CIS Safeguard 4.3 requires the configuration of automatic session locking on assets. For general purpose operating systems, the period must not exceed 15 minutes, and for mobile devices it should not be longer than 2 minutes.
Going back to Safeguard 1.1, you have your inventory of devices, which includes the mobile devices and computers that could store or process data for your business. So if you allow personal devices to store or process your data, they must be inventoried and enrolled in a device manager so you can configure this setting and confirm it is active.
It doesn't matter if you're working at home, an airport, or at a conference and you're just stepping away for a few minutes. The key thing is teaching the culture that your computer or mobile device should be locked if you're not using it, so #LockItUp.
Getting your team to live in a cybersecurity culture takes time but is a critical step to promoting cybersecurity. It starts with training and setting expectations. When you're not training your team then that culture will be the Wild West and another episode of the Blame Game.
If you are using a local technology provider, they can push and manage this policy for you. Otherwise, Active Directory, Microsoft Entra ID (Azure AD), Mobile Device Managers, Microsoft Intune and others all have group policies or settings you can use to enforce it, and it's already included in what you are paying.
Safeguard 4.3 is required for every implementation group, and if you aren't requiring it today then it's past time to educate your team and activate the settings.
If you don't require it and a laptop is breached or stolen, then you should assume that any potential data on it could be compromised and that may trigger a breach notification depending on the data and your local regulations.
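One way to check an endpoint against the 15-minute limit, as an added PowerShell example that is not part of the original post: it reads the registry value behind the Group Policy setting "Interactive logon: Machine inactivity limit". The 900-second threshold, the function name and the `-Remediate` switch are this example's own choices.

```powershell
# Added example: audit a Windows endpoint against the CIS Safeguard 4.3 limit of
# 15 minutes. InactivityTimeoutSecs is the registry value behind the Group Policy
# setting "Interactive logon: Machine inactivity limit" (Security Options).
# Not present or 0 means Windows never locks an idle session on its own.
$Key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Name = 'InactivityTimeoutSecs'

function Test-SessionLockPolicy {
    param(
        [int]$MaxSeconds = 900,   # 15 minutes for general purpose operating systems
        [switch]$Remediate        # write the limit locally if the check fails
    )
    $item    = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    $current = if ($item) { [int]$item.$Name } else { $null }

    if ($null -eq $current)           { $reason = 'Not configured: idle sessions are never locked' }
    elseif ($current -eq 0)           { $reason = 'Set to 0, which disables the inactivity limit' }
    elseif ($current -gt $MaxSeconds) { $reason = "Limit of $current s exceeds the $MaxSeconds s maximum" }
    else                              { $reason = $null }
    $compliant = ($null -eq $reason)

    if (-not $compliant -and $Remediate) {
        # Domain-joined or MDM-enrolled machines should receive this from Group
        # Policy or Intune instead, so a local admin cannot quietly undo it.
        New-Item -Path $Key -Force | Out-Null
        Set-ItemProperty -Path $Key -Name $Name -Value $MaxSeconds -Type DWord
        $reason    = "$reason (remediated to $MaxSeconds s)"
        $compliant = $true
    }

    [pscustomobject]@{
        Compliant         = $compliant
        ConfiguredSeconds = $current
        Detail            = $reason
    }
}

# Run as a scheduled check; add -Remediate on standalone machines that no policy reaches.
Test-SessionLockPolicy | Format-List
```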
Looking for a jump start - Download CIS's Secure Configuration Management Template at (https://lnkd.in/e4xYfNye)
CIS Safeguard 4.2 calls for you to establish and maintain a secure configuration process for network infrastructure. This includes reviewing and documenting the configuration whenever significant changes occur, or at least once a year.
Before starting we have to rewind to Safeguard 1.1 which requires you to establish and maintain an asset inventory including your network infrastructure inventory. You can't continue until that is completed.
Next, you have to create a standard baseline configuration for each type of network device. If you work with multiple vendors for a given type of device, you should have a documented baseline configuration for each vendor, as every vendor does things differently.
Once you have your baselines, then regular audits should be completed to assess the device configuration against these baselines. In the past I have seen these audits completed as part of the technology alignment process or by using configuration management tools like Liongard that can automate the process.
Your process next needs to include a strict change management process that requires review and approval for any configuration modifications. This has to be well-documented, authorized, and align with the established best practices. Any change management process should also account for the process of approval and completing firmware updates.
Using a centralized logging and monitoring tool for your network devices to track and analyze events in real time will help you stay on top of the process. Finally, perform regular reviews of the baselines to ensure they are current and account for new emerging threats or changes in the network infrastructure as a whole.
The most important thing here is to acknowledge that your way may not be the best way and to use any trusted resources or community you are a member of to gain feedback.
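The audit step above (checking a device's configuration against its documented baseline) as an added PowerShell example that is not part of the original post or of any vendor's tooling. The baseline and running configuration are constructed sample text in a generic "keyword value" style, and the `$Volatile` list of legitimately per-device lines is an assumption.

```powershell
# Added example: compare a network device's exported running configuration with
# the documented baseline for its device type and report drift. Real exports
# differ per vendor, which is why each vendor and device type needs its own
# baseline; the configs below are constructed sample data.

function Get-NormalizedConfig {
    param([string]$Text)
    $Text -split "`r?`n" |
        ForEach-Object { ($_ -replace '\s+', ' ').Trim() } |   # collapse whitespace
        Where-Object { $_ -and $_ -notmatch '^[!#]' }            # drop blanks and comments
}

function Compare-DeviceBaseline {
    param(
        [string]$Baseline,                                    # approved configuration
        [string]$Running,                                     # export from the device
        [string[]]$Volatile = @('^hostname ', '^ip address ') # legitimately per-device lines
    )
    $skip = $Volatile -join '|'
    $b = Get-NormalizedConfig $Baseline | Where-Object { $_ -notmatch $skip } | Sort-Object -Unique
    $r = Get-NormalizedConfig $Running  | Where-Object { $_ -notmatch $skip } | Sort-Object -Unique
    $diff = Compare-Object -ReferenceObject $b -DifferenceObject $r
    [pscustomobject]@{
        Missing = @($diff | Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject) # in baseline only
        Extra   = @($diff | Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject) # on device only
    }
}

$baseline = @'
! Access switch baseline v3 (constructed sample)
hostname BASELINE-TEMPLATE
no ip http server
service password-encryption
logging host 10.0.0.5
ntp server 10.0.0.6
'@

$running = @'
! running-config exported from SW-FLOOR2 (constructed sample)
hostname SW-FLOOR2
ip http server
service password-encryption
logging host 10.0.0.5
ntp server 10.0.0.6
'@

$drift = Compare-DeviceBaseline -Baseline $baseline -Running $running
$drift.Missing | ForEach-Object { Write-Output "MISSING : $_" }   # hardening line removed on the device
$drift.Extra   | ForEach-Object { Write-Output "EXTRA   : $_" }   # unapproved change to raise in change management
if ($drift.Missing.Count -or $drift.Extra.Count) { exit 1 }       # non-zero exit fails the scheduled audit
```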
Control 4 is looking for the secure configuration of your assets (end user devices including portable and mobile, network devices, IoT devices, and servers) and your software (operating systems and applications).
To establish and maintain a secure configuration process for your assets and software, we need to develop a comprehensive security policy outlining the requirements for secure configurations.
After conducting a thorough inventory of assets (Safeguard 1.1) and software (Safeguard 2.1), we define secure configuration baselines that adhere to best practices and industry standards (like the CIS Benchmarks).
Automation tools should be utilized whenever possible to enforce these baselines, reducing human error.
You should prioritize strong authentication measures and implement a robust patch management system. Regular security reviews must be conducted, and comprehensive documentation must be maintained and updated annually.
Employees are required to receive training to ensure compliance.
The policy and documentation should be reviewed promptly whenever significant changes occur or at minimum once a year.
I want to personally thank you for following along and if you learned something new or found this content to be valuable please like and share. Since I have started this journey I am seeing more education around CIS Security and its framework throughout the industry.
The Center for Internet Security Controls or #CISControls have become an industry standard to help businesses and organizations of all sizes to maintain an industry standard of #Cybersecurity controls.
Safeguard 3.14 is the final safeguard of Control 3, and is the only one in the control whose security function is Detect. We've outlined the data management process and data inventory, retention and secure disposal of data, data flows, and encryption. It's only fitting that Safeguard 3.14 calls for logging of sensitive data access, including the modification and disposal of data.
Logging all actions involving sensitive data, including access, modification and disposal, is vital to prompt detection and response to malicious activity. Data access logs can also be helpful for post-attack investigations and analyses, and for holding culprits accountable.
On a Windows file server you can audit file access events by going to the properties of the target folder or file, then Security > Advanced > Auditing > Add, and setting the audit permissions you want to log. This is not enabled by default, so if you haven't set it, you're not getting these logs.
There are also a number of tools out there that can scan your files and track the changes both within Windows Servers and cloud storage as well.
Like Safeguard 3.13, 3.14 is only required if you are looking to achieve Implementation Group 3. But like many safeguards that aren't required for Implementation Group 1, this is one you should consider enabling for the folders and files that contain your sensitive data. If you have the drive space for the logs, collecting the data will only help you if you need to do an audit or identify a security breach.
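The same folder auditing done from PowerShell, as an added example that is not part of the original post. It also covers the step the GUI walkthrough leaves implicit: the audit entry on the folder produces nothing until the "Object Access > File System" audit subcategory is enabled. The folder path and the `Everyone` identity are assumptions; run it elevated on the file server.

```powershell
# Added example: enable auditing on a sensitive-data folder (the same thing as
# Properties > Security > Advanced > Auditing) and read back the resulting events.
$Folder   = 'D:\Shares\HR-Sensitive'   # assumed location of the sensitive data
$Identity = 'Everyone'                  # audit every principal, not just one group

# 1. The audit entry on the folder is only half of it: nothing reaches the
#    Security log until the "Object Access > File System" subcategory is enabled.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add an audit entry (SACL) for read, write, delete and permission changes,
#    inherited by subfolders and files, for both successful and failed attempts.
$rights  = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Identity, $rights, $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Event 4663 ("an attempt was made to access an object") carries the user,
#    the object and the access mask; deletions show up with mask 0x10000 (DELETE),
#    which covers the disposal part of Safeguard 3.14.
function Get-SensitiveFileAccess {
    param([string]$Path, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$Path*" } |
        ForEach-Object {
            $ev   = $_
            $data = @{}
            ([xml]$ev.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            [pscustomobject]@{
                Time    = $ev.TimeCreated
                User    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Object  = $data['ObjectName']
                Access  = $data['AccessMask']
                Process = $data['ProcessName']
            }
        }
}

Get-SensitiveFileAccess -Path $Folder | Format-Table -AutoSize
```

Forward the Security log to your central logging tool as well; 4663 events are noisy and a local log will roll over quickly.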
Get a summary of all of CIS Control Safeguards 1-3 we've reviewed here at https://lnkd.in/eW5UBTxf and stay tuned as we start to dive into Control 4 on Securing Configuration and Enterprise assets and software.
Join the conversation - https://www.linkedin.com/posts/scottintech_ciscontrols-cybersecurity-ciscontrol-activity-7089298477649641472-t3ul?utm_source=share&utm_medium=member_desktop
Safeguard 3.13 introduces the concept of DLP (Data Loss Prevention) tools to identify all sensitive data stored, processed, or transmitted through enterprise assets, including those located onsite or at a remote service provider, and update the enterprise's sensitive data inventory.
DLP solutions can prevent suspicious attempts to copy or send sensitive data by checking whether the user is authorized to do so. Authentication is also important to validate users' identities and prevent malicious access to critical assets.
Data loss prevention solves three main objectives that are common pain points for enterprises: personal information protection, compliance and intellectual property (IP) protection, and data visibility.
If you are collecting and storing personally identifiable information (PII), protected health information (PHI), or payment card information (PCI) you likely fall under a requirement to protect this sensitive data for your customers.
DLP is not new, but as compliance requirements evolve it is becoming more of a conversation and more businesses are finding the requirement to implement a DLP solution.
You may not need a DLP solution today (there are many on the market), but the reality is you will at some point. Safeguards 3.13 and 3.14 are the two safeguards inside control 3 that are required for Implementation Group 3.
Join the conversation - https://www.linkedin.com/posts/activity-7088253513553588225-Z7v4?utm_source=share&utm_medium=member_desktop
Safeguard 3.12 requires you to segment data processing and storage based on the sensitivity of the data.
Here data security calls for sensitive data to be retained and accessed only on the enterprise assets intended for that level of data.
Let's try to put it in other terms. The US Government uses what is known as a SCIF (Sensitive Compartmented Information Facility), a secure room that guards against electronic surveillance and suppresses leakage of sensitive military and security information. In order to access the room, a person has to leave behind anything that could capture or remove data from it. That is data security maintained at the highest level.
Now you don't need to establish a SCIF to maintain data security, but I have seen and implemented for many organizations an air-gapped computer, which is an establishment of a computer and sensitive data off of the primary computer network and without internet connectivity.
You don't have to go to an air-gapped network, or even to the lengths Kentucky Fried Chicken goes to protect Colonel Harland Sanders' handwritten recipe, but if you are looking to meet compliance with Implementation Group 2, you will be required at a minimum to create some segmentation of sensitive data. By simply establishing virtual networking (VLANs) and segmenting your sensitive data groups and systems, you can meet this while keeping your primary network for Facebook videos and reading my latest LinkedIn posts - or actual work.
Ohhh, and please stop emailing sensitive data. A simple typo can release the data. Just look at the latest DOD breach where employees were emailing the .ml domain instead of the .mil domain. Yes, it happened - https://lnkd.in/efmsFQ2a
Join the conversation - https://www.linkedin.com/feed/update/urn:li:activity:7087872503020183553?utm_source=share&utm_medium=member_desktop
Safeguard 3.11 is about ensuring #DataAtRest is encrypted. It calls for the encryption of sensitive data on the servers, applications, and databases that contain the data. Storage-layer encryption, or server-side encryption, meets the minimum requirements for this Safeguard. Additional encryption methods may include application-layer or client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data.
The bottom line is that in today's world, not encrypting your data, servers, and systems is no longer an option, whether they contain sensitive data or not. Microsoft #Bitlocker can be managed via group policy or #Intune, making it easy for even a small IT department to deploy and manage encryption and check 3.11 compliance off.
Before you move on, remember that your backups also contain data at rest, so if you are working with sensitive data (which you are) remember that any of your backups have to be encrypted as well. It doesn't make any sense to lock the front door, but leave the back door wide open.
Safeguard 3.6 calls for encryption of end-user devices, 3.9 calls for encryption of removable devices, 3.10 calls for data in transit, and 3.11 is the encryption of data at rest. By simply encrypting your data everywhere you meet 1 requirement in Implementation Group 1, and 3 requirements for Group 2.
Continue the conversation - https://www.linkedin.com/posts/activity-7087437973738123264-U19k?utm_source=share&utm_medium=member_desktop
Safeguard 3.10 addresses the #encryption of sensitive data in transit. Data in transit, or data in motion, is data that is being transferred between locations over a private network or the Internet. Transport Layer Security (TLS) and OpenSSH are two common methods used to secure data in transit.
In plain English, when data from one system is opened on another system, locally or from a cloud service, this data is in transit, and if the data is sensitive it must be encrypted.
Sensitive data has different definitions across the globe, so it's always best to check your local definition, but traditionally the following types of data should be considered sensitive no matter where you are located.
- Social Security, driver's license, state identification card, or passport number
- Account log-in, financial account, or debit/credit card number in combination with any required security or access code, password, or credentials allowing access to an account
- Precise geolocation
- Racial or ethnic origin, religious or philosophical beliefs, or union membership
- Contents of a consumer's mail, email, and text messages unless the business is the intended recipient
- Genetic data
- Biometric data
- Health information (HIPAA)
- Information about sex life or sexual orientation
- Employee data such as a resume, biography, drug tests, background checks, and even reports and investigations during their tenure
Releasing any of the above data or transmitting it unencrypted poses risks to the employee and the business. In Dittman v. UPMC, the Pennsylvania Supreme Court recognized a legal duty to safeguard employee data.
So while 3.10 may be required for only implementation groups 2 and 3 in CIS Controls, it is highly advised for every business or anyone out there storing sensitive data to ensure data is only transmitted when encrypted.
Join the conversation - https://www.linkedin.com/posts/activity-7087184876893790209-YRDM?utm_source=share&utm_medium=member_desktop
Safeguard 3.9 continues the encryption conversation we started in Safeguard 3.6 and requires all removable media to be encrypted: any USB drive, flash media, external backup tape, or other removable media.
While Safeguard 3.9 is only required for Implementation Groups 2 and 3 it should be strongly considered as part of your implementation for your security foundation, as it is one of the easiest methods of ensuring data security on removable media.
Some organizations will document procedures banning the use of external media, and that's a solid policy, but as we have moved to the modern workplace of home and the office, the need for these devices has grown. Even road warriors may need one to drop a PowerPoint to the A/V team in order to give their presentation.
With how small they have become and how easily they are lost, even with the best policy in place, implementing Safeguard 3.9 is a great step toward securing your data.
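Since Safeguards 3.6, 3.9 and 3.11 all come down to the same BitLocker settings pushed from group policy or Intune, here is one added PowerShell example (not part of the original posts) that reports every volume on an endpoint and maps it to the safeguard it falls under, removable drives included. It uses the BitLocker and Storage modules that ship with Windows; the Scope and Compliant columns are this example's own.

```powershell
# Added example: BitLocker compliance report for one Windows endpoint. The OS
# drive maps to Safeguard 3.6, fixed data drives to 3.11 (data at rest) and
# removable drives to 3.9 (BitLocker To Go).
function Get-BitLockerCompliance {
    Get-BitLockerVolume | ForEach-Object {
        $vol    = $_
        $letter = $vol.MountPoint.Substring(0, 1)          # "C:" -> "C"
        $drive  = Get-Volume -DriveLetter $letter -ErrorAction SilentlyContinue

        if ($vol.VolumeType -eq 'OperatingSystem') { $scope = 'OS drive (Safeguard 3.6)' }
        elseif ($drive.DriveType -eq 'Removable')  { $scope = 'Removable media (Safeguard 3.9)' }
        else                                       { $scope = 'Fixed data drive (Safeguard 3.11)' }

        # ProtectionStatus 'Off' covers both an unencrypted volume and an encrypted
        # one whose protectors are suspended, so both checks below are needed.
        [pscustomobject]@{
            Volume     = $vol.MountPoint
            Scope      = $scope
            Status     = $vol.VolumeStatus        # FullyEncrypted, FullyDecrypted, EncryptionInProgress ...
            Protection = $vol.ProtectionStatus
            Method     = $vol.EncryptionMethod
            Protectors = ($vol.KeyProtector.KeyProtectorType -join ', ')
            Compliant  = ($vol.VolumeStatus -eq 'FullyEncrypted' -and $vol.ProtectionStatus -eq 'On')
        }
    }
}

$report = Get-BitLockerCompliance
$report | Format-Table Volume, Scope, Status, Protection, Method, Protectors, Compliant -AutoSize
$report | Where-Object { -not $_.Compliant } | ForEach-Object {
    Write-Warning "$($_.Volume) is not compliant: $($_.Scope), status $($_.Status), protection $($_.Protection)"
}
# Fix gaps through group policy or Intune rather than by hand on each endpoint;
# this report is the evidence that the policy actually landed.
```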
Join the conversation - https://www.linkedin.com/posts/scottintech_ciscontrols-cybersecurity-encryption-activity-7086749329364762625-8fkb?utm_source=share&utm_medium=member_desktop