The Center for Internet Security Controls, or CIS Controls, have become an industry standard that helps businesses and organizations of all sizes maintain a baseline set of cybersecurity controls.

Safeguard 3.7 calls for establishing and maintaining an overall data classification scheme. Here you'll find most businesses use labels such as "Sensitive", "Confidential", and "Public" to classify and control access to their data.

Safeguard 3.7 is required only for Implementation Groups (IG) 2 and 3, so if you're just getting started it may not be required yet, but it's always a smart choice to plan ahead and start outlining data classification today.

At a minimum you should classify any records that may contain PII (Personally Identifiable Information) or PHI (Protected Health Information), and that applies to every organization out there when you consider even just your employee records alone.

There are 7 steps to effective data classification which include:
1) Complete a Risk Assessment
2) Develop your Data Classification Policy
3) Categorize Data Types
4) Discover Location of Data
5) Identify and Classify Data
6) Enable Security Controls
7) Monitor and Maintain

If you've read my other posts you know you can't protect what you don't know, so understanding your risks is a key first step. Documenting your policy, categorizing data types, and discovering the location of data fit into that planning and prep phase. Then it's time to identify, classify, and set the security controls and access controls as you push for least privilege access.
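To make steps 4 through 6 concrete, here is an added example (my own illustration, not part of the CIS Controls or any vendor tool) that walks a constructed set of records by location, labels each one with the "Confidential" / "Sensitive" / "Public" scheme mentioned above, and then gates access by role so that only roles cleared for a label can read it. The detection patterns, the role-to-clearance map, and the sample records are all assumptions made up for the demo; a real deployment would use a proper discovery tool and your own policy's rules.

```python
from __future__ import annotations
import re

# Ordered from most to least restrictive; the labels are the ones the post mentions.
LABELS = ("Confidential", "Sensitive", "Public")

# Hypothetical detection patterns for a few PII indicators (constructed for the
# demo; not exhaustive and not a substitute for a real discovery tool).
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\d{3}[.-]\d{3}[.-]\d{4}\b"),
}
# Hypothetical keywords that suggest PHI (constructed).
PHI_KEYWORDS = ("diagnosis", "prescription", "medical record")


def classify(record: str) -> tuple[str, list[str]]:
    """Step 5: return (label, reasons) for one record.

    PHI or a government ID number -> Confidential,
    other contact PII            -> Sensitive,
    nothing detected            -> Public.
    """
    reasons = [name for name, pat in PII_PATTERNS.items() if pat.search(record)]
    text = record.lower()
    reasons += [f"phi:{kw}" for kw in PHI_KEYWORDS if kw in text]
    if any(r.startswith("phi:") for r in reasons) or "ssn" in reasons:
        return "Confidential", reasons
    if reasons:
        return "Sensitive", reasons
    return "Public", reasons


# Hypothetical least-privilege role map: the highest label each role may read.
ROLE_CLEARANCE = {"hr": "Confidential", "staff": "Sensitive", "guest": "Public"}


def can_access(role: str, label: str) -> bool:
    """Step 6: a role may read a record only if its clearance is at least as
    restrictive as the record's label. Unknown roles are denied (fail closed)."""
    if role not in ROLE_CLEARANCE:
        return False
    return LABELS.index(ROLE_CLEARANCE[role]) <= LABELS.index(label)


def inventory(records: dict[str, str]) -> dict[str, str]:
    """Steps 4 and 5: map each discovered location to its label."""
    return {loc: classify(text)[0] for loc, text in records.items()}


# Constructed sample records keyed by where they were "discovered" (step 4).
SAMPLE_RECORDS = {
    "hr/employee_42.txt": "Jane Doe, SSN 123-45-6789, hired 2021-03-01",
    "clinic/visit_note.txt": "Patient reports cough; diagnosis: bronchitis",
    "sales/contact.txt": "Lead: bob@example.com, call 555-010-2020",
    "web/press_release.txt": "Company announces new office opening",
}

if __name__ == "__main__":
    for loc, label in inventory(SAMPLE_RECORDS).items():
        allowed = [r for r in ROLE_CLEARANCE if can_access(r, label)]
        print(f"{loc:24} {label:12} readable by: {', '.join(allowed)}")
```

Running it prints one line per location with its label and the roles that may read it. The point of the structure is that the label is computed once at classification time and every later access decision keys off that label rather than re-inspecting the content, which is what lets a policy stay enforceable as the data moves.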

The final step is what closes the loop, because the process never ends, and how well you can monitor and maintain the data classification relies on your team, education for end users, and the processes outlined in your policy.

You can't maintain secure data if you allow anyone to drop a confidential document on a USB drive or send it out via email. Education is crucial to ensure security.

Bottom line: while this is not required for Implementation Group 1, it is something we all need to do a better job with, as we are all storing documents and data that should be secured better than they are.

Join the conversation - https://www.linkedin.com/posts/scottintech_ciscontrols-cybersecurity-implementationgroups-activity-7080587259481075712-adXa?utm_source=share&utm_medium=member_desktop

Contact Info

717.884.9030

Scott@ScottRDavis.com