The Center for Internet Security Controls, or CIS Controls, have become an industry standard that helps businesses and organizations of all sizes maintain a recognized baseline of cybersecurity controls.
Safeguard 3.12 requires you to segment data processing and storage based on the sensitivity of the data.
Here data security calls for sensitive data to be retained and accessed only on the enterprise assets intended for that level of data.
Let's try to put it in other terms. The US Government uses what is known as a SCIF (Sensitive Compartmented Information Facility), a secure room that guards against electronic surveillance and suppresses leakage of sensitive military and security information. In order to access the room a person has to leave behind anything that could capture or remove data from the room, maintaining data security at the highest level.
Now you don't need to establish a SCIF to maintain data security, but I have seen and implemented for many organizations an air-gapped computer: a computer holding the sensitive data that is kept off the primary computer network and has no internet connectivity.
You don't have to go to an air-gapped network, or even to the lengths Kentucky Fried Chicken goes to protect Colonel Harland Sanders' handwritten recipe, but if you are looking to meet compliance with Implementation Group 2, you will be required at a minimum to create some segmentation of sensitive data. By simply establishing virtual networking, or VLANs, and segmenting your sensitive data groups and systems onto them, you can meet this while keeping your primary network for Facebook videos and reading my latest LinkedIn posts - or actual work.
Ohhh, and please stop emailing sensitive data. A simple typo can release the data. Just look at the latest DOD breach where employees were emailing the .ml domain instead of the .mil domain. Yes, it happened - https://lnkd.in/efmsFQ2a
Join the conversation - https://www.linkedin.com/feed/update/urn:li:activity:7087872503020183553?utm_source=share&utm_medium=member_desktop
Safeguard 3.11 is the process of ensuring #DataAtRest is encrypted. It calls for the encryption of sensitive data on the servers, applications, and databases that contain the data. Storage-layer encryption, or server-side encryption, meets the minimum requirements for this Safeguard. Additional encryption methods may include application-layer or client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data.
The bottom line is that in today's world not encrypting your data, servers, and systems is no longer an option, whether or not they contain sensitive data. Microsoft #Bitlocker can be managed via Group Policy or #Intune, making it easy for even a small IT department to deploy and manage encryption and check 3.11 compliance off.
Before you move on, remember that your backups also contain data at rest, so if you are working with sensitive data (which you are) remember that all of your backups have to be encrypted as well. It doesn't make any sense to lock the front door but leave the back door wide open.
Safeguard 3.6 calls for encryption of end-user devices, 3.9 calls for encryption of removable devices, 3.10 calls for encryption of data in transit, and 3.11 is the encryption of data at rest. By simply encrypting your data everywhere you meet 1 requirement in Implementation Group 1 and 3 requirements for Group 2.
Continue the conversation - https://www.linkedin.com/posts/activity-7087437973738123264-U19k?utm_source=share&utm_medium=member_desktop
Safeguard 3.10 addresses the #encryption of sensitive data in transit. Data in transit, or data in motion, is data that is being transferred between locations over a private network or the Internet. Transport Layer Security (TLS) and Open Secure Shell (OpenSSH) are two common methods used to secure data in transit.
In plain English, when data from one system is opened on another system, locally or from a cloud service, that data is in transit, and if the data is sensitive it must be encrypted.
Sensitive data has different definitions across the globe, so it's always best to check your local definition, but traditionally the following types of data should be considered sensitive no matter where you are located.
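A practical way to evidence 3.10 on your own services is to check which TLS versions they will actually negotiate. The script below is an added example and not part of the original post; the host name and port are placeholders, and it assumes Windows PowerShell on .NET Framework 4.8 or later (a "rejected" result for TLS 1.3 on an older client OS reflects the client, not the server).

```powershell
# Added example for Safeguard 3.10 (not from the original post): probe which TLS versions
# a service will negotiate so legacy protocols can be found and turned off.
function Test-TlsVersions {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    # Offer one protocol version per handshake so every accept/refuse is attributable to it.
    $versions = [ordered]@{
        'TLS 1.0' = [System.Security.Authentication.SslProtocols]::Tls
        'TLS 1.1' = [System.Security.Authentication.SslProtocols]::Tls11
        'TLS 1.2' = [System.Security.Authentication.SslProtocols]::Tls12
        'TLS 1.3' = [System.Security.Authentication.SslProtocols]::Tls13   # .NET Framework 4.8+ only
    }
    foreach ($label in $versions.Keys) {
        $tcp = $null; $ssl = $null
        try {
            $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
            # Certificate validation stays on: an invalid certificate is a finding, not noise.
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
            $ssl.AuthenticateAsClient($HostName, $null, $versions[$label], $true)
            $accepted = $true
            $detail   = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
        } catch {
            $accepted = $false
            $detail   = $_.Exception.Message
        } finally {
            if ($ssl) { $ssl.Dispose() }
            if ($tcp) { $tcp.Dispose() }
        }
        # A server that still accepts TLS 1.0 or 1.1 is a finding against 3.10.
        $finding = ''
        if ($accepted -and $label -in 'TLS 1.0','TLS 1.1') { $finding = 'legacy protocol enabled' }
        [pscustomobject]@{
            Host = $HostName; Port = $Port; Protocol = $label
            Accepted = $accepted; Detail = $detail; Finding = $finding
        }
    }
}

# Placeholder host: point this at one of your own file, mail or application servers.
Test-TlsVersions -HostName 'files.example.internal' -Port 443 | Format-Table -AutoSize
```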
- Social Security, driver's license, state identification card, or passport number
- Account log-in, financial account, or debit/credit card number in combination with any required security or access code, password, or credentials allowing access to an account
- Precise geolocation
- Racial or ethnic origin, religious or philosophical beliefs, or union membership
- Contents of a consumer's mail, email, and text messages, unless the business is the intended recipient
- Genetic data
- Biometric data
- Health information (HIPAA)
- Information about sex life or sexual orientation
- Employee data such as a resume, biography, drug tests, background checks, and even reports and investigations during their tenure
Releasing any of the above data or transmitting it unencrypted poses risks to the employee and the business. In Dittman v. UPMC, the Pennsylvania Supreme Court recognized a legal duty to safeguard employee data.
So while 3.10 may be required only for Implementation Groups 2 and 3 in the CIS Controls, it is highly advised for every business, or anyone out there storing sensitive data, to ensure data is only transmitted when encrypted.
Join the conversation - https://www.linkedin.com/posts/activity-7087184876893790209-YRDM?utm_source=share&utm_medium=member_desktop
Safeguard 3.9 continues the encryption conversation we started in Safeguard 3.6 and requires all removable media to be encrypted: any USB drive, flash media, external backup tapes, or other removable media.
While Safeguard 3.9 is only required for Implementation Groups 2 and 3, it should be strongly considered as part of your security foundation, as it is one of the easiest methods of ensuring data security on removable media.
Some organizations will document procedures banning the use of external media, and that's a solid policy, but as we have moved to the modern workplace of home and the office, the need for these devices has grown. Even road warriors may need to drop a PowerPoint to the A/V team in order to give their presentation.
With how small they have become and how easily they are lost, even with the best policy, implementing Safeguard 3.9 is a great step toward securing your data.
Join the conversation - https://www.linkedin.com/posts/scottintech_ciscontrols-cybersecurity-encryption-activity-7086749329364762625-8fkb?utm_source=share&utm_medium=member_desktop
Safeguard 3.8 is about documenting and examining your data flow, which includes service provider data flows, and should be based on the enterprise's data management process. This should be reviewed and updated annually or when significant changes occur.
Documenting your data flows is a way of representing the flow of data through a process or system. This is typically represented in diagram form and provides the inputs and outputs of each entity and of the process itself. For each data flow, at least one of the endpoints (source and/or destination) must exist in a process.
Data Flow Diagrams can be regarded as inverted Petri nets, because places in such networks correspond to the semantics of data memories.
In simple English, you are going to look at how and where your data flows, from the input to the output and every system, database, etc. that touches the data in the process. This is not an easy undertaking, and if you're not already covering the CIS Safeguards discussed earlier it will be harder. But fear not: like Safeguard 3.7, 3.8 is only required in Implementation Groups 2 and 3, so if you're just getting started with the framework I would not rush to deploy this on day 1.
Join the conversation - https://www.linkedin.com/posts/scottintech_ciscontrols-cybersecurity-dataflow-activity-7085976301949345792-VK9M?utm_source=share&utm_medium=member_desktop
Safeguard 3.7 calls for establishing and maintaining an overall data classification scheme. Here you find most businesses will use labels such as "Sensitive", "Confidential", and "Public" to classify and control access to their data.
Safeguard 3.7 is required only for Implementation Groups (IG) 2 and 3, so if you're getting started this may not be required, but it's always a smart choice to plan ahead and start outlining data classification today.
You should classify at minimum any records that may contain #PII (personally identifiable information) or PHI (protected health information), and that covers every organization out there when you look at even just your employee records alone.
There are 7 steps to effective data classification which include:
1) Complete a Risk Assessment
2) Develop your Data Classification Policy
3) Categorize Data Types
4) Discover Location of Data
5) Identify and Classify Data
6) Enable Security Controls
7) Monitor and Maintain
If you've read my other posts you know you can't protect what you don't know, so understanding your risks is a key first step. Documenting your policy, categorizing data types, and discovering the location of data fit into that planning and prep phase. Then it's time to identify and classify the data and set the security controls and access controls as you push for least-privilege access.
The final step is what closes the circle, since the process never ends, and how well you can monitor and maintain the data classification relies on your team, education for end users, and the processes outlined in your policy.
You can't maintain secure data if you allow anyone to drop a confidential document on a USB drive or send it out via email. Education is crucial to ensure security.
Bottom line: while this is not required for Implementation Group 1, this is something we all need to do a better job with, as we are all storing documents and data that should be secured better than they are.
Join the conversation - https://www.linkedin.com/posts/scottintech_ciscontrols-cybersecurity-implementationgroups-activity-7080587259481075712-adXa?utm_source=share&utm_medium=member_desktop
Safeguard 3.6 is the requirement for you to encrypt data on end-user devices that contain sensitive data. This can be accomplished with Microsoft BitLocker, Apple FileVault, or Linux dm-crypt.
This is a great tip for every device, not just those that contain sensitive data, as I discussed a few days ago as a cybersecurity tip - https://lnkd.in/eA_-JVYz
While this safeguard only requires encryption for the devices with sensitive data, to check this box off you need a policy that states the devices are to be encrypted, and your asset inventory must show which assets are encrypted and what encryption method is being used.
The bottom line is that today every computer, mobile device, portable hard drive, flash drive, backup, and cloud storage drive you are using should be encrypted as a base level of protection for your data.
Safeguards 3.1 through 3.6 are all required for all three Implementation Groups, so these are great policies to adopt in your organization today.
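The inventory evidence that 3.6 asks for, and that the 3.11 post says BitLocker makes easy to manage, can be collected straight from the BitLocker cmdlets; removable drives show up as Data volumes, so the same rows cover 3.9. The script below is an added example and not part of the original posts; it assumes an elevated Windows PowerShell session with the BitLocker module, the required cipher is an assumed policy baseline, and the share path is a placeholder.

```powershell
# Added example for Safeguards 3.6, 3.9 and 3.11 (not from the original posts): build the
# per-asset encryption inventory from Get-BitLockerVolume and flag non-compliant volumes.
function Get-BitLockerInventory {
    param([string]$RequiredMethod = 'XtsAes256')   # assumed baseline from your data policy

    $computer = $env:COMPUTERNAME
    $serial   = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber

    foreach ($vol in Get-BitLockerVolume) {
        # Compliant only when fully encrypted, protection is on, and the cipher matches policy.
        $fullyEncrypted = $vol.VolumeStatus -eq 'FullyEncrypted'
        $protected      = $vol.ProtectionStatus -eq 'On'
        $methodOk       = "$($vol.EncryptionMethod)" -eq $RequiredMethod
        $protectors     = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ';'

        [pscustomobject]@{
            Computer         = $computer
            SerialNumber     = $serial
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType        # OperatingSystem or Data (incl. removable)
            VolumeStatus     = $vol.VolumeStatus
            EncryptionMethod = $vol.EncryptionMethod
            ProtectionStatus = $vol.ProtectionStatus
            KeyProtectors    = $protectors            # e.g. Tpm;RecoveryPassword
            Compliant        = ($fullyEncrypted -and $protected -and $methodOk)
            CollectedAt      = (Get-Date).ToString('s')
        }
    }
}

# Collect this asset's rows, show them, and append them to a central inventory (placeholder path).
$inventory = Get-BitLockerInventory
$inventory | Format-Table -AutoSize
$inventory | Export-Csv -Path '\\fileserver\inventory\bitlocker.csv' -Append -NoTypeInformation

# Anything left here is a finding against 3.6 / 3.9 / 3.11 for this asset.
$inventory | Where-Object { -not $_.Compliant }
```

Run it from Group Policy or Intune as a scheduled script so the central CSV is the living inventory an auditor can be shown.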
Join the conversation - https://www.linkedin.com/posts/scottintech_ciscontrols-cybersecurity-bitlocker-activity-7077134189430460416-9ILG?utm_source=share&utm_medium=member_desktop
Safeguard 3.5 is how you securely dispose of data, which should be outlined in your data management process. You have to ensure the disposal process and method are commensurate with the data sensitivity.
Formatting a hard drive leaves the data on it, so a simple drive format should not be considered an appropriate method of disposing of data.
CIS Controls is for business, not personal use, so your example isn't effective, but it is because we forget or think it's low risk. There are storable data drives in your computers, servers, network equipment, printers, and, if you push it, old fax machines where the film roll would actually store an image of every fax received. How do you address all of these devices, as the data stored there is an assortment of everything printed, from confidential data to that random email?
Here the key is your data management process and policy. It should outline which devices have drives that you are concerned with and how you go about disposing of the data, the drive, or the equipment itself if the flash storage is embedded. It should include how long you retain data, where the data lives, who owns the data, and, when it's time to decommission a device, how the data that lives on the device is disposed of. So it covers the live data, legacy data, and the devices that store them.
In my past I have taken drives out to a gun range and also have had drives destroyed by a shredding company with a certificate of destruction. The shredding company maintains the chain of custody, and proof of destruction is typically what an auditor likes to see, but the gun range will ensure no data is recoverable as well. You can also use disk wiping or DataDump (the process of overwriting every bit of data with a 0 or 1 and then formatting the drive). The government standard (DoD 5220.22-M) calls for a data wipe to run the same process at minimum 3 times. The government considers this a medium-security wipe. I see more companies using a hard drive degausser, which will completely sanitize, wipe, and erase hard drives.
No matter what process you use, document it and maintain an inventory of destroyed hard drives including serial number, date of destruction, and the certificate.
Join the conversation - https://www.linkedin.com/posts/scottintech_ciscontrols-cybersecurity-datasensitivity-activity-7076594085129506816-S-zd?utm_source=share&utm_medium=member_desktop
Safeguard 3.4 covers the enforcement of data retention according to the data management process. Your data retention policy must include both the minimum and maximum timelines.
The two primary reasons you need a data retention policy are #Liability protection and regulatory compliance.
Liability protection means managing and protecting an organization's important data to avoid the civil, criminal, and financial penalties that can result from poor data management.
Regulatory compliance comes from local, state, federal, and international policies, rules, statutes, and laws, as well as industry-imposed regulations, which often set the length of time that specific types of data must be retained and maintained.
It is important to understand which compliance regimes and regulations you fall under and ensure you are retaining the necessary data for the timelines required.
Looking at some of the industry standards:
- Federal Information Security Modernization Act (FISMA) - 3 years
- ISO 27001 - 3 years
- National Energy Commission (NERC) - 3 to 6 years
- Basel II Capital Accord - 3 to 7 years
- Sarbanes-Oxley Act (SOX) - 7 years
- Health Insurance Portability and Accountability Act (HIPAA) - 6 years
- National Industrial Security Program Operating Manual (NISPOM) - 6 to 12 months
No matter how long you choose to retain the data, you need to have the policy documented and validate and test your backups on a regular basis; otherwise you can't be sure you have backups and are retaining the data.
Your data retention policy should cover local, application, database, and cloud data, as well as storing the retained data both locally and in the cloud. The last thing you want is a fire destroying both your local data and the backup files.
Join the Conversation - https://www.linkedin.com/posts/scottintech_ciscontrols-cybersecurity-liability-activity-7074566857776582656-TdVO?utm_source=share&utm_medium=member_desktop