The Center for Internet Security Controls (CIS Controls) have become an industry standard that helps businesses and organizations of all sizes maintain a baseline set of cybersecurity controls.

Now that you know what assets you have in your inventory lists, it's time to start protecting them.

CIS Control Safeguard 3.1 is to Establish and Maintain a Data Management Process. The process should address data sensitivity, data ownership, how data is handled, data retention limits, and disposal requirements. This process should be reviewed and updated on an annual basis or when significant changes occur within the data or types of data being stored.

I always started Control 3 with, you guessed it, an inventory of everywhere data is being stored (that is actually Safeguard 3.2). It was not uncommon to discover data in OneDrive, Google Drive, Box.com, Dropbox, local hard drives, USB drives, etc. That is a nightmare to understand, let alone to establish a process around.

So in our internal Data Usage Policy we outlined what types of data could be stored where. For each type of data we then documented the criteria this process calls for: sensitivity, ownership, handling, retention, and disposal.

If it contained trade secrets, business information, employee data, client records, PII, PHI, or other data deemed confidential, it was labeled High or Critical, listing who owned it, where the data was handled, and how it was retained and backed up.

The same exercise was completed for the Medium and Low data sensitivity classifications. This was all documented in the Internal Data Usage Policy, which every employee had to read and sign off on, confirming they understood it, annually or any time a change occurred.
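To show how the classification scheme above can be turned into something checkable rather than a document that only gets signed once a year, here is an added example (not code from the original post). It models each entry of the storage inventory (Safeguard 3.2) with the fields the Safeguard 3.1 process asks for, derives the minimum sensitivity from the confidential data types the post lists, and reports any record that is under-labeled, missing a required field, has no retention limit, or sits in a location the policy does not approve for its class. The approved-location table, field names and the sample inventory are constructed assumptions; substitute your own policy values.

```python
"""Validate a data-store inventory against a Data Usage Policy (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Ordering of the classifications used in the post.
SENSITIVITY_RANK: Dict[str, int] = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}

# Data types the post says must be labeled High or Critical.
CONFIDENTIAL_TYPES = frozenset({
    "trade secrets", "business information", "employee data",
    "client records", "PII", "PHI",
})

# ASSUMPTION: which storage locations the policy approves per classification.
# These are placeholder values for illustration, not the author's real policy.
APPROVED_LOCATIONS: Dict[str, FrozenSet[str]] = {
    "Critical": frozenset({"corporate file server"}),
    "High": frozenset({"corporate file server", "OneDrive (managed tenant)"}),
    "Medium": frozenset({"corporate file server", "OneDrive (managed tenant)",
                         "Box (managed)"}),
    "Low": frozenset({"corporate file server", "OneDrive (managed tenant)",
                      "Box (managed)", "local hard drive"}),
}


@dataclass
class DataStoreRecord:
    """One inventory entry with the fields the 3.1 process requires."""
    name: str
    data_types: FrozenSet[str]
    sensitivity: str
    owner: str = ""
    location: str = ""
    handling: str = ""
    retention_days: Optional[int] = None
    disposal: str = ""


def minimum_sensitivity(data_types: FrozenSet[str]) -> str:
    """Lowest label the policy allows for the data types present."""
    return "High" if data_types & CONFIDENTIAL_TYPES else "Low"


def validate_record(rec: DataStoreRecord) -> List[str]:
    """Return human-readable findings for one record (empty list = compliant)."""
    findings: List[str] = []
    if rec.sensitivity not in SENSITIVITY_RANK:
        return [f"{rec.name}: unknown sensitivity '{rec.sensitivity}'"]

    required = minimum_sensitivity(rec.data_types)
    if SENSITIVITY_RANK[rec.sensitivity] < SENSITIVITY_RANK[required]:
        findings.append(f"{rec.name}: contains confidential data but is labeled "
                        f"{rec.sensitivity}; must be at least {required}")

    # Ownership, handling and disposal must be documented, not left blank.
    for fld in ("owner", "location", "handling", "disposal"):
        if not getattr(rec, fld):
            findings.append(f"{rec.name}: missing {fld}")

    # A retention limit is required; "keep forever" is not a retention policy.
    if rec.retention_days is None or rec.retention_days <= 0:
        findings.append(f"{rec.name}: no retention limit set")

    # The location must be one the policy approves for this classification.
    if rec.location and rec.location not in APPROVED_LOCATIONS[rec.sensitivity]:
        findings.append(f"{rec.name}: '{rec.location}' is not an approved "
                        f"location for {rec.sensitivity} data")
    return findings


def validate_inventory(records: List[DataStoreRecord]) -> List[str]:
    """Run every record through the policy checks and collect the findings."""
    findings: List[str] = []
    for rec in records:
        findings.extend(validate_record(rec))
    return findings


# Constructed sample inventory: one clean record and two with problems.
SAMPLE_INVENTORY = [
    DataStoreRecord("HR personnel files", frozenset({"employee data", "PII"}), "High",
                    owner="HR Director", location="corporate file server",
                    handling="HR staff only, access logged", retention_days=2555,
                    disposal="secure wipe after retention period"),
    DataStoreRecord("Sales prospect list", frozenset({"client records"}), "Medium",
                    owner="Sales Manager", location="Dropbox (personal)",
                    handling="shared with sales team", retention_days=365,
                    disposal="delete on account closure"),
    DataStoreRecord("Marketing brochures", frozenset({"public collateral"}), "Low",
                    owner="Marketing", location="local hard drive",
                    handling="anyone may copy", retention_days=None, disposal=""),
]

if __name__ == "__main__":
    for line in validate_inventory(SAMPLE_INVENTORY):
        print(line)
```

Running the module lists four findings: the sales list is under-labeled and lives in an unapproved personal Dropbox, and the brochures record has no retention limit or disposal requirement. Feeding the real inventory through a check like this at each annual review (or whenever the data changes) is what keeps the written process and reality from drifting apart.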

For compliance here you need to have your processes and policies typed up and documented. It's not hard once you know where and how your data is being stored and accessed. Getting control over how your data is stored, however, may be your biggest battle if end users have never had any restrictions before.

Remember to educate users on why it's important to know how data is being stored, why it's required for security compliance, and ultimately why everyone is responsible for keeping the company secure. You'll get pushback from a few people, but with leadership buy-in they will adopt it.

Join the conversation - https://www.linkedin.com/posts/scottintech_ciscontrols-cybersecurity-secureit-activity-7072793568058204160-YzoX?utm_source=share&utm_medium=member_desktop

Contact Info

717.884.9030

Scott@ScottRDavis.com