Access Control Lists
- Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
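Access control lists only enforce need-to-know if someone verifies that nothing under a sensitive share is broader than owner plus the approved group. The following is an added example, not CIS code: it audits POSIX permission bits under a directory and reports entries readable or writable by "other", or group-accessible while owned by an unapproved group. The sample tree, modes and the approved group are constructed assumptions.

```python
"""Audit POSIX permissions under a sensitive directory and report entries that grant
access beyond the owner and an approved group.

Added example, not CIS code. The sample tree, modes and approved group are constructed;
on a real share the same walk would run against the path holding the classified data.
"""
import os
import stat
import tempfile


def audit_permissions(root, approved_gids):
    """Return sorted (relative_path, octal_mode, reason) tuples for violations:
    - any 'other' permission bit set (world-readable/writable/executable)
    - group permission bits set while the entry's gid is not an approved group
    Symlinks are skipped so a link pointing outside the share cannot hide a finding."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(path, root)
            if mode & 0o007:
                findings.append((rel, oct(mode), "other has access"))
            if mode & 0o070 and st.st_gid not in approved_gids:
                findings.append((rel, oct(mode), f"group {st.st_gid} not approved"))
    return sorted(findings)


def demo():
    """Constructed sample share: one correctly restricted file, one world-readable
    export and one world-writable drop directory."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "drop"))
        os.chmod(os.path.join(root, "drop"), 0o777)
        for name, mode in (("payroll.csv", 0o640), ("export.csv", 0o644)):
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)
        # The process group (or the directory's group under setgid) is the approved one.
        approved = {os.getgid(), os.stat(root).st_gid}
        return audit_permissions(root, approved_gids=approved)


if __name__ == "__main__":
    for finding in demo():
        print(*finding)
```

On shares that use POSIX ACLs or NTFS ACLs the mode bits are only part of the picture; the same walk would additionally read the extended ACL (for example via `getfacl`) and apply the same "nobody outside the approved group" rule to each entry.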
14.7: Enforce Access Control to Data Through Automated Tools
- Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.
14.8: Encrypt Sensitive Information at Rest
- Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
14.9: Enforce Detailed Logging for Access or Changes to Sensitive Data
- Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
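Detailed audit logging is only useful if the records can be turned into "who touched which sensitive file". The following is an added example, not CIS code: it correlates Linux auditd SYSCALL and PATH records by their audit serial, keeps the events tagged with a watch key, and flags those whose login account is outside the need-to-know list. The log lines are constructed (fields trimmed to what the parser uses) and assume an auditd watch rule of the form `-w /srv/finance -p rwa -k sensitive-data`; the directory, user IDs and key name are assumptions.

```python
"""Correlate auditd records for a watched sensitive directory and flag access by
accounts outside the need-to-know list.

Added example, not CIS code. The log lines are constructed (fields trimmed to what the
parser uses) and assume a rule such as  -w /srv/finance -p rwa -k sensitive-data  so
that every access to the directory is tagged with the key "sensitive-data".
"""
import re
from collections import defaultdict

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")

# Constructed sample: two tagged reads of payroll.csv and one untagged unrelated event.
# (Backslash-newline inside the string joins each record onto a single line.)
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:2001): arch=c000003e syscall=257 success=yes exit=3 \
uid=1001 auid=1001 comm="cat" exe="/usr/bin/cat" key="sensitive-data"
type=PATH msg=audit(1700000000.101:2001): item=0 name="/srv/finance/payroll.csv" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.250:2002): arch=c000003e syscall=257 success=yes exit=4 \
uid=2002 auid=2002 comm="python3" exe="/usr/bin/python3.11" key="sensitive-data"
type=PATH msg=audit(1700000000.250:2002): item=0 name="/srv/finance/payroll.csv" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.300:2003): arch=c000003e syscall=257 success=yes exit=3 \
uid=2002 auid=2002 comm="ls" exe="/usr/bin/ls" key=(null)
type=PATH msg=audit(1700000000.300:2003): item=0 name="/home/bob" nametype=NORMAL
"""


def parse_record(line):
    """Split one audit record into a dict of fields plus its timestamp and serial."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["_ts"] = float(m.group(1))
    fields["_serial"] = int(m.group(2))
    return fields


def correlate(lines, key="sensitive-data"):
    """Join SYSCALL and PATH records that share an audit serial and keep only the
    events tagged with the watch key. Returns one dict per event."""
    by_serial = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            by_serial[rec["_serial"]].append(rec)
    events = []
    for serial, recs in sorted(by_serial.items()):
        calls = [r for r in recs if r.get("type") == "SYSCALL" and r.get("key") == key]
        if not calls:
            continue
        call = calls[0]
        events.append({
            "serial": serial,
            "ts": call["_ts"],
            "auid": int(call["auid"]),      # login account; survives su/sudo
            "uid": int(call["uid"]),
            "comm": call.get("comm"),
            "success": call.get("success") == "yes",
            "paths": [r["name"] for r in recs if r.get("type") == "PATH" and "name" in r],
        })
    return events


def unauthorized(events, allowed_auids):
    """Events whose login account is not on the need-to-know list for the data."""
    return [e for e in events if e["auid"] not in allowed_auids]


if __name__ == "__main__":
    for e in unauthorized(correlate(SAMPLE_LOG.splitlines()), allowed_auids={1001}):
        print(f"{e['ts']:.3f} auid={e['auid']} {e['comm']} -> {', '.join(e['paths'])}")
```

Keying on `auid` rather than `uid` matters: the login identity is what the access authorization was granted to, and it is preserved across privilege escalation, so a read performed through `sudo` is still attributed to the person who started the session.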
Figure: System Entity Relationship Diagram