Get to know CIS Security Control 3 v8 in depth: the set of safeguards that helps organizations protect their data, what changed compared to v7, each of the safeguards, and how to implement CIS Control 3 effectively.



A brief background about data breaches

IBM and the Ponemon Institute released a report on the cost of a data breach in 2022, covering 550 breaches with data gathered from over 3,600 interviews across 17 countries, and the result was mind-blowing. The results show that the average data breach cost US$4.35 million in 2022, up from the $4.24 million recorded in 2021.

Every year, IBM's data breach cost statistics indicate that the figures keep rising by at least 2.6 per cent, and the numbers are expected to shoot up in the coming years.
In the US, however, the figures are drastically different: the average cost of a data breach was found to be $9.44M, more than double the global average. Learn how the data breach loss cost estimate is obtained.

The IBM report also showed the causes of most breaches, with stolen or compromised credentials accounting for 19% of breaches, phishing being responsible for 16%, and Cloud misconfiguration causing 15% of breaches.

It’s essential for organizations to deploy a robust data protection strategy to reduce the possibility of a data breach or data leakage, which often leads to financial loss. The CIS Controls are a collection of the best data and computer security practices for mitigating attacks on systems and networks.

CIS Security Controls v8, Data Protection

The CIS Critical Security Controls (CIS Controls) is a set of security Safeguards to help organizations mitigate the most prevalent cyber-attacks against computer systems and networks. These Controls are improved from time to time to address constantly evolving cyber threats and keep up with modern systems and technologies.

More specifically, CIS Control 3 focuses on protecting data both at rest and in transit, through data management practices that cover servers, workstations, and mobile devices. The Control maps out processes and techniques to identify, classify, safely handle, retain, and dispose of data in a way that minimizes the risk of a data breach.

It’s no news that an organization’s data is no longer restricted to its borders. Some data are now stored in the cloud, shared with partners, transferred over portable end-user devices, and so on. This diverse handling of data opens it to more risks of attack, making data protection a great concern for organizations.

Although encryption protects data well, on its own it does not help much against malicious actors who know how to work around it. As a result, organizations need to adopt the holistic data protection strategy outlined by CIS Control 3 to strengthen their security and mitigate cyber-attacks.

Changes compared to v7: Data Protection is now Control 3

CIS Controls v8 is a comprehensive revision of v7 and contains safeguard updates to improve data security and reduce the risk of a breach. Some of the changes include:

– the addition of Service Provider Management Control: a new control that tackles the sensitivity of data in SaaS platforms, including their storage and processing.

– moving Data Protection from the number 13 spot to number 3 and adding five new Safeguards to this Control. These five new Safeguards are focused on managing and identifying data in a more secure approach to minimize vulnerabilities.

Other changes affected Controls such as 4, 5, 6, and 14.


What data protection safeguards does CIS Control 3 include?

Below are the safeguards of CIS Control 3:


3.1: Establish and Maintain a Data Management Process

Organizations should put in place an effective data management process that handles data sensitivity, ownership, storage, retention, backup, and disposal. The data management process should align with the regulations that apply to your organization and be reviewed annually or whenever there’s a major policy change.

3.2: Establish and Maintain a Data Inventory

Your inventory outlines the type of data your organization produces, the degree of sensitivity, and how they’re retained and consumed. Typically, your inventory should reflect both structured data (e.g., data stored in databases) and unstructured data (e.g., documents and photos) to ensure a comprehensive data protection policy.

3.3: Configure Data Access Control Lists

Restricting each user’s access is a crucial part of data security: each user should only have access to the data, applications, and systems on the organization’s network that they require to do their job. Access beyond what they need (especially to sensitive data) increases the risk of a data breach or security compromise, whether deliberate or accidental.

Access control lists should be reviewed regularly to detect and promptly remove permissions a user should no longer have, for example after they move to a new department, branch, or role.
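The following is an added example, not code from the CIS Controls or from SealPath, of the two halves of this safeguard in a few lines of Python: an access check that requires a grant to be both present on the ACL and justified by the user's current role, and the periodic review that finds grants left over from a previous role. The datasets, roles and users are constructed for illustration; in practice the role-to-dataset mapping would come from the data inventory.

```python
"""Added example (not from the CIS Controls or SealPath): least-privilege
ACL check plus the periodic review CIS Safeguard 3.3 calls for.
All datasets, roles and users below are constructed for illustration."""
from dataclasses import dataclass, field

# Constructed inventory: each dataset lists the roles that legitimately need it.
DATASET_ROLES = {
    "hr/payroll":       {"hr-payroll"},
    "finance/ledger":   {"finance"},
    "marketing/assets": {"marketing", "sales"},
    "public/website":   {"hr-payroll", "finance", "marketing", "sales", "engineering"},
}


@dataclass
class User:
    name: str
    role: str
    # Explicit grants on the ACL. Least privilege means these should be
    # no wider than what the current role needs.
    grants: set = field(default_factory=set)


def needed_datasets(role):
    """Datasets a role legitimately needs, derived from the inventory."""
    return {ds for ds, roles in DATASET_ROLES.items() if role in roles}


def can_access(user, dataset):
    """Allow only if the ACL grants it AND the user's current role justifies it."""
    return dataset in user.grants and dataset in needed_datasets(user.role)


def review_acl(users):
    """Periodic review: return (user, dataset) grants that exceed what the
    user's role needs, e.g. leftovers from a previous department or role."""
    findings = []
    for u in users:
        for ds in sorted(u.grants - needed_datasets(u.role)):
            findings.append((u.name, ds))
    return findings


def revoke_excess(users):
    """Remove the excess grants the review would report; return how many."""
    removed = 0
    for u in users:
        excess = u.grants - needed_datasets(u.role)
        u.grants -= excess
        removed += len(excess)
    return removed


if __name__ == "__main__":
    # alice moved from HR payroll to marketing but kept her old grant.
    alice = User("alice", "marketing", {"hr/payroll", "marketing/assets", "public/website"})
    bob = User("bob", "finance", {"finance/ledger", "public/website"})
    print(review_acl([alice, bob]))          # [('alice', 'hr/payroll')]
    print(can_access(alice, "hr/payroll"))   # False: the stale grant is not honoured
    print(revoke_excess([alice, bob]))       # 1
    print(sorted(alice.grants))
```

Checking the role at access time, not only at grant time, means a stale grant stops working the moment the role changes, even if the review that removes it runs only quarterly.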

3.4: Enforce Data Retention

Data should have minimum and maximum timeframes that control how long each type of data is retained. To ensure full compliance, consider automating the data retention process so that data is not kept past its expiry period simply because nobody remembered to remove it.

3.5: Securely Dispose of Data

Whether you need to dispose of data because it’s old and irrelevant or because regulations require it, secure disposal is crucial to preventing unauthorized access to the data. Dispose of data according to its sensitivity, making sure that sensitive data is eliminated entirely, so that no user can recover it.
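As an added example covering both 3.4 and 3.5 (this is not code from the CIS Controls or from SealPath), the Python below evaluates records against a constructed retention schedule with minimum and maximum periods, lists the records that must be disposed of, and overwrites a file before unlinking it. The data classes, retention periods and records are assumptions made for the example; the caveat in the disposal function is the one a practitioner should keep in mind.

```python
"""Added example (not from the CIS Controls or SealPath): retention
schedule evaluation for Safeguard 3.4 and a disposal step for 3.5.
Data classes, periods and records are constructed for illustration."""
import os
import tempfile
from datetime import date

# Constructed schedule: (minimum, maximum) retention in days per data class.
# The minimum models a legal or business hold; the maximum models expiry.
RETENTION_DAYS = {
    "financial-record": (365 * 7, 365 * 10),
    "support-ticket":   (90, 365 * 2),
    "marketing-lead":   (180, 365),
}


def retention_action(data_class, created, today):
    """created/today are ISO dates (YYYY-MM-DD). Returns 'keep' (still under
    the minimum), 'eligible' (past the minimum, may be disposed on request)
    or 'dispose' (past the maximum, must be disposed)."""
    min_days, max_days = RETENTION_DAYS[data_class]
    age = (date.fromisoformat(today) - date.fromisoformat(created)).days
    if age > max_days:
        return "dispose"
    if age >= min_days:
        return "eligible"
    return "keep"


def due_for_disposal(records, today):
    """records: iterable of (record_id, data_class, created_iso_date)."""
    return [rid for rid, cls, created in records
            if retention_action(cls, created, today) == "dispose"]


def securely_dispose(path, passes=1):
    """Overwrite a file's contents with random bytes, sync, then unlink.
    Caveat: this is adequate for a demonstration and for plain HDD-backed
    storage. On SSDs, journaled or copy-on-write filesystems and cloud
    object stores, overwriting does not guarantee the old blocks are gone;
    there, crypto-shredding (destroying the key of encrypted data) is the
    reliable option."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as fh:
        for _ in range(passes):
            fh.seek(0)
            fh.write(os.urandom(size))
            fh.flush()
            os.fsync(fh.fileno())
    os.remove(path)
    return not os.path.exists(path)


def demo_dispose(content):
    """Write constructed content to a temp file and dispose of it; True if gone."""
    tmp = tempfile.NamedTemporaryFile(delete=False)
    tmp.write(content)
    tmp.close()
    return securely_dispose(tmp.name)


if __name__ == "__main__":
    today = "2023-01-01"
    records = [
        ("inv-001", "financial-record", "2011-06-30"),  # past 10 years: dispose
        ("tkt-042", "support-ticket",   "2022-06-15"),  # past 90 days: eligible
        ("lead-7",  "marketing-lead",   "2022-12-02"),  # under 180 days: keep
    ]
    print(due_for_disposal(records, today))      # ['inv-001']
    print(demo_dispose(b"constructed sensitive content"))   # True
```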

3.6: Encrypt Data on End-User Devices

In certain scenarios, company devices get compromised by internal or external threats. Encrypting data on end-user devices helps prevent data misuse when such scenarios arise, adding an extra layer of security to your organization. Typical examples of encryption tools are Windows BitLocker, Linux dm-crypt, and Apple FileVault.

3.7: Establish and Maintain a Data Classification Scheme

Not all the data in your organization is on the same level: some is sensitive, some isn’t. Establishing and maintaining a data classification scheme lets you distinguish sensitive data from non-sensitive data, so you can give the sensitive data more protection. Non-sensitive data can also be further classified as private or public to enhance data protection.

Organizations should review their data classification scheme annually or whenever there’s a significant policy change.

3.8: Document Data Flows

Organizations should keep track of how data moves in and out of the enterprise so that weaknesses in their cybersecurity can be detected in time. Review the documentation annually and update it whenever a significant change that could affect this safeguard occurs.

3.9: Encrypt Data on Removable Media

Organizations should prepare for device theft by encrypting the data on external hard drives, flash drives, and other removable media. These devices may also be misplaced and eventually land in the wrong hands, but with encryption the data cannot be read by whoever finds them.

3.10: Encrypt Sensitive Data in Transit

Organizations should encrypt critical data in transit to ensure it stays protected wherever it goes. Popular options are OpenSSH (Open Secure Shell) and Transport Layer Security (TLS). Every encrypted channel must also be properly authenticated: for OpenSSH this means validating host keys and investigating any connection warnings; for TLS it means using valid DNS names with certificates signed by a trusted certification authority.
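The authentication half of this safeguard is the part most often undone in practice. The following added example (not code from the CIS Controls or from SealPath, standard library only, no network needed) builds a TLS client context that verifies the certificate chain, checks the DNS name and refuses versions below TLS 1.2, places the typical "just make the error go away" context beside it, and audits any `ssl.SSLContext` for those three weak settings. The `open_authenticated` helper shows how the hardened context is used for a real connection; it is not exercised offline.

```python
"""Added example (not from the CIS Controls or SealPath): a TLS client
context that actually authenticates the server, and an audit of an
existing context for the weak settings Safeguard 3.10 warns about."""
import socket
import ssl


def hardened_client_context():
    """Verify the chain against the system trust store, check the DNS name
    in the certificate against the host requested, and require TLS >= 1.2."""
    ctx = ssl.create_default_context()      # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context():
    """The context produced by disabling verification to silence an error:
    the channel is encrypted, but to whoever answers, with no authentication."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False              # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except ValueError:
        pass  # this OpenSSL build cannot go that low; the other two findings remain
    return ctx


def audit_context(ctx):
    """Return a list of findings; an empty list means the context
    authenticates its peer the way the safeguard requires."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname check disabled (any trusted certificate would be accepted)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows TLS versions below 1.2")
    return findings


def open_authenticated(host, port=443, timeout=5):
    """Connect with the hardened context. An untrusted or mismatched
    certificate raises ssl.SSLCertVerificationError; that is the connection
    warning to investigate, not to bypass."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()["subject"]


if __name__ == "__main__":
    print(audit_context(hardened_client_context()))   # []
    for finding in audit_context(weak_client_context()):
        print("WEAK:", finding)
```

Note the ordering in `weak_client_context`: Python refuses to set `verify_mode = CERT_NONE` while `check_hostname` is still true, which is a useful guard rail; code that clears `check_hostname` first is exactly what an audit like `audit_context` should be looking for.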

3.11: Encrypt Sensitive Data At Rest

Sensitive data at rest, whether on servers, in databases, or in applications, should be encrypted with at least storage-layer encryption. Additional encryption methods can be deployed to ensure that only authorized users can view and use the data, even if the storage device gets into the wrong hands.

3.12: Segment Data Processing and Storage Based on Sensitivity

Data processing and storage should be segmented based on data classification, so that sensitive data is handled with more caution than less sensitive data. Avoid processing sensitive data on enterprise assets that also handle less sensitive data. This prevents an attacker who compromises a system holding less sensitive data from automatically reaching all company data.

3.13: Deploy a Data Loss Prevention Solution

Data loss prevention (DLP) is an automated system for protecting on-site and remote data from accidental loss and exfiltration. The tool identifies all sensitive data processed, stored, or transmitted through enterprise assets and updates the data inventory. Read more about DLP vs IRM here.

3.14: Log Sensitive Data Access

All actions on sensitive data should be logged, including access, modification, and disposal, as this is essential for timely detection of and response to malicious activity. Post-incident investigation and attribution of a breach, which are needed for accountability, also depend on complete data access logs.
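Logging is only useful if something reads the logs. The following added example (not code from the CIS Controls or from SealPath) parses a constructed access-log format, which records the data class alongside the action, and raises alerts for three patterns this safeguard exists to catch: a user who is not cleared reading confidential data, a disposal performed by someone outside the disposal role, and repeated denied access by one user. The log lines, user lists, thresholds and format are all assumptions made for the example.

```python
"""Added example (not from the CIS Controls or SealPath): detection logic
run over constructed sensitive-data access log lines (Safeguard 3.14)."""
import re
from collections import Counter

# Constructed log format: <timestamp> user=<u> action=<a> dataset=<d> class=<c> result=<r>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>read|modify|dispose) "
    r"dataset=(?P<dataset>\S+) class=(?P<cls>public|internal|confidential) "
    r"result=(?P<result>allow|deny)$"
)

# Constructed sample log.
SAMPLE_LOG = """\
2023-03-01T09:02:11Z user=alice action=read dataset=hr/payroll class=confidential result=allow
2023-03-01T09:05:40Z user=mallory action=read dataset=hr/payroll class=confidential result=deny
2023-03-01T09:05:41Z user=mallory action=read dataset=hr/payroll class=confidential result=deny
2023-03-01T09:05:42Z user=mallory action=read dataset=hr/payroll class=confidential result=deny
2023-03-01T09:05:43Z user=mallory action=read dataset=hr/payroll class=confidential result=deny
2023-03-01T10:15:00Z user=bob action=dispose dataset=finance/ledger class=confidential result=allow
2023-03-01T10:20:00Z user=carol action=read dataset=public/website class=public result=allow
"""

# Constructed policy inputs (in practice: from the ACL and the data inventory).
CLEARED_FOR_CONFIDENTIAL = {"alice", "dba"}
DISPOSAL_OPERATORS = {"records-admin"}
DENY_THRESHOLD = 3


def parse(log_text):
    """Parse lines into dicts; malformed lines are kept, not silently dropped,
    because a log that stops parsing is itself a detection signal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        events.append(m.groupdict() if m else {"malformed": line})
    return events


def detect(events):
    """Return alerts as (rule, user, detail) tuples, in log order."""
    alerts = []
    denies = Counter()
    for e in events:
        if "malformed" in e:
            alerts.append(("malformed-log-line", "-", e["malformed"]))
            continue
        if (e["cls"] == "confidential" and e["result"] == "allow"
                and e["user"] not in CLEARED_FOR_CONFIDENTIAL):
            alerts.append(("uncleared-confidential-access", e["user"], e["dataset"]))
        if e["action"] == "dispose" and e["user"] not in DISPOSAL_OPERATORS:
            alerts.append(("disposal-by-non-operator", e["user"], e["dataset"]))
        if e["result"] == "deny":
            denies[e["user"]] += 1
            if denies[e["user"]] == DENY_THRESHOLD:   # alert once, at the threshold
                alerts.append(("repeated-denied-access", e["user"],
                               f"{DENY_THRESHOLD} denials"))
    return alerts


def alerts_for(log_text):
    return detect(parse(log_text))


if __name__ == "__main__":
    for rule, user, detail in alerts_for(SAMPLE_LOG):
        print(f"{rule:32} user={user:8} {detail}")
```

Two design points carry over to real deployments: the data class is written into every event at log time, so the detector does not have to look it up later (and the classification that applied at the moment of access is preserved), and denied accesses are logged as well as allowed ones, since a burst of denials is often the earliest sign of probing.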

How a data-centric security approach can help you to implement CIS Control 3

Organizations deploying data-centric security can better implement CIS Control 3 because their technologies, processes, and policies are concerned with the lifecycle of data, including its location, collection, transfer, storage, and visibility.

Key Elements And Benefits of a Data-Centric Security Approach

The key elements of an effective data-centric security system include the following:

1. Identification, discovery, and classification of sensitive information

An internal or external attacker’s primary target is the most sensitive company information, since it carries the highest payoff. They may also go after regulated data, such as data covered by the EU GDPR or PCI DSS. Often, this data is stored in specific repositories known only to the company’s team; however, it can be shared, putting the data at risk. Organizations interested in implementing data-centric security controls need tools and technologies that help them identify where their data is at all times in order to prevent unauthorized access. Learn about the advantages of data classification boosted by AI and machine learning.

2. Data-centric protection

Data-centric security controls focus on monitoring and securing an organization’s sensitive information to prevent unauthorized access and leakage, whether through the cloud or the network. You know where your data is and where it goes while keeping full control over it, regardless of how far it travels.

3. Audit and monitoring of access to data

Organizations must analyze data use and determine if users’ behavioural patterns are within the acceptable standard so as to know the level of risk associated with the data at any time.

4. Administration and management of data policies

Employees come and go, but company data remain relevant at all times. A data-centric security approach allows organizations to determine who should or shouldn’t have access to certain data, depending on their policies. So when you stop collaborating with someone or find out they’re at risk, you immediately revoke access to the data, destroy it, or prevent it from leaving the corporate network.


How can SealPath help?

When it comes to improving your organization’s data protection strategy, SealPath can offer a data-centric security system that effectively monitors your data at rest, in transit, and in use. Thus, regardless of how far your data travels, you are not only aware of its journey, but you still have absolute control over it and can destroy it in case of a breach risk.

SealPath offers you Information Rights Management (IRM) / Enterprise Digital Rights Management (E-DRM) / Enterprise Information Protection and Control (IPC) over all your data, to prevent breach incidents.

Information Rights Management (IRM)/Enterprise Digital Rights Management (E-DRM)/Enterprise Information Protection and Control (IPC) solution

IPC (Information Protection and Control), or IRM / E-DRM (Information Rights Management / Enterprise Digital Rights Management), technologies give you the power to control information wherever it is, even outside the cloud. They combine identity control + encryption + auditing + remote control, taking protection beyond the sphere of traditional encryption.

Some of the capabilities of this technology include the ability to:
• provide protection that travels with the information
• monitor access to information and limit the permissions on the documentation (view only, edit, print, etc.)
• revoke access, no matter where the files are stored

With a data-centric approach to security, protection can be applied by users or managed by the administrator for specific folders. In the cloud, folders or document repositories on systems such as O365 and Box are protected automatically by encrypting them.

These technologies can be integrated with classification, DLP, or CASB tools so that classified data inside or outside the corporate network or cloud is automatically protected according to its level of confidentiality.

Find out more on the following page or contact us for details.