Best Practices for CIS Control 3 (Data Protection)
- Cyber Stack Security
- Mar 14, 2023
- 2 min read
Updated: Mar 16, 2023
Develop a data management process that addresses data sensitivity, retention, storage, backup, and disposal. The process should follow a well-documented, enterprise-level standard that aligns with the regulatory requirements the organization is subject to.
Create a comprehensive data inventory that identifies the types and sensitivity of data produced, retained, and consumed by the organization, covering both structured data (databases, spreadsheets) and unstructured data (documents, e-mail, file shares). Review and update the inventory at least annually, or whenever the business changes significantly; without it, a risk assessment has nothing to assess.
Configure access control lists so that users can only reach the data, applications, and systems their job requires (least privilege). This limits the damage from both compromised accounts and malicious insiders. Review access control lists on a regular schedule and remove grants that are no longer needed, in particular those left behind by role changes and departures.
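The access-review step above is easy to state and tedious to do by hand, so here is an added example of how such a review can be automated. It is not code from the original post or from CIS; the role-to-permission matrix, user-role assignments and ACL entries are constructed sample data, and the resource and permission names are assumptions. The review compares every current grant against what the principal's roles actually require and reports both excess grants (to revoke) and missing ones (to add), so the same pass enforces least privilege in both directions.

```python
"""Least-privilege review of access control lists (added example, not from the original post)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    principal: str
    resource: str
    permission: str  # e.g. "read", "write", "delete"


# Constructed sample data (assumptions, not real roles or systems).
# What each job role legitimately needs, as (resource, permission) pairs.
ROLE_REQUIREMENTS = {
    "finance-analyst": {("ledger", "read"), ("ledger", "write")},
    "support-agent": {("customer-db", "read")},
}

# Which roles each user currently holds; carol has none (engagement ended).
USER_ROLES = {
    "alice": {"finance-analyst"},
    "bob": {"support-agent"},
    "carol": set(),
}

# The ACL as currently deployed, including grants that should not be there.
CURRENT_ACL = [
    Grant("alice", "ledger", "read"),
    Grant("alice", "ledger", "write"),
    Grant("alice", "customer-db", "read"),    # not required by finance-analyst
    Grant("bob", "customer-db", "read"),
    Grant("bob", "customer-db", "delete"),    # more than support-agent needs
    Grant("carol", "ledger", "read"),         # orphaned grant, no active role
]


def required_permissions(user, user_roles, role_requirements):
    """Union of the (resource, permission) pairs implied by the user's roles.

    A principal that is unknown to the role directory gets an empty set,
    so every grant it holds is reported as excess."""
    needed = set()
    for role in user_roles.get(user, ()):
        needed |= role_requirements.get(role, set())
    return needed


def review_acl(acl, user_roles, role_requirements):
    """Return (excess, missing).

    excess:  grants present in the ACL that no role of the principal requires
    missing: (user, resource, permission) the roles require but the ACL lacks
    """
    excess = [
        g for g in acl
        if (g.resource, g.permission)
        not in required_permissions(g.principal, user_roles, role_requirements)
    ]
    missing = []
    for user in user_roles:
        have = {(g.resource, g.permission) for g in acl if g.principal == user}
        needed = required_permissions(user, user_roles, role_requirements)
        for resource, permission in sorted(needed - have):
            missing.append(Grant(user, resource, permission))
    return excess, missing


if __name__ == "__main__":
    excess, missing = review_acl(CURRENT_ACL, USER_ROLES, ROLE_REQUIREMENTS)
    for g in excess:
        print(f"REVOKE  {g.principal:6} {g.permission:6} on {g.resource}")
    for g in missing:
        print(f"GRANT   {g.principal:6} {g.permission:6} on {g.resource}")
```

In a real deployment the role directory would come from the HR or identity system and the ACL from the target platform's API; the point of driving the review from job requirements rather than from the ACL itself is that orphaned grants like carol's are caught even though nobody is asking for them.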
Enforce data retention policies that define both a minimum and a maximum retention period for each class of data, so that records are kept as long as regulation requires and no longer than the business needs.
Develop a secure data disposal process, and select disposal tools, that match the sensitivity and the format of each type of data (a database record, a paper file and a decommissioned SSD are disposed of differently). Use a data disposal service if the organization cannot do this itself.
Encrypt data on end-user devices using the encryption built into or appropriate for the operating system, such as BitLocker on Windows, FileVault on macOS or LUKS on Linux, so that a lost or stolen laptop does not become a data breach.
Establish and maintain a data classification scheme with clear criteria that distinguish sensitive and critical data from the rest; every later safeguard (access control, encryption, segmentation, DLP) depends on this classification.
Document data flows to map how data moves through the organization, including flows to and from service providers, so that the points where data crosses a trust boundary or leaves the organization's control are known.
Encrypt data on removable media to reduce the risk of disclosure if the device is lost or stolen.
Encrypt sensitive data in transit using protocols that also authenticate the endpoint, such as TLS and OpenSSH. Encryption without authentication protects against passive eavesdropping only; a client that does not verify the server can be silently redirected to an attacker.
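The "that include authentication" caveat above is where most in-transit encryption goes wrong in practice, so here is an added example (not code from the original post) showing a TLS client configuration with peer verification disabled next to a hardened one, using Python's standard `ssl` module. The `cafile` parameter is an assumption for the case where an internal CA is used; with it left as `None` the system trust store applies.

```python
"""TLS client contexts: encrypted-but-unauthenticated vs. encrypted-and-authenticated.
Added example, not from the original post."""
import socket
import ssl


def unauthenticated_context():
    """The weak configuration: the channel is encrypted, but the client accepts
    any certificate from anyone, so a man-in-the-middle terminates TLS unnoticed.
    This pattern is common in code that 'fixed' a certificate error by turning
    verification off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile=None):
    """The corrected configuration: require a certificate, check that it chains
    to a trusted CA (system store, or the assumed internal CA bundle `cafile`),
    check that it matches the host name, and refuse pre-1.2 protocol versions."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def authenticates_peer(ctx):
    """True only if the context will reject an unverified or mismatched server."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def peer_subject(host, port=443, ctx=None):
    """Open a TLS connection and return the verified peer's subject.
    With the hardened context this raises ssl.SSLCertVerificationError instead
    of returning when the certificate is untrusted or for the wrong name."""
    ctx = ctx or hardened_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert().get("subject")


if __name__ == "__main__":
    for name, ctx in (("weak", unauthenticated_context()),
                      ("hardened", hardened_context())):
        print(f"{name:9} authenticates peer: {authenticates_peer(ctx)}")
    # Network use, e.g.: print(peer_subject("example.com"))
```

The OpenSSH equivalent of the same caveat is `StrictHostKeyChecking`: a client configured with `StrictHostKeyChecking no` encrypts the session but will accept a host key it has never seen, which is the SSH form of the unauthenticated context above.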
Encrypt all sensitive data at rest on servers, in databases, and within applications, whether through full-disk or database encryption or, for the most sensitive data, application-layer encryption that keeps the keys away from the storage layer.
Segment data processing and storage according to data classification, so that sensitive data lives on systems with tighter controls and is not mixed with data that needs less protection.
Deploy a data loss prevention (DLP) solution that covers both on-site and remote users and focuses on the sensitive content identified in the classification scheme, to detect and block exfiltration. A tested data backup strategy should also be in place.
Log all actions involving sensitive data, including access, modification, and disposal, so that malicious or anomalous activity can be detected and responded to promptly, and so that the records are available for post-incident investigation.