The Center for Internet Security Controls, or CIS Controls, have become an industry standard that helps businesses and organizations of all sizes maintain a baseline of cybersecurity controls.
Safeguard 3.7 calls for establishing and maintaining an overall data classification scheme. Most businesses use labels such as "Sensitive", "Confidential", and "Public" to classify their data and control access to it.
Safeguard 3.7 is required only for Implementation Groups (IG) 2 and 3, so if you're just getting started it may not be required yet, but it's always a smart choice to plan ahead and start outlining data classification today.
You should classify, at a minimum, any records that may contain PII (Personally Identifiable Information) or PHI (Protected Health Information), and that applies to every organization out there once you consider your employee records alone.
There are 7 steps to effective data classification which include:
1) Complete a Risk Assessment
2) Develop your Data Classification Policy
3) Categorize Data Types
4) Discover Location of Data
5) Identify and Classify Data
6) Enable Security Controls
7) Monitor and Maintain
If you've read my other posts you know you can't protect what you don't know, so understanding your risks is a key first step. Documenting your policy, categorizing data types, and discovering where data lives fit into that planning and prep phase. Then it's time to identify and classify the data and set the security and access controls as you push for least-privilege access.
The final step is what closes the circle, because the process never ends; how well you can monitor and maintain the data classification relies on your team, education of end users, and the processes outlined in your policy.
You can't maintain secure data if you allow anyone to drop a confidential document onto a USB drive or send it out via email. Education is crucial to ensure security.
Bottom line: while this is not required for Implementation Group 1, it is something we all need to do a better job with, as we are all storing documents and data that should be secured better than they are.
Join the conversation - https://www.linkedin.com/posts/scottintech_ciscontrols-cybersecurity-implementationgroups-activity-7080587259481075712-adXa?utm_source=share&utm_medium=member_desktop
Safeguard 3.6 is the requirement to encrypt data on end-user devices that contain sensitive data. This can be accomplished with Microsoft BitLocker, Apple FileVault, or Linux dm-crypt.
This is a great tip for every device, not just those that contain sensitive data, as I discussed a few days ago - https://lnkd.in/eA_-JVYz - as a Cybersecurity Tip.
While this safeguard only requires encryption for the devices with sensitive data, to check this box off you need a policy that states the devices are to be encrypted, and your inventory needs to show which assets are encrypted and what encryption method is being used.
The bottom line is that today every computer, mobile device, portable hard drive, flash drive, backup, and any cloud storage drive you are using should be encrypted as a base level of protection for your data.
Safeguards 3.1 through 3.6 are required for all three Implementation Groups, so these are great policies to adopt in your organization today.
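One way to produce the "which assets are encrypted and with what method" evidence the safeguard asks for, as an added example that is not code from the post: it collects the BitLocker state of every volume on a Windows endpoint into a CSV row per volume. It assumes the BitLocker PowerShell module is present and the script runs elevated; the report path is a placeholder.

```powershell
# Added example: per-volume encryption inventory for Safeguard 3.6.
# Assumes Windows with the BitLocker module; run elevated. Report path is a placeholder.
#Requires -RunAsAdministrator
$ReportPath = 'C:\Temp\bitlocker-inventory.csv'   # placeholder location

$inventory = Get-BitLockerVolume | ForEach-Object {
    [PSCustomObject]@{
        ComputerName     = $env:COMPUTERNAME
        MountPoint       = $_.MountPoint
        VolumeType       = $_.VolumeType          # OperatingSystem or Data
        VolumeStatus     = $_.VolumeStatus        # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
        EncryptionMethod = $_.EncryptionMethod    # e.g. XtsAes256, Aes128, None
        ProtectionStatus = $_.ProtectionStatus    # Off means the key protectors are suspended
        KeyProtectors    = ($_.KeyProtector.KeyProtectorType -join ';')
        # A volume counts as compliant only when it is fully encrypted AND protection is
        # active; an encrypted volume with protection suspended is still exposed.
        Compliant        = ($_.VolumeStatus -eq 'FullyEncrypted' -and $_.ProtectionStatus -eq 'On')
        Collected        = (Get-Date).ToString('s')
    }
}

# The CSV is the artifact that goes into the asset inventory for the auditor.
$inventory | Export-Csv -Path $ReportPath -NoTypeInformation
$inventory | Format-Table MountPoint, VolumeStatus, EncryptionMethod, ProtectionStatus, Compliant -AutoSize

# Volumes to remediate before the next review
$inventory | Where-Object { -not $_.Compliant }
```

The same columns can be filled in for the other platforms the post names with `fdesetup status` on macOS (FileVault) and `lsblk -o NAME,TYPE,FSTYPE` on Linux, where dm-crypt volumes show a TYPE of crypt, so one inventory covers all three.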
Join the conversation - https://www.linkedin.com/posts/scottintech_ciscontrols-cybersecurity-bitlocker-activity-7077134189430460416-9ILG?utm_source=share&utm_medium=member_desktop
Safeguard 3.5 covers how you securely dispose of data, which should be outlined in your data management process. You have to ensure the disposal process and method are commensurate with the data sensitivity.
Formatting a hard drive leaves data on it, so a simple drive format should not be considered an appropriate method of disposing of data.
CIS Controls are aimed at business rather than personal use, so that example isn't directly applicable, but it still matters, because we forget about these devices or think they're low risk. There is storage in your computers, servers, network equipment, printers, and, if you push it, old fax machines, where the film roll would actually store an image of every fax received. How do you address all of these devices, when the data stored there is an assortment of everything printed, from confidential data to that random email?
Here the key is your data management process and policy. It should outline which devices have drives you are concerned with and how you go about disposing of the data, the drive, or the whole piece of equipment if the flash storage is embedded. It should include how long you retain data, where the data lives, who owns the data, and, when it's time to decommission a device, how the data that lives on it is disposed of. So it covers live data, legacy data, and the devices that store them.
In the past I have taken drives out to a gun range, and I have also had drives destroyed by a shredding company with a certificate of destruction. They maintain the chain of custody, and proof of destruction is typically what an auditor likes to see, but the gun range will ensure no data is recoverable as well. You can also use disk wiping or a data dump (the process of overwriting every bit of data with a 0 or 1 and then formatting the drive). The government standard (DoD 5220.22-M) calls for a data wipe to run the same process a minimum of 3 times; the government considers this a medium-security wipe. I see more companies using a hard drive degausser, which will completely sanitize, wipe, and erase hard drives.
No matter what process you use, document it and maintain an inventory of destroyed hard drives, including serial number, date of destruction, and the certificate.
Join the conversation - https://www.linkedin.com/posts/scottintech_ciscontrols-cybersecurity-datasensitivity-activity-7076594085129506816-S-zd?utm_source=share&utm_medium=member_desktop
Safeguard 3.4 covers enforcing data retention according to the data management process. Your data retention policy must include both the minimum and maximum retention timelines.
The two primary reasons you need a data retention policy are liability protection and regulatory compliance.
Liability protection: managing and protecting an organization's important data to avoid the civil, criminal, and financial penalties that can result from poor data management.
Regulatory compliance: local, state, federal, and international policies, rules, statutes, and laws, as well as industry-imposed regulations, often set the length of time that specific types of data must be retained and maintained.
It is important to understand which compliance regimes and regulations you fall under and ensure you are retaining the necessary data for the required timelines.
Looking at some of the industry standards and their retention periods:
Federal Information Security Modernization Act (FISMA) - 3 Years
ISO 27001 - 3 Years
National Energy Commission (NERC) - 3 to 6 Years
Basel II Capital Accord - 3 to 7 Years
Sarbanes-Oxley Act (SOX) - 7 Years
Health Insurance Portability and Accountability Act (HIPAA) - 6 Years
National Industrial Security Program Operating Manual (NISPOM) - 6 to 12 Months
No matter how long you choose to retain the data, you need to have the policy documented and validate and test your backups on a regular basis - otherwise you can't be sure you actually have backups and are retaining the data.
Your data retention policy should cover local, application, database, and cloud data, as well as storing the retained data both locally and in the cloud. The last thing you want is a fire that destroys your local data and the backup files with it.
Join the conversation - https://www.linkedin.com/posts/scottintech_ciscontrols-cybersecurity-liability-activity-7074566857776582656-TdVO?utm_source=share&utm_medium=member_desktop
Safeguard 3.3 covers configuring data access control lists based on a user's need to know. This includes local and remote file systems, databases, and applications, and it is the foundation of Zero Trust.
What does a user need, and what do they need access to? If they don't need access, why do they have it?
Sure, 15 years ago we lived in the world of the Company Drive, where everyone had access to everything in case they needed it. Today the world is completely different, and every user's access, applications, and needs have to be reviewed and audited. If they don't need it, then it's time to deny access to that resource.
When you hear Access Control Lists you likely think networking, since ACLs are used heavily there. But here we go back to our inventory of all of our assets (1.1), users, and data (3.2), and map out which lists of users should have access to what.
I accomplished this with AD groups and Group Policy: each segment of data was categorized into shared folders, those shared folders had an AD group assigned for permissions, and then Group Policy mapped the drive based on the same group. I maintained an inventory of every shared drive and who had access to it. I also used Liongard; its Windows Server inspector gave me a breakdown of every shared drive and who had access, for automatic auditing. Tools like Netwrix Corporation can do similar.
Your ACL is just that, a list. It doesn't matter how or where you store it, but you want to cover all of your data: local, server, and cloud-based. Yes, include your SaaS apps, databases, applications, and anything else that is taking your data and storing it.
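The "every shared drive and who has access to it" inventory described above, as an added example and not the post's own tooling: it walks the SMB shares on a Windows file server, expands each AD group granted on a share to its members, and flags grants that bypass the group model. It assumes the SmbShare and ActiveDirectory modules are available on the server where it runs; the output path is a placeholder.

```powershell
# Added example: share-level access inventory for Safeguard 3.3.
# Assumes it runs on the file server with the SmbShare and ActiveDirectory modules.
Import-Module SmbShare, ActiveDirectory

$Domain = $env:USERDOMAIN
$rows = foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {   # skip C$, ADMIN$, IPC$
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        $principal = $ace.AccountName.Split('\')[-1]
        $isGroup   = $false
        $members   = $null
        # Only domain principals are expanded; BUILTIN\ and NT AUTHORITY\ entries are reported as-is.
        if ($ace.AccountName -like "$Domain\*") {
            $grp = Get-ADGroup -Filter "SamAccountName -eq '$principal'" -ErrorAction SilentlyContinue
            if ($grp) {
                $isGroup = $true
                $members = (Get-ADGroupMember -Identity $grp -Recursive -ErrorAction SilentlyContinue |
                            Select-Object -ExpandProperty SamAccountName) -join ';'
            }
        }
        [PSCustomObject]@{
            Server      = $env:COMPUTERNAME
            Share       = $share.Name
            Path        = $share.Path
            Principal   = $ace.AccountName
            AccessRight = $ace.AccessRight         # Full, Change, Read
            Type        = $ace.AccessControlType   # Allow or Deny
            IsGroup     = $isGroup
            Members     = $members
            # A direct user grant, or a catch-all group, is exactly the "everyone has access" pattern
            # the post describes; surface it for the review rather than silently listing it.
            ReviewFlag  = (-not $isGroup) -or ($ace.AccountName -match 'Everyone|Authenticated Users|Domain Users')
        }
    }
}

$rows | Export-Csv -Path 'C:\Temp\share-access-inventory.csv' -NoTypeInformation   # placeholder path
$rows | Where-Object { $_.ReviewFlag } | Format-Table Share, Principal, AccessRight, Type -AutoSize
```

Share permissions are only half of the effective access; adding `Get-Acl $share.Path` for each share puts the NTFS side into the same inventory.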
Join the conversation - https://www.linkedin.com/posts/scottintech_ciscontrols-cybersecurity-zerotrust-activity-7074233841535569920-12Yq?utm_source=share&utm_medium=member_desktop
Safeguard 3.2 brings us back to knowing what you have, as it calls for you to establish and maintain a data inventory. You are required to inventory sensitive data at a minimum, but you should go through the same exercise with all of your data types.
You should review and update the inventory at least annually, with priority on the sensitive or critical data classifications.
I would map out a document that includes the file path, storage location, backup and retention period and location, data classification (critical, high, medium, low), and which groups or users have access to it.
As we go through the process you'll hear it again and again: you can't protect what you don't know - and if you don't know where your data is stored and what types of data it is, you can't secure it.
Join the conversation - https://www.linkedin.com/posts/scottintech_ciscontrols-cybersecurity-secureit-activity-7073059976482549760-dn_e?utm_source=share&utm_medium=member_desktop
Now that you know what assets you have in your inventory lists, it's time to start protecting them.
CIS Control Safeguard 3.1 is to establish and maintain a data management process. The process should address data sensitivity, data ownership, how data is handled, data retention limits, and disposal requirements. It should be reviewed and updated annually or when significant changes occur in the data or the types of data being stored.
I always started Control 3 with, you guessed it, an inventory of everywhere data is being stored (which is actually Safeguard 3.2). It was not uncommon to discover that data was in OneDrive, Google Drive, Box.com, Dropbox, on local hard drives, USB drives, etc. That is a nightmare to try to understand, let alone establish a process around.
So in our internal Data Usage Policies we outlined what types of data could be stored where. For each type of data we then spelled out the criteria outlined in this process.
If it contained trade secrets, business information, employee data, client records, PII, PHI, or other data deemed confidential, it was labeled High or Critical, listing who owned it, where the data was handled, and how it was retained and backed up.
The same exercise was completed for the Medium and Low data sensitivity classifications. This was all documented in the Internal Data Usage Policy, which every employee had to read and sign off that they understood, annually or anytime a change occurred.
For compliance here you need to have your processes and policies typed up and documented. It's not hard once you know where and how your data is being stored and accessed. Getting control over how your data is stored, however, may be your biggest battle if end users have never had any restrictions before.
Remember to educate users on why it's important to know how data is being stored, why it's required for security compliance, and ultimately why everyone is responsible for keeping the company secure. You'll have pushback from a few people - but with leadership buy-in, they will adopt it.
Join the conversation - https://www.linkedin.com/posts/scottintech_ciscontrols-cybersecurity-secureit-activity-7072793568058204160-YzoX?utm_source=share&utm_medium=member_desktop
We have now reviewed 15 of the 153 Safeguards, completing Controls 1 and 2, which are based on inventory control.
CIS Control Safeguard 2.7 is the allowlist of authorized scripts: using technical controls such as digital signatures and version control to ensure that only authorized scripts (.ps1, .py, etc.) are allowed to execute. You have to reassess this at least bi-annually, and before you scare yourself, this safeguard is only required for Implementation Group 3 compliance.
Two quick tools I know do this well are ThreatLocker and Ivanti Zero-Trust Network Access (ZTNA). There are likely others out there, but I would start my search with these two products if you are looking for compliance here.
While there are methods to block the use of PowerShell in Windows via AppLocker policy, you would have to duplicate the steps and process for other applications like CMD that may enable batch scripts to run, or other scripting engines that may be installed. So in combination with 2.5 you can likely get away with just blocking PowerShell and batch scripts, as the software allowlist would not have authorized any similar programs that can run scripts locally.
I would still point back to the two applications above for ease and peace of mind, just knowing it's still working.
The bottom line for Control 2 is that you have to maintain a current and accurate inventory of all applications on all of your assets, and then have the ability to allowlist and block the software, libraries, and scripts you don't want to run.
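A review script for the two technical controls Safeguard 2.7 names, digital signatures and a version-controlled allowlist, as an added example that is not from the post or from either product mentioned: it hashes every script under a folder, checks its Authenticode signature, and reports anything that neither a trusted signer nor the allowlist vouches for. The folder, allowlist CSV (columns Path,Sha256) and signer subject are placeholders.

```powershell
# Added example: script allowlist review for Safeguard 2.7. Paths and signer are placeholders;
# the allowlist CSV is meant to live in source control so changes to it are versioned.
$ScriptRoot     = 'C:\Scripts'                    # placeholder
$AllowlistCsv   = 'C:\Scripts\allowlist.csv'      # placeholder, columns: Path,Sha256
$TrustedSigners = @('CN=Contoso Code Signing')    # placeholder certificate subject(s)

# Key the allowlist by hash: a renamed copy of an approved script still matches,
# while an edited approved script no longer does.
$allowed = @{}
Import-Csv $AllowlistCsv | ForEach-Object { $allowed[$_.Sha256.ToUpper()] = $_.Path }

$report = Get-ChildItem -Path $ScriptRoot -Recurse -File -Include *.ps1, *.psm1, *.bat, *.cmd, *.vbs, *.py |
  ForEach-Object {
    $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    # Get-AuthenticodeSignature only understands Windows signing formats; a .py file
    # comes back NotSigned or UnknownError, so the hash allowlist is the control there.
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    $signedByUs = ($sig.Status -eq 'Valid') -and ($TrustedSigners -contains $sig.SignerCertificate.Subject)
    [PSCustomObject]@{
        Script      = $_.FullName
        Sha256      = $hash
        SigStatus   = $sig.Status                  # Valid, NotSigned, HashMismatch, ...
        Signer      = $sig.SignerCertificate.Subject
        OnAllowlist = $allowed.ContainsKey($hash)
        # Authorized when either control vouches for it; everything else is a finding
        Authorized  = $signedByUs -or $allowed.ContainsKey($hash)
    }
  }

$report | Export-Csv -Path (Join-Path $ScriptRoot 'script-allowlist-review.csv') -NoTypeInformation
$report | Where-Object { -not $_.Authorized } | Format-Table Script, SigStatus, OnAllowlist -AutoSize
```

This reports drift for the bi-annual reassessment; enforcing it at execution time is what an AppLocker or WDAC script rule, or the products named above, do.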
Join the conversation - https://www.linkedin.com/posts/scottintech_ciscontrols-cybersecurity-safeguards-activity-7072291885871951872-L7ye?utm_source=share&utm_medium=member_desktop
The 153 Safeguards, which are found in the 18 Controls, are the foundation for protecting your technology and data. They are not rocket science, and the majority you can start to implement today.
Follow along as I outline and simplify the safeguards as we work together and SecureIT.
Today we are going to review 2.5 and 2.6, which use technical controls to establish an allowlist for software (2.5) and libraries (2.6). Both are requirements for Implementation Group 2, and both require at minimum a bi-annual reassessment.
Looking at software, you need to ensure that only authorized software can execute or be accessed, also known as whitelisting.
Microsoft Windows Defender Application Control allows organizations to control which applications are installed, and you can also use Microsoft Intune for whitelisting.
Some Remote Monitoring and Management Tools like N-able's N-Central offer Application Compliance.
I really love what Danny Jenkins and the team at ThreatLocker have done with application allowlisting, and if you have to check off this compliance requirement, you should check them out.
Safeguard 2.6 takes it a step further with allowlisting of libraries such as .dll, .ocx, .so, etc., the files that are loaded into a system process.
Microsoft Windows Defender Application Control policy rule option 19 enables policy enforcement for .NET applications and dynamically loaded libraries; it is only supported on Windows 10 v1803 and newer or Server 2019 and newer.
I would again recommend looking at the Zero Trust model at ThreatLocker, as it will check off the boxes of 2.5, 2.6, and 2.7, which we will look at tomorrow.
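How a Windows Defender Application Control policy gets from "allowlist what is installed" (2.5) to covering .NET and dynamically loaded libraries (2.6) with rule option 19, as an added example and not the post's own procedure: it scans a reference machine, sets the rule options, and compiles the policy in audit mode first. It assumes an elevated session on the reference build with the ConfigCI module; paths are placeholders.

```powershell
# Added example: WDAC allowlist policy for Safeguards 2.5 and 2.6.
# Assumes an elevated session on the reference machine (Windows 10 / Server 2019 or newer); paths are placeholders.
Import-Module ConfigCI
$PolicyXml = 'C:\WDAC\allowlist.xml'    # placeholder
$PolicyBin = 'C:\WDAC\SIPolicy.p7b'     # placeholder

# Publisher-level rules trust the signer of what is installed today; anything unsigned
# falls back to a per-file hash, so it is still allowlisted explicitly rather than missed.
# Scanning the whole drive takes a while; narrow -ScanPath to the install locations if needed.
New-CIPolicy -FilePath $PolicyXml -Level Publisher -Fallback Hash -ScanPath 'C:\' -UserPEs

Set-RuleOption -FilePath $PolicyXml -Option 0    # Enabled:UMCI, enforce for user-mode code
Set-RuleOption -FilePath $PolicyXml -Option 19   # Enabled:Dynamic Code Security, .NET and dynamically loaded libraries
Set-RuleOption -FilePath $PolicyXml -Option 3    # Enabled:Audit Mode, log instead of block while the list is reviewed
Set-RuleOption -FilePath $PolicyXml -Option 16   # Enabled:Update Policy No Reboot

# Compile to the binary form Windows loads. In audit mode, files that would have been blocked
# show up as event 3076 in Microsoft-Windows-CodeIntegrity/Operational; once that log is clean,
# drop the audit option and recompile to enforce:
#   Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
```

For this single-policy format the binary is deployed by copying it to C:\Windows\System32\CodeIntegrity\SIPolicy.p7b on each managed device (Intune or Group Policy can distribute it) followed by a reboot.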
Join the conversation online at - https://www.linkedin.com/posts/scottrdavispa_ciscontrols-cybersecurity-safeguards-activity-7071953394730463232-gyLU?utm_source=share&utm_medium=member_desktop