The Center for Internet Security Controls or CISControls have become an industry standard to help businesses and organizations of all sizes to maintain an industry standard of Cybersecurity controls.

Safeguard 3.2 brings us back to knowing what you have, as it calls for you to establish and maintain a data inventory. You are required to inventory sensitive data at a minimum, but you go thru the same exercise with all of your data types.

You should review and update the inventory annually, at a minimum with a priority on the sensitive or critical data classifications.

I would map a document that includes the File Path, Storage Location, Backup and Retention period and location, data classification (critical, high, medium, low), and what groups or users have access to it.

As we go thru the process you'll hear it again and again, that you can't protect what you don't know - and if you don't know where and what types of data is stored you can't secure it.

Join the conversation - https://www.linkedin.com/posts/scottintech_ciscontrols-cybersecurity-secureit-activity-7073059976482549760-dn_e?utm_source=share&utm_medium=member_desktop